cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: [CXF-6133] Finalizing for now with replacing SecurityException with JweException in the jwe code, to be continued later on
Date Fri, 03 Apr 2015 13:40:45 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.0.x-fixes 546dd30e4 -> c92eff973


[CXF-6133] Finalizing for now with replacing SecurityException with JweException in the jwe code, to be continued later on


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c92eff97
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c92eff97
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c92eff97

Branch: refs/heads/3.0.x-fixes
Commit: c92eff973089880e5ff8c88524a7971edd428b37
Parents: 546dd30
Author: Sergey Beryozkin <sberyozkin@talend.com>
Authored: Fri Apr 3 14:39:09 2015 +0100
Committer: Sergey Beryozkin <sberyozkin@talend.com>
Committed: Fri Apr 3 14:40:28 2015 +0100

----------------------------------------------------------------------
 .../jose/jaxrs/JweWriterInterceptor.java        |  7 +++-
 .../security/jose/jaxrs/KeyManagementUtils.java | 36 ++++++++++++++------
 .../jwe/AbstractContentEncryptionAlgorithm.java |  3 +-
 ...stractContentEncryptionCipherProperties.java |  4 +++
 .../jose/jwe/AbstractJweDecryption.java         |  5 +++
 .../jose/jwe/AbstractJweEncryption.java         | 15 +++++---
 .../jwe/AbstractWrapKeyEncryptionAlgorithm.java | 16 +++++----
 .../jose/jwe/AesCbcHmacJweDecryption.java       |  6 ++--
 .../jose/jwe/AesCbcHmacJweEncryption.java       |  3 +-
 .../jwe/AesGcmContentDecryptionAlgorithm.java   |  3 +-
 .../jwe/AesGcmContentEncryptionAlgorithm.java   |  3 +-
 .../jwe/AesGcmWrapKeyDecryptionAlgorithm.java   | 11 ++++--
 .../jose/jwe/AesWrapKeyDecryptionAlgorithm.java |  6 ++--
 .../jose/jwe/DirectKeyDecryptionAlgorithm.java  |  6 +++-
 .../jose/jwe/DirectKeyEncryptionAlgorithm.java  | 11 +++---
 .../security/jose/jwe/JweCompactConsumer.java   | 15 +++++---
 .../security/jose/jwe/JweDecryptionOutput.java  |  4 ++-
 .../cxf/rs/security/jose/jwe/JweException.java  |  2 +-
 .../rs/security/jose/jwe/JweJsonConsumer.java   | 23 +++++++++----
 .../rs/security/jose/jwe/JweJsonProducer.java   | 19 +++++++----
 .../rs/security/jose/jwe/JweOutputStream.java   |  6 +++-
 .../cxf/rs/security/jose/jwe/JweUtils.java      | 18 +++++++---
 .../PbesHmacAesWrapKeyDecryptionAlgorithm.java  |  5 +--
 .../PbesHmacAesWrapKeyEncryptionAlgorithm.java  | 15 +++++---
 .../jose/jwe/RSAKeyDecryptionAlgorithm.java     |  4 +--
 .../jose/jwe/WrappedKeyDecryptionAlgorithm.java | 12 +++++--
 26 files changed, 184 insertions(+), 74 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
index 58cab8e..108a15f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
@@ -21,6 +21,7 @@ package org.apache.cxf.rs.security.jose.jaxrs;
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.OutputStream;
+import java.util.logging.Logger;
 import java.util.zip.DeflaterOutputStream;
 
 import javax.annotation.Priority;
@@ -29,6 +30,7 @@ import javax.ws.rs.core.MediaType;
 import javax.ws.rs.ext.WriterInterceptor;
 import javax.ws.rs.ext.WriterInterceptorContext;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.helpers.IOUtils;
 import org.apache.cxf.io.CachedOutputStream;
@@ -38,12 +40,14 @@ import org.apache.cxf.rs.security.jose.jwe.JweCompactProducer;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionInput;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionOutput;
 import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
+import org.apache.cxf.rs.security.jose.jwe.JweException;
 import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
 import org.apache.cxf.rs.security.jose.jwe.JweOutputStream;
 import org.apache.cxf.rs.security.jose.jwe.JweUtils;
 
 @Priority(Priorities.JWE_WRITE_PRIORITY)
 public class JweWriterInterceptor implements WriterInterceptor {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JweWriterInterceptor.class);
     private JweEncryptionProvider encryptionProvider;
     private boolean contentTypeRequired = true;
     private boolean useJweOutputStream;
@@ -79,7 +83,8 @@ public class JweWriterInterceptor implements WriterInterceptor {
                                                    encryption.getContentEncryptionKey(), 
                                                    encryption.getIv());
             } catch (IOException ex) {
-                throw new SecurityException(ex);
+                LOG.warning("JWE encryption error");
+                throw new JweException(JweException.Error.CONTENT_ENCRYPTION_FAILURE, ex);
             }
             OutputStream wrappedStream = null;
             JweOutputStream jweOutputStream = new JweOutputStream(actualOs, encryption.getCipher(), 

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
index cad54f8..5a1fe60 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
@@ -40,14 +40,17 @@ import java.util.Arrays;
 import java.util.Enumeration;
 import java.util.List;
 import java.util.Properties;
+import java.util.logging.Logger;
 
 import org.apache.cxf.Bus;
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.PropertyUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
 import org.apache.cxf.jaxrs.utils.ResourceUtils;
 import org.apache.cxf.message.Message;
 import org.apache.cxf.message.MessageUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
 import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.security.SecurityContext;
 
@@ -68,6 +71,7 @@ public final class KeyManagementUtils {
     public static final String RSSEC_DECRYPT_KEY_PSWD_PROVIDER = "rs.security.decryption.key.password.provider";
     public static final String RSSEC_DEFAULT_ALGORITHMS = "rs.security.default.algorithms";
     public static final String RSSEC_REPORT_KEY_PROP = "rs.security.report.public.key";
+    private static final Logger LOG = LogUtils.getL7dLogger(KeyManagementUtils.class);
     
     private KeyManagementUtils() {
     }
@@ -89,7 +93,8 @@ public final class KeyManagementUtils {
                 return new X509Certificate[]{(X509Certificate)CryptoUtils.loadCertificate(keyStore, alias)};
             }
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("X509 Certificates can not be created");
+            throw new JoseException(ex);
         }    
     }
     
@@ -107,7 +112,8 @@ public final class KeyManagementUtils {
             Properties props = ResourceUtils.loadProperties(keyStoreLoc, bus);
             return KeyManagementUtils.loadPublicKey(m, props);
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("Public key can not be loaded");
+            throw new JoseException(ex);
         }
     }
     private static String getMessageProperty(Message m, String keyStoreLocPropPreferred, 
@@ -115,7 +121,8 @@ public final class KeyManagementUtils {
         String propLoc = 
             (String)MessageUtils.getContextualProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
         if (propLoc == null) {
-            throw new SecurityException();
+            LOG.warning("Properties resource is not identified");
+            throw new JoseException();
         }
         return propLoc;
     }
@@ -219,7 +226,8 @@ public final class KeyManagementUtils {
             InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
             return CryptoUtils.loadKeyStore(is, keyStorePswd.toCharArray(), keyStoreType);
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("Key store can not be loaded");
+            throw new JoseException(ex);
         }
     }
     public static List<String> encodeX509CertificateChain(X509Certificate[] chain) {
@@ -231,7 +239,8 @@ public final class KeyManagementUtils {
             try {
                 encodedChain.add(CryptoUtils.encodeCertificate(cert));
             } catch (Exception ex) {
-                throw new SecurityException(ex);
+                LOG.warning("X509 Certificate can not be encoded");
+                throw new JoseException(ex);
             }    
         }
         return encodedChain;
@@ -243,7 +252,8 @@ public final class KeyManagementUtils {
                 try {
                     certs.add((X509Certificate)CryptoUtils.decodeCertificate(encodedCert));
                 } catch (Exception ex) {
-                    throw new SecurityException(ex);
+                    LOG.warning("X509 Certificate can not be decoded");
+                    throw new JoseException(ex);
                 }
             }
             return certs;
@@ -269,7 +279,8 @@ public final class KeyManagementUtils {
             CertPath certPath = buildResult.getCertPath();
             CertPathValidator.getInstance("PKIX").validate(certPath, pbParams);
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("Certificate path validation error");
+            throw new JoseException(ex);
         }
     }
     public static X509Certificate[] toX509CertificateChainArray(List<String> base64EncodedChain) {
@@ -288,7 +299,7 @@ public final class KeyManagementUtils {
                                                  String storeProp1, String storeProp2) {
         if (m == null) {
             if (required) {
-                throw new SecurityException();
+                throw new JoseException();
             }
             return null;
         }
@@ -299,7 +310,8 @@ public final class KeyManagementUtils {
             try {
                 props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
             } catch (Exception ex) {
-                throw new SecurityException(ex);
+                LOG.warning("Properties resource is not identified");
+                throw new JoseException(ex);
             }
         } else {
             String keyFile = (String)m.getContextualProperty(RSSEC_KEY_STORE_FILE);
@@ -314,7 +326,8 @@ public final class KeyManagementUtils {
             }
         }
         if (props == null && required) { 
-            throw new SecurityException();
+            LOG.warning("Properties resource is not identified");
+            throw new JoseException();
         }
         return props; 
     }
@@ -337,7 +350,8 @@ public final class KeyManagementUtils {
             return loadPrivateKey(ks, m, props, keyOper, alias);
             
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("Private key can not be loaded");
+            throw new JoseException(ex);
         }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
index 7627b94..bf7a68c 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
@@ -48,7 +48,8 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
         if (iv == null) {
             return CryptoUtils.generateSecureRandomBytes(getIvSize() / 8);
         } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) {
-            throw new SecurityException();
+            LOG.warning("Custom IV is recommeded to be used once");
+            throw new JweException(JweException.Error.CUSTOM_IV_REUSED);
         } else {
             return iv;
         }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
index f7eb38c..4f9eecd 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java
@@ -19,12 +19,16 @@
 package org.apache.cxf.rs.security.jose.jwe;
 
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 
 
 public abstract class AbstractContentEncryptionCipherProperties implements ContentEncryptionCipherProperties {
+    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractContentEncryptionCipherProperties.class);
+    
     private static final int DEFAULT_AUTH_TAG_LENGTH = 128;
     private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
     private ContentAlgorithm algo;

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
index d49359c..88cde87 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java
@@ -20,15 +20,20 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.security.Key;
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.common.util.crypto.KeyProperties;
 import org.apache.cxf.rs.security.jose.JoseConstants;
 import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
+import org.apache.cxf.rs.security.jose.jws.JwsUtils;
 
 public abstract class AbstractJweDecryption implements JweDecryptionProvider {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JwsUtils.class);
+    
     private KeyDecryptionAlgorithm keyDecryptionAlgo;
     private ContentDecryptionAlgorithm contentDecryptionAlgo;
     protected AbstractJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index 613dd2c..171ecc6 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -20,10 +20,12 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Arrays;
+import java.util.logging.Logger;
 
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.common.util.crypto.KeyProperties;
 import org.apache.cxf.rs.security.jose.JoseConstants;
@@ -33,6 +35,7 @@ import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public abstract class AbstractJweEncryption implements JweEncryptionProvider {
+    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJweEncryption.class);
     protected static final int DEFAULT_AUTH_TAG_LENGTH = 128;
     private ContentEncryptionProvider contentEncryptionAlgo;
     private KeyEncryptionProvider keyEncryptionAlgo;
@@ -165,10 +168,14 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
         if (jweInHeaders != null) {
             if (jweInHeaders.getKeyEncryptionAlgorithm() != null 
                 && (getKeyAlgorithm() == null 
-                    || !getKeyAlgorithm().getJwaName().equals(jweInHeaders.getKeyEncryptionAlgorithm()))
-                || jweInHeaders.getContentEncryptionAlgorithm() != null 
-                    && !getContentEncryptionAlgoJwt().equals(jweInHeaders.getContentEncryptionAlgorithm())) {
-                throw new SecurityException();
+                    || !getKeyAlgorithm().getJwaName().equals(jweInHeaders.getKeyEncryptionAlgorithm()))) {
+                LOG.warning("Invalid key encryption algorithm");
+                throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
+            }
+            if (jweInHeaders.getContentEncryptionAlgorithm() != null 
+                && !getContentEncryptionAlgoJwt().equals(jweInHeaders.getContentEncryptionAlgorithm())) {
+                LOG.warning("Invalid content encryption algorithm");
+                throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
             }
             theHeaders.asMap().putAll(jweInHeaders.asMap());
             protectedHeaders = jweInHeaders.getProtectedHeaders() != null 

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
index 3797b64..642fcf6 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractWrapKeyEncryptionAlgorithm.java
@@ -21,13 +21,16 @@ package org.apache.cxf.rs.security.jose.jwe;
 import java.security.Key;
 import java.security.spec.AlgorithmParameterSpec;
 import java.util.Set;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.common.util.crypto.KeyProperties;
 import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public abstract class AbstractWrapKeyEncryptionAlgorithm implements KeyEncryptionProvider {
+    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractWrapKeyEncryptionAlgorithm.class);
     private Key keyEncryptionKey;
     private boolean wrap;
     private KeyAlgorithm algorithm;
@@ -80,21 +83,22 @@ public abstract class AbstractWrapKeyEncryptionAlgorithm implements KeyEncryptio
     }
     protected String checkAlgorithm(String algo) {
         if (algo != null && !supportedAlgorithms.contains(algo)) {
-            throw new SecurityException();
+            LOG.warning("Invalid key encryption algorithm: " + algo);
+            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
         }
         return algo;
     }
     protected void checkAlgorithms(JweHeaders headers) {
         String providedAlgo = headers.getKeyEncryptionAlgorithm();
-        if ((providedAlgo == null && algorithm == null)
-            || (providedAlgo != null && algorithm != null && !providedAlgo.equals(algorithm.getJwaName()))) {
-            throw new SecurityException();
+        if (providedAlgo != null && !providedAlgo.equals(algorithm.getJwaName())) {
+            LOG.warning("Invalid key encryption algorithm: " + providedAlgo);
+            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
         }
         if (providedAlgo != null) {
             checkAlgorithm(providedAlgo);
-        } else if (algorithm != null) {
-            headers.setKeyEncryptionAlgorithm(algorithm.getJwaName());
+        } else {
             checkAlgorithm(algorithm.getJwaName());
+            headers.setKeyEncryptionAlgorithm(algorithm.getJwaName());
         }
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
index b39b787..c89ffd1 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
@@ -57,7 +57,8 @@ public class AesCbcHmacJweDecryption extends JweDecryption {
         macState.mac.update(jweDecryptionInput.getEncryptedContent());
         byte[] expectedAuthTag = AesCbcHmacJweEncryption.signAndGetTag(macState);
         if (!Arrays.equals(actualAuthTag, expectedAuthTag)) {
-            throw new SecurityException();
+            LOG.warning("Invalid authentication tag");
+            throw new JweException(JweException.Error.CONTENT_DECRYPTION_FAILURE);
         }
         
     }
@@ -82,7 +83,8 @@ public class AesCbcHmacJweDecryption extends JweDecryption {
     private String validateCekAlgorithm(String cekAlgo) {
         if (!AlgorithmUtils.isAesCbcHmac(cekAlgo) 
             || supportedAlgo != null && !supportedAlgo.equals(cekAlgo)) {
-            throw new SecurityException();
+            LOG.warning("Invalid content encryption algorithm");
+            throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
         }
         return cekAlgo;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index d3de1c7..8ac33e4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -167,7 +167,8 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
     
     private static ContentAlgorithm validateCekAlgorithm(ContentAlgorithm cekAlgo) {
         if (!AlgorithmUtils.isAesCbcHmac(cekAlgo.getJwaName())) {
-            throw new SecurityException();
+            LOG.warning("Invalid content encryption algorithm");
+            throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
         }
         return cekAlgo;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
index f1a75ea..c588c5e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java
@@ -33,7 +33,8 @@ public class AesGcmContentDecryptionAlgorithm extends AbstractContentEncryptionC
     public byte[] getEncryptedSequence(JweHeaders headers, byte[] cipher, byte[] authTag) {
         String algo = headers.getContentEncryptionAlgorithm();
         if (!AlgorithmUtils.isAesGcm(algo) || !getAlgorithm().getJwaName().equals(algo)) {
-            throw new SecurityException();
+            LOG.warning("Invalid content encryption algorithm");
+            throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
         }
         return JweCompactConsumer.getCipherWithAuthTag(cipher, authTag);
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
index f5788d9..0b4dd1e 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
@@ -46,6 +46,7 @@ public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionA
         if (AlgorithmUtils.isAesGcm(algo.getJwaName())) {       
             return algo;
         }
-        throw new SecurityException();
+        LOG.warning("Invalid content encryption algorithm");
+        throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
     }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
index 8d8ec23..f0529f2 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
@@ -19,15 +19,19 @@
 package org.apache.cxf.rs.security.jose.jwe;
 
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
 
 import javax.crypto.SecretKey;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
+import org.apache.cxf.rs.security.jose.JoseException;
 import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
+    protected static final Logger LOG = LogUtils.getL7dLogger(AesGcmWrapKeyDecryptionAlgorithm.class);
     public AesGcmWrapKeyDecryptionAlgorithm(String encodedKey) {    
         this(encodedKey, null);
     }
@@ -35,7 +39,7 @@ public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgori
         this(CryptoUtils.decodeSequence(encodedKey), supportedAlgo);
     }
     public AesGcmWrapKeyDecryptionAlgorithm(byte[] secretKey) {    
-        this(secretKey, null);
+        this(secretKey, KeyAlgorithm.A128GCMKW);
     }
     public AesGcmWrapKeyDecryptionAlgorithm(byte[] secretKey, KeyAlgorithm supportedAlgo) {    
         this(CryptoUtils.createSecretKeySpec(secretKey, AlgorithmUtils.AES), supportedAlgo);
@@ -61,13 +65,14 @@ public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgori
             Object ivHeader = jweDecryptionInput.getJweHeaders().getHeader(headerName);
             return Base64UrlUtility.decode(ivHeader.toString());
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            throw new JoseException(ex);
         }
     }
     protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
         super.validateKeyEncryptionAlgorithm(keyAlgo);
         if (!AlgorithmUtils.isAesGcmKeyWrap(keyAlgo)) {
-            throw new SecurityException();
+            LOG.warning("Invalid key encryption algorithm");
+            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
         }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
index 7cfe880..2ef461f 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
@@ -26,13 +26,13 @@ import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public class AesWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     public AesWrapKeyDecryptionAlgorithm(String encodedKey) {    
-        this(encodedKey, null);
+        this(encodedKey, KeyAlgorithm.A128KW);
     }
     public AesWrapKeyDecryptionAlgorithm(String encodedKey, KeyAlgorithm supportedAlgo) {    
         this(CryptoUtils.decodeSequence(encodedKey), supportedAlgo);
     }
     public AesWrapKeyDecryptionAlgorithm(byte[] secretKey) {    
-        this(secretKey, null);
+        this(secretKey, KeyAlgorithm.A128KW);
     }
     public AesWrapKeyDecryptionAlgorithm(byte[] secretKey, KeyAlgorithm supportedAlgo) {    
         this(CryptoUtils.createSecretKeySpec(secretKey, AlgorithmUtils.AES_WRAP_ALGO_JAVA), 
@@ -48,7 +48,7 @@ public class AesWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm
     protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
         super.validateKeyEncryptionAlgorithm(keyAlgo);
         if (!isValidAlgorithmFamily(keyAlgo)) {
-            throw new SecurityException();
+            reportInvalidKeyAlgorithm(keyAlgo);
         }
     }
     

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
index 0d08f2d..6bf953d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
@@ -19,10 +19,13 @@
 package org.apache.cxf.rs.security.jose.jwe;
 
 import java.security.Key;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public class DirectKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
+    private static final Logger LOG = LogUtils.getL7dLogger(DirectKeyDecryptionAlgorithm.class);
     private byte[] contentDecryptionKey;
     public DirectKeyDecryptionAlgorithm(Key contentDecryptionKey) {    
         this(contentDecryptionKey.getEncoded());
@@ -42,7 +45,8 @@ public class DirectKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
     protected void validateKeyEncryptionKey(JweDecryptionInput jweDecryptionInput) {
         byte[] encryptedCEK = jweDecryptionInput.getEncryptedCEK();
         if (encryptedCEK != null && encryptedCEK.length > 0) {
-            throw new SecurityException();
+            LOG.warning("Unexpected content encryption key");
+            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
         }
     }
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java
index e878beb..2f038a9 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java
@@ -18,18 +18,21 @@
  */
 package org.apache.cxf.rs.security.jose.jwe;
 
+import java.util.logging.Logger;
+
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public class DirectKeyEncryptionAlgorithm implements KeyEncryptionProvider {
+    private static final Logger LOG = LogUtils.getL7dLogger(DirectKeyEncryptionAlgorithm.class);
     public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] theCek) {
-        if (headers.getKeyEncryptionAlgorithm() != null) {
-            throw new SecurityException();
-        }
+        checkKeyEncryptionAlgorithm(headers);
         return new byte[0];
     }
     protected void checkKeyEncryptionAlgorithm(JweHeaders headers) {
         if (headers.getKeyEncryptionAlgorithm() != null) {
-            throw new SecurityException();
+            LOG.warning("Key encryption algorithm header is set");
+            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
         }
     }
     @Override

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
index 229ab78..4fb17b4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
@@ -20,14 +20,18 @@
 package org.apache.cxf.rs.security.jose.jwe;
 
 import java.io.UnsupportedEncodingException;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64Exception;
 import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.rs.security.jose.JoseException;
 import org.apache.cxf.rs.security.jose.JoseHeaders;
 import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
 
 
 public class JweCompactConsumer {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JweCompactConsumer.class);
     private JweDecryptionInput jweDecryptionInput;
     public JweCompactConsumer(String jweContent) {
         if (jweContent.startsWith("\"") && jweContent.endsWith("\"")) {
@@ -35,7 +39,8 @@ public class JweCompactConsumer {
         }
         String[] parts = jweContent.split("\\.");
         if (parts.length != 5) {
-            throw new SecurityException("5 JWE parts are expected");
+            LOG.warning("5 JWE parts are expected");
+            throw new JweException(JweException.Error.INVALID_COMPACT_JWE);
         }
         try {
             String headersJson = new String(Base64UrlUtility.decode(parts[0]));
@@ -46,7 +51,8 @@ public class JweCompactConsumer {
             JoseHeadersReaderWriter reader = new JoseHeadersReaderWriter();
             JoseHeaders joseHeaders = reader.fromJsonHeaders(headersJson);
             if (joseHeaders.getUpdateCount() != null) { 
-                throw new SecurityException("Duplicate headers have been detected");
+                LOG.warning("Duplicate headers have been detected");
+                throw new JweException(JweException.Error.INVALID_COMPACT_JWE);
             }
             JweHeaders jweHeaders = new JweHeaders(joseHeaders);
             jweDecryptionInput = new JweDecryptionInput(encryptedCEK,
@@ -58,7 +64,8 @@ public class JweCompactConsumer {
                                                         jweHeaders);
             
         } catch (Base64Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("Incorrect Base64 URL encoding");
+            throw new JweException(JweException.Error.INVALID_COMPACT_JWE);
         }
     }
     
@@ -111,7 +118,7 @@ public class JweCompactConsumer {
         try {
             return new String(getDecryptedContent(decryption), "UTF-8");
         } catch (UnsupportedEncodingException ex) {
-            throw new SecurityException(ex);
+            throw new JoseException(ex);
         }
     }
     public boolean validateCriticalHeaders() {

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
index f3cf255..7e2b290 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
@@ -20,6 +20,8 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.io.UnsupportedEncodingException;
 
+import org.apache.cxf.rs.security.jose.JoseException;
+
 public class JweDecryptionOutput {
     private JweHeaders headers;
     private byte[] content;
@@ -37,7 +39,7 @@ public class JweDecryptionOutput {
         try {
             return new String(getContent(), "UTF-8");
         } catch (UnsupportedEncodingException ex) {
-            throw new SecurityException(ex);
+            throw new JoseException(ex);
         }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
index fdfd4ca..5b3dae5 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweException.java
@@ -39,7 +39,7 @@ public class JweException extends JoseException {
         NO_DECRYPTOR,
         NO_INIT_PROPERTIES,
         KEY_ALGORITHM_NOT_SET,
-        CONTENT_ALGORITHM_NOT_SET,
+        CUSTOM_IV_REUSED,
         INVALID_KEY_ALGORITHM,
         INVALID_CONTENT_ALGORITHM,
         INVALID_CONTENT_KEY,

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
index 24ab37a..b13d367 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java
@@ -24,12 +24,16 @@ import java.util.LinkedHashMap;
 import java.util.LinkedList;
 import java.util.List;
 import java.util.Map;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.helpers.CastUtils;
 import org.apache.cxf.jaxrs.provider.json.JsonMapObjectReaderWriter;
+import org.apache.cxf.rs.security.jose.JoseException;
 import org.apache.cxf.rs.security.jose.JoseUtils;
 
 public class JweJsonConsumer {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JweJsonConsumer.class);
     private String protectedHeaderJson;
     private JweHeaders protectedHeaderJwe;
     private JweHeaders sharedUnprotectedHeader;
@@ -58,12 +62,14 @@ public class JweJsonConsumer {
     }
     
     private JweDecryptionInput getJweDecryptionInput(JweDecryptionProvider jwe, JweJsonEncryptionEntry entry) {
-        if (jwe == null || entry == null) {
-            throw new SecurityException();
+        if (entry == null) {
+            LOG.warning("JWE JSON Entry is not available");
+            throw new JweException(JweException.Error.INVALID_JSON_JWE);
         }
         JweHeaders unionHeaders = recipientsMap.get(entry);
         if (unionHeaders == null) {
-            throw new SecurityException();
+            LOG.warning("JWE JSON Entry union headers are not available");
+            throw new JweException(JweException.Error.INVALID_JSON_JWE);
         }
         JweDecryptionInput input = new JweDecryptionInput(entry.getEncryptedKey(),
                                                           iv,
@@ -99,7 +105,8 @@ public class JweJsonConsumer {
         List<Map<String, Object>> encryptionArray = CastUtils.cast((List<?>)jsonObjectMap.get("recipients"));
         if (encryptionArray != null) {
             if (jsonObjectMap.containsKey("encryption_key")) {
-                throw new SecurityException("Invalid JWE JSON sequence");
+                LOG.warning("JWE JSON encryption_key is missing");
+                throw new JweException(JweException.Error.INVALID_JSON_JWE);
             }
             for (Map<String, Object> encryptionEntry : encryptionArray) {
                 this.recipients.add(getEncryptionObject(encryptionEntry));
@@ -126,14 +133,16 @@ public class JweJsonConsumer {
         if (sharedUnprotectedHeader != null) {
             if (!Collections.disjoint(unionHeaders.asMap().keySet(), 
                                       sharedUnprotectedHeader.asMap().keySet())) {
-                throw new SecurityException("Protected and unprotected headers have duplicate values");
+                LOG.warning("Protected and unprotected headers have duplicate values");
+                throw new JweException(JweException.Error.INVALID_JSON_JWE);
             }
             unionHeaders.asMap().putAll(sharedUnprotectedHeader.asMap());
         }
         if (recipientUnprotected != null) {
             if (!Collections.disjoint(unionHeaders.asMap().keySet(), 
                                       recipientUnprotected.asMap().keySet())) {
-                throw new SecurityException("Protected and unprotected headers have duplicate values");
+                LOG.warning("Union and recipient unprotected headers have duplicate values");
+                throw new JweException(JweException.Error.INVALID_JSON_JWE);
             }
             unionHeaders.asMap().putAll(recipientUnprotected.asMap());
         }
@@ -168,7 +177,7 @@ public class JweJsonConsumer {
         try {
             return new String(aad, "UTF-8");
         } catch (UnsupportedEncodingException ex) {
-            throw new SecurityException(ex);
+            throw new JoseException(ex);
         }
     }
     public List<JweJsonEncryptionEntry> getRecipients() {

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
index b722d08..4fbf737 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java
@@ -25,12 +25,15 @@ import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.rs.security.jose.JoseConstants;
 import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
 
 public class JweJsonProducer {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JweJsonProducer.class);
     private JoseHeadersReaderWriter writer = new JoseHeadersReaderWriter();
     private JweHeaders protectedHeader;
     private JweHeaders unprotectedHeader;
@@ -81,7 +84,8 @@ public class JweJsonProducer {
         if (unprotectedHeader != null) {
             if (!Collections.disjoint(unionHeaders.asMap().keySet(), 
                                      unprotectedHeader.asMap().keySet())) {
-                throw new SecurityException("Protected and unprotected headers have duplicate values");
+                LOG.warning("Protected and unprotected headers have duplicate values");
+                throw new JweException(JweException.Error.INVALID_JSON_JWE);
             }
             checkCriticalHeaders(unprotectedHeader);
             unionHeaders.asMap().putAll(unprotectedHeader.asMap());
@@ -101,7 +105,8 @@ public class JweJsonProducer {
                 checkCriticalHeaders(perRecipientUnprotected);
                 if (!Collections.disjoint(unionHeaders.asMap().keySet(), 
                                           perRecipientUnprotected.asMap().keySet())) {
-                    throw new SecurityException("Protected and unprotected headers have duplicate values");
+                    LOG.warning("union and recipient unprotected headers have duplicate values");
+                    throw new JweException(JweException.Error.INVALID_JSON_JWE);
                 }
                 jsonHeaders = new JweHeaders(unionHeaders.asMap());
                 jsonHeaders.asMap().putAll(perRecipientUnprotected.asMap());
@@ -130,8 +135,8 @@ public class JweJsonProducer {
             
             byte[] encryptedCek = state.getContentEncryptionKey(); 
             if (encryptedCek.length == 0 && encryptor.getKeyAlgorithm() != null) {
-                // can be null only if it is the direct key encryption
-                throw new SecurityException();
+                LOG.warning("Unexpected key encryption algorithm");
+                throw new JweException(JweException.Error.INVALID_JSON_JWE);
             }
             String encodedCek = encryptedCek.length == 0 ? null : Base64UrlUtility.encode(encryptedCek);    
             entries.add(new JweJsonEncryptionEntry(perRecipientUnprotected, encodedCek));
@@ -173,13 +178,15 @@ public class JweJsonProducer {
             set.add(encryptor.getContentAlgorithm().getJwaName());
         }
         if (set.size() != 1) {
-            throw new SecurityException("Invalid content encryption algorithm");
+            LOG.warning("Invalid content encryption algorithm");
+            throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
         }
         return set.iterator().next();
     }
     private static void checkCriticalHeaders(JweHeaders unprotected) {
         if (unprotected.asMap().containsKey(JoseConstants.HEADER_CRITICAL)) {
-            throw new SecurityException();
+            LOG.warning("Unprotected headers contain critical headers");
+            throw new JweException(JweException.Error.INVALID_JSON_JWE);
         }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
index e8faa37..1a0447d 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
@@ -22,12 +22,15 @@ import java.io.FilterOutputStream;
 import java.io.IOException;
 import java.io.OutputStream;
 import java.nio.ByteBuffer;
+import java.util.logging.Logger;
 
 import javax.crypto.Cipher;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 
 public class JweOutputStream extends FilterOutputStream {
+    protected static final Logger LOG = LogUtils.getL7dLogger(JweOutputStream.class);
     private Cipher encryptingCipher;
     private int blockSize;
     private AuthenticationTagProducer authTagProducer;
@@ -126,7 +129,8 @@ public class JweOutputStream extends FilterOutputStream {
                 encodeAndWrite(authTag, 0, authTagLengthBits / 8, true);
             }
         } catch (Exception ex) {
-            throw new SecurityException();
+            LOG.warning("Content encryption failure");
+            throw new JweException(JweException.Error.CONTENT_ENCRYPTION_FAILURE, ex);
         }
         flushed = true;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 95aa785..2980137 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -28,10 +28,12 @@ import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Properties;
+import java.util.logging.Logger;
 
 import javax.crypto.KeyAgreement;
 import javax.crypto.SecretKey;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.common.util.crypto.MessageDigestUtils;
 import org.apache.cxf.jaxrs.utils.JAXRSUtils;
@@ -48,6 +50,7 @@ import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
 import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
 
 public final class JweUtils {
+    private static final Logger LOG = LogUtils.getL7dLogger(JweUtils.class);
     private static final String JSON_WEB_ENCRYPTION_CEK_ALGO_PROP = "rs.security.jwe.content.encryption.algorithm";
     private static final String JSON_WEB_ENCRYPTION_KEY_ALGO_PROP = "rs.security.jwe.key.encryption.algorithm";
     private static final String JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP = "rs.security.jwe.zip.algorithm";
@@ -462,7 +465,8 @@ public final class JweUtils {
         final byte[] emptyPartyInfo = new byte[4];
        
         if (apuBytes != null && apvBytes != null && Arrays.equals(apuBytes, apvBytes)) {
-            throw new SecurityException();
+            LOG.warning("Derived key calculation problem: apu equals to apv");
+            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
         }
         byte[] algorithmId = concatenateDatalenAndData(StringUtils.toBytesASCII(algoName));
         byte[] partyUInfo = apuBytes == null ? emptyPartyInfo : concatenateDatalenAndData(apuBytes);
@@ -488,7 +492,8 @@ public final class JweUtils {
             byte[] round1Hash = MessageDigestUtils.createDigest(concatKDF, MessageDigestUtils.ALGO_SHA_256);
             return Arrays.copyOf(round1Hash, algoKeyBitLen / 8);
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("Derived key calculation problem: round hash1 error");
+            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
         }
     }
     private static byte[] generateKeyZ(ECPrivateKey privateKey, ECPublicKey publicKey) {
@@ -498,7 +503,8 @@ public final class JweUtils {
             ka.doPhase(publicKey, true);
             return ka.generateSecret();
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            LOG.warning("Derived key calculation problem");
+            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
         }
     }
     private static byte[] concatenateDatalenAndData(byte[] bytesASCII) {
@@ -530,7 +536,8 @@ public final class JweUtils {
                                                                      String contentEncryptionAlgo,
                                                                      String compression) {
         if (keyEncryptionProvider == null && ctEncryptionProvider == null) {
-            throw new SecurityException();
+            LOG.warning("Key or content encryptor is not available");
+            throw new JweException(JweException.Error.NO_ENCRYPTOR);
         }
         JweHeaders headers = 
             prepareJweHeaders(keyEncryptionProvider != null ? keyEncryptionProvider.getAlgorithm().getJwaName() : null,
@@ -545,7 +552,8 @@ public final class JweUtils {
                                                                     SecretKey ctDecryptionKey,
                                                                     String contentDecryptionAlgo) {
         if (keyDecryptionProvider == null && ctDecryptionKey == null) {
-            throw new SecurityException();
+            LOG.warning("Key or content encryptor is not available");
+            throw new JweException(JweException.Error.NO_ENCRYPTOR);
         }
         if (keyDecryptionProvider != null) {
             return createJweDecryptionProvider(keyDecryptionProvider, contentDecryptionAlgo);

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
index 020d9b01..80fd2db 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.jose.jwe;
 
 import org.apache.cxf.common.util.Base64UrlUtility;
+import org.apache.cxf.rs.security.jose.JoseException;
 import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
@@ -54,7 +55,7 @@ public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgor
         int keySize = PbesHmacAesWrapKeyEncryptionAlgorithm.getKeySize(keyAlgoJwt);
         byte[] derivedKey = PbesHmacAesWrapKeyEncryptionAlgorithm
             .createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
-        KeyDecryptionAlgorithm aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey) {
+        KeyDecryptionAlgorithm aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey, algo) {
             protected boolean isValidAlgorithmFamily(String wrapAlgo) {
                 return AlgorithmUtils.isPbesHsWrap(wrapAlgo);
             }    
@@ -65,7 +66,7 @@ public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgor
         try {
             return Base64UrlUtility.decode(p2sHeader.toString());
         } catch (Exception ex) {
-            throw new SecurityException(ex);
+            throw new JoseException(ex);
         }
     }
     @Override

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
index 6e678c7..d2d4ff4 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
@@ -23,7 +23,9 @@ import java.nio.CharBuffer;
 import java.nio.charset.Charset;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.Base64UrlUtility;
 import org.apache.cxf.common.util.StringUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
@@ -38,6 +40,7 @@ import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
 import org.bouncycastle.crypto.params.KeyParameter;
 
 public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvider {
+    protected static final Logger LOG = LogUtils.getL7dLogger(PbesHmacAesWrapKeyEncryptionAlgorithm.class);
     private static final Map<String, Integer> PBES_HMAC_MAP;
     private static final Map<String, String> PBES_AES_MAP;
     private static final Map<String, Integer> DERIVED_KEY_SIZE_MAP;
@@ -92,13 +95,15 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvi
     static byte[] validatePassword(byte[] p, String keyAlgoJwt, boolean hashLargePasswords) {
         int minLen = DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
         if (p.length < minLen || p.length > 128) {
-            throw new SecurityException();
+            LOG.warning("Invalid password length: " + p.length);
+            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
         }
         if (p.length > minLen && hashLargePasswords) {
             try {
                 return MessageDigestUtils.createDigest(p, MessageDigestUtils.ALGO_SHA_256);
             } catch (Exception ex) {
-                throw new SecurityException(ex);
+                LOG.warning("Password hash calculation error");
+                throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE, ex);
             }
         } else {
             return p;
@@ -157,13 +162,15 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvi
     }
     static KeyAlgorithm validateKeyAlgorithm(KeyAlgorithm algo) {
         if (!AlgorithmUtils.isPbesHsWrap(algo.getJwaName())) {
-            throw new SecurityException();
+            LOG.warning("Invalid key encryption algorithm");
+            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
         }
         return algo;
     }
     static int validatePbesCount(int count) {
         if (count < 1000) {
-            throw new SecurityException();
+            LOG.warning("Iteration count is too low");
+            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
         }
         return count;
     }    

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
index b1809c8..d29b442 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
@@ -25,7 +25,7 @@ import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public class RSAKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {    
-        this(privateKey, null);
+        this(privateKey, KeyAlgorithm.RSA_OAEP);
     }
     public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey, KeyAlgorithm supportedAlgo) {    
         this(privateKey, supportedAlgo, true);
@@ -40,7 +40,7 @@ public class RSAKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
     protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
         super.validateKeyEncryptionAlgorithm(keyAlgo);
         if (!AlgorithmUtils.isRsaKeyWrap(keyAlgo)) {
-            throw new SecurityException();
+            reportInvalidKeyAlgorithm(keyAlgo);
         }
     }
 }

http://git-wip-us.apache.org/repos/asf/cxf/blob/c92eff97/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
index 4e5f74e..6414461 100644
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
@@ -20,13 +20,16 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.security.Key;
 import java.security.spec.AlgorithmParameterSpec;
+import java.util.logging.Logger;
 
+import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.common.util.crypto.CryptoUtils;
 import org.apache.cxf.common.util.crypto.KeyProperties;
 import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 
 public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
+    protected static final Logger LOG = LogUtils.getL7dLogger(WrappedKeyDecryptionAlgorithm.class);
     private Key cekDecryptionKey;
     private boolean unwrap;
     private KeyAlgorithm supportedAlgo;
@@ -68,10 +71,15 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
         return AlgorithmUtils.toJavaName(keyAlgo);
     }
     protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
-        if (keyAlgo == null || supportedAlgo != null && !supportedAlgo.getJwaName().equals(keyAlgo)) {
-            throw new SecurityException();
+        if (keyAlgo == null 
+            || !supportedAlgo.getJwaName().equals(keyAlgo)) {
+            reportInvalidKeyAlgorithm(keyAlgo);
         }
     }
+    protected void reportInvalidKeyAlgorithm(String keyAlgo) {
+        LOG.warning("Invalid key encryption algorithm: " + keyAlgo);
+        throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
+    }
     protected String getContentEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
         return AlgorithmUtils.toJavaName(jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm());
     }


Mime
View raw message