cxf-commits mailing list archives

From serg...@apache.org
Subject cxf git commit: [CXF-6085] Making sure JweJsonProducer does not deal with crypto calculations
Date Fri, 13 Feb 2015 13:41:40 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 7ea458707 -> ab206d52f


[CXF-6085] Making sure JweJsonProducer does not deal with crypto calculations


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/ab206d52
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/ab206d52
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/ab206d52

Branch: refs/heads/3.0.x-fixes
Commit: ab206d52fc6b535f1173c0790146c3530c5fc096
Parents: 7ea4587
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Feb 13 13:39:50 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Feb 13 13:41:21 2015 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/JweWriterInterceptor.java        |  6 +-
 .../jose/jwe/AbstractJweEncryption.java         | 63 ++++++++++-----
 .../jose/jwe/AesCbcHmacJweEncryption.java       | 15 ++--
 .../security/jose/jwe/JweEncryptionInput.java   | 48 ++++++++---
 .../security/jose/jwe/JweEncryptionOutput.java  | 78 ++++++++++++++++++
 .../jose/jwe/JweEncryptionProvider.java         |  2 +-
 .../security/jose/jwe/JweEncryptionState.java   | 63 ---------------
 .../rs/security/jose/jwe/JweJsonProducer.java   | 83 ++++++++------------
 .../security/jose/jwe/JweJsonProducerTest.java  | 22 +++---
 9 files changed, 212 insertions(+), 168 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/ab206d52/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index 7291edd..58cab8e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -36,8 +36,8 @@ import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.rs.security.jose.JoseConstants;
 import org.apache.cxf.rs.security.jose.jwe.JweCompactProducer;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionInput;
+import org.apache.cxf.rs.security.jose.jwe.JweEncryptionOutput;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionState;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
 import org.apache.cxf.rs.security.jose.jwe.JweOutputStream;
 import org.apache.cxf.rs.security.jose.jwe.JweUtils;
@@ -71,8 +71,8 @@ public class JweWriterInterceptor implements WriterInterceptor {
         }
         
         if (useJweOutputStream) {
-            JweEncryptionState encryption = 
-                theEncryptionProvider.createJweEncryptionState(new JweEncryptionInput(jweHeaders));
+            JweEncryptionOutput encryption = 
+                theEncryptionProvider.getEncryptionOutput(new JweEncryptionInput(jweHeaders));
             try {
                 JweCompactProducer.startJweContent(actualOs,
                                                    encryption.getHeaders(), 

http://git-wip-us.apache.org/repos/asf/cxf/blob/ab206d52/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index ac545dc..18fdc5c 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.jose.jwe;
 
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.Arrays;
 
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
@@ -78,22 +79,53 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider
{
     protected byte[] getAAD(String protectedHeaders, byte[] aad) {
         return getContentEncryptionAlgorithm().getAdditionalAuthenticationData(protectedHeaders,
aad);
     }
+    @Override
     public String encrypt(byte[] content, JweHeaders jweHeaders) {
         JweEncryptionInternal state = getInternalState(jweHeaders, null);
         
-        byte[] cipher = CryptoUtils.encryptBytes(content, createCekSecretKey(state), state.keyProps);
-        
-        
-        JweCompactProducer producer = getJweCompactProducer(state, cipher);
+        byte[] encryptedContent = encryptInternal(state, content);
+        byte[] cipher = getActualCipher(encryptedContent);
+        byte[] authTag = getAuthenticationTag(state, encryptedContent);
+        JweCompactProducer producer = new JweCompactProducer(state.protectedHeadersJson,

+                                                             state.jweContentEncryptionKey,
+                                                             state.theIv,
+                                                             cipher,
+                                                             authTag);
         return producer.getJweContent();
     }
-    
-    protected JweCompactProducer getJweCompactProducer(JweEncryptionInternal state, byte[]
cipher) {
-        return new JweCompactProducer(state.theHeaders, 
-                                      state.jweContentEncryptionKey,
+    @Override
+    public JweEncryptionOutput getEncryptionOutput(JweEncryptionInput jweInput) {
+        JweEncryptionInternal state = getInternalState(jweInput.getJweHeaders(), jweInput);
+        Cipher c = null;
+        AuthenticationTagProducer authTagProducer = null;
+        byte[] cipher = null;
+        byte[] authTag = null;
+        if (jweInput.getContent() == null) {
+            c = CryptoUtils.initCipher(createCekSecretKey(state), state.keyProps, 
+                                              Cipher.ENCRYPT_MODE);
+            authTagProducer = getAuthenticationTagProducer(state);
+        } else {
+            byte[] encryptedContent = encryptInternal(state, jweInput.getContent());
+            cipher = getActualCipher(encryptedContent);
+            authTag = getAuthenticationTag(state, encryptedContent);    
+        }
+        return new JweEncryptionOutput(c, 
+                                      state.theHeaders, 
+                                      state.jweContentEncryptionKey, 
                                       state.theIv,
+                                      authTagProducer,
+                                      state.keyProps,
                                       cipher,
-                                      DEFAULT_AUTH_TAG_LENGTH);
+                                      authTag);
+    }
+    protected byte[] encryptInternal(JweEncryptionInternal state, byte[] content) {
+        return CryptoUtils.encryptBytes(content, createCekSecretKey(state), state.keyProps);
+    }
+    protected byte[] getActualCipher(byte[] cipher) {
+        return Arrays.copyOf(cipher, cipher.length - DEFAULT_AUTH_TAG_LENGTH / 8);
+    }
+    protected byte[] getAuthenticationTag(JweEncryptionInternal state, byte[] cipher) {
+        return Arrays.copyOfRange(cipher, cipher.length - DEFAULT_AUTH_TAG_LENGTH / 8, cipher.length);
     }
     @Override
     public String getKeyAlgorithm() {
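Review bot: `getEncryptionOutput` silently switches between two output shapes on `jweInput.getContent() == null` — streaming (`c` and `authTagProducer` set, `cipher`/`authTag` left null) versus one-shot (the reverse) — and nothing in the hunk records that contract for the consumer of `JweEncryptionOutput`; add above the `if`: `// no content: caller streams through the returned Cipher; otherwise encrypt here and hand back ciphertext and tag`. Separately, `getActualCipher` and `getAuthenticationTag` assume the provider output ends with a `DEFAULT_AUTH_TAG_LENGTH / 8` byte tag, and for a shorter array `Arrays.copyOf` fails with `NegativeArraySizeException`; a guard such as `if (cipher.length < DEFAULT_AUTH_TAG_LENGTH / 8) throw new SecurityException();` gives a clearer failure. `encrypt()` now builds the compact producer from `state.protectedHeadersJson` while `getEncryptionOutput` passes `state.theHeaders` to the output object; presumably both are valid overloads, but it is worth confirming the compact and JSON paths bind the same protected header. The local named `cipher` holds ciphertext bytes next to a `Cipher` named `c`, which reads confusingly.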
@@ -106,18 +138,7 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider
{
     protected JoseHeadersReaderWriter getJwtHeadersWriter() {
         return writer;
     }
-    @Override
-    public JweEncryptionState createJweEncryptionState(JweEncryptionInput jweInput) {
-        JweEncryptionInternal state = getInternalState(jweInput.getJweHeaders(), jweInput);
-        Cipher c = CryptoUtils.initCipher(createCekSecretKey(state), state.keyProps, 
-                                          Cipher.ENCRYPT_MODE);
-        return new JweEncryptionState(c, 
-                                      state.theHeaders, 
-                                      state.jweContentEncryptionKey, 
-                                      state.theIv,
-                                      getAuthenticationTagProducer(state),
-                                      state.keyProps.isCompressionSupported());
-    }
+    
     protected AuthenticationTagProducer getAuthenticationTagProducer(JweEncryptionInternal
state) {
         return null;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ab206d52/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index a673540..dc6ab44 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -72,16 +72,13 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
     protected static int getFullCekKeySize(String algoJwt) {
         return AES_CEK_SIZE_MAP.get(algoJwt);
     }
-    
-    protected JweCompactProducer getJweCompactProducer(JweEncryptionInternal state, byte[]
cipher) {
+    protected byte[] getActualCipher(byte[] cipher) {
+        return cipher;
+    }
+    protected byte[] getAuthenticationTag(JweEncryptionInternal state, byte[] cipher) {
         final MacState macState = getInitializedMacState(state);
         macState.mac.update(cipher);
-        byte[] authTag = signAndGetTag(macState);
-        return new JweCompactProducer(macState.headersJson,
-                                      state.jweContentEncryptionKey,
-                                      state.theIv,
-                                      cipher,
-                                      authTag);
+        return signAndGetTag(macState);
     }
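Review bot: `getActualCipher` and `getAuthenticationTag` override the new `AbstractJweEncryption` hooks without `@Override`, while the base class added `@Override` to `encrypt` in the same commit; if the base signatures ever drift these would silently become unrelated methods and the base-class tag slicing would run on CBC output. Add `@Override` to both; the same applies to the `createEncryptionInput` overrides in the `JweJsonProducerTest` anonymous subclasses.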
     
     protected static byte[] signAndGetTag(MacState macState) {
@@ -119,7 +116,6 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
         MacState macState = new MacState();
         macState.mac = mac;
         macState.al = al;
-        macState.headersJson = protectedHeadersJson;
         return macState;
     }
     
@@ -162,7 +158,6 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
     protected static class MacState {
         protected Mac mac;
         private byte[] al;
-        private String headersJson;
     }
     
     private static String validateCekAlgorithm(String cekAlgo) {

http://git-wip-us.apache.org/repos/asf/cxf/blob/ab206d52/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java
index cb07be3..a1336ca 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java
@@ -23,24 +23,36 @@ public class JweEncryptionInput {
     private byte[] cek;
     private byte[] iv;
     private byte[] aad;
+    private byte[] content;
+    public JweEncryptionInput() {
+        
+    }
     public JweEncryptionInput(JweHeaders jweHeaders) {
-        this.jweHeaders = jweHeaders;
+        this(jweHeaders, null);
     }
     public JweEncryptionInput(JweHeaders jweHeaders,
-                              byte[] cek,
-                              byte[] iv) {
-        this(jweHeaders, cek, iv, null);
-        
+                              byte[] content) {
+        this(jweHeaders, content, null);
     }
     public JweEncryptionInput(JweHeaders jweHeaders,
+                              byte[] content,
                               byte[] aad) {
-        this(jweHeaders, null, null, aad);
+        this(jweHeaders, content, aad, null, null);
+        
     }
     public JweEncryptionInput(JweHeaders jweHeaders,
+                              byte[] content,
                               byte[] cek,
-                              byte[] iv,
-                              byte[] aad) {
-        this(jweHeaders);
+                              byte[] iv) {
+        this(jweHeaders, content, null, cek, iv);
+    }
+    public JweEncryptionInput(JweHeaders jweHeaders,
+                              byte[] content,
+                              byte[] aad,
+                              byte[] cek,
+                              byte[] iv) {
+        this.jweHeaders = jweHeaders;
+        this.content = content;
         this.cek = cek;
         this.iv = iv;
         this.aad = aad;
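Review bot: The three- and four-`byte[]` constructors keep their previous shapes but change meaning — `(JweHeaders, byte[], byte[])` was (cek, iv) and is now (content, aad); `(JweHeaders, byte[], byte[], byte[])` was (cek, iv, aad) and is now (content, cek, iv) — so a caller compiled against the old overloads still compiles and silently passes key material as content. Now that setters exist, consider keeping only `(JweHeaders)` and `(JweHeaders, byte[] content)` as positional constructors, or at minimum give each constructor a Javadoc with one `@param` per array saying which byte[] it is. The enclosing class continues outside the hunk.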
@@ -48,13 +60,31 @@ public class JweEncryptionInput {
     public JweHeaders getJweHeaders() {
         return jweHeaders;
     }
+    public void setJweHeaders(JweHeaders jweHeaders) {
+        this.jweHeaders = jweHeaders;
+    }
     public byte[] getCek() {
         return cek;
     }
+    public void setCek(byte[] cek) {
+        this.cek = cek;
+    }
     public byte[] getIv() {
         return iv;
     }
+    public void setIv(byte[] iv) {
+        this.iv = iv;
+    }
     public byte[] getAad() {
         return aad;
     }
+    public void setAad(byte[] aad) {
+        this.aad = aad;
+    }
+    public byte[] getContent() {
+        return content;
+    }
+    public void setContent(byte[] content) {
+        this.content = content;
+    }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/ab206d52/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java
new file mode 100644
index 0000000..918ef5a
--- /dev/null
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionOutput.java
@@ -0,0 +1,78 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import javax.crypto.Cipher;
+
+import org.apache.cxf.common.util.crypto.KeyProperties;
+
+public class JweEncryptionOutput {
+    private Cipher cipher;
+    private JweHeaders headers;
+    private byte[] contentEncryptionKey;
+    private byte[] iv;
+    private AuthenticationTagProducer authTagProducer;
+    private byte[] encryptedContent;
+    private byte[] authTag;
+    private KeyProperties keyProps;
+    
+    //CHECKSTYLE:OFF
+    public JweEncryptionOutput(Cipher cipher, 
+                              JweHeaders headers, 
+                              byte[] contentEncryptionKey, 
+                              byte[] iv, 
+                              AuthenticationTagProducer authTagProducer,
+                              KeyProperties keyProps,
+                              byte[] encryptedContent,
+                              byte[] authTag) {
+    //CHECKSTYLE:ON    
+        this.cipher = cipher;
+        this.headers = headers;
+        this.contentEncryptionKey = contentEncryptionKey;
+        this.iv = iv;
+        this.authTagProducer = authTagProducer;
+        this.keyProps = keyProps;
+        this.encryptedContent = encryptedContent;
+        this.authTag = authTag;
+    }
+    public Cipher getCipher() {
+        return cipher;
+    }
+    public JweHeaders getHeaders() {
+        return headers;
+    }
+    public byte[] getContentEncryptionKey() {
+        return contentEncryptionKey;
+    }
+    public byte[] getIv() {
+        return iv;
+    }
+    public boolean isCompressionSupported() {
+        return keyProps.isCompressionSupported();
+    }
+    public AuthenticationTagProducer getAuthTagProducer() {
+        return authTagProducer;
+    }
+    public byte[] getEncryptedContent() {
+        return encryptedContent;
+    }
+    public byte[] getAuthTag() {
+        return authTag;
+    }
+}
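Review bot: `JweEncryptionOutput` is populated in one of two mutually exclusive shapes and the class says nothing about it: at least in `AbstractJweEncryption`, `cipher` and `authTagProducer` are set only when the provider was asked for a streaming state (input without content), while `encryptedContent` and `authTag` are set only when content was encrypted up front, so a consumer reading the wrong pair gets null. Add a class Javadoc stating the two modes and that the unused pair is null. Also document `getContentEncryptionKey()` as the per-recipient encrypted (wrapped) CEK — `JweJsonProducer` base64url-encodes it straight into the recipient entry and tolerates null only for direct key encryption — and note that the getters return the internal arrays without copying.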

http://git-wip-us.apache.org/repos/asf/cxf/blob/ab206d52/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
index 25b931a..615212b 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
@@ -29,5 +29,5 @@ public interface JweEncryptionProvider extends JweKeyProperties {
      * Prepare JWE state for completing either
      * JWE compact or JSON encryption 
      */
-    JweEncryptionState createJweEncryptionState(JweEncryptionInput jweInput);
+    JweEncryptionOutput getEncryptionOutput(JweEncryptionInput jweInput);
 }
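Review bot: The Javadoc above `getEncryptionOutput` still describes the old `createJweEncryptionState` contract ("Prepare JWE state for completing ..."), but the `AbstractJweEncryption` implementation now also performs the full encryption when `jweInput.getContent()` is non-null. Update it to say that the result carries an initialised `Cipher` (and, where applicable, a tag producer) when the input has no content, and the ciphertext plus authentication tag when it does, with the other pair null.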

http://git-wip-us.apache.org/repos/asf/cxf/blob/ab206d52/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionState.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionState.java
deleted file mode 100644
index 0732250..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionState.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import javax.crypto.Cipher;
-
-public class JweEncryptionState {
-    private Cipher cipher;
-    private JweHeaders headers;
-    private byte[] contentEncryptionKey;
-    private byte[] iv;
-    private boolean compressionSupported;
-    private AuthenticationTagProducer authTagProducer;
-    
-    public JweEncryptionState(Cipher cipher, 
-                              JweHeaders headers, 
-                              byte[] contentEncryptionKey, 
-                              byte[] iv, 
-                              AuthenticationTagProducer authTagProducer,
-                              boolean compressionSupported) {
-        this.cipher = cipher;
-        this.headers = headers;
-        this.contentEncryptionKey = contentEncryptionKey;
-        this.iv = iv;
-        this.authTagProducer = authTagProducer;
-        this.compressionSupported = compressionSupported;
-    }
-    public Cipher getCipher() {
-        return cipher;
-    }
-    public JweHeaders getHeaders() {
-        return headers;
-    }
-    public byte[] getContentEncryptionKey() {
-        return contentEncryptionKey;
-    }
-    public byte[] getIv() {
-        return iv;
-    }
-    public boolean isCompressionSupported() {
-        return compressionSupported;
-    }
-    public AuthenticationTagProducer getAuthTagProducer() {
-        return authTagProducer;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/ab206d52/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
index a53b8fa..4586a0f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
@@ -28,7 +28,6 @@ import java.util.Map;
 import java.util.Set;
 
 import org.apache.cxf.common.util.Base64UrlUtility;
-import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
 
 public class JweJsonProducer {
@@ -75,9 +74,6 @@ public class JweJsonProducer {
             && recipientUnprotected.size() != encryptors.size()) {
             throw new IllegalArgumentException();
         }
-        //TODO: determine the actual cek and iv length based on the algo
-        byte[] cek = generateCek();
-        byte[] iv = generateIv();
         JweHeaders unionHeaders = new JweHeaders();
         if (protectedHeader != null) {
             unionHeaders.asMap().putAll(protectedHeader.asMap());
@@ -94,6 +90,7 @@ public class JweJsonProducer {
         Map<String, Object> jweJsonMap = new LinkedHashMap<String, Object>();
         byte[] cipherText = null;
         byte[] authTag = null;
+        byte[] iv = null;
         for (int i = 0; i < encryptors.size(); i++) {
             JweEncryptionProvider encryptor = encryptors.get(i);
             JweHeaders perRecipientUnprotected = 
@@ -111,49 +108,38 @@ public class JweJsonProducer {
             }
             jsonHeaders.setProtectedHeaders(protectedHeader);
             
-            JweEncryptionInput input = new JweEncryptionInput(jsonHeaders,
-                                                              cek,
-                                                              iv,
-                                                              aad);
+            JweEncryptionInput input = createEncryptionInput(jsonHeaders);
                 
-            JweEncryptionState state = encryptor.createJweEncryptionState(input);
-            try {
-                byte[] currentCipherOutput = state.getCipher().doFinal(content);
-                if (state.getAuthTagProducer() != null) {
-                    cipherText = currentCipherOutput;
-                    state.getAuthTagProducer().update(content, 0, content.length);
-                    authTag = state.getAuthTagProducer().getTag();
-                } else {
-                    byte[] currentCipherText = null;
-                    byte[] currentAuthTag = null;
-                    
-                    final int authTagLengthBits = 128;
-                    final int cipherTextLen = currentCipherOutput.length - authTagLengthBits
/ 8;
-                    currentCipherText = Arrays.copyOf(currentCipherOutput, cipherTextLen);
-                    currentAuthTag = Arrays.copyOfRange(currentCipherOutput, cipherTextLen,

-                                                        cipherTextLen + authTagLengthBits
/ 8);
-                    if (cipherText == null) {
-                        cipherText = currentCipherText;
-                    } else if (!Arrays.equals(cipherText, currentCipherText)) {
-                        throw new SecurityException();
-                    }
-                    if (authTag == null) {
-                        authTag = currentAuthTag;
-                    } else if (!Arrays.equals(authTag, currentAuthTag)) {
-                        throw new SecurityException();
-                    }
-                }
-                
-                byte[] encryptedCek = state.getContentEncryptionKey(); 
-                if (encryptedCek == null && encryptor.getKeyAlgorithm() != null)
{
-                    // can be null only if it is the direct key encryption
-                    throw new SecurityException();
-                }
-                String encodedCek = encryptedCek == null ? null : Base64UrlUtility.encode(encryptedCek);
   
-                entries.add(new JweJsonEncryptionEntry(perRecipientUnprotected, encodedCek));
-            } catch (Exception ex) {
-                throw new SecurityException(ex);
+            JweEncryptionOutput state = encryptor.getEncryptionOutput(input);
+            
+            byte[] currentCipherText = state.getEncryptedContent();
+            byte[] currentAuthTag = state.getAuthTag();
+            byte[] currentIv = state.getIv();
+            if (cipherText == null) {
+                cipherText = currentCipherText;
+            } else if (!Arrays.equals(cipherText, currentCipherText)) {
+                throw new SecurityException();
+            }
+            if (authTag == null) {
+                authTag = currentAuthTag;
+            } else if (!Arrays.equals(authTag, currentAuthTag)) {
+                throw new SecurityException();
+            }
+            if (iv == null) {
+                iv = currentIv;
+            } else if (!Arrays.equals(iv, currentIv)) {
+                throw new SecurityException();
             }
+            
+            
+            byte[] encryptedCek = state.getContentEncryptionKey(); 
+            if (encryptedCek == null && encryptor.getKeyAlgorithm() != null) {
+                // can be null only if it is the direct key encryption
+                throw new SecurityException();
+            }
+            String encodedCek = encryptedCek == null ? null : Base64UrlUtility.encode(encryptedCek);
   
+            entries.add(new JweJsonEncryptionEntry(perRecipientUnprotected, encodedCek));
+            
         }
         if (protectedHeader != null) {
             jweJsonMap.put("protected", 
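Review bot: With the single CEK/IV generation removed in the earlier hunk and `createEncryptionInput` (the next hunk) building the input with no cek or iv, each `JweEncryptionProvider` in this loop is now free to derive its own key and IV; if `getInternalState` (outside this hunk) generates fresh values when the input carries none, the second recipient's ciphertext will differ from the first and the `Arrays.equals` checks here will throw `SecurityException` for every multi-recipient JWE, with only the tests' overridden `createEncryptionInput` keeping them green. Either have `JweJsonProducer` generate one CEK/IV sized for the content algorithm and set both on every input, or document on `createEncryptionInput` that a producer with more than one recipient must supply a shared cek and iv. The bare `throw new SecurityException()` statements would also be easier to triage with a message naming which value disagreed, e.g. `throw new SecurityException("Recipient ciphertext mismatch");`. The enclosing method starts before this hunk.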
@@ -179,11 +165,8 @@ public class JweJsonProducer {
         jweJsonMap.put("tag", Base64UrlUtility.encode(authTag));
         return writer.toJson(jweJsonMap);
     }
-    protected byte[] generateIv() {
-        return CryptoUtils.generateSecureRandomBytes(16);
-    }
-    protected byte[] generateCek() {
-        return CryptoUtils.generateSecureRandomBytes(32);
+    protected JweEncryptionInput createEncryptionInput(JweHeaders jsonHeaders) {
+        return new JweEncryptionInput(jsonHeaders, content, aad);
     }
     private String checkAndGetContentAlgorithm(List<JweEncryptionProvider> encryptors)
{
         Set<String> set = new HashSet<String>();

http://git-wip-us.apache.org/repos/asf/cxf/blob/ab206d52/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
index 83ce452..32a3555 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
@@ -92,7 +92,7 @@ public class JweJsonProducerTest extends Assert {
         + "],"
         + "\"iv\":\"AxY8DCtDaGlsbGljb3RoZQ\","
         + "\"ciphertext\":\"KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY\","
-        + "\"tag\":\"vmz4ZlGcZHWBlSMbwtP_Jg\""
+        + "\"tag\":\"U0m_YmjN04DJvceFICbCVQ\""
         + "}";
     private static final Boolean SKIP_AES_GCM_TESTS = isJava6();
     
@@ -153,11 +153,11 @@ public class JweJsonProducerTest extends Assert {
                                             contentEncryptionAlgo);
         JweEncryptionProvider jwe = JweUtils.createJweEncryptionProvider(wrapperKey, headers);
         JweJsonProducer p = new JweJsonProducer(headers, StringUtils.toBytesUTF8(text), canBeFlat)
{
-            protected byte[] generateIv() {
-                return iv;
-            }
-            protected byte[] generateCek() {
-                return cek;
+            protected JweEncryptionInput createEncryptionInput(JweHeaders jsonHeaders) {
+                JweEncryptionInput input = super.createEncryptionInput(jsonHeaders);
+                input.setCek(cek);
+                input.setIv(iv);
+                return input;
             }    
         };
         String jweJson = p.encryptWith(jwe);
@@ -185,12 +185,12 @@ public class JweJsonProducerTest extends Assert {
                                                 StringUtils.toBytesUTF8(text),
                                                 StringUtils.toBytesUTF8(EXTRA_AAD_SOURCE),
                                                 false) {
-            protected byte[] generateIv() {
-                return JweCompactReaderWriterTest.INIT_VECTOR_A1;
+            protected JweEncryptionInput createEncryptionInput(JweHeaders jsonHeaders) {
+                JweEncryptionInput input = super.createEncryptionInput(jsonHeaders);
+                input.setCek(CEK_BYTES);
+                input.setIv(JweCompactReaderWriterTest.INIT_VECTOR_A1);
+                return input;
             }
-            protected byte[] generateCek() {
-                return CEK_BYTES;
-            }    
         };
         JweHeaders recepientUnprotectedHeaders = new JweHeaders();
         recepientUnprotectedHeaders.setKeyEncryptionAlgorithm(JoseConstants.A128KW_ALGO);

