From serg...@apache.org
Subject cxf git commit: Supporting Colm's refactoring related to EC JWS keys at JweUtils level too
Date Wed, 29 Apr 2015 09:54:54 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 184f5126d -> 0e01cb7bc


Supporting Colm's refactoring related to EC JWS keys at JweUtils level too


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0e01cb7b
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0e01cb7b
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0e01cb7b

Branch: refs/heads/3.0.x-fixes
Commit: 0e01cb7bc27a21e72c7029998717a36ee95f7024
Parents: 184f512
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Wed Apr 29 10:52:15 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Wed Apr 29 10:54:39 2015 +0100

----------------------------------------------------------------------
 .../jwe/EcdhAesWrapKeyEncryptionAlgorithm.java  |  6 ++++
 .../jose/jwe/EcdhDirectKeyJweEncryption.java    | 12 ++++++-
 .../cxf/rs/security/jose/jwe/JweUtils.java      | 36 +++++++++++---------
 3 files changed, 36 insertions(+), 18 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/0e01cb7b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java
index c61f102..524a135 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java
@@ -40,6 +40,12 @@ public class EcdhAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvider
     
     public EcdhAesWrapKeyEncryptionAlgorithm(ECPublicKey peerPublicKey,
                                              String curve,
+                                             KeyAlgorithm keyAlgo) {
+        
+        this(peerPublicKey, curve, null, null, keyAlgo);
+    }
+    public EcdhAesWrapKeyEncryptionAlgorithm(ECPublicKey peerPublicKey,
+                                             String curve,
                                              String apuString,
                                              String apvString,
                                              KeyAlgorithm keyAlgo) {
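Review bot: The new three-argument public constructor has no Javadoc, so a caller cannot tell that it deliberately sends no PartyUInfo/PartyVInfo, which is the only thing that distinguishes it from the five-argument form. I would add `/** ECDH-ES key wrap with no "apu"/"apv" agreement info; equivalent to the five-argument constructor with both set to null. */` above it. The delegation itself looks right; the remainder of the five-argument constructor is outside this hunk.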

http://git-wip-us.apache.org/repos/asf/cxf/blob/0e01cb7b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java
index fe01883..c1e3eef 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java
@@ -77,7 +77,9 @@ public class EcdhDirectKeyJweEncryption extends JweEncryption {
             this.ctAlgo = ctAlgo;
             this.peerPublicKey = peerPublicKey;
             this.ecurve = curve;
-            this.apuBytes = toBytes(apuString);
+            // JWA spec suggests the "apu" field MAY either be omitted or
+            // represent a random 512-bit value (...) and the "apv" field SHOULD NOT be present."
+            this.apuBytes = toApuBytes(apuString);
             this.apvBytes = toBytes(apvString);
         }
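Review bot: The comment added above `this.apuBytes = toApuBytes(apuString);` quotes spec text with an unbalanced closing quote and an elision, and it says "apv" SHOULD NOT be present while the very next line still passes `apvString` through `toBytes`, so a reader cannot tell whether keeping "apv" is intentional. I would make the comment state this code's own rule rather than a partial quote, e.g. `// ECDH-ES direct key agreement: if the caller supplies no "apu", a fresh random 512-bit value is used; "apv" is optional and passed through as given.` and cite the JWA section if the quote is kept. The enclosing constructor starts before this hunk.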
         public byte[] getDerivedKey(JweHeaders headers) {
@@ -94,6 +96,14 @@ public class EcdhDirectKeyJweEncryption extends JweEncryption {
                                        jwtAlgo.getJwaName(), jwtAlgo.getKeySizeBits());
             
         }
+        private byte[] toApuBytes(String apuString) {
+            if (apuString != null) {
+                return toBytes(apuString);
+            } else {
+                return CryptoUtils.generateSecureRandomBytes(512 / 8);    
+            }
+            
+        }
         private byte[] toBytes(String str) {
             return str == null ? null : StringUtils.toBytesUTF8(str);
         }
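Review bot: `toApuBytes` draws the random "apu" once, in the constructor, so every JWE produced by this instance reuses the same 512-bit value; if the provider is reused across encryptions, as a JweEncryptionProvider usually is, the salt-like freshness the new comment invokes is per instance, not per message. The random value is also only usable if the exact bytes are written into the JWE `apu` header so the recipient derives the same key; `getDerivedKey(JweHeaders headers)` is where that must happen, and its body runs partly outside this hunk, so please confirm it sets the header. I would keep `apuBytes` null when nothing was supplied and generate inside `getDerivedKey` per call, e.g. `byte[] apu = apuBytes != null ? apuBytes : CryptoUtils.generateSecureRandomBytes(APU_RANDOM_BYTES);` with `private static final int APU_RANDOM_BYTES = 512 / 8;` replacing the bare `512 / 8`.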

http://git-wip-us.apache.org/repos/asf/cxf/blob/0e01cb7b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 119fcb6..c4d4764 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -96,8 +96,8 @@ public final class JweUtils {
         JweEncryptionProvider jwe = getDirectKeyJweEncryption(key);
         return jwe.encrypt(content, toJweHeaders(ct));
     }
-    public static byte[] decrypt(RSAPrivateKey key, String keyAlgo, String contentAlgo, String
content) {
-        KeyDecryptionAlgorithm keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(key,
keyAlgo);
+    public static byte[] decrypt(PrivateKey key, String keyAlgo, String contentAlgo, String
content) {
+        KeyDecryptionAlgorithm keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm(key,
keyAlgo);
         return decrypt(keyDecryptionProvider, contentAlgo, content);
     }
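Review bot: Widening the public `decrypt(RSAPrivateKey, …)` to `decrypt(PrivateKey, …)` is source-compatible but changes the method descriptor, so code already compiled against 3.0.x fails with NoSuchMethodError at runtime; the same applies to the removal of `getRSAKeyDecryptionAlgorithm` and to `createJweDecryptionProvider(RSAPrivateKey, …)` later in this diff. Since this lands on the 3.0.x-fixes branch, I would keep the old overloads as thin delegates, e.g. `public static byte[] decrypt(RSAPrivateKey key, String keyAlgo, String contentAlgo, String content) { return decrypt((PrivateKey)key, keyAlgo, contentAlgo, content); }`, marked `@Deprecated` if they are meant to go away in 3.1. The explicit `(PrivateKey)` cast is needed so the delegate does not recurse into itself.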
     public static byte[] decrypt(SecretKey key, String keyAlgo, String contentAlgo, String
content) {
@@ -133,7 +133,9 @@ public final class JweUtils {
             keyEncryptionProvider = getSecretKeyEncryptionAlgorithm(JwkUtils.toSecretKey(jwk),

                                                                     keyEncryptionAlgo);
         } else {
-            // TODO: support elliptic curve keys
+            keyEncryptionProvider = new EcdhAesWrapKeyEncryptionAlgorithm(JwkUtils.toECPublicKey(jwk),
+                                        jwk.getStringProperty(JsonWebKey.EC_CURVE),
+                                        KeyAlgorithm.getAlgorithm(keyEncryptionAlgo));
         }
         return keyEncryptionProvider;
     }
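Review bot: The new `else` branch treats every JWK that is not RSA or octet as an EC key, so a JWK with an unexpected or missing `kty` reaches `JwkUtils.toECPublicKey(jwk)` and fails with whatever that helper throws rather than a clear "unsupported key type" error. I would test the EC key type explicitly, `} else if (JsonWebKey.KEY_TYPE_ELLIPTIC.equals(jwk.getKeyType())) {` (using whichever constant JsonWebKey defines for "EC"), and have a final `else` throw the exception this class already uses for unsupported algorithms with `jwk.getKeyType()` in the message. Note also that `jwk.getStringProperty(JsonWebKey.EC_CURVE)` is passed through unchecked, so a JWK without `crv` yields a null curve; whether EcdhAesWrapKeyEncryptionAlgorithm tolerates that is not visible here.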
@@ -156,18 +158,23 @@ public final class JweUtils {
         String keyEncryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm();
         KeyDecryptionAlgorithm keyDecryptionProvider = null;
         if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
-            keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk),

+            keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk),

                                                                  keyEncryptionAlgo);
         } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
             keyDecryptionProvider = getSecretKeyDecryptionAlgorithm(JwkUtils.toSecretKey(jwk),
                                             keyEncryptionAlgo);
         } else {
-            // TODO: support elliptic curve keys
+            keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm(JwkUtils.toECPrivateKey(jwk),

+                                                                     keyEncryptionAlgo);
         }
         return keyDecryptionProvider;
     }
-    public static KeyDecryptionAlgorithm getRSAKeyDecryptionAlgorithm(RSAPrivateKey key,
String algo) {
-        return new RSAKeyDecryptionAlgorithm(key, KeyAlgorithm.getAlgorithm(algo));
+    public static KeyDecryptionAlgorithm getPrivateKeyDecryptionAlgorithm(PrivateKey key,
String algo) {
+        if (key instanceof RSAPrivateKey) {
+            return new RSAKeyDecryptionAlgorithm((RSAPrivateKey)key, KeyAlgorithm.getAlgorithm(algo));
+        } else {
+            return new EcdhAesWrapKeyDecryptionAlgorithm((ECPrivateKey)key, KeyAlgorithm.getAlgorithm(algo));
+        }
     }
     public static KeyDecryptionAlgorithm getSecretKeyDecryptionAlgorithm(SecretKey key, String
algo) {
         if (AlgorithmUtils.isAesKeyWrap(algo)) {
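Review bot: `getPrivateKeyDecryptionAlgorithm` casts anything that is not an `RSAPrivateKey` to `ECPrivateKey`, so a DSA key or an HSM/PKCS#11-backed key that implements only `PrivateKey` now fails with a ClassCastException, where the code this commit removes logged a warning and returned null. I would make the second branch `} else if (key instanceof ECPrivateKey) {` and end the method with `throw new IllegalArgumentException("Unsupported private key type: " + key.getClass().getName());` (or this package's own exception type), so the failure names the problem. The `else` in `getKeyDecryptionAlgorithm` above has the same shape for JWKs and would benefit from the same explicit EC key-type check.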
@@ -327,12 +334,8 @@ public final class JweUtils {
             KeyManagementUtils.validateCertificateChain(props, chain);
             PrivateKey privateKey = 
                 KeyManagementUtils.loadPrivateKey(m, props, chain, JsonWebKey.KEY_OPER_DECRYPT);
-            if (!(privateKey instanceof RSAPrivateKey)) {
-                LOG.warning("Non-RSA private keys are not yet supported for encryption");
-                return null;
-            }
             contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm();
-            keyDecryptionProvider = getRSAKeyDecryptionAlgorithm((RSAPrivateKey)privateKey,

+            keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm(privateKey, 
                                                                  inHeaders.getKeyEncryptionAlgorithm());
         } else {
             if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE)))
{
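Review bot: With the non-RSA guard removed, the key loaded by `KeyManagementUtils.loadPrivateKey` is dispatched on its Java class while the key-management algorithm comes from `inHeaders.getKeyEncryptionAlgorithm()`, i.e. from the incoming, attacker-controlled JWE header; the two can now disagree, for example an EC private key paired with an RSA `alg` name. `EcdhAesWrapKeyDecryptionAlgorithm` is constructed outside this diff, so please confirm it rejects a KeyAlgorithm it does not implement rather than attempting the unwrap. A cheap guard here would be to check that `AlgorithmUtils` classifies the header algorithm as an ECDH one before building the EC provider, and otherwise fail as the old code did for unsupported keys. The enclosing method continues past this hunk.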
@@ -346,9 +349,8 @@ public final class JweUtils {
                     keyDecryptionProvider = getKeyDecryptionAlgorithm(jwk, keyEncryptionAlgo);
                 }
             } else {
-                keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(
-                    (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(
-                        m, props, JsonWebKey.KEY_OPER_DECRYPT), keyEncryptionAlgo);
+                keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm(
+                    KeyManagementUtils.loadPrivateKey(m, props, JsonWebKey.KEY_OPER_DECRYPT),
keyEncryptionAlgo);
             }
         }
         return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, contentEncryptionAlgo);
@@ -405,10 +407,10 @@ public final class JweUtils {
                                      getContentEncryptionAlgorithm(contentEncryptionAlgo));
         }
     }
-    public static JweDecryptionProvider createJweDecryptionProvider(RSAPrivateKey key,
+    public static JweDecryptionProvider createJweDecryptionProvider(PrivateKey key,
                                                                     String keyAlgo,
                                                                     String contentDecryptionAlgo)
{
-        return createJweDecryptionProvider(getRSAKeyDecryptionAlgorithm(key, keyAlgo), contentDecryptionAlgo);
+        return createJweDecryptionProvider(getPrivateKeyDecryptionAlgorithm(key, keyAlgo),
contentDecryptionAlgo);
     }
     public static JweDecryptionProvider createJweDecryptionProvider(SecretKey key,
                                                                     String keyAlgo,

