cxf-commits mailing list archives

From cohei...@apache.org
Subject [05/20] cxf git commit: Splitting current jose module into jose-core + jose-jaxrs
Date Tue, 13 Oct 2015 10:42:05 GMT
http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
deleted file mode 100644
index 1ee6eea..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,77 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import org.apache.cxf.common.util.Base64UrlUtility;
-import org.apache.cxf.rs.security.jose.JoseException;
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
-import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
-
-public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionProvider {
-    private byte[] password;
-    private KeyAlgorithm algo;
-    public PbesHmacAesWrapKeyDecryptionAlgorithm(String password) {    
-        this(password, KeyAlgorithm.PBES2_HS256_A128KW, false);
-    }
-    public PbesHmacAesWrapKeyDecryptionAlgorithm(String password, KeyAlgorithm algo, boolean hashLargePasswords) {    
-        this(PbesHmacAesWrapKeyEncryptionAlgorithm.stringToBytes(password), algo, hashLargePasswords);
-    }
-    public PbesHmacAesWrapKeyDecryptionAlgorithm(char[] password) {    
-        this(password, KeyAlgorithm.PBES2_HS256_A128KW, false);
-    }
-    public PbesHmacAesWrapKeyDecryptionAlgorithm(char[] password, KeyAlgorithm algo, boolean hashLargePasswords) {    
-        this(PbesHmacAesWrapKeyEncryptionAlgorithm.charsToBytes(password), algo, hashLargePasswords);
-    }
-    public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password) {    
-        this(password, KeyAlgorithm.PBES2_HS256_A128KW, false);
-    }
-    public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password, KeyAlgorithm algo, boolean hashLargePasswords) {    
-        this.password = 
-            PbesHmacAesWrapKeyEncryptionAlgorithm.validatePassword(password, algo.getJwaName(), hashLargePasswords);
-        this.algo = algo;
-    }
-    @Override
-    public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
-        JweHeaders jweHeaders = jweDecryptionInput.getJweHeaders();
-        byte[] saltInput = getDecodedBytes(jweHeaders.getHeader("p2s"));
-        int pbesCount = jweHeaders.getIntegerHeader("p2c");
-        String keyAlgoJwt = jweHeaders.getKeyEncryptionAlgorithm().getJwaName();
-        int keySize = PbesHmacAesWrapKeyEncryptionAlgorithm.getKeySize(keyAlgoJwt);
-        byte[] derivedKey = PbesHmacAesWrapKeyEncryptionAlgorithm
-            .createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
-        KeyDecryptionProvider aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey, algo) {
-            protected boolean isValidAlgorithmFamily(String wrapAlgo) {
-                return AlgorithmUtils.isPbesHsWrap(wrapAlgo);
-            }    
-        };
-        return aesWrap.getDecryptedContentEncryptionKey(jweDecryptionInput);
-    }    
-    private byte[] getDecodedBytes(Object p2sHeader) {
-        try {
-            return Base64UrlUtility.decode(p2sHeader.toString());
-        } catch (Exception ex) {
-            throw new JoseException(ex);
-        }
-    }
-    @Override
-    public KeyAlgorithm getAlgorithm() {
-        return algo;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
deleted file mode 100644
index 0a17be5..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,192 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.nio.ByteBuffer;
-import java.nio.CharBuffer;
-import java.nio.charset.Charset;
-import java.util.HashMap;
-import java.util.Map;
-import java.util.logging.Logger;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.common.util.Base64UrlUtility;
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
-import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
-import org.apache.cxf.rt.security.crypto.CryptoUtils;
-import org.apache.cxf.rt.security.crypto.MessageDigestUtils;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.digests.SHA384Digest;
-import org.bouncycastle.crypto.digests.SHA512Digest;
-import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
-import org.bouncycastle.crypto.params.KeyParameter;
-
-public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvider {
-    protected static final Logger LOG = LogUtils.getL7dLogger(PbesHmacAesWrapKeyEncryptionAlgorithm.class);
-    private static final Map<String, Integer> PBES_HMAC_MAP;
-    private static final Map<String, String> PBES_AES_MAP;
-    private static final Map<String, Integer> DERIVED_KEY_SIZE_MAP;
-    static {
-        PBES_HMAC_MAP = new HashMap<String, Integer>();
-        PBES_HMAC_MAP.put(KeyAlgorithm.PBES2_HS256_A128KW.getJwaName(), 256);
-        PBES_HMAC_MAP.put(KeyAlgorithm.PBES2_HS384_A192KW.getJwaName(), 384);
-        PBES_HMAC_MAP.put(KeyAlgorithm.PBES2_HS512_A256KW.getJwaName(), 512);
-        
-        PBES_AES_MAP = new HashMap<String, String>();
-        PBES_AES_MAP.put(KeyAlgorithm.PBES2_HS256_A128KW.getJwaName(), KeyAlgorithm.A128KW.getJwaName());
-        PBES_AES_MAP.put(KeyAlgorithm.PBES2_HS384_A192KW.getJwaName(), KeyAlgorithm.A192KW.getJwaName());
-        PBES_AES_MAP.put(KeyAlgorithm.PBES2_HS512_A256KW.getJwaName(), KeyAlgorithm.A256KW.getJwaName());
-        
-        DERIVED_KEY_SIZE_MAP = new HashMap<String, Integer>();
-        DERIVED_KEY_SIZE_MAP.put(KeyAlgorithm.PBES2_HS256_A128KW.getJwaName(), 16);
-        DERIVED_KEY_SIZE_MAP.put(KeyAlgorithm.PBES2_HS384_A192KW.getJwaName(), 24);
-        DERIVED_KEY_SIZE_MAP.put(KeyAlgorithm.PBES2_HS512_A256KW.getJwaName(), 32);
-    }
-    
-    
-    private byte[] password;
-    private int pbesCount;
-    private KeyAlgorithm keyAlgoJwt;
-    public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, KeyAlgorithm keyAlgoJwt) {
-        this(stringToBytes(password), keyAlgoJwt);
-    }
-    public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, int pbesCount, 
-                                                 KeyAlgorithm keyAlgoJwt, 
-                                                 boolean hashLargePasswords) {
-        this(stringToBytes(password), pbesCount, keyAlgoJwt, hashLargePasswords);
-    }
-    public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, KeyAlgorithm keyAlgoJwt) {
-        this(password, 4096, keyAlgoJwt, false);
-    }
-    public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, int pbesCount, 
-                                                 KeyAlgorithm keyAlgoJwt, 
-                                                 boolean hashLargePasswords) {
-        this(charsToBytes(password), pbesCount, keyAlgoJwt, hashLargePasswords);
-    }
-    public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, KeyAlgorithm keyAlgoJwt) {
-        this(password, 4096, keyAlgoJwt, false);
-    }
-    public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, int pbesCount, 
-                                                 KeyAlgorithm keyAlgoJwt, 
-                                                 boolean hashLargePasswords) {
-        this.keyAlgoJwt = validateKeyAlgorithm(keyAlgoJwt);
-        this.password = validatePassword(password, keyAlgoJwt.getJwaName(), hashLargePasswords);
-        this.pbesCount = validatePbesCount(pbesCount);
-    }
-    
-    static byte[] validatePassword(byte[] p, String keyAlgoJwt, boolean hashLargePasswords) {
-        int minLen = DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
-        if (p.length < minLen || p.length > 128) {
-            LOG.warning("Invalid password length: " + p.length);
-            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
-        }
-        if (p.length > minLen && hashLargePasswords) {
-            try {
-                return MessageDigestUtils.createDigest(p, MessageDigestUtils.ALGO_SHA_256);
-            } catch (Exception ex) {
-                LOG.warning("Password hash calculation error");
-                throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE, ex);
-            }
-        } else {
-            return p;
-        }
-    }
-    @Override
-    public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
-        int keySize = getKeySize(keyAlgoJwt.getJwaName());
-        byte[] saltInput = CryptoUtils.generateSecureRandomBytes(keySize);
-        byte[] derivedKey = createDerivedKey(keyAlgoJwt.getJwaName(), 
-                                             keySize, password, saltInput, pbesCount);
-        
-        headers.setHeader("p2s", Base64UrlUtility.encode(saltInput));
-        headers.setIntegerHeader("p2c", pbesCount);
-        
-        KeyEncryptionProvider aesWrap = new AesWrapKeyEncryptionAlgorithm(derivedKey, keyAlgoJwt) {
-            protected void checkAlgorithms(JweHeaders headers) {
-                // complete
-            }
-            protected String getKeyEncryptionAlgoJava(JweHeaders headers) {
-                return AlgorithmUtils.AES_WRAP_ALGO_JAVA;
-            }
-        };
-        return aesWrap.getEncryptedContentEncryptionKey(headers, cek);
-        
-        
-    }
-    static int getKeySize(String keyAlgoJwt) {
-        return DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
-    }
-    static byte[] createDerivedKey(String keyAlgoJwt, int keySize,
-                                   byte[] password, byte[] saltInput, int pbesCount) {
-        byte[] saltValue = createSaltValue(keyAlgoJwt, saltInput);
-        Digest digest = null;
-        int macSigSize = PBES_HMAC_MAP.get(keyAlgoJwt);
-        if (macSigSize == 256) { 
-            digest = new SHA256Digest();
-        } else if (macSigSize == 384) {
-            digest = new SHA384Digest();
-        } else {
-            digest = new SHA512Digest();
-        }
-        PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest);
-        gen.init(password, saltValue, pbesCount);
-        return ((KeyParameter) gen.generateDerivedParameters(keySize * 8)).getKey();
-    }
-    
-    
-    private static byte[] createSaltValue(String keyAlgoJwt, byte[] saltInput) {
-        byte[] algoBytes = stringToBytes(keyAlgoJwt);
-        byte[] saltValue = new byte[algoBytes.length + 1 + saltInput.length];
-        System.arraycopy(algoBytes, 0, saltValue, 0, algoBytes.length);
-        saltValue[algoBytes.length] = 0;
-        System.arraycopy(saltInput, 0, saltValue, algoBytes.length + 1, saltInput.length);
-        return saltValue;
-    }
-    static KeyAlgorithm validateKeyAlgorithm(KeyAlgorithm algo) {
-        if (!AlgorithmUtils.isPbesHsWrap(algo.getJwaName())) {
-            LOG.warning("Invalid key encryption algorithm");
-            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
-        }
-        return algo;
-    }
-    static int validatePbesCount(int count) {
-        if (count < 1000) {
-            LOG.warning("Iteration count is too low");
-            throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
-        }
-        return count;
-    }    
-    
-    static byte[] stringToBytes(String str) {
-        return StringUtils.toBytesUTF8(str);
-    }
-    static byte[] charsToBytes(char[] chars) {
-        ByteBuffer bb = Charset.forName("UTF-8").encode(CharBuffer.wrap(chars));
-        byte[] b = new byte[bb.remaining()];
-        bb.get(b);
-        return b;
-    }
-    @Override
-    public KeyAlgorithm getAlgorithm() {
-        return keyAlgoJwt;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
deleted file mode 100644
index d29b442..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.interfaces.RSAPrivateKey;
-
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
-import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
-
-public class RSAKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
-    public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {    
-        this(privateKey, KeyAlgorithm.RSA_OAEP);
-    }
-    public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey, KeyAlgorithm supportedAlgo) {    
-        this(privateKey, supportedAlgo, true);
-    }
-    public RSAKeyDecryptionAlgorithm(RSAPrivateKey privateKey, KeyAlgorithm supportedAlgo, boolean unwrap) {    
-        super(privateKey, supportedAlgo, unwrap);
-    }
-    protected int getKeyCipherBlockSize() {
-        return ((RSAPrivateKey)getCekDecryptionKey()).getModulus().toByteArray().length;
-    }
-    @Override
-    protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
-        super.validateKeyEncryptionAlgorithm(keyAlgo);
-        if (!AlgorithmUtils.isRsaKeyWrap(keyAlgo)) {
-            reportInvalidKeyAlgorithm(keyAlgo);
-        }
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyEncryptionAlgorithm.java
deleted file mode 100644
index b820cdd..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAKeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,34 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.interfaces.RSAPublicKey;
-
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
-import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
-
-public class RSAKeyEncryptionAlgorithm extends AbstractWrapKeyEncryptionAlgorithm {
-    public RSAKeyEncryptionAlgorithm(RSAPublicKey publicKey, KeyAlgorithm jweAlgo) {
-        this(publicKey, jweAlgo, true);
-    }
-    public RSAKeyEncryptionAlgorithm(RSAPublicKey publicKey, KeyAlgorithm jweAlgo, boolean wrap) {
-        super(publicKey, jweAlgo, wrap, AlgorithmUtils.RSA_CEK_SET);
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
deleted file mode 100644
index 0787886..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,97 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.logging.Logger;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
-import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
-import org.apache.cxf.rt.security.crypto.CryptoUtils;
-import org.apache.cxf.rt.security.crypto.KeyProperties;
-
-public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionProvider {
-    protected static final Logger LOG = LogUtils.getL7dLogger(WrappedKeyDecryptionAlgorithm.class);
-    private Key cekDecryptionKey;
-    private boolean unwrap;
-    private KeyAlgorithm supportedAlgo;
-    public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey, KeyAlgorithm supportedAlgo) {    
-        this(cekDecryptionKey, supportedAlgo, true);
-    }
-    public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey, KeyAlgorithm supportedAlgo, boolean unwrap) {    
-        this.cekDecryptionKey = cekDecryptionKey;
-        this.supportedAlgo = supportedAlgo;
-        this.unwrap = unwrap;
-    }
-    public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
-        KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(jweDecryptionInput));
-        AlgorithmParameterSpec spec = getAlgorithmParameterSpec(jweDecryptionInput); 
-        if (spec != null) {
-            keyProps.setAlgoSpec(spec);
-        }
-        if (!unwrap) {
-            keyProps.setBlockSize(getKeyCipherBlockSize());
-            return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(jweDecryptionInput), 
-                                            getCekDecryptionKey(), keyProps);
-        } else {
-            return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(jweDecryptionInput), 
-                                               getContentEncryptionAlgorithm(jweDecryptionInput), 
-                                               getCekDecryptionKey(), 
-                                               keyProps).getEncoded();
-        }
-    }
-    
-    protected Key getCekDecryptionKey() {
-        return cekDecryptionKey;
-    }
-    protected int getKeyCipherBlockSize() {
-        return -1;
-    }
-    protected String getKeyEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
-        String keyAlgo = jweDecryptionInput.getJweHeaders().getKeyEncryptionAlgorithm().getJwaName();
-        validateKeyEncryptionAlgorithm(keyAlgo);
-        return AlgorithmUtils.toJavaName(keyAlgo);
-    }
-    protected void validateKeyEncryptionAlgorithm(String keyAlgo) {
-        if (keyAlgo == null 
-            || !supportedAlgo.getJwaName().equals(keyAlgo)) {
-            reportInvalidKeyAlgorithm(keyAlgo);
-        }
-    }
-    protected void reportInvalidKeyAlgorithm(String keyAlgo) {
-        LOG.warning("Invalid key encryption algorithm: " + keyAlgo);
-        throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
-    }
-    protected String getContentEncryptionAlgorithm(JweDecryptionInput jweDecryptionInput) {
-        return AlgorithmUtils.toJavaName(
-            jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm().getJwaName());
-    }
-    protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweDecryptionInput jweDecryptionInput) {
-        return null;
-    }
-    protected byte[] getEncryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
-        return jweDecryptionInput.getEncryptedCEK();
-    }
-    @Override
-    public KeyAlgorithm getAlgorithm() {
-        return supportedAlgo;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
deleted file mode 100644
index 5593e0b..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/DefaultJwkReaderWriter.java
+++ /dev/null
@@ -1,49 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-import org.apache.cxf.jaxrs.provider.json.JsonMapObjectReaderWriter;
-
-
-
-
-
-public class DefaultJwkReaderWriter extends JsonMapObjectReaderWriter
-    implements JwkReaderWriter {
-    @Override
-    public String jwkSetToJson(JsonWebKeys jwks) {
-        return toJson(jwks);
-    }
-    @Override
-    public JsonWebKeys jsonToJwkSet(String jwksJson) {
-        JsonWebKeys jwks = new JsonWebKeys();
-        fromJson(jwks, jwksJson);
-        return jwks;
-    }
-    @Override
-    public String jwkToJson(JsonWebKey jwk) {
-        return toJson(jwk);
-    }
-    @Override
-    public JsonWebKey jsonToJwk(String jwkJson) {
-        JsonWebKey jwk = new JsonWebKey();
-        fromJson(jwk, jwkJson);
-        return jwk;
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
deleted file mode 100644
index a5479d0..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKey.java
+++ /dev/null
@@ -1,180 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.jaxrs.provider.json.JsonMapObject;
-import org.apache.cxf.rs.security.jose.JoseConstants;
-
-
-public class JsonWebKey extends JsonMapObject {
-    
-    public static final String KEY_TYPE = "kty";
-    public static final String PUBLIC_KEY_USE = "use";
-    public static final String KEY_OPERATIONS = "key_ops";
-    public static final String KEY_ALGO = JoseConstants.HEADER_ALGORITHM;
-    public static final String KEY_ID = JoseConstants.HEADER_KEY_ID;
-    public static final String X509_URL = JoseConstants.HEADER_X509_URL;
-    public static final String X509_CHAIN = JoseConstants.HEADER_X509_CHAIN;
-    public static final String X509_THUMBPRINT = JoseConstants.HEADER_X509_THUMBPRINT;
-    public static final String X509_THUMBPRINT_SHA256 = JoseConstants.HEADER_X509_THUMBPRINT_SHA256;
-    
-    public static final String KEY_TYPE_RSA = "RSA";
-    public static final String RSA_MODULUS = "n";
-    public static final String RSA_PUBLIC_EXP = "e";
-    public static final String RSA_PRIVATE_EXP = "d";
-    public static final String RSA_FIRST_PRIME_FACTOR = "p";
-    public static final String RSA_SECOND_PRIME_FACTOR = "q";
-    public static final String RSA_FIRST_PRIME_CRT = "dp";
-    public static final String RSA_SECOND_PRIME_CRT = "dq";
-    public static final String RSA_FIRST_CRT_COEFFICIENT = "qi";
-        
-    public static final String KEY_TYPE_OCTET = "oct";
-    public static final String OCTET_KEY_VALUE = "k";
-    
-    public static final String KEY_TYPE_ELLIPTIC = "EC";
-    public static final String EC_CURVE = "crv";
-    public static final String EC_CURVE_P256 = "P-256";
-    public static final String EC_CURVE_P384 = "P-384";
-    public static final String EC_CURVE_P521 = "P-521";
-    public static final String EC_X_COORDINATE = "x";
-    public static final String EC_Y_COORDINATE = "y";
-    public static final String EC_PRIVATE_KEY = "d";
-    
-    public static final String PUBLIC_KEY_USE_SIGN = "sig";
-    public static final String PUBLIC_KEY_USE_ENCRYPT = "enc";
-    
-    public static final String KEY_OPER_SIGN = "sign";
-    public static final String KEY_OPER_VERIFY = "verify";
-    public static final String KEY_OPER_ENCRYPT = "encrypt";
-    public static final String KEY_OPER_DECRYPT = "decrypt";
-    public static final String KEY_OPER_WRAP_KEY = "wrapKey";
-    public static final String KEY_OPER_UNWRAP_KEY = "unwrapKey";
-    public static final String KEY_OPER_DERIVE_KEY = "deriveKey";
-    public static final String KEY_OPER_DERIVE_BITS = "deriveBits";
-    
-    public JsonWebKey() {
-        
-    }
-    
-    public JsonWebKey(Map<String, Object> values) {
-        super(values);
-    }
-    
-    public void setKeyType(KeyType keyType) {
-        setProperty(KEY_TYPE, keyType.toString());
-    }
-    
-    public KeyType getKeyType() {
-        Object prop = getProperty(KEY_TYPE);
-        return prop == null ? null : KeyType.getKeyType(prop.toString());
-    }
-
-    public void setPublicKeyUse(PublicKeyUse use) {
-        setProperty(PUBLIC_KEY_USE, use.toString());
-    }
-    
-    public PublicKeyUse getPublicKeyUse() {
-        Object prop = getProperty(PUBLIC_KEY_USE);
-        return prop == null ? null : PublicKeyUse.getPublicKeyUse(prop.toString());
-    }
-
-    public void setKeyOperation(List<KeyOperation> keyOperation) {
-        List<String> ops = new ArrayList<String>(keyOperation.size());
-        for (KeyOperation op : keyOperation) {
-            ops.add(op.toString());
-        }
-        setProperty(KEY_OPERATIONS, ops);
-    }
-
-    public List<KeyOperation> getKeyOperation() {
-        List<Object> ops = CastUtils.cast((List<?>)getProperty(KEY_OPERATIONS));
-        if (ops == null) {
-            return null;
-        }
-        List<KeyOperation> keyOps = new ArrayList<KeyOperation>(ops.size());
-        for (Object op : ops) {
-            keyOps.add(KeyOperation.getKeyOperation(op.toString()));
-        }
-        return keyOps;
-    }
-    
-    public void setAlgorithm(String algorithm) {
-        setProperty(KEY_ALGO, algorithm);
-    }
-
-    public String getAlgorithm() {
-        return (String)getProperty(KEY_ALGO);
-    }
-    
-    public void setKeyId(String kid) {
-        setProperty(KEY_ID, kid);
-    }
-
-    public String getKeyId() {
-        return (String)getProperty(KEY_ID);
-    }
-    
-    public void setX509Url(String x509Url) {
-        setProperty(X509_URL, x509Url);
-    }
-    
-    public String getX509Url() {
-        return (String)getProperty(X509_URL);
-    }
-
-    public void setX509Chain(List<String> x509Chain) {
-        setProperty(X509_CHAIN, x509Chain);
-    }
-
-    public List<String> getX509Chain() {
-        return CastUtils.cast((List<?>)getProperty(X509_CHAIN));
-    }
-    
-    public void setX509Thumbprint(String x509Thumbprint) {
-        setProperty(X509_THUMBPRINT, x509Thumbprint);
-    }
-    
-    public String getX509Thumbprint() {
-        return (String)getProperty(X509_THUMBPRINT);
-    }
-    
-    public void setX509ThumbprintSHA256(String x509Thumbprint) {
-        setProperty(X509_THUMBPRINT_SHA256, x509Thumbprint);
-    }
-    
-    public String getX509ThumbprintSHA256() {
-        return (String)getProperty(X509_THUMBPRINT_SHA256);
-    }
-    
-    public JsonWebKey setKeyProperty(String name, Object value) {
-        setProperty(name, value);
-        return this;
-    }
-    public Object getKeyProperty(String name) {
-        return getProperty(name);
-    }
-    
-    
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
deleted file mode 100644
index 55a19f6..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JsonWebKeys.java
+++ /dev/null
@@ -1,130 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-import java.util.Collections;
-import java.util.LinkedHashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.jaxrs.provider.json.JsonMapObject;
-
-public class JsonWebKeys extends JsonMapObject {
-    public static final String KEYS_PROPERTY = "keys";
-    public List<JsonWebKey> getKeys() {
-        List<?> list = (List<?>)super.getProperty(KEYS_PROPERTY);
-        if (list != null && !list.isEmpty()) {
-            Object first = list.get(0);
-            if (first instanceof JsonWebKey) {
-                return CastUtils.cast(list);
-            } else {
-                List<JsonWebKey> keys = new LinkedList<JsonWebKey>();
-                List<Map<String, Object>> listOfMaps = 
-                    CastUtils.cast((List<?>)super.getProperty(KEYS_PROPERTY));
-                for (Map<String, Object> map : listOfMaps) {
-                    keys.add(new JsonWebKey(map));
-                }
-                return keys;
-            }
-        } else {
-            return null;
-        }
-    }
-
-    public void setKeys(List<JsonWebKey> keys) {
-        super.setProperty(KEYS_PROPERTY, keys);
-    }
-    
-    public Map<String, JsonWebKey> getKeyIdMap() {
-        List<JsonWebKey> keys = getKeys();
-        if (keys == null) {
-            return Collections.emptyMap();
-        }
-        Map<String, JsonWebKey> map = new LinkedHashMap<String, JsonWebKey>();
-        for (JsonWebKey key : keys) {
-            String kid = key.getKeyId();
-            if (kid != null) {
-                map.put(kid, key);
-            }
-        }
-        return map;
-    }
-    public JsonWebKey getKey(String kid) {
-        return getKeyIdMap().get(kid);
-    }
-    public Map<KeyType, List<JsonWebKey>> getKeyTypeMap() {
-        List<JsonWebKey> keys = getKeys();
-        if (keys == null) {
-            return Collections.emptyMap();
-        }
-        Map<KeyType, List<JsonWebKey>> map = new LinkedHashMap<KeyType, List<JsonWebKey>>();
-        for (JsonWebKey key : keys) {
-            KeyType type = key.getKeyType();
-            if (type != null) {
-                List<JsonWebKey> list = map.get(type);
-                if (list == null) {
-                    list = new LinkedList<JsonWebKey>();
-                    map.put(type, list);
-                }
-                list.add(key);
-            }
-        }
-        return map;
-    }
-    
-    public Map<KeyOperation, List<JsonWebKey>> getKeyOperationMap() {
-        List<JsonWebKey> keys = getKeys();
-        if (keys == null) {
-            return Collections.emptyMap();
-        }
-        Map<KeyOperation, List<JsonWebKey>> map = new LinkedHashMap<KeyOperation, List<JsonWebKey>>();
-        for (JsonWebKey key : keys) {
-            List<KeyOperation> ops = key.getKeyOperation();
-            if (ops != null) {
-                for (KeyOperation op : ops) {
-                    List<JsonWebKey> list = map.get(op);
-                    if (list == null) {
-                        list = new LinkedList<JsonWebKey>();
-                        map.put(op, list);
-                    }
-                    list.add(key);
-                }
-            }
-        }
-        return map;
-    }
-    public List<JsonWebKey> getKeys(String keyType) {
-        KeyType kt = KeyType.getKeyType(keyType);
-        if (kt == null) {
-            return null;
-        }
-        return getKeyTypeMap().get(kt);
-    }
-    public List<JsonWebKey> getRsaKeys() {
-        return getKeyTypeMap().get(KeyType.RSA);
-    }
-    public List<JsonWebKey> getEllipticKeys() {
-        return getKeyTypeMap().get(KeyType.EC);
-    }
-    public List<JsonWebKey> getSecretKeys() {
-        return getKeyTypeMap().get(KeyType.OCTET);
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkException.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkException.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkException.java
deleted file mode 100644
index 44e9535..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkException.java
+++ /dev/null
@@ -1,35 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-import org.apache.cxf.rs.security.jose.JoseException;
-
-public class JwkException extends JoseException {
-
-    private static final long serialVersionUID = 4118589816228511524L;
-    public JwkException() {
-
-    }
-    public JwkException(String error) {
-        super(error);
-    }
-    public JwkException(Throwable cause) {
-        super(cause);
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
deleted file mode 100644
index 679b7aa..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkReaderWriter.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-
-public interface JwkReaderWriter {
-    String jwkToJson(JsonWebKey jwk);
-    JsonWebKey jsonToJwk(String jwkJson);
-    String jwkSetToJson(JsonWebKeys jwkSet);
-    JsonWebKeys jsonToJwkSet(String jwkSetJson);
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
deleted file mode 100644
index 9251c54..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/JwkUtils.java
+++ /dev/null
@@ -1,533 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.math.BigInteger;
-import java.net.URI;
-import java.security.cert.X509Certificate;
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.security.interfaces.RSAPrivateCrtKey;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.Collections;
-import java.util.HashMap;
-import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.common.util.Base64UrlUtility;
-import org.apache.cxf.common.util.StringUtils;
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.jaxrs.provider.json.JsonMapObjectReaderWriter;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.jose.JoseConstants;
-import org.apache.cxf.rs.security.jose.JoseHeaders;
-import org.apache.cxf.rs.security.jose.JoseUtils;
-import org.apache.cxf.rs.security.jose.jaxrs.KeyManagementUtils;
-import org.apache.cxf.rs.security.jose.jaxrs.PrivateKeyPasswordProvider;
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
-import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
-import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
-import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
-import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
-import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
-import org.apache.cxf.rs.security.jose.jwe.KeyDecryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.PbesHmacAesWrapKeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-import org.apache.cxf.rt.security.crypto.CryptoUtils;
-import org.apache.cxf.rt.security.crypto.MessageDigestUtils;
-
-public final class JwkUtils {
-    public static final String JWK_KEY_STORE_TYPE = "jwk";
-    public static final String RSSEC_KEY_STORE_JWKSET = "rs.security.keystore.jwkset";
-    public static final String RSSEC_KEY_STORE_JWKKEY = "rs.security.keystore.jwkkey";
-    private static final Map<KeyType, List<String>> JWK_REQUIRED_FIELDS_MAP;
-    static {
-        JWK_REQUIRED_FIELDS_MAP = new HashMap<KeyType, List<String>>();
-        JWK_REQUIRED_FIELDS_MAP.put(KeyType.RSA, Arrays.asList(
-            JsonWebKey.RSA_PUBLIC_EXP, JsonWebKey.KEY_TYPE, JsonWebKey.RSA_MODULUS));
-        JWK_REQUIRED_FIELDS_MAP.put(KeyType.EC, Arrays.asList(
-            JsonWebKey.EC_CURVE, JsonWebKey.KEY_TYPE, JsonWebKey.EC_X_COORDINATE, JsonWebKey.EC_Y_COORDINATE));
-        JWK_REQUIRED_FIELDS_MAP.put(KeyType.OCTET, Arrays.asList(
-            JsonWebKey.OCTET_KEY_VALUE, JsonWebKey.KEY_TYPE));
-    }
-    private JwkUtils() {
-        
-    }
-    public static String getThumbprint(String keySequence) {
-        return getThumbprint(readJwkKey(keySequence));
-    }
-    public static String getThumbprint(JsonWebKey key) {
-        List<String> fields = getRequiredFields(key.getKeyType());
-        JsonWebKey thumbprintKey = new JsonWebKey();
-        for (String f : fields) {
-            thumbprintKey.setProperty(f, key.getProperty(f));
-        }
-        String json = new JsonMapObjectReaderWriter().toJson(thumbprintKey);
-        byte[] digest = MessageDigestUtils.createDigest(json, MessageDigestUtils.ALGO_SHA_256);
-        return Base64UrlUtility.encode(digest);
-    }
-    public static List<String> getRequiredFields(KeyType keyType) {
-        return JWK_REQUIRED_FIELDS_MAP.get(keyType);
-    }
-    public static JsonWebKey readJwkKey(URI uri) throws IOException {
-        return readJwkKey(uri.toURL().openStream());
-    }
-    public static JsonWebKeys readJwkSet(URI uri) throws IOException {
-        return readJwkSet(uri.toURL().openStream());
-    }
-    public static JsonWebKey readJwkKey(InputStream is) throws IOException {
-        return readJwkKey(IOUtils.readStringFromStream(is));
-    }
-    public static JsonWebKeys readJwkSet(InputStream is) throws IOException {
-        return readJwkSet(IOUtils.readStringFromStream(is));
-    }
-    public static JsonWebKey readJwkKey(String jwkJson) {
-        return new DefaultJwkReaderWriter().jsonToJwk(jwkJson);
-    }
-    public static JsonWebKeys readJwkSet(String jwksJson) {
-        return new DefaultJwkReaderWriter().jsonToJwkSet(jwksJson);
-    }
-    public static String jwkKeyToJson(JsonWebKey jwkKey) {
-        return new DefaultJwkReaderWriter().jwkToJson(jwkKey);
-    }
-    public static String jwkSetToJson(JsonWebKeys jwkSet) {
-        return new DefaultJwkReaderWriter().jwkSetToJson(jwkSet);
-    }
-    public static String encodeJwkKey(JsonWebKey jwkKey) {
-        return Base64UrlUtility.encode(jwkKeyToJson(jwkKey));
-    }
-    public static String encodeJwkSet(JsonWebKeys jwkSet) {
-        return Base64UrlUtility.encode(jwkSetToJson(jwkSet));
-    }
-    public static JsonWebKey decodeJwkKey(String jwkJson) {
-        return readJwkKey(JoseUtils.decodeToString(jwkJson));
-    }
-    public static JsonWebKeys decodeJwkSet(String jwksJson) {
-        return readJwkSet(JoseUtils.decodeToString(jwksJson));
-    }
-    public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) {
-        return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter());
-    }
-    public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password, JwkReaderWriter writer) {
-        return encryptJwkSet(jwkSet, createDefaultEncryption(password), writer);
-    }
-    public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter writer) {
-        return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkSetToJson(jwkSet)), 
-                           toJweHeaders("jwk-set+json"));
-    }
-    public static String encryptJwkSet(JsonWebKeys jwkSet, RSAPublicKey key, KeyAlgorithm keyAlgo, 
-                                       ContentAlgorithm contentAlgo) {
-        return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkSetToJson(jwkSet)),
-                                "jwk-set+json");
-    }
-    public static String signJwkSet(JsonWebKeys jwkSet, RSAPrivateKey key, SignatureAlgorithm algo) {
-        return JwsUtils.sign(key, algo, jwkSetToJson(jwkSet), "jwk-set+json");
-    }
-    public static String encryptJwkSet(JsonWebKeys jwkSet, SecretKey key, KeyAlgorithm keyAlgo, 
-                                       ContentAlgorithm contentAlgo) {
-        return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkSetToJson(jwkSet)),
-                                "jwk-set+json");
-    }
-    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) {
-        return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password, JwkReaderWriter reader) {
-        return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password), reader);
-    }
-    public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe, JwkReaderWriter reader) {
-        return reader.jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
-    }
-    public static JsonWebKeys decryptJwkSet(RSAPrivateKey key, KeyAlgorithm keyAlgo, ContentAlgorithm ctAlgo,
-                                            String jsonJwkSet) {
-        return readJwkSet(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwkSet)));
-    }
-    public static JsonWebKeys verifyJwkSet(RSAPublicKey key, SignatureAlgorithm keyAlgo, String jsonJwk) {
-        return readJwkSet(JwsUtils.verify(key, keyAlgo, jsonJwk));
-    }
-    public static JsonWebKeys decryptJwkSet(SecretKey key, KeyAlgorithm keyAlgo, ContentAlgorithm ctAlgo, 
-                                            String jsonJwkSet) {
-        return readJwkSet(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwkSet)));
-    }
-    public static JsonWebKeys decryptJwkSet(InputStream is, char[] password) throws IOException {
-        return decryptJwkSet(is, password, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKeys decryptJwkSet(InputStream is, char[] password, JwkReaderWriter reader) 
-        throws IOException {
-        return decryptJwkSet(is, createDefaultDecryption(password), reader);
-    }
-    public static JsonWebKeys decryptJwkSet(InputStream is, JweDecryptionProvider jwe, JwkReaderWriter reader)
-        throws IOException {
-        return reader.jsonToJwkSet(jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
-    }
-    public static String encryptJwkKey(JsonWebKey jwk, char[] password) {
-        return encryptJwkKey(jwk, password, new DefaultJwkReaderWriter());
-    }
-    public static String encryptJwkKey(JsonWebKey jwkKey, char[] password, JwkReaderWriter writer) {
-        return encryptJwkKey(jwkKey, createDefaultEncryption(password), writer);
-    }
-    public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter writer) {
-        return jwe.encrypt(StringUtils.toBytesUTF8(writer.jwkToJson(jwkKey)), 
-                           toJweHeaders("jwk+json"));
-    }
-    public static String encryptJwkKey(JsonWebKey jwkKey, RSAPublicKey key, KeyAlgorithm keyAlgo, 
-                                       ContentAlgorithm contentAlgo) {
-        return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkKeyToJson(jwkKey)),
-                                "jwk+json");
-    }
-    public static String encryptJwkKey(JsonWebKey jwkKey, SecretKey key, KeyAlgorithm keyAlgo, 
-                                       ContentAlgorithm contentAlgo) {
-        return JweUtils.encrypt(key, keyAlgo, contentAlgo, StringUtils.toBytesUTF8(jwkKeyToJson(jwkKey)),
-                                "jwk+json");
-    }
-    public static String signJwkKey(JsonWebKey jwkKey, RSAPrivateKey key, SignatureAlgorithm algo) {
-        return JwsUtils.sign(key, algo, jwkKeyToJson(jwkKey), "jwk+json");
-    }
-    public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) {
-        return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password, JwkReaderWriter reader) {
-        return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password), reader);
-    }
-    public static JsonWebKey decryptJwkKey(RSAPrivateKey key, KeyAlgorithm keyAlgo, ContentAlgorithm ctAlgo, 
-                                           String jsonJwk) {
-        return readJwkKey(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwk)));
-    }
-    public static JsonWebKey verifyJwkKey(RSAPublicKey key, SignatureAlgorithm keyAlgo, String jsonJwk) {
-        return readJwkKey(JwsUtils.verify(key, keyAlgo, jsonJwk));
-    }
-    public static JsonWebKey decryptJwkKey(SecretKey key, KeyAlgorithm keyAlgo, ContentAlgorithm ctAlgo, 
-                                           String jsonJwk) {
-        return readJwkKey(toString(JweUtils.decrypt(key, keyAlgo, ctAlgo, jsonJwk)));
-    }
-    public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe, JwkReaderWriter reader) {
-        return reader.jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
-    }
-    public static JsonWebKey decryptJwkKey(InputStream is, char[] password) throws IOException {
-        return decryptJwkKey(is, password, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKey decryptJwkKey(InputStream is, char[] password, JwkReaderWriter reader) 
-        throws IOException {
-        return decryptJwkKey(is, createDefaultDecryption(password), reader);
-    }
-    public static JsonWebKey decryptJwkKey(InputStream is, JweDecryptionProvider jwe, JwkReaderWriter reader) 
-        throws IOException {
-        return reader.jsonToJwk(jwe.decrypt(IOUtils.readStringFromStream(is)).getContentText());
-    }
-    public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb) {
-        return loadJwkSet(m, props, cb, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb, 
-                                         JwkReaderWriter reader) {
-        String key = (String)props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE);
-        JsonWebKeys jwkSet = key != null ? (JsonWebKeys)m.getExchange().get(key) : null;
-        if (jwkSet == null) {
-            jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb, reader);
-            if (key != null) {
-                m.getExchange().put(key, jwkSet);
-            }
-        }
-        return jwkSet;
-    }
-    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb) {
-        return loadJwkSet(props, bus, cb, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb, 
-                                         JwkReaderWriter reader) {
-        JweDecryptionProvider decryption = cb != null
-            ? new AesCbcHmacJweDecryption(new PbesHmacAesWrapKeyDecryptionAlgorithm(cb.getPassword(props))) : null;
-        return loadJwkSet(props, bus, decryption, reader);
-    }
-    public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider jwe, JwkReaderWriter reader) {
-        String keyContent = null;
-        String keyStoreLoc = props.getProperty(KeyManagementUtils.RSSEC_KEY_STORE_FILE);
-        if (keyStoreLoc != null) {
-            try {
-                InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
-                if (is == null) {
-                    throw new JwkException("Error in loading keystore location: " + keyStoreLoc);
-                }
-                keyContent = IOUtils.readStringFromStream(is);
-            } catch (Exception ex) {
-                throw new JwkException(ex);
-            }
-        } else {
-            keyContent = props.getProperty(RSSEC_KEY_STORE_JWKSET);
-            if (keyContent == null) {
-                keyContent = props.getProperty(RSSEC_KEY_STORE_JWKKEY);
-            }
-        }
-        if (jwe != null) {
-            keyContent = jwe.decrypt(keyContent).getContentText();
-        }
-        if (props.getProperty(RSSEC_KEY_STORE_JWKKEY) == null) {
-            return reader.jsonToJwkSet(keyContent);
-        } else {
-            JsonWebKey key = reader.jsonToJwk(keyContent);
-            JsonWebKeys keys = new JsonWebKeys();
-            keys.setKeys(Collections.singletonList(key));
-            return keys;
-        }
-    }
-    public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper) {
-        return loadJsonWebKey(m, props, keyOper, null);
-    }
-    public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper, String inHeaderKid) {
-        return loadJsonWebKey(m, props, keyOper, inHeaderKid, new DefaultJwkReaderWriter());
-    }
-    public static JsonWebKey loadJsonWebKey(Message m, Properties props, KeyOperation keyOper, String inHeaderKid, 
-                                            JwkReaderWriter reader) {
-        PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper);
-        JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
-        String kid = null;
-        if (inHeaderKid != null 
-            && MessageUtils.getContextualBoolean(m, KeyManagementUtils.RSSEC_ACCEPT_PUBLIC_KEY_PROP, true)) {
-            kid = inHeaderKid;
-        } else {
-            kid = KeyManagementUtils.getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS, keyOper);
-        }
-        if (kid != null) {
-            return jwkSet.getKey(kid);
-        } else if (keyOper != null) {
-            List<JsonWebKey> keys = jwkSet.getKeyOperationMap().get(keyOper);
-            if (keys != null && keys.size() == 1) {
-                return keys.get(0);
-            }
-        }
-        return null;
-    }
-    public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, KeyOperation keyOper) {
-        return loadJsonWebKeys(m, props, keyOper, new DefaultJwkReaderWriter());
-    }
-
-    public static List<JsonWebKey> loadJsonWebKeys(Message m, Properties props, 
-                                                   KeyOperation keyOper, 
-                                                   JwkReaderWriter reader) {
-        PrivateKeyPasswordProvider cb = KeyManagementUtils.loadPasswordProvider(m, props, keyOper);
-        JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
-        String kid = KeyManagementUtils.getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIAS, keyOper);
-        if (kid != null) {
-            return Collections.singletonList(jwkSet.getKey(kid));
-        }
-        String kids = KeyManagementUtils.getKeyId(m, props, KeyManagementUtils.RSSEC_KEY_STORE_ALIASES, keyOper);
-        if (kids != null) {
-            String[] values = kids.split(",");
-            List<JsonWebKey> keys = new ArrayList<JsonWebKey>(values.length);
-            for (String value : values) {
-                keys.add(jwkSet.getKey(value));
-            }
-            return keys;
-        }
-        if (keyOper != null) {
-            List<JsonWebKey> keys = jwkSet.getKeyOperationMap().get(keyOper);
-            if (keys != null && keys.size() == 1) {
-                return Collections.singletonList(keys.get(0));
-            }
-        }
-        return null;
-    }
-    public static RSAPublicKey toRSAPublicKey(JsonWebKey jwk) {
-        return toRSAPublicKey(jwk, false);
-    }
-    public static RSAPublicKey toRSAPublicKey(JsonWebKey jwk, boolean checkX509) {
-        String encodedModulus = (String)jwk.getProperty(JsonWebKey.RSA_MODULUS);
-        String encodedPublicExponent = (String)jwk.getProperty(JsonWebKey.RSA_PUBLIC_EXP);
-        if (encodedModulus != null) {
-            return CryptoUtils.getRSAPublicKey(encodedModulus, encodedPublicExponent);
-        } else if (checkX509) {
-            List<X509Certificate> chain = toX509CertificateChain(jwk);
-            return (RSAPublicKey)chain.get(0).getPublicKey();
-        }
-        return null;
-    }
-    public static List<X509Certificate> toX509CertificateChain(JsonWebKey jwk) {
-        List<String> base64EncodedChain = jwk.getX509Chain();
-        return KeyManagementUtils.toX509CertificateChain(base64EncodedChain);
-    }
-    public static JsonWebKey fromECPublicKey(ECPublicKey pk, String curve) {
-        JsonWebKey jwk = new JsonWebKey();
-        jwk.setKeyType(KeyType.EC);
-        jwk.setProperty(JsonWebKey.EC_CURVE, curve);
-        jwk.setProperty(JsonWebKey.EC_X_COORDINATE, 
-                        Base64UrlUtility.encode(pk.getW().getAffineX().toByteArray()));
-        jwk.setProperty(JsonWebKey.EC_Y_COORDINATE, 
-                        Base64UrlUtility.encode(pk.getW().getAffineY().toByteArray()));
-        return jwk;
-    }
-    public static JsonWebKey fromECPrivateKey(ECPrivateKey pk, String curve) {
-        JsonWebKey jwk = new JsonWebKey();
-        jwk.setKeyType(KeyType.EC);
-        jwk.setProperty(JsonWebKey.EC_CURVE, curve);
-        jwk.setProperty(JsonWebKey.EC_PRIVATE_KEY, 
-                        Base64UrlUtility.encode(pk.getS().toByteArray()));
-        return jwk;
-    }
-    public static JsonWebKey fromRSAPublicKey(RSAPublicKey pk, String algo) {
-        JsonWebKey jwk = prepareRSAJwk(pk.getModulus(), algo);
-        String encodedPublicExponent = Base64UrlUtility.encode(pk.getPublicExponent().toByteArray());
-        jwk.setProperty(JsonWebKey.RSA_PUBLIC_EXP, encodedPublicExponent);
-        return jwk;
-    }
-    public static JsonWebKey fromX509CertificateChain(List<X509Certificate> chain, String algo) {
-        JsonWebKey jwk = new JsonWebKey();
-        jwk.setAlgorithm(algo);
-        List<String> encodedChain = KeyManagementUtils.encodeX509CertificateChain(chain);
-        jwk.setX509Chain(encodedChain);
-        return jwk;
-    }
-    
-    public static RSAPrivateKey toRSAPrivateKey(JsonWebKey jwk) {
-        String encodedModulus = (String)jwk.getProperty(JsonWebKey.RSA_MODULUS);
-        String encodedPrivateExponent = (String)jwk.getProperty(JsonWebKey.RSA_PRIVATE_EXP);
-        String encodedPrimeP = (String)jwk.getProperty(JsonWebKey.RSA_FIRST_PRIME_FACTOR);
-        if (encodedPrimeP == null) {
-            return CryptoUtils.getRSAPrivateKey(encodedModulus, encodedPrivateExponent);
-        } else {
-            String encodedPublicExponent = (String)jwk.getProperty(JsonWebKey.RSA_PUBLIC_EXP);
-            String encodedPrimeQ = (String)jwk.getProperty(JsonWebKey.RSA_SECOND_PRIME_FACTOR);
-            String encodedPrimeExpP = (String)jwk.getProperty(JsonWebKey.RSA_FIRST_PRIME_CRT);
-            String encodedPrimeExpQ = (String)jwk.getProperty(JsonWebKey.RSA_SECOND_PRIME_CRT);
-            String encodedCrtCoefficient = (String)jwk.getProperty(JsonWebKey.RSA_FIRST_CRT_COEFFICIENT);
-            return CryptoUtils.getRSAPrivateKey(encodedModulus, 
-                                                encodedPublicExponent,
-                                                encodedPrivateExponent,
-                                                encodedPrimeP,
-                                                encodedPrimeQ,
-                                                encodedPrimeExpP,
-                                                encodedPrimeExpQ,
-                                                encodedCrtCoefficient);
-        }
-    }
-    public static JsonWebKey fromRSAPrivateKey(RSAPrivateKey pk, String algo) {
-        JsonWebKey jwk = prepareRSAJwk(pk.getModulus(), algo);
-        String encodedPrivateExponent = Base64UrlUtility.encode(pk.getPrivateExponent().toByteArray());
-        jwk.setProperty(JsonWebKey.RSA_PRIVATE_EXP, encodedPrivateExponent);
-        if (pk instanceof RSAPrivateCrtKey) {
-            RSAPrivateCrtKey pkCrt = (RSAPrivateCrtKey)pk;
-            jwk.setProperty(JsonWebKey.RSA_FIRST_PRIME_FACTOR, 
-                            Base64UrlUtility.encode(pkCrt.getPrimeP().toByteArray()));
-            jwk.setProperty(JsonWebKey.RSA_SECOND_PRIME_FACTOR, 
-                            Base64UrlUtility.encode(pkCrt.getPrimeQ().toByteArray()));
-            jwk.setProperty(JsonWebKey.RSA_FIRST_PRIME_CRT, 
-                            Base64UrlUtility.encode(pkCrt.getPrimeExponentP().toByteArray()));
-            jwk.setProperty(JsonWebKey.RSA_SECOND_PRIME_CRT, 
-                            Base64UrlUtility.encode(pkCrt.getPrimeExponentQ().toByteArray()));
-            jwk.setProperty(JsonWebKey.RSA_FIRST_CRT_COEFFICIENT, 
-                            Base64UrlUtility.encode(pkCrt.getCrtCoefficient().toByteArray()));
-        }
-        // "oth" can be populated too if needed
-        return jwk;
-    }
-    public static ECPublicKey toECPublicKey(JsonWebKey jwk) {
-        String eCurve = (String)jwk.getProperty(JsonWebKey.EC_CURVE);
-        String encodedXCoord = (String)jwk.getProperty(JsonWebKey.EC_X_COORDINATE);
-        String encodedYCoord = (String)jwk.getProperty(JsonWebKey.EC_Y_COORDINATE);
-        return CryptoUtils.getECPublicKey(eCurve, encodedXCoord, encodedYCoord);
-    }
-    public static ECPrivateKey toECPrivateKey(JsonWebKey jwk) {
-        String eCurve = (String)jwk.getProperty(JsonWebKey.EC_CURVE);
-        String encodedPrivateKey = (String)jwk.getProperty(JsonWebKey.EC_PRIVATE_KEY);
-        return CryptoUtils.getECPrivateKey(eCurve, encodedPrivateKey);
-    }
-    
-    public static SecretKey toSecretKey(JsonWebKey jwk) {
-        return CryptoUtils.createSecretKeySpec((String)jwk.getProperty(JsonWebKey.OCTET_KEY_VALUE), 
-                                               AlgorithmUtils.toJavaName(jwk.getAlgorithm()));
-    }
-    public static JsonWebKey fromSecretKey(SecretKey secretKey, String algo) {
-        if (!AlgorithmUtils.isOctet(algo)) {
-            throw new JwkException("Invalid algorithm");
-        }
-        JsonWebKey jwk = new JsonWebKey();
-        jwk.setKeyType(KeyType.OCTET);
-        jwk.setAlgorithm(algo);
-        String encodedSecretKey = Base64UrlUtility.encode(secretKey.getEncoded());
-        jwk.setProperty(JsonWebKey.OCTET_KEY_VALUE, encodedSecretKey);
-        return jwk;
-    }
-    
-    
-    private static JweEncryptionProvider createDefaultEncryption(char[] password) {
-        KeyEncryptionProvider keyEncryption = 
-            new PbesHmacAesWrapKeyEncryptionAlgorithm(password, KeyAlgorithm.PBES2_HS256_A128KW);
-        return new AesCbcHmacJweEncryption(ContentAlgorithm.A128CBC_HS256, keyEncryption);
-    }
-    private static JweDecryptionProvider createDefaultDecryption(char[] password) {
-        KeyDecryptionProvider keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
-        return new AesCbcHmacJweDecryption(keyDecryption);
-    }
-    private static JsonWebKey prepareRSAJwk(BigInteger modulus, String algo) {
-        if (!AlgorithmUtils.isRsa(algo)) {
-            throw new JwkException("Invalid algorithm");
-        }
-        JsonWebKey jwk = new JsonWebKey();
-        jwk.setKeyType(KeyType.RSA);
-        jwk.setAlgorithm(algo);
-        String encodedModulus = Base64UrlUtility.encode(modulus.toByteArray());
-        jwk.setProperty(JsonWebKey.RSA_MODULUS, encodedModulus);
-        return jwk;
-    }
-    private static String toString(byte[] bytes) {
-        try {
-            return new String(bytes, "UTF-8");
-        } catch (Exception ex) {
-            throw new RuntimeException(ex);
-        }
-    }
-    private static JweHeaders toJweHeaders(String ct) {
-        return new JweHeaders(Collections.<String, Object>singletonMap(JoseConstants.HEADER_CONTENT_TYPE, ct));
-    }
-    public static void setPublicKeyInfo(JsonWebKey jwk, JoseHeaders headers, String algo,
-                                        boolean reportPublicKey, boolean reportPublicKeyId) {
-        if (reportPublicKey && KeyType.RSA.equals(jwk.getKeyType())) {
-            List<String> chain = CastUtils.cast((List<?>)jwk.getProperty("x5c"));
-            //TODO: if needed the chain can be reported as part of a 'jwk' property
-            if (chain != null) {
-                headers.setX509Chain(chain);
-            } else {
-                JsonWebKey jwkPublic = JwkUtils.fromRSAPublicKey(JwkUtils.toRSAPublicKey(jwk), algo);
-                if (reportPublicKeyId && jwk.getKeyId() != null) {
-                    jwkPublic.setKeyId(jwk.getKeyId());
-                }
-                headers.setJsonWebKey(jwkPublic);
-            }
-        }
-        if (reportPublicKeyId && jwk.getKeyId() != null) {
-            headers.setKeyId(jwk.getKeyId());
-        }
-        
-    }
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/KeyOperation.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/KeyOperation.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/KeyOperation.java
deleted file mode 100644
index c258543..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/KeyOperation.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-
-public enum KeyOperation {
-    SIGN(JsonWebKey.KEY_OPER_SIGN),
-    VERIFY(JsonWebKey.KEY_OPER_VERIFY),
-    ENCRYPT(JsonWebKey.KEY_OPER_ENCRYPT),
-    DECRYPT(JsonWebKey.KEY_OPER_DECRYPT),
-    WRAPKEY(JsonWebKey.KEY_OPER_WRAP_KEY),
-    UNWRAPKEY(JsonWebKey.KEY_OPER_UNWRAP_KEY),
-    DERIVEKEY(JsonWebKey.KEY_OPER_DERIVE_KEY),
-    DERIVEBITS(JsonWebKey.KEY_OPER_DERIVE_BITS);
-    
-    private final String oper;
-    private KeyOperation(String oper) {
-        this.oper = oper;
-    }
-    public static KeyOperation getKeyOperation(String oper) {
-        if (oper == null) {
-            return null;
-        }
-        return valueOf(oper.toUpperCase());
-    }
-    public String toString() {
-        return oper;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/KeyType.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/KeyType.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/KeyType.java
deleted file mode 100644
index b10afb8..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/KeyType.java
+++ /dev/null
@@ -1,44 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-
-public enum KeyType {
-    RSA(JsonWebKey.KEY_TYPE_RSA),
-    EC(JsonWebKey.KEY_TYPE_ELLIPTIC),
-    OCTET(JsonWebKey.KEY_TYPE_OCTET);
-    
-    private final String type;
-    private KeyType(String type) {
-        this.type = type;
-    }
-    public static KeyType getKeyType(String type) {
-        if (type == null) {
-            return null;
-        } else if (JsonWebKey.KEY_TYPE_OCTET.equals(type)) {
-            return OCTET;    
-        } else {
-            return valueOf(type);
-        }
-    }
-    public String toString() {
-        return type;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/PublicKeyUse.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/PublicKeyUse.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/PublicKeyUse.java
deleted file mode 100644
index 9b46b4f..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk/PublicKeyUse.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwk;
-
-
-public enum PublicKeyUse {
-    SIGN(JsonWebKey.PUBLIC_KEY_USE_SIGN),
-    ENCRYPT(JsonWebKey.PUBLIC_KEY_USE_ENCRYPT);
-    
-    private final String use;
-    private PublicKeyUse(String use) {
-        this.use = use;
-    }
-    public static PublicKeyUse getPublicKeyUse(String use) {
-        if (use == null) {
-            return null;
-        }
-        if (JsonWebKey.PUBLIC_KEY_USE_SIGN.equals(use)) {
-            return SIGN; 
-        } else if (JsonWebKey.PUBLIC_KEY_USE_ENCRYPT.equals(use)) {
-            return ENCRYPT; 
-        } else {
-            return valueOf(use);
-        }
-    }
-    public String toString() {
-        return use;
-    }
-    
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
deleted file mode 100644
index df400fa..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/AbstractJwsSignatureProvider.java
+++ /dev/null
@@ -1,76 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jws;
-
-import java.util.logging.Logger;
-
-import org.apache.cxf.common.logging.LogUtils;
-import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
-
-
-public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvider {
-    protected static final Logger LOG = LogUtils.getL7dLogger(AbstractJwsSignatureProvider.class);
-    private SignatureAlgorithm algorithm;
-    
-    protected AbstractJwsSignatureProvider(SignatureAlgorithm algo) {
-        this.algorithm = algo;
-    }
-    
-    protected JwsHeaders prepareHeaders(JwsHeaders headers) {
-        if (headers == null) {
-            headers = new JwsHeaders();
-        }
-        SignatureAlgorithm sigAlgo = headers.getSignatureAlgorithm();
-        if (sigAlgo != null) {
-            checkAlgorithm(sigAlgo.getJwaName());
-        } else {
-            checkAlgorithm(algorithm.getJwaName());
-            headers.setSignatureAlgorithm(algorithm);
-        }
-        return headers;
-    }
-    @Override
-    public SignatureAlgorithm getAlgorithm() {
-        return algorithm;    
-    }
-    @Override
-    public byte[] sign(JwsHeaders headers, byte[] content) {
-        JwsSignature sig = createJwsSignature(headers);
-        sig.update(content, 0, content.length);
-        return sig.sign();
-    }
-    @Override
-    public JwsSignature createJwsSignature(JwsHeaders headers) {
-        return doCreateJwsSignature(prepareHeaders(headers));
-    }
-    
-    protected abstract JwsSignature doCreateJwsSignature(JwsHeaders headers);
-    
-    protected void checkAlgorithm(String algo) {
-        if (algo == null) {
-            LOG.warning("Signature algorithm is not set");
-            throw new JwsException(JwsException.Error.ALGORITHM_NOT_SET);
-        }
-        if (!isValidAlgorithmFamily(algo)) {
-            LOG.warning("Invalid signature algorithm: " + algo);
-            throw new JwsException(JwsException.Error.INVALID_ALGORITHM);
-        }
-    }
-    protected abstract boolean isValidAlgorithmFamily(String algo);
-}

http://git-wip-us.apache.org/repos/asf/cxf/blob/5e40ea35/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
deleted file mode 100644
index 3bb92b9..0000000
--- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/EcDsaJwsSignatureProvider.java
+++ /dev/null
@@ -1,110 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jws;
-
-import java.security.SecureRandom;
-import java.security.Signature;
-import java.security.interfaces.ECPrivateKey;
-import java.security.spec.AlgorithmParameterSpec;
-
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
-import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
-
-public class EcDsaJwsSignatureProvider extends PrivateKeyJwsSignatureProvider {
-    public EcDsaJwsSignatureProvider(ECPrivateKey key, SignatureAlgorithm algo) {
-        this(key, null, algo);
-    }
-    public EcDsaJwsSignatureProvider(ECPrivateKey key, AlgorithmParameterSpec spec, SignatureAlgorithm algo) {
-        this(key, null, spec, algo);
-    }
-    public EcDsaJwsSignatureProvider(ECPrivateKey key, SecureRandom random, AlgorithmParameterSpec spec, 
-                                     SignatureAlgorithm algo) {
-        super(key, random, spec, algo);
-    }
-    @Override
-    protected boolean isValidAlgorithmFamily(String algo) {
-        return AlgorithmUtils.isEcDsaSign(algo);
-    }
-    @Override
-    protected JwsSignature doCreateJwsSignature(Signature s) {
-        return new EcDsaPrivateKeyJwsSignature(s, 
-            EcDsaJwsSignatureVerifier.SIGNATURE_LENGTH_MAP.get(super.getAlgorithm().getJwaName()));
-    }
-    
-    protected static class EcDsaPrivateKeyJwsSignature extends PrivateKeyJwsSignature {
-        private int outLen;
-        public EcDsaPrivateKeyJwsSignature(Signature s, int outLen) {
-            super(s);
-            this.outLen = outLen;
-        }
-        @Override
-        public byte[] sign() {
-            byte[] jcaDer = super.sign();
-            return jcaOutputToJoseOutput(outLen, jcaDer);
-        }
-    }
-    
-    private static byte[] jcaOutputToJoseOutput(int jwsSignatureLen, byte jcaDer[]) {
-        // DER uses a pattern of type-length-value triplets
-        // http://en.wikipedia.org/wiki/Abstract_Syntax_Notation_One#Example_encoded_in_DER
-        
-        // The algorithm implementation guarantees the correct DER format so no extra validation
-        
-        // ECDSA signature production: 
-        // 48 (SEQUENCE) + Total Length (1 or 2 bytes, the 1st byte is -127 if 2 bytes) 
-        // + R & S triples, where both triples are represented as 
-        // 2(INTEGER TYPE) + length + the actual sequence of a given length;
-        // The sequence might have the extra leading zeroes which need to be skipped
-        int requiredPartLen = jwsSignatureLen / 2;
-        
-        int rsDataBlockStart = jcaDer[1] == -127 ? 4 : 3;
-        int rPartLen = jcaDer[rsDataBlockStart];
-        int rDataBlockStart = rsDataBlockStart + 1;
-        int rPartLenDiff = rPartLen - requiredPartLen; 
-        int rValueStart = rDataBlockStart + getDataBlockOffset(jcaDer, rDataBlockStart, rPartLenDiff);
-        
-        int sPartStart = rDataBlockStart + rPartLen;
-        int sPartLen = jcaDer[sPartStart + 1];
-        int sPartLenDiff = sPartLen - requiredPartLen; 
-        int sDataBlockStart = sPartStart + 2;
-        int sValueStart = sDataBlockStart + getDataBlockOffset(jcaDer, sDataBlockStart, sPartLenDiff);
-                
-        byte[] result = new byte[jwsSignatureLen]; 
-        System.arraycopy(jcaDer, rValueStart, result, 
-            rPartLenDiff < 0 ? rPartLenDiff * -1 : 0, 
-            rPartLenDiff < 0 ? requiredPartLen + rPartLenDiff : requiredPartLen);
-        System.arraycopy(jcaDer, sValueStart, result, 
-            sPartLenDiff < 0 ? requiredPartLen + sPartLenDiff * -1 : requiredPartLen, 
-            sPartLenDiff < 0 ? requiredPartLen + sPartLenDiff : requiredPartLen);
-        return result;
-    }
-    private static int getDataBlockOffset(byte[] jcaDer, int blockStart, int partLenDiff) {
-        // ECDSA productions have 64, 96 or 132 output lengths. The R and S parts would be 32, 48 or 66 bytes each.
-        // If it is 32 or 48 bytes then we may have occasional extra zeroes in the JCA DER output
-        int i = 0;
-        if (partLenDiff > 0) {
-            while (i < partLenDiff && jcaDer[blockStart + i] == 0) {
-                i++;
-            }
-        }
-        return i;
-    }
-    
-    
-}

