cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: [CXF-6085] Prototyping JwsJsonConsumer
Date Tue, 17 Feb 2015 17:43:00 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 6991bdb7f -> 5ca457f15


[CXF-6085] Prototyping JwsJsonConsumer


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/5ca457f1
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/5ca457f1
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/5ca457f1

Branch: refs/heads/master
Commit: 5ca457f153fc1e461d6d224f9bd27ef9a0874596
Parents: 6991bdb
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Tue Feb 17 17:42:36 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Tue Feb 17 17:42:36 2015 +0000

----------------------------------------------------------------------
 .../json/JsonMapObjectReaderWriter.java         |   6 +-
 .../rs/security/jose/jwe/JweJsonConsumer.java   | 181 +++++++++++++++++++
 .../jose/jwe/JweJsonEncryptionEntry.java        |   4 +
 .../cxf/rs/security/jose/jwe/JweUtils.java      |  20 +-
 .../security/jose/jwe/JweJsonConsumerTest.java  | 162 +++++++++++++++++
 .../security/jose/jwe/JweJsonProducerTest.java  |  28 ++-
 6 files changed, 382 insertions(+), 19 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/5ca457f1/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JsonMapObjectReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JsonMapObjectReaderWriter.java
b/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JsonMapObjectReaderWriter.java
index dac1459..20e0777 100644
--- a/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JsonMapObjectReaderWriter.java
+++ b/rt/rs/extensions/providers/src/main/java/org/apache/cxf/jaxrs/provider/json/JsonMapObjectReaderWriter.java
@@ -115,7 +115,11 @@ public class JsonMapObjectReaderWriter {
             out.append("\r\n ");
         }
     }
-        
+    public JsonMapObject fromJsonToJsonObject(String json) {
+        JsonMapObject obj = new JsonMapObject();
+        fromJson(obj, json);
+        return obj;
+    }    
     public void fromJson(JsonMapObject obj, String json) {
         String theJson = json.trim();
         JsonObjectSettable settable = new JsonObjectSettable(obj);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5ca457f1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
new file mode 100644
index 0000000..23a014f
--- /dev/null
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
@@ -0,0 +1,181 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.io.UnsupportedEncodingException;
+import java.util.Collections;
+import java.util.LinkedHashMap;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.Map;
+
+import org.apache.cxf.helpers.CastUtils;
+import org.apache.cxf.jaxrs.provider.json.JsonMapObjectReaderWriter;
+import org.apache.cxf.rs.security.jose.JoseUtils;
+
+public class JweJsonConsumer {
+    private String protectedHeaderJson;
+    private JweHeaders protectedHeaderJwe;
+    private JweHeaders sharedUnprotectedHeader;
+    private List<JweJsonEncryptionEntry> recipients = new LinkedList<JweJsonEncryptionEntry>();
+    private Map<JweJsonEncryptionEntry, JweHeaders> recipientsMap = 
+        new LinkedHashMap<JweJsonEncryptionEntry, JweHeaders>();
+    private byte[] aad;
+    private byte[] iv;
+    private byte[] cipherBytes;
+    private byte[] authTag;
+    
+    private JsonMapObjectReaderWriter reader = new JsonMapObjectReaderWriter();
+    
+    public JweJsonConsumer(String payload) {
+        prepare(payload);
+    }
+
+    public JweDecryptionOutput decryptWith(JweDecryptionProvider jwe) {
+        JweJsonEncryptionEntry entry = getJweDecryptionEntry(jwe);
+        return decryptWith(jwe, entry);
+    }
+    public JweDecryptionOutput decryptWith(JweDecryptionProvider jwe, JweJsonEncryptionEntry
entry) {
+        JweDecryptionInput jweDecryptionInput = getJweDecryptionInput(jwe, entry);
+        byte[] content = jwe.decrypt(jweDecryptionInput);
+        return new JweDecryptionOutput(jweDecryptionInput.getJweHeaders(), content);
+    }
+    
+    private JweDecryptionInput getJweDecryptionInput(JweDecryptionProvider jwe, JweJsonEncryptionEntry
entry) {
+        if (jwe == null || entry == null) {
+            throw new SecurityException();
+        }
+        JweHeaders unionHeaders = recipientsMap.get(entry);
+        if (unionHeaders == null) {
+            throw new SecurityException();
+        }
+        JweDecryptionInput input = new JweDecryptionInput(entry.getEncryptedKey(),
+                                                          iv,
+                                                          cipherBytes,
+                                                          authTag,
+                                                          aad,
+                                                          protectedHeaderJson,
+                                                          unionHeaders);
+        return input;
+    }
+
+    private JweJsonEncryptionEntry getJweDecryptionEntry(JweDecryptionProvider jwe) {
+        for (Map.Entry<JweJsonEncryptionEntry, JweHeaders> entry : recipientsMap.entrySet())
{
+            String keyAlgo = entry.getValue().getKeyEncryptionAlgorithm();
+            if (keyAlgo != null && keyAlgo.equals(jwe.getKeyAlgorithm())
+                || keyAlgo == null && jwe.getKeyAlgorithm() == null) {
+                return entry.getKey();        
+            }    
+        }
+        return null;
+    }
+
+    private void prepare(String payload) {
+        Map<String, Object> jsonObjectMap = reader.fromJson(payload);
+        String encodedProtectedHeader = (String)jsonObjectMap.get("protected");
+        if (encodedProtectedHeader != null) {
+            protectedHeaderJson = JoseUtils.decodeToString(encodedProtectedHeader);
+            protectedHeaderJwe = 
+                new JweHeaders(reader.fromJson(protectedHeaderJson));
+        }
+        Map<String, Object> unprotectedHeader = CastUtils.cast((Map<?, ?>)jsonObjectMap.get("unprotected"));
+        sharedUnprotectedHeader = unprotectedHeader == null ? null : new JweHeaders(unprotectedHeader);
+        List<Map<String, Object>> encryptionArray = CastUtils.cast((List<?>)jsonObjectMap.get("recipients"));
+        if (encryptionArray != null) {
+            if (jsonObjectMap.containsKey("encryption_key")) {
+                throw new SecurityException("Invalid JWE JSON sequence");
+            }
+            for (Map<String, Object> encryptionEntry : encryptionArray) {
+                this.recipients.add(getEncryptionObject(encryptionEntry));
+            }
+        } else {
+            this.recipients.add(getEncryptionObject(jsonObjectMap));
+        }
+        aad = getDecodedBytes(jsonObjectMap, "aad");
+        cipherBytes = getDecodedBytes(jsonObjectMap, "ciphertext");
+        iv = getDecodedBytes(jsonObjectMap, "iv");
+        authTag = getDecodedBytes(jsonObjectMap, "tag");
+    }
+    protected JweJsonEncryptionEntry getEncryptionObject(Map<String, Object> encryptionEntry)
{
+        Map<String, Object> header = CastUtils.cast((Map<?, ?>)encryptionEntry.get("header"));
+        JweHeaders recipientUnprotected = header == null ? null : new JweHeaders(header);
+        String encodedKey = (String)encryptionEntry.get("encrypted_key");
+        JweJsonEncryptionEntry entry = new JweJsonEncryptionEntry(recipientUnprotected, encodedKey);
+        
+        JweHeaders unionHeaders = new JweHeaders();
+        if (protectedHeaderJwe != null) {
+            unionHeaders.asMap().putAll(protectedHeaderJwe.asMap());
+            unionHeaders.setProtectedHeaders(protectedHeaderJwe);
+        }
+        if (sharedUnprotectedHeader != null) {
+            if (!Collections.disjoint(unionHeaders.asMap().keySet(), 
+                                      sharedUnprotectedHeader.asMap().keySet())) {
+                throw new SecurityException("Protected and unprotected headers have duplicate
values");
+            }
+            unionHeaders.asMap().putAll(sharedUnprotectedHeader.asMap());
+        }
+        if (recipientUnprotected != null) {
+            if (!Collections.disjoint(unionHeaders.asMap().keySet(), 
+                                      recipientUnprotected.asMap().keySet())) {
+                throw new SecurityException("Protected and unprotected headers have duplicate
values");
+            }
+            unionHeaders.asMap().putAll(recipientUnprotected.asMap());
+        }
+        
+        recipientsMap.put(entry, unionHeaders);
+        return entry;
+        
+    }
+    protected byte[] getDecodedBytes(Map<String, Object> map, String name) {
+        String value = (String)map.get(name);
+        if (value != null) {
+            return JoseUtils.decode(value);
+        }
+        return null;
+    }
+
+    public JweHeaders getProtectedHeader() {
+        return protectedHeaderJwe;
+    }
+
+    public JweHeaders getSharedUnprotectedHeader() {
+        return sharedUnprotectedHeader;
+    }
+
+    public byte[] getAad() {
+        return aad;
+    }
+    public String getAadText() {
+        if (aad == null) {
+            return null;
+        }
+        try {
+            return new String(aad, "UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            throw new SecurityException(ex);
+        }
+    }
+    public List<JweJsonEncryptionEntry> getRecipients() {
+        return recipients;
+    }
+
+    public Map<JweJsonEncryptionEntry, JweHeaders> getRecipientsMap() {
+        return recipientsMap;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5ca457f1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonEncryptionEntry.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonEncryptionEntry.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonEncryptionEntry.java
index cdba53e..caa6d9f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonEncryptionEntry.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonEncryptionEntry.java
@@ -22,6 +22,7 @@ import java.util.LinkedHashMap;
 import java.util.Map;
 
 import org.apache.cxf.jaxrs.provider.json.JsonMapObjectReaderWriter;
+import org.apache.cxf.rs.security.jose.JoseUtils;
 
 public class JweJsonEncryptionEntry {
     private JweHeaders unprotectedHeader;
@@ -39,6 +40,9 @@ public class JweJsonEncryptionEntry {
     public String getEncodedEncryptedKey() {
         return encodedEncryptedKey;
     }
+    public byte[] getEncryptedKey() {
+        return encodedEncryptedKey == null ? null : JoseUtils.decode(encodedEncryptedKey);
+    }
     public String toJson() {
         JsonMapObjectReaderWriter jsonWriter = new JsonMapObjectReaderWriter();
         Map<String, Object> recipientsEntry = new LinkedHashMap<String, Object>();

http://git-wip-us.apache.org/repos/asf/cxf/blob/5ca457f1/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index c5aba2a..feba8bc 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -212,8 +212,13 @@ public final class JweUtils {
         return null;
     }
     public static JweEncryption getDirectKeyJweEncryption(JsonWebKey key) {
-        return new JweEncryption(new DirectKeyEncryptionAlgorithm(),
+        if (Algorithm.isAesCbcHmac(key.getAlgorithm())) {
+            return new AesCbcHmacJweEncryption(key.getAlgorithm(), JwkUtils.toSecretKey(key).getEncoded(),

+                                               null, new DirectKeyEncryptionAlgorithm());
+        } else {
+            return new JweEncryption(new DirectKeyEncryptionAlgorithm(),
                                  getContentEncryptionAlgorithm(key, key.getAlgorithm()));
+        }
     }
     public static JweEncryption getDirectKeyJweEncryption(SecretKey key, String algorithm)
{
         if (Algorithm.isAesCbcHmac(algorithm)) {
@@ -225,12 +230,21 @@ public final class JweUtils {
         }
     }
     public static JweDecryption getDirectKeyJweDecryption(SecretKey key, String algorithm)
{
-        return new JweDecryption(new DirectKeyDecryptionAlgorithm(key), 
+        if (Algorithm.isAesCbcHmac(algorithm)) { 
+            return new AesCbcHmacJweDecryption(new DirectKeyDecryptionAlgorithm(key), algorithm);
+        } else {
+            return new JweDecryption(new DirectKeyDecryptionAlgorithm(key), 
                                  getContentDecryptionAlgorithm(algorithm));
+        }
     }
     public static JweDecryption getDirectKeyJweDecryption(JsonWebKey key) {
-        return new JweDecryption(new DirectKeyDecryptionAlgorithm(JwkUtils.toSecretKey(key)),

+        if (Algorithm.isAesCbcHmac(key.getAlgorithm())) { 
+            return new AesCbcHmacJweDecryption(
+                new DirectKeyDecryptionAlgorithm(JwkUtils.toSecretKey(key).getEncoded()),
key.getAlgorithm());
+        } else {
+            return new JweDecryption(new DirectKeyDecryptionAlgorithm(JwkUtils.toSecretKey(key)),

                                  getContentDecryptionAlgorithm(key.getAlgorithm()));
+        }
     }
     public static JweEncryptionProvider loadEncryptionProvider(boolean required) {
         return loadEncryptionProvider(null, required);

http://git-wip-us.apache.org/repos/asf/cxf/blob/5ca457f1/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
new file mode 100644
index 0000000..0fcdece
--- /dev/null
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
@@ -0,0 +1,162 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+import java.security.Security;
+
+import javax.crypto.Cipher;
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.jose.JoseConstants;
+import org.apache.cxf.rs.security.jose.jwa.Algorithm;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+
+import org.junit.AfterClass;
+import org.junit.Assert;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+public class JweJsonConsumerTest extends Assert {
+
+    static final String SINGLE_RECIPIENT_ALL_HEADERS_AAD_MODIFIED_OUTPUT = 
+        "{" 
+        + "\"protected\":\"eyJlbmMiOiJBMTI4R0NNIn0\","
+        + "\"unprotected\":{\"jku\":\"https://server.example.com/keys.jwks\"},"    
+        + "\"recipients\":" 
+        + "["
+        + "{"
+        + "\"header\":{\"alg\":\"A128KW\"},"
+        + "\"encrypted_key\":\"b3-M9_CRgT3wEBhhXlpb-BoY7vtA4W_N\""
+        + "}"
+        + "],"
+        + "\"aad\":\"" + Base64UrlUtility.encode(JweJsonProducerTest.EXTRA_AAD_SOURCE + ".")
+ "\","
+        + "\"iv\":\"48V1_ALb6US04U3b\","
+        + "\"ciphertext\":\"KTuJBMk9QG59xPB-c_YLM5-J7VG40_eMPvyHDD7eB-WHj_34YiWgpBOydTBm4RW0zUCJZ09xqorhWJME-DcQ\","
+        + "\"tag\":\"oVUQGS9608D-INq61-vOaA\""
+        + "}";
+    
+    @BeforeClass
+    public static void registerBouncyCastleIfNeeded() throws Exception {
+        try {
+            Cipher.getInstance(Algorithm.AES_GCM_ALGO_JAVA);
+            Cipher.getInstance(Algorithm.AES_CBC_ALGO_JAVA);
+        } catch (Throwable t) {
+            Security.addProvider(new BouncyCastleProvider());    
+        }
+    }
+    @AfterClass
+    public static void unregisterBouncyCastleIfNeeded() throws Exception {
+        Security.removeProvider(BouncyCastleProvider.class.getName());    
+    }
+    
+    @Test
+    public void testSingleRecipientGcm() throws Exception {
+        final String text = "The true sign of intelligence is not knowledge but imagination.";
+        doTestSingleRecipient(text, 
+                              JweJsonProducerTest.SINGLE_RECIPIENT_OUTPUT, 
+                              JoseConstants.A128GCM_ALGO, 
+                              JweJsonProducerTest.WRAPPER_BYTES1,
+                              null);
+    }
+    @Test
+    public void testSingleRecipientFlatGcm() throws Exception {
+        final String text = "The true sign of intelligence is not knowledge but imagination.";
+        doTestSingleRecipient(text, 
+                              JweJsonProducerTest.SINGLE_RECIPIENT_FLAT_OUTPUT, 
+                              JoseConstants.A128GCM_ALGO, 
+                              JweJsonProducerTest.WRAPPER_BYTES1,
+                              null);
+    }
+    @Test
+    public void testSingleRecipientDirectGcm() throws Exception {
+        final String text = "The true sign of intelligence is not knowledge but imagination.";
+        doTestSingleRecipient(text, 
+                              JweJsonProducerTest.SINGLE_RECIPIENT_DIRECT_OUTPUT, 
+                              JoseConstants.A128GCM_ALGO, 
+                              null, 
+                              JweJsonProducerTest.CEK_BYTES);
+    }
+    @Test
+    public void testSingleRecipientDirectA128CBCHS256() throws Exception {
+        String text = "Live long and prosper.";
+        doTestSingleRecipient(text, 
+                              JweJsonProducerTest.SINGLE_RECIPIENT_A128CBCHS256_DIRECT_OUTPUT,

+                              JoseConstants.A128CBC_HS256_ALGO, 
+                              null,
+                              JweCompactReaderWriterTest.CONTENT_ENCRYPTION_KEY_A3);
+    }
+    @Test
+    public void testSingleRecipientA128CBCHS256() throws Exception {
+        String text = "Live long and prosper.";
+        doTestSingleRecipient(text, 
+                              JweJsonProducerTest.SINGLE_RECIPIENT_A128CBCHS256_OUTPUT, 
+                              JoseConstants.A128CBC_HS256_ALGO, 
+                              Base64UrlUtility.decode(JweCompactReaderWriterTest.KEY_ENCRYPTION_KEY_A3),
+                              null);
+    }
+    @Test
+    public void testSingleRecipientAllTypeOfHeadersAndAad() {
+        final String text = "The true sign of intelligence is not knowledge but imagination.";
+        
+        SecretKey wrapperKey = CryptoUtils.createSecretKeySpec(JweJsonProducerTest.WRAPPER_BYTES1,

+                                                               "AES");
+        JweDecryptionProvider jwe = JweUtils.createJweDecryptionProvider(wrapperKey, JoseConstants.A128KW_ALGO,

+                                                                         JoseConstants.A128GCM_ALGO);
+        JweJsonConsumer consumer = new JweJsonConsumer(JweJsonProducerTest.SINGLE_RECIPIENT_ALL_HEADERS_AAD_OUTPUT);
+        JweDecryptionOutput out = consumer.decryptWith(jwe);
+        assertEquals(text, out.getContentText());
+        assertEquals(JweJsonProducerTest.EXTRA_AAD_SOURCE, consumer.getAadText());
+    }
+    @Test
+    public void testSingleRecipientAllTypeOfHeadersAndAadModified() {
+        SecretKey wrapperKey = CryptoUtils.createSecretKeySpec(JweJsonProducerTest.WRAPPER_BYTES1,

+                                                               "AES");
+        JweDecryptionProvider jwe = JweUtils.createJweDecryptionProvider(wrapperKey, JoseConstants.A128KW_ALGO,

+                                                                         JoseConstants.A128GCM_ALGO);
+        JweJsonConsumer consumer = new JweJsonConsumer(SINGLE_RECIPIENT_ALL_HEADERS_AAD_MODIFIED_OUTPUT);
+        try {
+            consumer.decryptWith(jwe);
+            fail("AAD check has passed unexpectedly");
+        } catch (SecurityException ex) {
+            // expected
+        }
+        
+    }
+    private void doTestSingleRecipient(String text,
+                                       String input, 
+                                       String contentEncryptionAlgo,
+                                       final byte[] wrapperKeyBytes,
+                                       final byte[] cek) throws Exception {
+        JweDecryptionProvider jwe = null;
+        if (wrapperKeyBytes != null) {
+            SecretKey wrapperKey = CryptoUtils.createSecretKeySpec(wrapperKeyBytes, "AES");
+            jwe = JweUtils.createJweDecryptionProvider(wrapperKey, JoseConstants.A128KW_ALGO,
contentEncryptionAlgo);
+        } else {
+            SecretKey cekKey = CryptoUtils.createSecretKeySpec(cek, "AES");
+            jwe = JweUtils.getDirectKeyJweDecryption(cekKey, contentEncryptionAlgo);
+        }
+        JweJsonConsumer consumer = new JweJsonConsumer(input);
+        JweDecryptionOutput out = consumer.decryptWith(jwe);
+        assertEquals(text, out.getContentText());
+    }
+    
+}
+

http://git-wip-us.apache.org/repos/asf/cxf/blob/5ca457f1/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
index 0fdcc97..1fa0c9f 100644
--- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
+++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java
@@ -38,10 +38,10 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 
 public class JweJsonProducerTest extends Assert {
-    private static final byte[] WRAPPER_BYTES1 = {91, 96, 105, 38, 99, 108, 110, 8, -93,
50, -15, 62, 0, -115, 73, -39};
-    private static final byte[] WRAPPER_BYTES2 = {-39, 96, 105, 38, 99, 108, 110, 8, -93,
50, -15, 62, 0, -115, 73, 91};
-    private static final byte[] CEK_BYTES = {-43, 123, 77, 115, 40, 49, -4, -9, -48, -74,
62, 59, 60, 102, -22, -100};
-    private static final String SINGLE_RECIPIENT_OUTPUT = 
+    static final byte[] WRAPPER_BYTES1 = {91, 96, 105, 38, 99, 108, 110, 8, -93, 50, -15,
62, 0, -115, 73, -39};
+    static final byte[] WRAPPER_BYTES2 = {-39, 96, 105, 38, 99, 108, 110, 8, -93, 50, -15,
62, 0, -115, 73, 91};
+    static final byte[] CEK_BYTES = {-43, 123, 77, 115, 40, 49, -4, -9, -48, -74, 62, 59,
60, 102, -22, -100};
+    static final String SINGLE_RECIPIENT_OUTPUT = 
         "{" 
         + "\"protected\":\"eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIn0\","
         + "\"recipients\":" 
@@ -52,7 +52,7 @@ public class JweJsonProducerTest extends Assert {
         + "\"ciphertext\":\"KTuJBMk9QG59xPB-c_YLM5-J7VG40_eMPvyHDD7eB-WHj_34YiWgpBOydTBm4RW0zUCJZ09xqorhWJME-DcQ\","
         + "\"tag\":\"GxWlwvTPmHi4ZnQgafiHew\""
         + "}";
-    private static final String SINGLE_RECIPIENT_FLAT_OUTPUT = 
+    static final String SINGLE_RECIPIENT_FLAT_OUTPUT = 
         "{" 
         + "\"protected\":\"eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIn0\","
         + "\"encrypted_key\":\"b3-M9_CRgT3wEBhhXlpb-BoY7vtA4W_N\","
@@ -60,7 +60,7 @@ public class JweJsonProducerTest extends Assert {
         + "\"ciphertext\":\"KTuJBMk9QG59xPB-c_YLM5-J7VG40_eMPvyHDD7eB-WHj_34YiWgpBOydTBm4RW0zUCJZ09xqorhWJME-DcQ\","
         + "\"tag\":\"GxWlwvTPmHi4ZnQgafiHew\""
         + "}";
-    private static final String SINGLE_RECIPIENT_DIRECT_OUTPUT = 
+    static final String SINGLE_RECIPIENT_DIRECT_OUTPUT = 
         "{" 
         + "\"protected\":\"eyJlbmMiOiJBMTI4R0NNIn0\","
         + "\"recipients\":" 
@@ -71,14 +71,14 @@ public class JweJsonProducerTest extends Assert {
         + "\"ciphertext\":\"KTuJBMk9QG59xPB-c_YLM5-J7VG40_eMPvyHDD7eB-WHj_34YiWgpBOydTBm4RW0zUCJZ09xqorhWJME-DcQ\","
         + "\"tag\":\"Te59ApbK8wNBDY_1_dgYSw\""
         + "}";
-    private static final String SINGLE_RECIPIENT_DIRECT_FLAT_OUTPUT = 
+    static final String SINGLE_RECIPIENT_DIRECT_FLAT_OUTPUT = 
         "{" 
         + "\"protected\":\"eyJlbmMiOiJBMTI4R0NNIn0\","
         + "\"iv\":\"48V1_ALb6US04U3b\","
         + "\"ciphertext\":\"KTuJBMk9QG59xPB-c_YLM5-J7VG40_eMPvyHDD7eB-WHj_34YiWgpBOydTBm4RW0zUCJZ09xqorhWJME-DcQ\","
         + "\"tag\":\"Te59ApbK8wNBDY_1_dgYSw\""
         + "}";
-    private static final String SINGLE_RECIPIENT_ALL_HEADERS_AAD_OUTPUT = 
+    static final String SINGLE_RECIPIENT_ALL_HEADERS_AAD_OUTPUT = 
         "{" 
         + "\"protected\":\"eyJlbmMiOiJBMTI4R0NNIn0\","
         + "\"unprotected\":{\"jku\":\"https://server.example.com/keys.jwks\"},"    
@@ -89,14 +89,12 @@ public class JweJsonProducerTest extends Assert {
         + "\"encrypted_key\":\"b3-M9_CRgT3wEBhhXlpb-BoY7vtA4W_N\""
         + "}"
         + "],"
-        + "\"aad\":\"WyJ2Y2FyZCIsW1sidmVyc2lvbiIse30sInRleHQiLCI0LjAiXSxbImZuIix7fSwidGV4dCIsIk1lcmlhZG9jIEJyYW5keWJ1Y"
-                    + "2siXSxbIm4iLHt9LCJ0ZXh0IixbIkJyYW5keWJ1Y2siLCJNZXJpYWRvYyIsIk1yLiIsIiJdXSxbImJkYXkiLHt9LCJ0ZXh0"
-                    + "IiwiVEEgMjk4MiJdLFsiZ2VuZGVyIix7fSwidGV4dCIsIk0iXV1d\","
+        + "\"aad\":\"" + Base64UrlUtility.encode(JweJsonProducerTest.EXTRA_AAD_SOURCE) +
"\","
         + "\"iv\":\"48V1_ALb6US04U3b\","
         + "\"ciphertext\":\"KTuJBMk9QG59xPB-c_YLM5-J7VG40_eMPvyHDD7eB-WHj_34YiWgpBOydTBm4RW0zUCJZ09xqorhWJME-DcQ\","
         + "\"tag\":\"oVUQGS9608D-INq61-vOaA\""
         + "}";
-    private static final String MULTIPLE_RECIPIENTS_OUTPUT = 
+    static final String MULTIPLE_RECIPIENTS_OUTPUT = 
         "{" 
         + "\"protected\":\"eyJlbmMiOiJBMTI4R0NNIn0\","
         + "\"unprotected\":{\"jku\":\"https://server.example.com/keys.jwks\",\"alg\":\"A128KW\"},"
   
@@ -116,7 +114,7 @@ public class JweJsonProducerTest extends Assert {
         + "\"ciphertext\":\"KTuJBMk9QG59xPB-c_YLM5-J7VG40_eMPvyHDD7eB-WHj_34YiWgpBOydTBm4RW0zUCJZ09xqorhWJME-DcQ\","
         + "\"tag\":\"oVUQGS9608D-INq61-vOaA\""
         + "}";
-    private static final String EXTRA_AAD_SOURCE = 
+    static final String EXTRA_AAD_SOURCE = 
         "[\"vcard\",["
         + "[\"version\",{},\"text\",\"4.0\"],"
         + "[\"fn\",{},\"text\",\"Meriadoc Brandybuck\"],"
@@ -124,7 +122,7 @@ public class JweJsonProducerTest extends Assert {
         + "[\"bday\",{},\"text\",\"TA 2982\"],"
         + "[\"gender\",{},\"text\",\"M\"]"
         + "]]";
-    private static final String SINGLE_RECIPIENT_A128CBCHS256_OUTPUT = 
+    static final String SINGLE_RECIPIENT_A128CBCHS256_OUTPUT = 
         "{" 
         + "\"protected\":\"eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0\","
         + "\"recipients\":" 
@@ -135,7 +133,7 @@ public class JweJsonProducerTest extends Assert {
         + "\"ciphertext\":\"KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY\","
         + "\"tag\":\"U0m_YmjN04DJvceFICbCVQ\""
         + "}";
-    private static final String SINGLE_RECIPIENT_A128CBCHS256_DIRECT_OUTPUT = 
+    static final String SINGLE_RECIPIENT_A128CBCHS256_DIRECT_OUTPUT = 
         "{" 
         + "\"protected\":\"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0\","
         + "\"recipients\":" 


Mime
View raw message