cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject [3/3] cxf git commit: [CXF-6085] Refactoring someof existing JWE code to get it ready to deal with JWE JSON
Date Fri, 06 Feb 2015 14:32:15 GMT
[CXF-6085] Refactoring someof existing JWE code to get it ready to deal with JWE JSON


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/f019b583
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/f019b583
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/f019b583

Branch: refs/heads/3.0.x-fixes
Commit: f019b583f4a7b3e8e2de074cb454e5629a85b530
Parents: 0c43f88
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Feb 6 14:30:26 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Feb 6 14:31:55 2015 +0000

----------------------------------------------------------------------
 .../jose/jaxrs/JweWriterInterceptor.java        |  2 +-
 ...stractContentEncryptionCipherProperties.java |  4 +-
 .../jose/jwe/AbstractJweDecryption.java         | 67 ++++++++++---------
 .../jose/jwe/AbstractJweEncryption.java         | 23 ++++---
 .../jose/jwe/AesCbcHmacJweDecryption.java       | 21 +++---
 .../jose/jwe/AesCbcHmacJweEncryption.java       | 16 ++---
 .../jwe/AesGcmWrapKeyDecryptionAlgorithm.java   | 14 ++--
 .../jwe/ContentEncryptionCipherProperties.java  |  2 +-
 .../jose/jwe/DirectKeyJweDecryption.java        |  8 +--
 .../jwe/EcdhAesWrapKeyDecryptionAlgorithm.java  |  7 +-
 .../jose/jwe/EcdhDirectKeyJweDecryption.java    |  6 +-
 .../security/jose/jwe/JweCompactConsumer.java   | 50 +++++++-------
 .../security/jose/jwe/JweDecryptionInput.java   | 68 ++++++++++++++++++++
 .../jose/jwe/JweDecryptionProvider.java         |  2 +-
 .../jose/jwe/JweEncryptionProvider.java         |  2 +-
 .../cxf/rs/security/jose/jwe/JweHeaders.java    |  1 -
 .../jose/jwe/JweJwtCompactConsumer.java         |  2 +-
 .../cxf/rs/security/jose/jwe/JweUtils.java      | 13 +++-
 .../jose/jwe/KeyDecryptionAlgorithm.java        |  2 +-
 .../PbesHmacAesWrapKeyDecryptionAlgorithm.java  | 16 ++---
 .../jose/jwe/WrappedKeyDecryptionAlgorithm.java | 26 ++++----
 21 files changed, 221 insertions(+), 131 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index 36a2c51..ca4f5c9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -70,7 +70,7 @@ public class JweWriterInterceptor implements WriterInterceptor {
         }
         
         if (useJweOutputStream) {
-            JweEncryptionState encryption = theEncryptionProvider.createJweEncryptionState(jweHeaders);
+            JweEncryptionState encryption = theEncryptionProvider.createJweEncryptionState(jweHeaders, null);
             try {
                 JweCompactProducer.startJweContent(actualOs,
                                                    encryption.getHeaders(), 

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
index ca2d6b9..e9fc794 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
@@ -33,8 +33,8 @@ public abstract class AbstractContentEncryptionCipherProperties implements Conte
     public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
         return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
     }
-    public byte[] getAdditionalAuthenticationData(String headersJson) {
-        return JweHeaders.toCipherAdditionalAuthData(headersJson);
+    public byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
+        return JweUtils.getAdditionalAuthenticationData(headersJson, aad);
     }
     protected int getAuthTagLen() {
         return authTagLen;

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
index a00feaa..ad4fd8e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
@@ -35,61 +35,60 @@ public abstract class AbstractJweDecryption implements JweDecryptionProvider {
         this.contentDecryptionAlgo = contentDecryptionAlgo;
     }
     
-    protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) {
-        return this.keyDecryptionAlgo.getDecryptedContentEncryptionKey(consumer);
+    protected byte[] getContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+        return keyDecryptionAlgo.getDecryptedContentEncryptionKey(jweDecryptionInput);
     }
     
     public JweDecryptionOutput decrypt(String content) {
         JweCompactConsumer consumer = new JweCompactConsumer(content);
-        return doDecrypt(consumer);
+        byte[] cek = getContentEncryptionKey(consumer.getJweDecryptionInput());
+        return doDecrypt(consumer.getJweDecryptionInput(), cek);
     }
-    public byte[] decrypt(JweCompactConsumer consumer) {
-        return doDecrypt(consumer).getContent();
+    public byte[] decrypt(JweDecryptionInput jweDecryptionInput) {
+        byte[] cek = getContentEncryptionKey(jweDecryptionInput);
+        return doDecrypt(jweDecryptionInput, cek).getContent();
     }
-    
-    protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer) {
-        byte[] cek = getContentEncryptionKey(consumer);
-        return doDecrypt(consumer, cek);
-    }
-    protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) {
-        KeyProperties keyProperties = new KeyProperties(getContentEncryptionAlgorithm(consumer));
-        keyProperties.setAdditionalData(getContentEncryptionCipherAAD(consumer));
-        AlgorithmParameterSpec spec = getContentEncryptionCipherSpec(consumer);
+    protected JweDecryptionOutput doDecrypt(JweDecryptionInput jweDecryptionInput, byte[] cek) {
+        KeyProperties keyProperties = new KeyProperties(getContentEncryptionAlgorithm(jweDecryptionInput));
+        keyProperties.setAdditionalData(getContentEncryptionCipherAAD(jweDecryptionInput));
+        AlgorithmParameterSpec spec = getContentEncryptionCipherSpec(jweDecryptionInput);
         keyProperties.setAlgoSpec(spec);
         boolean compressionSupported = 
-            JoseConstants.DEFLATE_ZIP_ALGORITHM.equals(consumer.getJweHeaders().getZipAlgorithm());
+            JoseConstants.DEFLATE_ZIP_ALGORITHM.equals(jweDecryptionInput.getJweHeaders().getZipAlgorithm());
         keyProperties.setCompressionSupported(compressionSupported);
-        byte[] actualCek = getActualCek(cek, consumer.getJweHeaders().getContentEncryptionAlgorithm());
+        byte[] actualCek = getActualCek(cek, jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm());
         Key secretKey = CryptoUtils.createSecretKeySpec(actualCek, keyProperties.getKeyAlgo());
         byte[] bytes = 
-            CryptoUtils.decryptBytes(getEncryptedContentWithAuthTag(consumer), secretKey, keyProperties);
-        return new JweDecryptionOutput(consumer.getJweHeaders(), bytes);
+            CryptoUtils.decryptBytes(getEncryptedContentWithAuthTag(jweDecryptionInput), secretKey, keyProperties);
+        return new JweDecryptionOutput(jweDecryptionInput.getJweHeaders(), bytes);
     }
     protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
         return consumer.getEncryptedContentEncryptionKey();
     }
-    protected AlgorithmParameterSpec getContentEncryptionCipherSpec(JweCompactConsumer consumer) {
-        return contentDecryptionAlgo.getAlgorithmParameterSpec(getContentEncryptionCipherInitVector(consumer));
+    protected AlgorithmParameterSpec getContentEncryptionCipherSpec(JweDecryptionInput jweDecryptionInput) {
+        return contentDecryptionAlgo.getAlgorithmParameterSpec(
+            getContentEncryptionCipherInitVector(jweDecryptionInput));
     }
-    protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
-        return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
+    protected String getContentEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
+        return Algorithm.toJavaName(jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm());
     }
-    protected byte[] getContentEncryptionCipherAAD(JweCompactConsumer consumer) {
-        return contentDecryptionAlgo.getAdditionalAuthenticationData(consumer.getDecodedJsonHeaders());
+    protected byte[] getContentEncryptionCipherAAD(JweDecryptionInput jweDecryptionInput) {
+        return contentDecryptionAlgo.getAdditionalAuthenticationData(
+            jweDecryptionInput.getDecodedJsonHeaders(), jweDecryptionInput.getAad());
     }
-    protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) {
-        return contentDecryptionAlgo.getEncryptedSequence(consumer.getJweHeaders(),
-                                                          consumer.getEncryptedContent(), 
-                                                          getEncryptionAuthenticationTag(consumer));
+    protected byte[] getEncryptedContentWithAuthTag(JweDecryptionInput jweDecryptionInput) {
+        return contentDecryptionAlgo.getEncryptedSequence(jweDecryptionInput.getJweHeaders(),
+                                                          jweDecryptionInput.getEncryptedContent(), 
+                                                          getEncryptionAuthenticationTag(jweDecryptionInput));
     }
-    protected byte[] getContentEncryptionCipherInitVector(JweCompactConsumer consumer) { 
-        return consumer.getContentDecryptionCipherInitVector();
+    protected byte[] getContentEncryptionCipherInitVector(JweDecryptionInput jweDecryptionInput) { 
+        return jweDecryptionInput.getInitVector();
     }
-    protected byte[] getEncryptionAuthenticationTag(JweCompactConsumer consumer) {
-        return consumer.getEncryptionAuthenticationTag();
+    protected byte[] getEncryptionAuthenticationTag(JweDecryptionInput jweDecryptionInput) {
+        return jweDecryptionInput.getAuthTag();
     }
-    protected int getEncryptionAuthenticationTagLenBits(JweCompactConsumer consumer) {
-        return getEncryptionAuthenticationTag(consumer).length * 8;
+    protected int getEncryptionAuthenticationTagLenBits(JweDecryptionInput jweDecryptionInput) {
+        return getEncryptionAuthenticationTag(jweDecryptionInput).length * 8;
     }
     protected byte[] getActualCek(byte[] theCek, String algoJwt) {
         return theCek;

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index 03ef462..37991d9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -78,11 +78,11 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
     protected String getContentEncryptionAlgoJava() {
         return Algorithm.toJavaName(getContentEncryptionAlgoJwt());
     }
-    protected byte[] getAAD(JweHeaders theHeaders) {
-        return getContentEncryptionAlgorithm().getAdditionalAuthenticationData(writer.headersToJson(theHeaders));
+    protected byte[] getAAD(String protectedHeaders, byte[] aad) {
+        return getContentEncryptionAlgorithm().getAdditionalAuthenticationData(protectedHeaders, aad);
     }
     public String encrypt(byte[] content, JweHeaders jweHeaders) {
-        JweEncryptionInternal state = getInternalState(jweHeaders);
+        JweEncryptionInternal state = getInternalState(jweHeaders, null);
         
         byte[] cipher = CryptoUtils.encryptBytes(content, createCekSecretKey(state), state.keyProps);
         
@@ -113,8 +113,8 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
         return writer;
     }
     @Override
-    public JweEncryptionState createJweEncryptionState(JweHeaders jweHeaders) {
-        JweEncryptionInternal state = getInternalState(jweHeaders);
+    public JweEncryptionState createJweEncryptionState(JweHeaders jweHeaders, byte[] aad) {
+        JweEncryptionInternal state = getInternalState(jweHeaders, aad);
         Cipher c = CryptoUtils.initCipher(createCekSecretKey(state), state.keyProps, 
                                           Cipher.ENCRYPT_MODE);
         return new JweEncryptionState(c, 
@@ -136,7 +136,7 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
         return theCek;
     }
     
-    private JweEncryptionInternal getInternalState(JweHeaders jweHeaders) {
+    private JweEncryptionInternal getInternalState(JweHeaders jweHeaders, byte[] aad) {
         byte[] theCek = getContentEncryptionKey();
         String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
         KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName);
@@ -158,9 +158,12 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
             theHeaders = new JweHeaders(theHeaders.asMap());
             theHeaders.asMap().putAll(jweHeaders.asMap());
         }
-        byte[] additionalEncryptionParam = getAAD(theHeaders);
-        keyProps.setAdditionalData(additionalEncryptionParam);
+        JweHeaders protectedHeaders = theHeaders;
+            
+        String protectedHeadersJson = writer.headersToJson(protectedHeaders);
         
+        byte[] additionalEncryptionParam = getAAD(protectedHeadersJson, aad);
+        keyProps.setAdditionalData(additionalEncryptionParam);
         
         JweEncryptionInternal state = new JweEncryptionInternal();
         state.theHeaders = theHeaders;
@@ -168,6 +171,8 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
         state.keyProps = keyProps;
         state.secretKey = theCek; 
         state.theIv = theIv;
+        state.protectedHeadersJson = protectedHeadersJson;
+        state.aad = aad;
         return state;
     }
     private boolean compressionRequired(JweHeaders theHeaders) {
@@ -182,5 +187,7 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
         byte[] theIv;
         KeyProperties keyProps;
         byte[] secretKey;
+        String protectedHeadersJson;
+        byte[] aad;
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
index 84a9fdd..6b902da 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
@@ -35,24 +35,25 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
         super(keyDecryptionAlgo, new AesCbcContentDecryptionAlgorithm(supportedAlgo));
         this.supportedAlgo = supportedAlgo;
     }
-    protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) {
-        validateAuthenticationTag(consumer, cek);
-        return super.doDecrypt(consumer, cek);
+    protected JweDecryptionOutput doDecrypt(JweDecryptionInput jweDecryptionInput, byte[] cek) {
+        validateAuthenticationTag(jweDecryptionInput, cek);
+        return super.doDecrypt(jweDecryptionInput, cek);
     }
     @Override
     protected byte[] getActualCek(byte[] theCek, String algoJwt) {
         validateCekAlgorithm(algoJwt);
         return AesCbcHmacJweEncryption.doGetActualCek(theCek, algoJwt);
     }
-    protected void validateAuthenticationTag(JweCompactConsumer consumer, byte[] theCek) {
-        byte[] actualAuthTag = consumer.getEncryptionAuthenticationTag();
+    protected void validateAuthenticationTag(JweDecryptionInput jweDecryptionInput, byte[] theCek) {
+        byte[] actualAuthTag = jweDecryptionInput.getAuthTag();
         
         final AesCbcHmacJweEncryption.MacState macState = 
             AesCbcHmacJweEncryption.getInitializedMacState(theCek, 
-                                                           consumer.getContentDecryptionCipherInitVector(),
-                                                           consumer.getJweHeaders(),
-                                                           consumer.getDecodedJsonHeaders());
-        macState.mac.update(consumer.getEncryptedContent());
+                                                           jweDecryptionInput.getInitVector(),
+                                                           jweDecryptionInput.getAad(),
+                                                           jweDecryptionInput.getJweHeaders(),
+                                                           jweDecryptionInput.getDecodedJsonHeaders());
+        macState.mac.update(jweDecryptionInput.getEncryptedContent());
         byte[] expectedAuthTag = AesCbcHmacJweEncryption.signAndGetTag(macState);
         if (!Arrays.equals(actualAuthTag, expectedAuthTag)) {
             throw new SecurityException();
@@ -69,7 +70,7 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption {
             return new IvParameterSpec(theIv);
         }
         @Override
-        public byte[] getAdditionalAuthenticationData(String headersJson) {
+        public byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
             return null;
         }
         @Override

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index 6613625..488466c 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -100,13 +100,14 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
         return authTag;
     }
     private MacState getInitializedMacState(final JweEncryptionInternal state) {
-        String headersJson = getJwtHeadersWriter().headersToJson(state.theHeaders);
-        return getInitializedMacState(state.secretKey, state.theIv, state.theHeaders, headersJson);
+        return getInitializedMacState(state.secretKey, state.theIv, state.aad, 
+                                      state.theHeaders, state.protectedHeadersJson);
     }
     protected static MacState getInitializedMacState(byte[] secretKey,
                                                      byte[] theIv,
-                                                     JweHeaders theHeaders, 
-                                                     String headersJson) {
+                                                     byte[] extraAad,
+                                                     JweHeaders theHeaders,
+                                                     String protectedHeadersJson) {
         String algoJwt = theHeaders.getContentEncryptionAlgorithm();
         int size = getFullCekKeySize(algoJwt) / 2;
         byte[] macKey = new byte[size];
@@ -115,8 +116,7 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
         String hmacAlgoJava = AES_HMAC_MAP.get(algoJwt);
         Mac mac = HmacUtils.getInitializedMac(macKey, hmacAlgoJava, null);
         
-        
-        byte[] aad = JweHeaders.toCipherAdditionalAuthData(headersJson);
+        byte[] aad = JweUtils.getAdditionalAuthenticationData(protectedHeadersJson, extraAad);
         ByteBuffer buf = ByteBuffer.allocate(8);
         final byte[] al = buf.putInt(0).putInt(aad.length * 8).array();
         
@@ -125,7 +125,7 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
         MacState macState = new MacState();
         macState.mac = mac;
         macState.al = al;
-        macState.headersJson = headersJson;
+        macState.headersJson = protectedHeadersJson;
         return macState;
     }
     
@@ -160,7 +160,7 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption {
             return new IvParameterSpec(theIv);
         }
         @Override
-        public byte[] getAdditionalAuthenticationData(String headersJson) {
+        public byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
             return null;
         }
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
index 0043ec2..6180014 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
@@ -46,18 +46,18 @@ public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgori
         super(secretKey, supportedAlgo);
     }
     @Override
-    protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
-        byte[] encryptedCekKey = super.getEncryptedContentEncryptionKey(consumer);
-        byte[] tag = getDecodedBytes(consumer, "tag");
+    protected byte[] getEncryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+        byte[] encryptedCekKey = super.getEncryptedContentEncryptionKey(jweDecryptionInput);
+        byte[] tag = getDecodedBytes(jweDecryptionInput, "tag");
         return JweCompactConsumer.getCipherWithAuthTag(encryptedCekKey, tag);
     }
-    protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) {
-        byte[] iv = getDecodedBytes(consumer, "iv");
+    protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweDecryptionInput jweDecryptionInput) {
+        byte[] iv = getDecodedBytes(jweDecryptionInput, "iv");
         return CryptoUtils.getContentEncryptionCipherSpec(128, iv);
     }
-    private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) {
+    private byte[] getDecodedBytes(JweDecryptionInput jweDecryptionInput, String headerName) {
         try {
-            Object ivHeader = consumer.getJweHeaders().getHeader(headerName);
+            Object ivHeader = jweDecryptionInput.getJweHeaders().getHeader(headerName);
             return Base64UrlUtility.decode(ivHeader.toString());
         } catch (Exception ex) {
             throw new SecurityException(ex);

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
index 89d70f4..e75eecc 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java
@@ -23,6 +23,6 @@ import java.security.spec.AlgorithmParameterSpec;
 
 public interface ContentEncryptionCipherProperties {
     String getAlgorithm();
-    byte[] getAdditionalAuthenticationData(String headersJson);
+    byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad);
     AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
index e57ee32..576cdaa 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
@@ -39,16 +39,16 @@ public class DirectKeyJweDecryption extends AbstractJweDecryption {
             this.contentDecryptionKey = contentDecryptionKey;
         }
         @Override
-        public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
-            validateKeyEncryptionKey(consumer);
+        public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+            validateKeyEncryptionKey(jweDecryptionInput);
             return contentDecryptionKey;
         }
         @Override
         public String getAlgorithm() {
             return null;
         }
-        protected void validateKeyEncryptionKey(JweCompactConsumer consumer) {
-            byte[] encryptedCEK = consumer.getEncryptedContentEncryptionKey();
+        protected void validateKeyEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+            byte[] encryptedCEK = jweDecryptionInput.getEncryptedCEK();
             if (encryptedCEK != null && encryptedCEK.length > 0) {
                 throw new SecurityException();
             }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java
index 025d2db..fd72fa9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyDecryptionAlgorithm.java
@@ -33,15 +33,16 @@ public class EcdhAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm
         this.algo = algo;
     }
     @Override
-    public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
+    public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
         byte[] derivedKey = 
-            EcdhDirectKeyJweDecryption.getDecryptedContentEncryptionKeyFromHeaders(consumer.getJweHeaders(), key);
+            EcdhDirectKeyJweDecryption.getDecryptedContentEncryptionKeyFromHeaders(
+                jweDecryptionInput.getJweHeaders(), key);
         KeyDecryptionAlgorithm aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey) {
             protected boolean isValidAlgorithmFamily(String wrapAlgo) {
                 return Algorithm.isEcdhEsWrap(wrapAlgo);
             }    
         };
-        return aesWrap.getDecryptedContentEncryptionKey(consumer);
+        return aesWrap.getDecryptedContentEncryptionKey(jweDecryptionInput);
     }    
     
     @Override

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java
index 37049ea..584c54f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweDecryption.java
@@ -49,10 +49,10 @@ public class EcdhDirectKeyJweDecryption extends DirectKeyJweDecryption {
             this.privateKey = privateKey;
         }
         @Override
-        public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
-            super.validateKeyEncryptionKey(consumer);
+        public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+            super.validateKeyEncryptionKey(jweDecryptionInput);
             
-            return getDecryptedContentEncryptionKeyFromHeaders(consumer.getJweHeaders(), privateKey);
+            return getDecryptedContentEncryptionKeyFromHeaders(jweDecryptionInput.getJweHeaders(), privateKey);
         }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
index fb7be1a..229ab78 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
@@ -28,12 +28,7 @@ import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
 
 
 public class JweCompactConsumer {
-    private String headersJson;
-    private byte[] encryptedCEK;
-    private byte[] initVector;
-    private byte[] encryptedContent;
-    private byte[] authTag;
-    private JweHeaders jweHeaders;
+    private JweDecryptionInput jweDecryptionInput;
     public JweCompactConsumer(String jweContent) {
         if (jweContent.startsWith("\"") && jweContent.endsWith("\"")) {
             jweContent = jweContent.substring(1, jweContent.length() - 1);
@@ -43,18 +38,24 @@ public class JweCompactConsumer {
             throw new SecurityException("5 JWE parts are expected");
         }
         try {
-            headersJson = new String(Base64UrlUtility.decode(parts[0]));
-            encryptedCEK = Base64UrlUtility.decode(parts[1]);
-            initVector = Base64UrlUtility.decode(parts[2]);
-            
-            encryptedContent = Base64UrlUtility.decode(parts[3]);
-            authTag = Base64UrlUtility.decode(parts[4]);
+            String headersJson = new String(Base64UrlUtility.decode(parts[0]));
+            byte[] encryptedCEK = Base64UrlUtility.decode(parts[1]);
+            byte[] initVector = Base64UrlUtility.decode(parts[2]);
+            byte[] encryptedContent = Base64UrlUtility.decode(parts[3]);
+            byte[] authTag = Base64UrlUtility.decode(parts[4]);
             JoseHeadersReaderWriter reader = new JoseHeadersReaderWriter();
             JoseHeaders joseHeaders = reader.fromJsonHeaders(headersJson);
             if (joseHeaders.getUpdateCount() != null) { 
                 throw new SecurityException("Duplicate headers have been detected");
             }
-            jweHeaders = new JweHeaders(joseHeaders);
+            JweHeaders jweHeaders = new JweHeaders(joseHeaders);
+            jweDecryptionInput = new JweDecryptionInput(encryptedCEK,
+                                                        initVector, 
+                                                        encryptedContent,
+                                                        authTag,
+                                                        null,
+                                                        headersJson,
+                                                        jweHeaders);
             
         } catch (Base64Exception ex) {
             throw new SecurityException(ex);
@@ -62,37 +63,39 @@ public class JweCompactConsumer {
     }
     
     public String getDecodedJsonHeaders() {
-        return headersJson;
+        return jweDecryptionInput.getDecodedJsonHeaders();
     }
     
     public JweHeaders getJweHeaders() {
-        return jweHeaders;
+        return jweDecryptionInput.getJweHeaders();
     }
     
     public byte[] getEncryptedContentEncryptionKey() {
-        return encryptedCEK;
+        return jweDecryptionInput.getEncryptedCEK();
     }
     
     public byte[] getContentDecryptionCipherInitVector() {
-        return initVector;
+        return jweDecryptionInput.getInitVector();
     }
     
     public byte[] getContentEncryptionCipherAAD() {
-        return JweHeaders.toCipherAdditionalAuthData(headersJson);
+        return JweHeaders.toCipherAdditionalAuthData(jweDecryptionInput.getDecodedJsonHeaders());
     }
     
     public byte[] getEncryptionAuthenticationTag() {
-        return authTag;
+        return jweDecryptionInput.getAuthTag();
     }
     
     public byte[] getEncryptedContent() {
-        return encryptedContent;
+        return jweDecryptionInput.getEncryptedContent();
     }
     
     public byte[] getEncryptedContentWithAuthTag() {
-        return getCipherWithAuthTag(encryptedContent, authTag);
+        return getCipherWithAuthTag(getEncryptedContent(), getEncryptionAuthenticationTag());
+    }
+    public JweDecryptionInput getJweDecryptionInput() {
+        return jweDecryptionInput;
     }
-    
     public static byte[] getCipherWithAuthTag(byte[] cipher, byte[] authTag) {
         byte[] encryptedContentWithTag = new byte[cipher.length + authTag.length];
         System.arraycopy(cipher, 0, encryptedContentWithTag, 0, cipher.length);
@@ -101,7 +104,8 @@ public class JweCompactConsumer {
     }
     
     public byte[] getDecryptedContent(JweDecryptionProvider decryption) {
-        return decryption.decrypt(this);
+        // temp workaround
+        return decryption.decrypt(jweDecryptionInput);
     }
     public String getDecryptedContentText(JweDecryptionProvider decryption) {
         try {

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionInput.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionInput.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionInput.java
new file mode 100644
index 0000000..8d7f00f
--- /dev/null
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionInput.java
@@ -0,0 +1,68 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.jose.jwe;
+
+
+public class JweDecryptionInput {
+    private String headersJson;
+    private byte[] encryptedCEK;
+    private byte[] initVector;
+    private byte[] encryptedContent;
+    private byte[] authTag;
+    private byte[] aad;
+    private JweHeaders jweHeaders;
+    
+    public JweDecryptionInput(byte[] encryptedCEK,
+                              byte[] initVector,
+                              byte[] encryptedContent,
+                              byte[] authTag,
+                              byte[] aad,
+                              String headersJson,
+                              JweHeaders jweHeaders) {
+        this.encryptedCEK = encryptedCEK;
+        this.initVector = initVector;
+        this.encryptedContent = encryptedContent;
+        this.aad = aad;
+        this.authTag = authTag;
+        this.headersJson = headersJson;
+        this.jweHeaders = jweHeaders;
+    }
+
+    public byte[] getEncryptedCEK() {
+        return encryptedCEK;
+    }
+    public byte[] getInitVector() {
+        return initVector;
+    }
+    public byte[] getEncryptedContent() {
+        return encryptedContent;
+    }
+    public byte[] getAuthTag() {
+        return authTag;
+    }
+    public byte[] getAad() {
+        return aad;
+    }
+    public String getDecodedJsonHeaders() {
+        return headersJson;
+    }
+    public JweHeaders getJweHeaders() {
+        return jweHeaders;
+    }
+}

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
index 006bc03..1f4861a 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
@@ -22,5 +22,5 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 public interface JweDecryptionProvider extends JweKeyProperties {
     JweDecryptionOutput decrypt(String jweContent);
-    byte[] decrypt(JweCompactConsumer consumer);
+    byte[] decrypt(JweDecryptionInput jweInput);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
index addc7b6..df4a0d9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
@@ -25,5 +25,5 @@ public interface JweEncryptionProvider extends JweKeyProperties {
     /**
      * Prepare JWE state (optional operation)
      */
-    JweEncryptionState createJweEncryptionState(JweHeaders jweHeaders);
+    JweEncryptionState createJweEncryptionState(JweHeaders jweHeaders, byte[] aad);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
index 7b0ce21..f049ffb 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
@@ -31,7 +31,6 @@ import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
 
 
 public class JweHeaders extends JoseHeaders {
-    
     public JweHeaders() {
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java
index 8f4599a..77dcf27 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJwtCompactConsumer.java
@@ -48,7 +48,7 @@ public class JweJwtCompactConsumer  {
                                                                 headers.getContentEncryptionAlgorithm()));
     }
     public JwtToken decryptWith(JweDecryptionProvider jwe) {
-        byte[] bytes = jwe.decrypt(jweConsumer);
+        byte[] bytes = jwe.decrypt(jweConsumer.getJweDecryptionInput());
         JwtClaims claims = new JwtTokenReaderWriter().fromJsonClaims(toString(bytes));
         return new JwtToken(headers, claims);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index ae820f6..accd8a3 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -413,7 +413,18 @@ public final class JweUtils {
         byte[] keyZ = generateKeyZ(privateKey, peerPublicKey);
         return calculateDerivedKey(keyZ, algoName, partyUInfo, partyVInfo, algoKeyBitLen);
     }
-    
+    public static byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
+        byte[] headersAAD = JweHeaders.toCipherAdditionalAuthData(headersJson);
+        if (aad != null) {
+            // JWE JSON can provide the extra aad
+            byte[] newAAD = Arrays.copyOf(headersAAD, headersAAD.length + 1 + aad.length);
+            newAAD[headersAAD.length] = '.';
+            System.arraycopy(aad, 0, newAAD, headersAAD.length + 1, aad.length);
+            return newAAD;
+        } else {
+            return headersAAD;
+        }
+    }
     private static byte[] calculateDerivedKey(byte[] keyZ, 
                                               String algoName,
                                               byte[] apuBytes, 

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
index 83339ad..f8df934 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
@@ -21,5 +21,5 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 public interface KeyDecryptionAlgorithm {
     String getAlgorithm();
-    byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer);
+    byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput);
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
index 3fb8cb9..3fd9992 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
@@ -44,10 +44,11 @@ public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgor
         this.algo = algo;
     }
     @Override
-    public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
-        byte[] saltInput = getDecodedBytes(consumer, "p2s");
-        int pbesCount = consumer.getJweHeaders().getIntegerHeader("p2c");
-        String keyAlgoJwt = consumer.getJweHeaders().getAlgorithm();
+    public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+        JweHeaders jweHeaders = jweDecryptionInput.getJweHeaders();
+        byte[] saltInput = getDecodedBytes(jweHeaders.getHeader("p2s"));
+        int pbesCount = jweHeaders.getIntegerHeader("p2c");
+        String keyAlgoJwt = jweHeaders.getAlgorithm();
         int keySize = PbesHmacAesWrapKeyEncryptionAlgorithm.getKeySize(keyAlgoJwt);
         byte[] derivedKey = PbesHmacAesWrapKeyEncryptionAlgorithm
             .createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
@@ -56,12 +57,11 @@ public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgor
                 return Algorithm.isPbesHsWrap(wrapAlgo);
             }    
         };
-        return aesWrap.getDecryptedContentEncryptionKey(consumer);
+        return aesWrap.getDecryptedContentEncryptionKey(jweDecryptionInput);
     }    
-    private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) {
+    private byte[] getDecodedBytes(Object p2sHeader) {
         try {
-            Object headerValue = consumer.getJweHeaders().getHeader(headerName);
-            return Base64UrlUtility.decode(headerValue.toString());
+            return Base64UrlUtility.decode(p2sHeader.toString());
         } catch (Exception ex) {
             throw new SecurityException(ex);
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/f019b583/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
index 3775ef7..2980dcc 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
@@ -37,19 +37,19 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
         this.supportedAlgo = supportedAlgo;
         this.unwrap = unwrap;
     }
-    public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
-        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer));
-        AlgorithmParameterSpec spec = getAlgorithmParameterSpec(consumer); 
+    public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(jweDecryptionInput));
+        AlgorithmParameterSpec spec = getAlgorithmParameterSpec(jweDecryptionInput); 
         if (spec != null) {
             keyProps.setAlgoSpec(spec);
         }
         if (!unwrap) {
             keyProps.setBlockSize(getKeyCipherBlockSize());
-            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer), 
+            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(jweDecryptionInput), 
                                             getCekDecryptionKey(), keyProps);
         } else {
-            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer), 
-                                               getContentEncryptionAlgorithm(consumer), 
+            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(jweDecryptionInput), 
+                                               getContentEncryptionAlgorithm(jweDecryptionInput), 
                                                getCekDecryptionKey(), 
                                                keyProps).getEncoded();
         }
@@ -61,8 +61,8 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
     protected int getKeyCipherBlockSize() {
         return -1;
     }
-    protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) {
-        String keyAlgo = consumer.getJweHeaders().getKeyEncryptionAlgorithm();
+    protected String getKeyEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
+        String keyAlgo = jweDecryptionInput.getJweHeaders().getKeyEncryptionAlgorithm();
         validateKeyEncryptionAlgorithm(keyAlgo);
         return Algorithm.toJavaName(keyAlgo);
     }
@@ -71,14 +71,14 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
             throw new SecurityException();
         }
     }
-    protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
-        return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
+    protected String getContentEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
+        return Algorithm.toJavaName(jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm());
     }
-    protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) {
+    protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweDecryptionInput jweDecryptionInput) {
         return null;
     }
-    protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
-        return consumer.getEncryptedContentEncryptionKey();
+    protected byte[] getEncryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
+        return jweDecryptionInput.getEncryptedCEK();
     }
     @Override
     public String getAlgorithm() {


Mime
View raw message