cxf-commits mailing list archives

From serg...@apache.org
Subject cxf git commit: Jose utils updates
Date Mon, 10 Nov 2014 18:22:21 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes f68f775a7 -> f912154d3


Jose utils updates


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f912154d
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f912154d
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f912154d

Branch: refs/heads/3.0.x-fixes
Commit: f912154d305ab8317d04251c045c4921f755be7f
Parents: f68f775
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Mon Nov 10 18:20:01 2014 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Mon Nov 10 18:21:49 2014 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/JweContainerRequestFilter.java   |  4 ++
 .../jose/jaxrs/JweWriterInterceptor.java        |  5 +-
 .../jose/jaxrs/JwsContainerRequestFilter.java   |  5 +-
 .../jaxrs/JwsJsonContainerRequestFilter.java    |  5 +-
 .../jose/jaxrs/JwsJsonWriterInterceptor.java    |  5 +-
 .../jose/jaxrs/JwsWriterInterceptor.java        |  4 ++
 .../cxf/rs/security/jose/jwe/JweUtils.java      | 50 +++++++++-----
 .../cxf/rs/security/jose/jwk/JwkUtils.java      | 62 ++++++++++++++++++
 .../cxf/rs/security/jose/jws/JwsUtils.java      | 22 +++++--
 .../utils/crypto/JwtAccessTokenUtils.java       | 68 ++++++++++++++------
 10 files changed, 184 insertions(+), 46 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
index c58fe7e..a362f76 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
@@ -22,6 +22,7 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 
 import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
@@ -34,6 +35,9 @@ import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
 public class JweContainerRequestFilter extends AbstractJweDecryptingFilter implements ContainerRequestFilter
{
     @Override
     public void filter(ContainerRequestContext context) throws IOException {
+        if (HttpMethod.GET.equals(context.getMethod())) {
+            return;
+        }
         JweDecryptionOutput out = decrypt(context.getEntityStream());
         byte[] bytes = out.getContent();
         context.setEntityStream(new ByteArrayInputStream(bytes));
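Review bot: The early return for `GET` at the top of `filter()` lets such a request through with no decryption, and the same guard added to `JwsContainerRequestFilter` and `JwsJsonContainerRequestFilter` lets it through with no signature verification. Where these filters are the only proof that a request came from a key holder, GET resources are now outside that protection. The same would apply to any request whose method is changed after the filters run; the `PreMatching` import suggests they are pre-matching, though the annotation is not in the hunk. The guard should say so in a comment, e.g. `// GET has no entity to decrypt; GET resources are NOT protected by this filter`. Other body-less methods (HEAD, DELETE without a payload) still reach `decrypt()` with an empty stream and may deserve the same treatment; the body of `filter()` continues outside the hunk.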

http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index 9ae670e..73a749b 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -54,7 +54,10 @@ public class JweWriterInterceptor implements WriterInterceptor {
     private JoseHeadersWriter writer = new JoseHeadersReaderWriter();
     @Override
     public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException
{
-        
+        if (ctx.getEntity() == null) {
+            ctx.proceed();
+            return;
+        }
         OutputStream actualOs = ctx.getOutputStream();
         
         JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider();
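Review bot: The null-entity guard at the top of `aroundWriteTo()` sends the response on without a JWE wrapper, and the intent is not recorded; the same guard is added to `JwsJsonWriterInterceptor` and `JwsWriterInterceptor`. A one-line comment would make it explicit: `// no entity: nothing to encrypt, pass the empty response through unchanged`. Clients that expect every reply from a protected endpoint to be JOSE-wrapped then know an empty body is a valid unprotected reply. The method body continues outside the hunk.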

http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
index de736f0..e3b4ba4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
@@ -22,6 +22,7 @@ import java.io.ByteArrayInputStream;
 import java.io.IOException;
 
 import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
@@ -37,7 +38,9 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 public class JwsContainerRequestFilter extends AbstractJwsReaderProvider implements ContainerRequestFilter
{
     @Override
     public void filter(ContainerRequestContext context) throws IOException {
-        
+        if (HttpMethod.GET.equals(context.getMethod())) {
+            return;
+        }
         JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
         JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
         if (!p.verifySignatureWith(theSigVerifier)) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
index 93cf0eb..7512536 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonContainerRequestFilter.java
@@ -23,6 +23,7 @@ import java.io.IOException;
 import java.util.List;
 
 import javax.annotation.Priority;
+import javax.ws.rs.HttpMethod;
 import javax.ws.rs.container.ContainerRequestContext;
 import javax.ws.rs.container.ContainerRequestFilter;
 import javax.ws.rs.container.PreMatching;
@@ -39,7 +40,9 @@ import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
 public class JwsJsonContainerRequestFilter extends AbstractJwsJsonReaderProvider implements
ContainerRequestFilter {
     @Override
     public void filter(ContainerRequestContext context) throws IOException {
-        
+        if (HttpMethod.GET.equals(context.getMethod())) {
+            return;
+        }
         List<JwsSignatureVerifier> theSigVerifiers = getInitializedSigVerifiers();
         JwsJsonConsumer p = new JwsJsonConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
index 1417cf0..443a738 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJsonWriterInterceptor.java
@@ -47,7 +47,10 @@ public class JwsJsonWriterInterceptor extends AbstractJwsJsonWriterProvider
impl
     private boolean useJwsOutputStream;
     @Override
     public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException
{
-        
+        if (ctx.getEntity() == null) {
+            ctx.proceed();
+            return;
+        }
         List<JwsSignatureProvider> sigProviders = getInitializedSigProviders();
         OutputStream actualOs = ctx.getOutputStream();
         if (useJwsOutputStream) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
index 5a42b8d..36850c4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
@@ -48,6 +48,10 @@ public class JwsWriterInterceptor extends AbstractJwsWriterProvider implements
W
     private JoseHeadersWriter writer = new JoseHeadersReaderWriter();
     @Override
     public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException
{
+        if (ctx.getEntity() == null) {
+            ctx.proceed();
+            return;
+        }
         JoseHeaders headers = new JoseHeaders();
         JwsSignatureProvider sigProvider = getInitializedSigProvider(headers);
         setContentTypeIfNeeded(headers, ctx);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 6dc2466..628e234 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -40,27 +40,44 @@ public final class JweUtils {
     private JweUtils() {
         
     }
-    public String encrypt(RSAPublicKey key, String keyAlgo, String contentAlgo, byte[] content)
{
+    public static String encrypt(RSAPublicKey key, String keyAlgo, String contentAlgo, byte[]
content) {
+        return encrypt(key, keyAlgo, contentAlgo, content, null);
+    }
+    public static String encrypt(RSAPublicKey key, String keyAlgo, String contentAlgo, byte[]
content, String ct) {
         KeyEncryptionAlgorithm keyEncryptionProvider = getRSAKeyEncryptionAlgorithm(key,
keyAlgo);
-        return encrypt(keyEncryptionProvider, contentAlgo, content);
+        return encrypt(keyEncryptionProvider, contentAlgo, content, ct);
+    }
+    public static String encrypt(SecretKey key, String keyAlgo, String contentAlgo, byte[]
content) {
+        return encrypt(key, keyAlgo, contentAlgo, content, null);
+    }
+    public static String encrypt(SecretKey key, String keyAlgo, String contentAlgo, byte[]
content, String ct) {
+        if (keyAlgo != null) {
+            KeyEncryptionAlgorithm keyEncryptionProvider = getSecretKeyEncryptionAlgorithm(key,
keyAlgo);
+            return encrypt(keyEncryptionProvider, contentAlgo, content, ct);
+        } else {
+            return encryptDirect(key, contentAlgo, content, ct);
+        }
     }
-    public String encrypt(SecretKey key, String keyAlgo, String contentAlgo, byte[] content)
{
-        KeyEncryptionAlgorithm keyEncryptionProvider = getSecretKeyEncryptionAlgorithm(key,
keyAlgo);
-        return encrypt(keyEncryptionProvider, contentAlgo, content);
+    public static String encryptDirect(SecretKey key, String contentAlgo, byte[] content)
{
+        return encryptDirect(key, contentAlgo, content, null);
     }
-    public String encryptDirect(SecretKey key, String contentAlgo, byte[] content) {
+    public static String encryptDirect(SecretKey key, String contentAlgo, byte[] content,
String ct) {
         JweEncryptionProvider jwe = getDirectKeyJweEncryption(key, contentAlgo);
-        return jwe.encrypt(content, null);
+        return jwe.encrypt(content, ct);
     }
-    public byte[] decrypt(RSAPrivateKey key, String keyAlgo, String contentAlgo, String content)
{
+    public static byte[] decrypt(RSAPrivateKey key, String keyAlgo, String contentAlgo, String
content) {
         KeyDecryptionAlgorithm keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(key,
keyAlgo);
         return decrypt(keyDecryptionProvider, contentAlgo, content);
     }
-    public byte[] decrypt(SecretKey key, String keyAlgo, String contentAlgo, String content)
{
-        KeyDecryptionAlgorithm keyDecryptionProvider = getSecretKeyDecryptionAlgorithm(key,
keyAlgo);
-        return decrypt(keyDecryptionProvider, contentAlgo, content);
+    public static byte[] decrypt(SecretKey key, String keyAlgo, String contentAlgo, String
content) {
+        if (keyAlgo != null) {
+            KeyDecryptionAlgorithm keyDecryptionProvider = getSecretKeyDecryptionAlgorithm(key,
keyAlgo);
+            return decrypt(keyDecryptionProvider, contentAlgo, content);
+        } else {
+            return decryptDirect(key, contentAlgo, content);
+        }
     }
-    public byte[] decryptDirect(SecretKey key, String contentAlgo, String content) {
+    public static byte[] decryptDirect(SecretKey key, String contentAlgo, String content)
{
         JweDecryptionProvider jwe = getDirectKeyJweDecryption(key, contentAlgo);
         return jwe.decrypt(content).getContent();
     }
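Review bot: In the `SecretKey` overloads of `encrypt` and `decrypt`, a null `keyAlgo` silently selects direct mode, where the supplied key is handed to the content encryption algorithm itself instead of being used for key encryption. A caller whose algorithm name comes from unset configuration gets that mode without asking for it. Either state it in Javadoc on both overloads, e.g. `@param keyAlgo key encryption algorithm, or null to use {@code key} directly as the content encryption key`, or keep `encryptDirect`/`decryptDirect` as the only way to request it. None of the new public static methods in this hunk has Javadoc.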
@@ -160,10 +177,10 @@ public final class JweUtils {
         }
         return null;
     }
-    public static JweEncryptionProvider getDirectKeyJweEncryption(SecretKey key, String algorithm)
{
+    public static DirectKeyJweEncryption getDirectKeyJweEncryption(SecretKey key, String
algorithm) {
         return new DirectKeyJweEncryption(getContentEncryptionAlgorithm(key, algorithm));
     }
-    public static JweDecryptionProvider getDirectKeyJweDecryption(SecretKey key, String algorithm)
{
+    public static DirectKeyJweDecryption getDirectKeyJweDecryption(SecretKey key, String
algorithm) {
         return new DirectKeyJweDecryption(key, getContentDecryptionAlgorithm(algorithm));
     }
     public static JweEncryptionProvider loadEncryptionProvider(String propLoc, Message m)
{
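Review bot: Narrowing the return types of `getDirectKeyJweEncryption` and `getDirectKeyJweDecryption` from the provider interfaces to the concrete classes changes their method descriptors, so code compiled against the previous signatures would no longer link; on a `3.0.x-fixes` branch that matters if these methods have shipped. The only caller visible in this commit, `JwtAccessTokenUtils`, could keep the interface type instead: `JweDecryptionProvider jweDecryption = JweUtils.getDirectKeyJweDecryption(key, Algorithm.A128GCM.getJwtName());`. The same compatibility concern applies to the public renames in `JwsUtils` (`verifyAndGetContent` to `verify`) and `JwtAccessTokenUtils` (`toAccessToken`, `fromAccessTokenId`), where a deprecated delegate under the old name would keep existing callers working.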
@@ -305,9 +322,10 @@ public final class JweUtils {
     private static String getContentEncryptionAlgo(Properties props, String algo) {
         return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP) : algo;
     }
-    private static String encrypt(KeyEncryptionAlgorithm keyEncryptionProvider, String contentAlgo,
byte[] content) {
+    private static String encrypt(KeyEncryptionAlgorithm keyEncryptionProvider, 
+                                  String contentAlgo, byte[] content, String ct) {
         JweEncryptionProvider jwe = createJweEncryptionProvider(keyEncryptionProvider, contentAlgo,
null);
-        return jwe.encrypt(content, null);
+        return jwe.encrypt(content, ct);
     }
     private static byte[] decrypt(KeyDecryptionAlgorithm keyDecryptionProvider, String contentAlgo,
String content) {
         JweDecryptionProvider jwe = createJweDecryptionProvider(keyDecryptionProvider, contentAlgo);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
index 3ebbbc6..05ade0d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
@@ -40,6 +40,7 @@ import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
+import org.apache.cxf.rs.security.jose.JoseUtils;
 import org.apache.cxf.rs.security.jose.jaxrs.KeyManagementUtils;
 import org.apache.cxf.rs.security.jose.jaxrs.PrivateKeyPasswordProvider;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
@@ -47,10 +48,12 @@ import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
 import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 import org.apache.cxf.rs.security.jose.jwe.KeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyDecryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyEncryptionAlgorithm;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
 public final class JwkUtils {
     public static final String JWK_KEY_STORE_TYPE = "jwk";
@@ -83,6 +86,18 @@ public final class JwkUtils {
     public static String jwkSetToJson(JsonWebKeys jwkSet) {
         return new DefaultJwkReaderWriter().jwkSetToJson(jwkSet);
     }
+    public static String encodeJwkKey(JsonWebKey jwkKey) {
+        return Base64UrlUtility.encode(jwkKeyToJson(jwkKey));
+    }
+    public static String encodeJwkSet(JsonWebKeys jwkSet) {
+        return Base64UrlUtility.encode(jwkSetToJson(jwkSet));
+    }
+    public static JsonWebKey decodeJwkKey(String jwkJson) {
+        return readJwkKey(JoseUtils.decodeToString(jwkJson));
+    }
+    public static JsonWebKeys decodeJwkSet(String jwksJson) {
+        return readJwkSet(JoseUtils.decodeToString(jwksJson));
+    }
     public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) {
         return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter());
     }
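Review bot: `encodeJwkKey` and `encodeJwkSet` only base64url-encode the JSON, so any private or secret key parameters in the JWK stay readable to whoever holds the string, and nothing in the names or the absent Javadoc sets them apart from the `encryptJwk*` methods beside them. Proposed Javadoc: `/** Base64url-encodes the JWK JSON. This is an encoding, not protection; use encryptJwkKey for keys carrying private or secret material. */`, with the equivalent on `encodeJwkSet`. The parameters of `decodeJwkKey(String jwkJson)` and `decodeJwkSet(String jwksJson)` are named as if they held JSON while they hold the encoded form; `encodedJwk` and `encodedJwkSet` would read correctly.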
@@ -92,6 +107,17 @@ public final class JwkUtils {
     public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter
writer) {
         return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkSetToJson(jwkSet)), "jwk-set+json");
     }
+    public static String encryptJwkSet(JsonWebKeys jwkSet, RSAPublicKey key, String keyAlgo,
String contentAlgo) {
+        return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkSetToJson(jwkSet)),
+                                "jwk-set+json");
+    }
+    public static String signJwkSet(JsonWebKeys jwkSet, RSAPrivateKey key, String algo) {
+        return JwsUtils.sign(key, algo, jwkSetToJson(jwkSet), "jwk-set+json");
+    }
+    public static String encryptJwkSet(JsonWebKeys jwkSet, SecretKey key, String keyAlgo,
String contentAlgo) {
+        return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkSetToJson(jwkSet)),
+                                "jwk-set+json");
+    }
     public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) {
         return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter());
     }
@@ -101,6 +127,15 @@ public final class JwkUtils {
     public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe,
JwkReaderWriter reader) {
         return reader.jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
     }
+    public static JsonWebKeys decryptJwkSet(RSAPrivateKey key, String keyAlgo, String ctAlgo,
String jsonJwkSet) {
+        return readJwkSet(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwkSet)));
+    }
+    public static JsonWebKeys verifyJwkSet(RSAPublicKey key, String keyAlgo, String jsonJwk)
{
+        return readJwkSet(JwsUtils.verify(key, keyAlgo, jsonJwk));
+    }
+    public static JsonWebKeys decryptJwkSet(SecretKey key, String keyAlgo, String ctAlgo,
String jsonJwkSet) {
+        return readJwkSet(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwkSet)));
+    }
     public static JsonWebKeys decryptJwkSet(InputStream is, char[] password) throws IOException
{
         return decryptJwkSet(is, password, new DefaultJwkReaderWriter());
     }
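Review bot: The new `decryptJwkSet` and `verifyJwkSet` overloads pass whatever payload comes back straight to `readJwkSet`; the `jwk-set+json` content type written by the matching `encryptJwkSet`/`signJwkSet` overloads is never compared, and cannot be here, since `JweUtils.decrypt` returns only bytes and `JwsUtils.verify` only the payload string. The same holds for the `decryptJwkKey`/`verifyJwkKey` overloads in the next hunk with `jwk+json`. If the header is meant to separate key material from other content protected under the same key, the check belongs on this read path; otherwise a comment such as `// cty is informational only and is not validated on read` would make that explicit. In `verifyJwkSet` the parameter `keyAlgo` is a signature algorithm and `jsonJwk` is a compact JWS, so `algo` and `jwsCompact` would be more accurate names.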
@@ -121,12 +156,32 @@ public final class JwkUtils {
     public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter
writer) {
         return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkToJson(jwkKey)), "jwk+json");
     }
+    public static String encryptJwkKey(JsonWebKey jwkKey, RSAPublicKey key, String keyAlgo,
String contentAlgo) {
+        return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkKeyToJson(jwkKey)),
+                                "jwk+json");
+    }
+    public static String encryptJwkKey(JsonWebKey jwkKey, SecretKey key, String keyAlgo,
String contentAlgo) {
+        return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkKeyToJson(jwkKey)),
+                                "jwk+json");
+    }
+    public static String signJwkKey(JsonWebKey jwkKey, RSAPrivateKey key, String algo) {
+        return JwsUtils.sign(key, algo, jwkKeyToJson(jwkKey), "jwk+json");
+    }
     public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) {
         return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter());
     }
     public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password, JwkReaderWriter
reader) {
         return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password), reader);
     }
+    public static JsonWebKey decryptJwkKey(RSAPrivateKey key, String keyAlgo, String ctAlgo,
String jsonJwk) {
+        return readJwkKey(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwk)));
+    }
+    public static JsonWebKey verifyJwkKey(RSAPublicKey key, String keyAlgo, String jsonJwk)
{
+        return readJwkKey(JwsUtils.verify(key, keyAlgo, jsonJwk));
+    }
+    public static JsonWebKey decryptJwkKey(SecretKey key, String keyAlgo, String ctAlgo,
String jsonJwk) {
+        return readJwkKey(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwk)));
+    }
     public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe,
JwkReaderWriter reader) {
         return reader.jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
     }
@@ -353,4 +408,11 @@ public final class JwkUtils {
         jwk.setProperty(JsonWebKey.RSA_MODULUS, encodedModulus);
         return jwk;
     }
+    private static String toString(byte[] bytes) {
+        try {
+            return new String(bytes, "UTF-8");
+        } catch (Exception ex) {
+            throw new RuntimeException(ex);
+        }
+    }
 }
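Review bot: `toString(byte[])` catches `Exception`, so a null array from a caller surfaces as a `RuntimeException` wrapping a `NullPointerException` rather than as the encoding failure the block is written for. Catching only the checked exception keeps the two apart: `} catch (UnsupportedEncodingException ex) {` (needs the `java.io.UnsupportedEncodingException` import). A name such as `toUtf8String` would also avoid a static overload of `toString`.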

http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
index aa59142..9e2edf0 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsUtils.java
@@ -43,16 +43,22 @@ public final class JwsUtils {
         
     }
     public static String sign(RSAPrivateKey key, String algo, String content) {
-        return sign(getRSAKeySignatureProvider(key, algo), content);
+        return sign(key, algo, content, null);
+    }
+    public static String sign(RSAPrivateKey key, String algo, String content, String ct)
{
+        return sign(getRSAKeySignatureProvider(key, algo), content, ct);
     }
     public static String sign(byte[] key, String algo, String content) {
-        return sign(getHmacSignatureProvider(key, algo), content);
+        return sign(key, algo, content, null);
+    }
+    public static String sign(byte[] key, String algo, String content, String ct) {
+        return sign(getHmacSignatureProvider(key, algo), content, ct);
     }
-    public static String verifyAndGetContent(RSAPublicKey key, String algo, String content)
{
+    public static String verify(RSAPublicKey key, String algo, String content) {
         JwsCompactConsumer jws = verify(getRSAKeySignatureVerifier(key, algo), content);
         return jws.getDecodedJwsPayload();
     }
-    public static String verifyAndGetContent(byte[] key, String algo, String content) {
+    public static String verify(byte[] key, String algo, String content) {
         JwsCompactConsumer jws = verify(getHmacSignatureVerifier(key, algo), content);
         return jws.getDecodedJwsPayload();
     }
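Review bot: After the rename, the public `verify(RSAPublicKey, ...)` and `verify(byte[], ...)` return the decoded payload, while the private `verify(JwsSignatureVerifier, String)` they call returns a `JwsCompactConsumer`. What happens on a signature mismatch is decided in that private method, most of which is outside this hunk. A caller reading only these signatures cannot tell whether a failed check throws or still yields a payload. Javadoc on both public overloads should state that the return value is the payload of a successfully verified JWS and name the exception raised otherwise. The new `sign(..., String ct)` overloads should likewise document that a null `ct` leaves the content type header unset.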
@@ -229,8 +235,12 @@ public final class JwsUtils {
         }
         return jws;
     }
-    private static String sign(JwsSignatureProvider jwsSig, String content) {
-        JwsCompactProducer jws = new JwsCompactProducer(content);
+    private static String sign(JwsSignatureProvider jwsSig, String content, String ct) {
+        JoseHeaders headers = new JoseHeaders();
+        if (ct != null) {
+            headers.setContentType(ct);
+        }
+        JwsCompactProducer jws = new JwsCompactProducer(headers, content);
         jws.signWith(jwsSig);
         return jws.getSignedEncodedJws();
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f912154d/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java
index fd97257..84be13a 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/crypto/JwtAccessTokenUtils.java
@@ -18,22 +18,25 @@
  */
 package org.apache.cxf.rs.security.oauth2.utils.crypto;
 
+import java.security.interfaces.RSAPrivateKey;
+import java.security.interfaces.RSAPublicKey;
+
 import javax.crypto.SecretKey;
 
 import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.rs.security.jose.JoseConstants;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesGcmContentDecryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesGcmContentEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.ContentEncryptionAlgorithm;
 import org.apache.cxf.rs.security.jose.jwe.DirectKeyJweDecryption;
-import org.apache.cxf.rs.security.jose.jwe.DirectKeyJweEncryption;
 import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
 import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
 import org.apache.cxf.rs.security.jose.jws.JwsSignature;
 import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
+import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 import org.apache.cxf.rs.security.jose.jwt.JwtToken;
 import org.apache.cxf.rs.security.oauth2.common.Client;
 import org.apache.cxf.rs.security.oauth2.common.ServerAccessToken;
@@ -43,23 +46,25 @@ public final class JwtAccessTokenUtils {
     private JwtAccessTokenUtils() {
         
     }
-    
-    public static ServerAccessToken toAccessToken(JwtToken jwt, 
+    public static ServerAccessToken encryptToAccessToken(JwtToken jwt, 
                                                   Client client,
                                                   SecretKey key) {
-        ContentEncryptionAlgorithm contentEncryption = 
-            new AesGcmContentEncryptionAlgorithm(key, null, Algorithm.A128GCM.getJwtName());
-        JweEncryptionProvider jweEncryption = new DirectKeyJweEncryption(contentEncryption);
-        return toAccessToken(jwt, client, jweEncryption);
+        JweEncryptionProvider jweEncryption = 
+            JweUtils.getDirectKeyJweEncryption(key, Algorithm.A128GCM.getJwtName());
+        return encryptToAccessToken(jwt, client, jweEncryption);
         
     }
-    
-    public static ServerAccessToken toAccessToken(JwtToken jwt, 
+    public static ServerAccessToken encryptToAccessToken(JwtToken jwt, 
                                                   Client client,
                                                   JweEncryptionProvider jweEncryption) {
         String jwtString = new JwsJwtCompactProducer(jwt)
                                .signWith(new NoneSignatureProvider());
         String tokenId = jweEncryption.encrypt(getBytes(jwtString), null);
+        return toAccessToken(jwt, client, tokenId);
+    }
+    private static ServerAccessToken toAccessToken(JwtToken jwt, 
+                                                   Client client,
+                                                   String tokenId) {
         Long issuedAt = jwt.getClaims().getIssuedAt();
         Long notBefore = jwt.getClaims().getNotBefore();
         if (issuedAt == null) {
@@ -72,21 +77,44 @@ public final class JwtAccessTokenUtils {
         } else {
             expiresIn = notBefore - issuedAt;
         }
-        
+       
         return new BearerAccessToken(client, tokenId, issuedAt, expiresIn);
-        
     }
-    public static JwtToken fromAccessTokenId(String tokenId, SecretKey key) {
-        DirectKeyJweDecryption jweDecryption = 
-            new DirectKeyJweDecryption(key, 
-                new AesGcmContentDecryptionAlgorithm(Algorithm.A128GCM.getJwtName()));
-        return fromAccessTokenId(tokenId, jweDecryption);
+    public static JwtToken decryptFromfromAccessToken(String tokenId, SecretKey key) {
+        DirectKeyJweDecryption jweDecryption = JweUtils.getDirectKeyJweDecryption(key, Algorithm.A128GCM.getJwtName());
+        return decryptFromAccessToken(tokenId, jweDecryption);
     }
-    public static JwtToken fromAccessTokenId(String tokenId, JweDecryptionProvider jweDecryption)
{
+    public static JwtToken decryptFromAccessToken(String tokenId, JweDecryptionProvider jweDecryption)
{
         String decrypted = jweDecryption.decrypt(tokenId).getContentText();
         JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(decrypted);
         return consumer.getJwtToken();
     }
+    public static ServerAccessToken signToAccessToken(JwtToken jwt, 
+                                                      Client client,
+                                                      RSAPrivateKey key) {
+        JwsSignatureProvider jws = 
+            JwsUtils.getRSAKeySignatureProvider(key, JoseConstants.RS_SHA_256_ALGO);
+        return signToAccessToken(jwt, client, jws);
+       
+    }
+    public static ServerAccessToken signToAccessToken(JwtToken jwt, 
+                                                      Client client,
+                                                      JwsSignatureProvider jws) {
+        String jwtString = new JwsJwtCompactProducer(jwt).signWith(jws);
+        return toAccessToken(jwt, client, jwtString);
+    }
+    public static JwtToken verifyAccessToken(String tokenId, RSAPublicKey key) {
+        JwsSignatureVerifier jws = JwsUtils.getRSAKeySignatureVerifier(key, JoseConstants.RS_SHA_256_ALGO);
+        return verifyAccessToken(tokenId, jws);
+    }
+    public static JwtToken verifyAccessToken(String tokenId, JwsSignatureVerifier jws) {
+        JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(tokenId);
+        if (consumer.verifySignatureWith(jws)) {
+            return consumer.getJwtToken();
+        } else {
+            throw new SecurityException();
+        }
+    }
     private static class NoneSignatureProvider implements JwsSignatureProvider {
 
         @Override
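Review bot: `verifyAccessToken(String, JwsSignatureVerifier)` returns the token as soon as the signature checks out; nothing in the lines shown looks at the expiry or not-before claims, so unless callers do that themselves a correctly signed but expired token is accepted. The Javadoc should say that only the signature is verified, and the failure path should carry a message, e.g. `throw new SecurityException("JWT access token signature is invalid");`. `signToAccessToken` uses the signed JWT itself as the token id, so its claims are readable by whoever holds the token, unlike the `encryptToAccessToken` path; that difference is worth a comment. The new public name `decryptFromfromAccessToken` has a doubled "from", while its sibling is `decryptFromAccessToken`. `NoneSignatureProvider` continues outside the hunk.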

