Return-Path: X-Original-To: apmail-cxf-commits-archive@www.apache.org Delivered-To: apmail-cxf-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 91B4217980 for ; Thu, 6 Nov 2014 17:06:27 +0000 (UTC) Received: (qmail 7387 invoked by uid 500); 6 Nov 2014 17:06:27 -0000 Delivered-To: apmail-cxf-commits-archive@cxf.apache.org Received: (qmail 7326 invoked by uid 500); 6 Nov 2014 17:06:27 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 7317 invoked by uid 99); 6 Nov 2014 17:06:27 -0000 Received: from tyr.zones.apache.org (HELO tyr.zones.apache.org) (140.211.11.114) by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 06 Nov 2014 17:06:27 +0000 Received: by tyr.zones.apache.org (Postfix, from userid 65534) id 316648BC04C; Thu, 6 Nov 2014 17:06:27 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <98df5dbd2a8249938a4ad8e226798940@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: git commit: Adding more JWE utilities Date: Thu, 6 Nov 2014 17:06:27 +0000 (UTC) Repository: cxf Updated Branches: refs/heads/master a7c6e78b4 -> a4ed944b9 Adding more JWE utilities Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/a4ed944b Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/a4ed944b Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/a4ed944b Branch: refs/heads/master Commit: a4ed944b94e173828255f989a7ced0da64ef707c Parents: a7c6e78 Author: Sergey Beryozkin Authored: Thu Nov 6 17:06:10 2014 +0000 Committer: Sergey Beryozkin Committed: Thu Nov 6 17:06:10 2014 +0000 ---------------------------------------------------------------------- .../cxf/rs/security/jose/jwa/Algorithm.java | 11 +- .../security/jose/jwe/JweCompactConsumer.java | 3 +- .../cxf/rs/security/jose/jwe/JweUtils.java | 230 ++++++++++++++----- .../cxf/rs/security/jose/jwk/JwkUtils.java | 113 ++++----- .../oauth2/client/OAuthClientUtils.java | 11 + 5 files changed, 250 insertions(+), 118 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/a4ed944b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java index 5b15866..d816d5a 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java @@ -213,6 +213,9 @@ public enum Algorithm { } return javaName; } + public static boolean isRsa(String algo) { + return isRsaOaep(algo) || isRsaShaSign(algo); + } public static boolean isRsaOaep(String algo) { return RSA_OAEP_CEK_SET.contains(algo); } @@ -231,7 +234,13 @@ public enum Algorithm { public static boolean isHmacSign(String algo) { return HMAC_SIGN_SET.contains(algo); } - + public static boolean isOctet(String algo) { + return isHmacSign(algo) + || isAesCbcHmac(algo) + || isAesGcm(algo) + || isAesGcmKeyWrap(algo) + || isAesKeyWrap(algo); + } public static boolean isRsaShaSign(String algo) { return RSA_SHA_SIGN_SET.contains(algo); } http://git-wip-us.apache.org/repos/asf/cxf/blob/a4ed944b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java index ab4c9b5..5862072 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java @@ -26,7 +26,6 @@ import org.apache.cxf.common.util.Base64UrlUtility; import org.apache.cxf.rs.security.jose.JoseHeaders; import org.apache.cxf.rs.security.jose.JoseHeadersReader; import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter; -import org.apache.cxf.rs.security.jose.jws.JwsUtils; public class JweCompactConsumer { @@ -115,6 +114,6 @@ public class JweCompactConsumer { } } public boolean validateCriticalHeaders() { - return JwsUtils.validateCriticalHeaders(getJweHeaders()); + return JweUtils.validateCriticalHeaders(getJweHeaders()); } } http://git-wip-us.apache.org/repos/asf/cxf/blob/a4ed944b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java index 836a284..6dc2466 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java @@ -40,9 +40,29 @@ public final class JweUtils { private JweUtils() { } - public static boolean validatecriticalheaders(JoseHeaders headers) { - //TODO: Validate JWE specific constraints - return JoseUtils.validateCriticalHeaders(headers); + public String encrypt(RSAPublicKey key, String keyAlgo, String contentAlgo, byte[] content) { + KeyEncryptionAlgorithm keyEncryptionProvider = getRSAKeyEncryptionAlgorithm(key, keyAlgo); + return encrypt(keyEncryptionProvider, contentAlgo, content); + } + public String encrypt(SecretKey key, String keyAlgo, String contentAlgo, byte[] content) { + KeyEncryptionAlgorithm keyEncryptionProvider = getSecretKeyEncryptionAlgorithm(key, keyAlgo); + return encrypt(keyEncryptionProvider, contentAlgo, content); + } + public String encryptDirect(SecretKey key, String contentAlgo, byte[] content) { + JweEncryptionProvider jwe = getDirectKeyJweEncryption(key, contentAlgo); + return jwe.encrypt(content, null); + } + public byte[] decrypt(RSAPrivateKey key, String keyAlgo, String contentAlgo, String content) { + KeyDecryptionAlgorithm keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(key, keyAlgo); + return decrypt(keyDecryptionProvider, contentAlgo, content); + } + public byte[] decrypt(SecretKey key, String keyAlgo, String contentAlgo, String content) { + KeyDecryptionAlgorithm keyDecryptionProvider = getSecretKeyDecryptionAlgorithm(key, keyAlgo); + return decrypt(keyDecryptionProvider, contentAlgo, content); + } + public byte[] decryptDirect(SecretKey key, String contentAlgo, String content) { + JweDecryptionProvider jwe = getDirectKeyJweDecryption(key, contentAlgo); + return jwe.decrypt(content).getContent(); } public static KeyEncryptionAlgorithm getKeyEncryptionAlgorithm(JsonWebKey jwk) { return getKeyEncryptionAlgorithm(jwk, null); @@ -51,20 +71,27 @@ public final class JweUtils { String keyEncryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm(); KeyEncryptionAlgorithm keyEncryptionProvider = null; if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { - keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(JwkUtils.toRSAPublicKey(jwk), - keyEncryptionAlgo); + keyEncryptionProvider = getRSAKeyEncryptionAlgorithm(JwkUtils.toRSAPublicKey(jwk), + keyEncryptionAlgo); } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) { - SecretKey key = JwkUtils.toSecretKey(jwk); - if (Algorithm.isAesKeyWrap(keyEncryptionAlgo)) { - keyEncryptionProvider = new AesWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo); - } else if (Algorithm.isAesGcmKeyWrap(keyEncryptionAlgo)) { - keyEncryptionProvider = new AesGcmWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo); - } + keyEncryptionProvider = getSecretKeyEncryptionAlgorithm(JwkUtils.toSecretKey(jwk), + keyEncryptionAlgo); } else { // TODO: support elliptic curve keys } return keyEncryptionProvider; } + public static KeyEncryptionAlgorithm getRSAKeyEncryptionAlgorithm(RSAPublicKey key, String algo) { + return new RSAOaepKeyEncryptionAlgorithm(key, algo); + } + public static KeyEncryptionAlgorithm getSecretKeyEncryptionAlgorithm(SecretKey key, String algo) { + if (Algorithm.isAesKeyWrap(algo)) { + return new AesWrapKeyEncryptionAlgorithm(key, algo); + } else if (Algorithm.isAesGcmKeyWrap(algo)) { + return new AesGcmWrapKeyEncryptionAlgorithm(key, algo); + } + return null; + } public static KeyDecryptionAlgorithm getKeyDecryptionAlgorithm(JsonWebKey jwk) { return getKeyDecryptionAlgorithm(jwk, null); } @@ -72,20 +99,27 @@ public final class JweUtils { String keyEncryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm(); KeyDecryptionAlgorithm keyDecryptionProvider = null; if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { - keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk), - keyEncryptionAlgo); + keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk), + keyEncryptionAlgo); } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) { - SecretKey key = JwkUtils.toSecretKey(jwk); - if (Algorithm.isAesKeyWrap(jwk.getAlgorithm())) { - keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key, keyEncryptionAlgo); - } else if (Algorithm.isAesGcmKeyWrap(jwk.getAlgorithm())) { - keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key, keyEncryptionAlgo); - } + keyDecryptionProvider = getSecretKeyDecryptionAlgorithm(JwkUtils.toSecretKey(jwk), + keyEncryptionAlgo); } else { // TODO: support elliptic curve keys } return keyDecryptionProvider; } + public static KeyDecryptionAlgorithm getRSAKeyDecryptionAlgorithm(RSAPrivateKey key, String algo) { + return new RSAOaepKeyDecryptionAlgorithm(key, algo); + } + public static KeyDecryptionAlgorithm getSecretKeyDecryptionAlgorithm(SecretKey key, String algo) { + if (Algorithm.isAesKeyWrap(algo)) { + return new AesWrapKeyDecryptionAlgorithm(key, algo); + } else if (Algorithm.isAesGcmKeyWrap(algo)) { + return new AesGcmWrapKeyDecryptionAlgorithm(key, algo); + } + return null; + } public static ContentEncryptionAlgorithm getContentEncryptionAlgorithm(JsonWebKey jwk) { return getContentEncryptionAlgorithm(jwk, null); } @@ -93,13 +127,29 @@ public final class JweUtils { String ctEncryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm(); ContentEncryptionAlgorithm contentEncryptionProvider = null; if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) { - SecretKey key = JwkUtils.toSecretKey(jwk); - if (Algorithm.isAesGcm(ctEncryptionAlgo)) { - contentEncryptionProvider = new AesGcmContentEncryptionAlgorithm(key, null, ctEncryptionAlgo); - } + return getContentEncryptionAlgorithm(JwkUtils.toSecretKey(jwk), + ctEncryptionAlgo); } return contentEncryptionProvider; } + public static ContentEncryptionAlgorithm getContentEncryptionAlgorithm(SecretKey key, String algorithm) { + if (Algorithm.isAesGcm(algorithm)) { + return new AesGcmContentEncryptionAlgorithm(key, null, algorithm); + } + return null; + } + public static ContentEncryptionAlgorithm getContentEncryptionAlgorithm(String algorithm) { + if (Algorithm.isAesGcm(algorithm)) { + return new AesGcmContentEncryptionAlgorithm(algorithm); + } + return null; + } + public static ContentDecryptionAlgorithm getContentDecryptionAlgorithm(String algorithm) { + if (Algorithm.isAesGcm(algorithm)) { + return new AesGcmContentDecryptionAlgorithm(algorithm); + } + return null; + } public static SecretKey getContentDecryptionSecretKey(JsonWebKey jwk) { return getContentDecryptionSecretKey(jwk, null); } @@ -110,6 +160,12 @@ public final class JweUtils { } return null; } + public static JweEncryptionProvider getDirectKeyJweEncryption(SecretKey key, String algorithm) { + return new DirectKeyJweEncryption(getContentEncryptionAlgorithm(key, algorithm)); + } + public static JweDecryptionProvider getDirectKeyJweDecryption(SecretKey key, String algorithm) { + return new DirectKeyJweDecryption(key, getContentDecryptionAlgorithm(algorithm)); + } public static JweEncryptionProvider loadEncryptionProvider(String propLoc, Message m) { KeyEncryptionAlgorithm keyEncryptionProvider = null; String keyEncryptionAlgo = null; @@ -127,38 +183,20 @@ public final class JweUtils { keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm()); if ("direct".equals(keyEncryptionAlgo)) { contentEncryptionAlgo = getContentEncryptionAlgo(props, jwk.getAlgorithm()); - ctEncryptionProvider = JweUtils.getContentEncryptionAlgorithm(jwk, contentEncryptionAlgo); + ctEncryptionProvider = getContentEncryptionAlgorithm(jwk, contentEncryptionAlgo); } else { - keyEncryptionProvider = JweUtils.getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo); + keyEncryptionProvider = getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo); } } else { - keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm( + keyEncryptionProvider = getRSAKeyEncryptionAlgorithm( (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props), getKeyEncryptionAlgo(props, keyEncryptionAlgo)); } - if (keyEncryptionProvider == null && ctEncryptionProvider == null) { - throw new SecurityException(); - } - - - JweHeaders headers = new JweHeaders(getKeyEncryptionAlgo(props, keyEncryptionAlgo), - contentEncryptionAlgo); - String compression = props.getProperty(JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP); - if (compression != null) { - headers.setZipAlgorithm(compression); - } - if (keyEncryptionProvider != null) { - if (Algorithm.isAesCbcHmac(contentEncryptionAlgo)) { - return new AesCbcHmacJweEncryption(contentEncryptionAlgo, keyEncryptionProvider); - } else { - return new WrappedKeyJweEncryption(headers, - keyEncryptionProvider, - new AesGcmContentEncryptionAlgorithm(contentEncryptionAlgo)); - } - } else { - return new DirectKeyJweEncryption(ctEncryptionProvider); - } + return createJweEncryptionProvider(keyEncryptionProvider, + ctEncryptionProvider, + contentEncryptionAlgo, + props.getProperty(JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP)); } public static JweDecryptionProvider loadDecryptionProvider(String propLoc, Message m) { KeyDecryptionAlgorithm keyDecryptionProvider = null; @@ -170,33 +208,95 @@ public final class JweUtils { } String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP); SecretKey ctDecryptionKey = null; + String keyEncryptionAlgo = getKeyEncryptionAlgo(props, null); if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) { JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT); - String keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm()); + keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm()); if ("direct".equals(keyEncryptionAlgo)) { contentEncryptionAlgo = getContentEncryptionAlgo(props, contentEncryptionAlgo); - ctDecryptionKey = JweUtils.getContentDecryptionSecretKey(jwk, contentEncryptionAlgo); + ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentEncryptionAlgo); } else { - keyDecryptionProvider = JweUtils.getKeyDecryptionAlgorithm(jwk, keyEncryptionAlgo); + keyDecryptionProvider = getKeyDecryptionAlgorithm(jwk, keyEncryptionAlgo); } } else { - keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm( + keyDecryptionProvider = getRSAKeyDecryptionAlgorithm( (RSAPrivateKey)KeyManagementUtils.loadPrivateKey( - m, props, KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER)); + m, props, KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER), keyEncryptionAlgo); + } + return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, contentEncryptionAlgo); + } + public static JweEncryptionProvider createJweEncryptionProvider(KeyEncryptionAlgorithm keyEncryptionProvider, + String contentEncryptionAlgo, + String compression) { + JweHeaders headers = + prepareJweHeaders(keyEncryptionProvider != null ? keyEncryptionProvider.getAlgorithm() : null, + contentEncryptionAlgo, compression); + return createJweEncryptionProvider(keyEncryptionProvider, headers); + } + public static JweEncryptionProvider createJweEncryptionProvider(KeyEncryptionAlgorithm keyEncryptionProvider, + JweHeaders headers) { + String contentEncryptionAlgo = headers.getContentEncryptionAlgorithm(); + if (Algorithm.isAesCbcHmac(contentEncryptionAlgo)) { + return new AesCbcHmacJweEncryption(headers, keyEncryptionProvider); + } else { + return new WrappedKeyJweEncryption(headers, + keyEncryptionProvider, + getContentEncryptionAlgorithm(contentEncryptionAlgo)); + } + } + public static JweDecryptionProvider createJweDecryptionProvider(KeyDecryptionAlgorithm keyDecryptionProvider, + String contentDecryptionAlgo) { + if (Algorithm.isAesCbcHmac(contentDecryptionAlgo)) { + return new AesCbcHmacJweDecryption(keyDecryptionProvider, contentDecryptionAlgo); + } else { + return new WrappedKeyJweDecryption(keyDecryptionProvider, + getContentDecryptionAlgorithm(contentDecryptionAlgo)); + } + } + + public static boolean validateCriticalHeaders(JoseHeaders headers) { + //TODO: Validate JWE specific constraints + return JoseUtils.validateCriticalHeaders(headers); + } + private static JweHeaders prepareJweHeaders(String keyEncryptionAlgo, + String contentEncryptionAlgo, + String compression) { + JweHeaders headers = new JweHeaders(); + if (keyEncryptionAlgo != null) { + headers.setAlgorithm(keyEncryptionAlgo); + headers.setContentEncryptionAlgorithm(contentEncryptionAlgo); + if (compression != null) { + headers.setZipAlgorithm(compression); + } + } + return headers; + } + private static JweEncryptionProvider createJweEncryptionProvider(KeyEncryptionAlgorithm keyEncryptionProvider, + ContentEncryptionAlgorithm ctEncryptionProvider, + String contentEncryptionAlgo, + String compression) { + if (keyEncryptionProvider == null && ctEncryptionProvider == null) { + throw new SecurityException(); } + JweHeaders headers = + prepareJweHeaders(keyEncryptionProvider != null ? keyEncryptionProvider.getAlgorithm() : null, + contentEncryptionAlgo, compression); + if (keyEncryptionProvider != null) { + return createJweEncryptionProvider(keyEncryptionProvider, headers); + } else { + return new DirectKeyJweEncryption(headers, ctEncryptionProvider); + } + } + private static JweDecryptionProvider createJweDecryptionProvider(KeyDecryptionAlgorithm keyDecryptionProvider, + SecretKey ctDecryptionKey, + String contentDecryptionAlgo) { if (keyDecryptionProvider == null && ctDecryptionKey == null) { throw new SecurityException(); } if (keyDecryptionProvider != null) { - if (Algorithm.isAesCbcHmac(contentEncryptionAlgo)) { - return new AesCbcHmacJweDecryption(keyDecryptionProvider, contentEncryptionAlgo); - } else { - return new WrappedKeyJweDecryption(keyDecryptionProvider, - new AesGcmContentDecryptionAlgorithm(contentEncryptionAlgo)); - } + return createJweDecryptionProvider(keyDecryptionProvider, contentDecryptionAlgo); } else { - return new DirectKeyJweDecryption(ctDecryptionKey, - new AesGcmContentDecryptionAlgorithm(contentEncryptionAlgo)); + return getDirectKeyJweDecryption(ctDecryptionKey, contentDecryptionAlgo); } } private static String getKeyEncryptionAlgo(Properties props, String algo) { @@ -205,4 +305,12 @@ public final class JweUtils { private static String getContentEncryptionAlgo(Properties props, String algo) { return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP) : algo; } + private static String encrypt(KeyEncryptionAlgorithm keyEncryptionProvider, String contentAlgo, byte[] content) { + JweEncryptionProvider jwe = createJweEncryptionProvider(keyEncryptionProvider, contentAlgo, null); + return jwe.encrypt(content, null); + } + private static byte[] decrypt(KeyDecryptionAlgorithm keyDecryptionProvider, String contentAlgo, String content) { + JweDecryptionProvider jwe = createJweDecryptionProvider(keyDecryptionProvider, contentAlgo); + return jwe.decrypt(content).getContent(); + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/a4ed944b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java index 6e4d4b2..3ebbbc6 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java @@ -90,7 +90,7 @@ public final class JwkUtils { return encryptJwkSet(jwkSet, createDefaultEncryption(password), writer); } public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter writer) { - return jwe.encrypt(stringToBytes(writer.jwkSetToJson(jwkSet)), "jwk-set+json"); + return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkSetToJson(jwkSet)), "jwk-set+json"); } public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) { return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter()); @@ -119,7 +119,7 @@ public final class JwkUtils { return encryptJwkKey(jwkKey, createDefaultEncryption(password), writer); } public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter writer) { - return jwe.encrypt(stringToBytes(writer.jwkToJson(jwkKey)), "jwk+json"); + return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkToJson(jwkKey)), "jwk+json"); } public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) { return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter()); @@ -141,15 +141,6 @@ public final class JwkUtils { throws IOException { return reader.jsonToJwk(jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText()); } - private static JweEncryptionProvider createDefaultEncryption(char[] password) { - KeyEncryptionAlgorithm keyEncryption = - new PbesHmacAesWrapKeyEncryptionAlgorithm(password, Algorithm.PBES2_HS256_A128KW.getJwtName()); - return new AesCbcHmacJweEncryption(Algorithm.A128CBC_HS256.getJwtName(), keyEncryption); - } - private static JweDecryptionProvider createDefaultDecryption(char[] password) { - KeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password); - return new AesCbcHmacJweDecryption(keyDecryption); - } public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb) { return loadJwkSet(m, props, cb, new DefaultJwkReaderWriter()); } @@ -246,42 +237,13 @@ public final class JwkUtils { } return null; } - private static String getKeyId(Properties props, String propertyName, String keyOper) { - String kid = props.getProperty(propertyName); - if (kid == null && keyOper != null) { - String keyIdProp = null; - if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT)) { - keyIdProp = propertyName + ".jwe"; - } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN) - || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY)) { - keyIdProp = propertyName + ".jws"; - } - if (keyIdProp != null) { - kid = props.getProperty(keyIdProp); - } - } - return kid; - } - private static PrivateKeyPasswordProvider loadPasswordProvider(Message m, Properties props, String keyOper) { - PrivateKeyPasswordProvider cb = - (PrivateKeyPasswordProvider)m.getContextualProperty(KeyManagementUtils.RSSEC_KEY_PSWD_PROVIDER); - if (cb == null && keyOper != null) { - String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER - : keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) - ? KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null; - if (propName != null) { - cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName); - } - } - return cb; - } public static RSAPublicKey toRSAPublicKey(JsonWebKey jwk) { String encodedModulus = (String)jwk.getProperty(JsonWebKey.RSA_MODULUS); String encodedPublicExponent = (String)jwk.getProperty(JsonWebKey.RSA_PUBLIC_EXP); return CryptoUtils.getRSAPublicKey(encodedModulus, encodedPublicExponent); } - public static JsonWebKey fromRSAPublicKey(RSAPublicKey pk) { - JsonWebKey jwk = prepareRSAJwk(pk.getModulus()); + public static JsonWebKey fromRSAPublicKey(RSAPublicKey pk, String algo) { + JsonWebKey jwk = prepareRSAJwk(pk.getModulus(), algo); String encodedPublicExponent = Base64UrlUtility.encode(pk.getPublicExponent().toByteArray()); jwk.setProperty(JsonWebKey.RSA_PUBLIC_EXP, encodedPublicExponent); return jwk; @@ -308,19 +270,12 @@ public final class JwkUtils { encodedCrtCoefficient); } } - public static JsonWebKey fromRSAPrivateKey(RSAPrivateKey pk) { - JsonWebKey jwk = prepareRSAJwk(pk.getModulus()); + public static JsonWebKey fromRSAPrivateKey(RSAPrivateKey pk, String algo) { + JsonWebKey jwk = prepareRSAJwk(pk.getModulus(), algo); String encodedPrivateExponent = Base64UrlUtility.encode(pk.getPrivateExponent().toByteArray()); jwk.setProperty(JsonWebKey.RSA_PRIVATE_EXP, encodedPrivateExponent); return jwk; } - private static JsonWebKey prepareRSAJwk(BigInteger modulus) { - JsonWebKey jwk = new JsonWebKey(); - jwk.setKeyType(JsonWebKey.KEY_TYPE_RSA); - String encodedModulus = Base64UrlUtility.encode(modulus.toByteArray()); - jwk.setProperty(JsonWebKey.RSA_MODULUS, encodedModulus); - return jwk; - } public static ECPublicKey toECPublicKey(JsonWebKey jwk) { String eCurve = (String)jwk.getProperty(JsonWebKey.EC_CURVE); String encodedXCoord = (String)jwk.getProperty(JsonWebKey.EC_X_COORDINATE); @@ -337,15 +292,65 @@ public final class JwkUtils { return CryptoUtils.createSecretKeySpec((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE), Algorithm.toJavaName(jwk.getAlgorithm())); } - public static JsonWebKey fromSecretKey(SecretKey secretKey) { + public static JsonWebKey fromSecretKey(SecretKey secretKey, String algo) { + if (!Algorithm.isOctet(algo)) { + throw new SecurityException("Invalid algorithm"); + } JsonWebKey jwk = new JsonWebKey(); jwk.setKeyType(JsonWebKey.KEY_TYPE_OCTET); + jwk.setAlgorithm(algo); String encodedSecretKey = Base64UrlUtility.encode(secretKey.getEncoded()); jwk.setProperty(JsonWebKey.OCTET_KEY_VALUE, encodedSecretKey); return jwk; } - private static byte[] stringToBytes(String str) { - return StringUtils.toBytesUTF8(str); + private static String getKeyId(Properties props, String propertyName, String keyOper) { + String kid = props.getProperty(propertyName); + if (kid == null && keyOper != null) { + String keyIdProp = null; + if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT)) { + keyIdProp = propertyName + ".jwe"; + } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN) + || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY)) { + keyIdProp = propertyName + ".jws"; + } + if (keyIdProp != null) { + kid = props.getProperty(keyIdProp); + } + } + return kid; + } + private static PrivateKeyPasswordProvider loadPasswordProvider(Message m, Properties props, String keyOper) { + PrivateKeyPasswordProvider cb = + (PrivateKeyPasswordProvider)m.getContextualProperty(KeyManagementUtils.RSSEC_KEY_PSWD_PROVIDER); + if (cb == null && keyOper != null) { + String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER + : keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) + ? KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null; + if (propName != null) { + cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName); + } + } + return cb; + } + private static JweEncryptionProvider createDefaultEncryption(char[] password) { + KeyEncryptionAlgorithm keyEncryption = + new PbesHmacAesWrapKeyEncryptionAlgorithm(password, Algorithm.PBES2_HS256_A128KW.getJwtName()); + return new AesCbcHmacJweEncryption(Algorithm.A128CBC_HS256.getJwtName(), keyEncryption); + } + private static JweDecryptionProvider createDefaultDecryption(char[] password) { + KeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password); + return new AesCbcHmacJweDecryption(keyDecryption); + } + private static JsonWebKey prepareRSAJwk(BigInteger modulus, String algo) { + if (!Algorithm.isRsa(algo)) { + throw new SecurityException("Invalid algorithm"); + } + JsonWebKey jwk = new JsonWebKey(); + jwk.setKeyType(JsonWebKey.KEY_TYPE_RSA); + jwk.setAlgorithm(algo); + String encodedModulus = Base64UrlUtility.encode(modulus.toByteArray()); + jwk.setProperty(JsonWebKey.RSA_MODULUS, encodedModulus); + return jwk; } } http://git-wip-us.apache.org/repos/asf/cxf/blob/a4ed944b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java index b63de40..19258ac 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/client/OAuthClientUtils.java @@ -27,6 +27,7 @@ import java.util.Map; import javax.ws.rs.ProcessingException; import javax.ws.rs.client.ResponseProcessingException; import javax.ws.rs.core.Form; +import javax.ws.rs.core.HttpHeaders; import javax.ws.rs.core.Response; import javax.ws.rs.core.UriBuilder; @@ -349,6 +350,16 @@ public final class OAuthClientUtils { appendTokenData(sb, accessToken, httpProps); return sb.toString(); } + public static void setAuthorizationHeader(WebClient wc, ClientAccessToken accessToken) { + setAuthorizationHeader(wc, accessToken, null); + } + public static void setAuthorizationHeader(WebClient wc, + ClientAccessToken accessToken, + String httpVerb) { + wc.replaceHeader(HttpHeaders.AUTHORIZATION, + createAuthorizationHeader(accessToken, + new HttpRequestProperties(wc, httpVerb))); + } private static void appendTokenData(StringBuilder sb, ClientAccessToken token,