From serg...@apache.org
Subject cxf git commit: Making it easier to configure Jwe Content algo when using a client secret
Date Thu, 12 Nov 2015 14:19:22 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes dd598c498 -> 88d513e3a


Making it easier to configure Jwe Content algo when using a client secret


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/88d513e3
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/88d513e3
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/88d513e3

Branch: refs/heads/3.1.x-fixes
Commit: 88d513e3a47cc52335e9419da00319cf147eb66c
Parents: dd598c4
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Thu Nov 12 14:17:36 2015 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Thu Nov 12 14:19:02 2015 +0000

----------------------------------------------------------------------
 .../cxf/rs/security/jose/jwe/JweUtils.java      | 49 +++++++++++++-------
 .../provider/AbstractOAuthJoseJwtConsumer.java  |  4 +-
 .../provider/AbstractOAuthJoseJwtProducer.java  |  6 ++-
 3 files changed, 39 insertions(+), 20 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/88d513e3/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 191a8a7..08e5bf9 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -307,16 +307,18 @@ public final class JweUtils {
         
         KeyEncryptionProvider keyEncryptionProvider = null;
         KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
-        String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
+        ContentAlgorithm contentAlgo = getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
         if (m != null) {
-            m.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, contentEncryptionAlgo);
+            m.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, contentAlgo.getJwaName());
         }
         ContentEncryptionProvider ctEncryptionProvider = null;
         if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE)))
{
             JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.ENCRYPT);
             if ("direct".equals(keyAlgo.getJwaName())) {
-                contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm());
-                ctEncryptionProvider = getContentEncryptionProvider(jwk, contentEncryptionAlgo);
+                contentAlgo = getContentEncryptionAlgorithm(m, props, 
+                                            ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()),

+                                            ContentAlgorithm.A128GCM);
+                ctEncryptionProvider = getContentEncryptionProvider(jwk, contentAlgo.getJwaName());
             } else {
                 keyAlgo = getKeyEncryptionAlgorithm(m, props, 
                                                     KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()),
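Review bot: The fallback `ContentAlgorithm.A128GCM` is written out as a literal at each call site — at the first changed line of this hunk, again in the direct-key branch, and once more in the loadDecryptionProvider hunks and in the two OAuth callers — so the default now lives in five places that must be kept in step. A single `private static final ContentAlgorithm DEFAULT_CONTENT_ALGO = ContentAlgorithm.A128GCM;` on JweUtils, passed wherever the literal appears, keeps the encryption and decryption sides agreeing and documents that the value is a deliberate default rather than a per-call choice. loadEncryptionProvider begins before this hunk and ends in the next one.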

@@ -365,7 +367,7 @@ public final class JweUtils {
         }
         return createJweEncryptionProvider(keyEncryptionProvider, 
                                     ctEncryptionProvider, 
-                                    contentEncryptionAlgo,
+                                    contentAlgo.getJwaName(),
                                     compression);
     }
     public static JweDecryptionProvider loadDecryptionProvider(boolean required) {
@@ -386,7 +388,8 @@ public final class JweUtils {
         
         Message m = PhaseInterceptorChain.getCurrentMessage();
         KeyDecryptionProvider keyDecryptionProvider = null;
-        String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
+        ContentAlgorithm contentAlgo = 
+            getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
         SecretKey ctDecryptionKey = null;
         KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
         if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN)
!= null) {
@@ -396,7 +399,7 @@ public final class JweUtils {
             X509Certificate cert = chain == null ? null : chain.get(0);
             PrivateKey privateKey = 
                 KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
-            contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm().getJwaName();
+            contentAlgo = inHeaders.getContentEncryptionAlgorithm();
             keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, 
                                                                  inHeaders.getKeyEncryptionAlgorithm());
         } else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT)
!= null) {
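Review bot: At the changed line in the X.509-chain branch the content algorithm resolved from configuration at the top of loadDecryptionProvider is overwritten with `inHeaders.getContentEncryptionAlgorithm()`, i.e. the `enc` value the sender placed in the inbound JWE header, and the next hunk does the same in the thumbprint branch. Unless that header value is checked against the configured one further down (`createJweDecryptionProvider` is not visible here), a deployment that sets `RSSEC_ENCRYPTION_CONTENT_ALGORITHM` still ends up decrypting with whatever content algorithm the peer chose, which is the opposite of pinning it. Where the property was set explicitly the assignment should be a comparison, e.g. `if (contentAlgo != inHeaders.getContentEncryptionAlgorithm()) { /* reject via the method's existing failure path */ }`, leaving the header value to win only when no algorithm was configured. loadDecryptionProvider begins before this hunk.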
@@ -407,7 +410,7 @@ public final class JweUtils {
             if (foundCert != null) {
                 PrivateKey privateKey = 
                     KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
-                contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm().getJwaName();
+                contentAlgo = inHeaders.getContentEncryptionAlgorithm();
                 keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, 
                                                                      inHeaders.getKeyEncryptionAlgorithm());
             }
@@ -420,8 +423,10 @@ public final class JweUtils {
                 }
                 
                 if ("direct".equals(keyAlgo.getJwaName())) {
-                    contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm());
-                    ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentEncryptionAlgo);
+                    contentAlgo = getContentEncryptionAlgorithm(m, props, 
+                                                ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()),
+                                                ContentAlgorithm.A128GCM);
+                    ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentAlgo.getJwaName());
                 } else {
                     keyAlgo = getKeyEncryptionAlgorithm(m, props, 
                                                         KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()),
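Review bot: `ContentAlgorithm.getAlgorithm(jwk.getAlgorithm())` at the first changed line converts the JWK's `alg` before any property lookup, whereas the removed line handed the raw string to the old helper; if `getAlgorithm` is enum-based it will presumably throw on an `alg` that is not a content-algorithm name, so a JWK that carries a key-management `alg` in the direct-key case now fails here rather than later at `getContentDecryptionSecretKey`. That is arguably the better failure, but it is a behaviour change worth a one-line comment such as `// in the direct-key case the JWK alg must name a content algorithm; conversion fails fast otherwise`, and it should be confirmed that `getAlgorithm(null)` returns null so a JWK without `alg` still falls through to the properties as before. The same ordering applies to the encryption-side direct branch in the first hunk of this file.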
@@ -435,7 +440,7 @@ public final class JweUtils {
             }
         }
         return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, 
-                                           getContentAlgo(contentEncryptionAlgo));
+                                           contentAlgo);
     }
     public static JweEncryptionProvider createJweEncryptionProvider(PublicKey key,
                                                                     KeyAlgorithm keyAlgo,
@@ -694,7 +699,10 @@ public final class JweUtils {
         }
     }
     @SuppressWarnings("deprecation")
-    private static String getContentEncryptionAlgo(Message m, Properties props, String algo)
{
+    public static ContentAlgorithm getContentEncryptionAlgorithm(Message m, 
+                                                       Properties props, 
+                                                       ContentAlgorithm algo,
+                                                       ContentAlgorithm defaultAlgo) {
         if (algo == null) {
             // Check for deprecated identifier first
             String encAlgo = props.getProperty(JoseConstants.DEPR_RSSEC_ENCRYPTION_CONTENT_ALGORITHM);
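Review bot: `getContentEncryptionAlgorithm(Message, Properties, ContentAlgorithm, ContentAlgorithm)` becomes public here without Javadoc, and its resolution order — explicit `algo` first, then the deprecated identifier from `props` and then from `m`, then the current identifier with `defaultAlgo` as the last resort — is exactly what a caller needs to know. A Javadoc block along the lines of `Resolves the JWE content encryption algorithm: returns {@code algo} when non-null, otherwise consults the deprecated and then the current content-algorithm property, falling back to {@code defaultAlgo}.` with `@param`/`@return` tags would do, and it should state whether `null` can come back when neither a property nor a default is supplied, which depends on how `ContentAlgorithm.getAlgorithm(null)` behaves. The method body continues in the next hunk.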
@@ -702,16 +710,23 @@ public final class JweUtils {
                 encAlgo = (String)m.getContextualProperty(JoseConstants.DEPR_RSSEC_ENCRYPTION_CONTENT_ALGORITHM);
             }
             if (encAlgo != null) {
-                return encAlgo;
+                return ContentAlgorithm.getAlgorithm(encAlgo);
             }
             
-            // Otherwise check newer identifier
-            return KeyManagementUtils.getKeyAlgorithm(m, props, 
-                                                      JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM,

-                                                      AlgorithmUtils.A128GCM_ALGO);
+            return getContentEncryptionAlgorithm(props, defaultAlgo);
         }
         return algo;
     }
+    
+    public static ContentAlgorithm getContentEncryptionAlgorithm(Properties props,
+                                                                 ContentAlgorithm defaultAlgo)
{
+        String algo = KeyManagementUtils.getKeyAlgorithm(PhaseInterceptorChain.getCurrentMessage(),

+                                                  props, 
+                                                  JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM,

+                                                  defaultAlgo == null ? null : defaultAlgo.getJwaName());
+        return ContentAlgorithm.getAlgorithm(algo);
+    }
+    
     private static String encrypt(KeyEncryptionProvider keyEncryptionProvider, 
                                   ContentAlgorithm contentAlgo, byte[] content, String ct)
{
         JweEncryptionProvider jwe = createJweEncryptionProvider(keyEncryptionProvider, contentAlgo,
null);
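Review bot: The 4-arg `getContentEncryptionAlgorithm` takes a `Message m` and uses it for the deprecated identifier, but its fallback at the `return getContentEncryptionAlgorithm(props, defaultAlgo);` line now goes through the 2-arg overload, which ignores `m` and reads `PhaseInterceptorChain.getCurrentMessage()` instead; the removed code passed `m` to `KeyManagementUtils.getKeyAlgorithm`, so a caller supplying a message other than the current one (or deliberately null) gets a different lookup for the newer property than for the deprecated one. The new 2-arg overload also skips the deprecated identifier entirely, so the OAuth client-secret callers in the other two files honour `RSSEC_ENCRYPTION_CONTENT_ALGORITHM` but not `DEPR_RSSEC_ENCRYPTION_CONTENT_ALGORITHM`, unlike every other path through this class. Routing the property lookup through one private helper that takes the message explicitly, with the 2-arg form delegating to the 4-arg one, fixes both; if the deprecated identifier is intentionally unsupported for the new callers, a Javadoc sentence saying so would avoid the surprise.
```java
            // … unchanged: deprecated-identifier lookup via props and then m …
            return resolveConfiguredContentAlgorithm(m, props, defaultAlgo);
        }
        return algo;
    }

    public static ContentAlgorithm getContentEncryptionAlgorithm(Properties props,
                                                                 ContentAlgorithm defaultAlgo) {
        // Same lookup order as the 4-arg form (deprecated identifier included), keyed on the current message.
        return getContentEncryptionAlgorithm(PhaseInterceptorChain.getCurrentMessage(), props, null, defaultAlgo);
    }

    // Reads the current content-algorithm property from props/m, falling back to defaultAlgo.
    private static ContentAlgorithm resolveConfiguredContentAlgorithm(Message m,
                                                                      Properties props,
                                                                      ContentAlgorithm defaultAlgo) {
        String algo = KeyManagementUtils.getKeyAlgorithm(m, props,
                                                         JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM,
                                                         defaultAlgo == null ? null : defaultAlgo.getJwaName());
        return ContentAlgorithm.getAlgorithm(algo);
    }
```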

http://git-wip-us.apache.org/repos/asf/cxf/blob/88d513e3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
index e799e35..5d2fa3b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
@@ -58,7 +58,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum
         JweDecryptionProvider theDecryptionProvider = null;
         if (decryptWithClientSecret) {
             SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
-            theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ContentAlgorithm.A128GCM);
+            Properties props = JweUtils.loadEncryptionInProperties(false);
+            ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM);
+            theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ctAlgo);
         }
         return theDecryptionProvider;
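Review bot: The secret key decoded from `clientSecret` is now paired with a configurable content algorithm, but nothing here checks that the key length matches what the configured algorithm requires (the AES-GCM and AES-CBC-HMAC content algorithms each need a specific key size), so a secret sized for A128GCM combined with a 256-bit algorithm in the properties fails only when a token is decrypted, with an error that does not point at the configuration. Unless `getDirectKeyJweDecryption` validates this, a check before it such as `if (key.getEncoded().length != expectedKeySizeBytes(ctAlgo)) { throw new IllegalStateException("client secret length does not match " + ctAlgo.getJwaName()); }` (the size helper is a constructed name to be written against ContentAlgorithm) would fail fast; the same applies to the encryption side in the second hunk of AbstractOAuthJoseJwtProducer. Note too that `loadEncryptionInProperties(false)` may return null when nothing is configured, since the `false` reads as "not required", so confirm that `getContentEncryptionAlgorithm(Properties, ContentAlgorithm)` and `KeyManagementUtils.getKeyAlgorithm` tolerate a null `props`. The enclosing method begins before this hunk.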
         

http://git-wip-us.apache.org/repos/asf/cxf/blob/88d513e3/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
index 1bd78fe..b0a7414 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
@@ -48,7 +48,7 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc
             Properties props = JwsUtils.loadSignatureOutProperties(false);
             SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256);
             if (AlgorithmUtils.isHmacSign(sigAlgo)) {
-                return JwsUtils.getHmacSignatureProvider(clientSecret, SignatureAlgorithm.HS256);
+                return JwsUtils.getHmacSignatureProvider(clientSecret, sigAlgo);
             }
         }
         return null;
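Review bot: Honouring `sigAlgo` instead of the hard-coded HS256 means the client secret can now back HS384 or HS512, and RFC 7518 requires an HMAC key at least as long as the hash output (48 bytes for HS384, 64 for HS512), so a secret that was sized for HS256 would be accepted as a weaker-than-specified key unless `getHmacSignatureProvider` enforces the minimum. If it does not, a length check on the decoded secret against `sigAlgo` before the call, rejecting short secrets with a clear message, is worth adding here. The enclosing method begins before this hunk.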
@@ -56,7 +56,9 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc
     protected JweEncryptionProvider getInitializedEncryptionProvider(String clientSecret)
{
         if (encryptWithClientSecret) {
             SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
-            return JweUtils.getDirectKeyJweEncryption(key, ContentAlgorithm.A128GCM);
+            Properties props = JweUtils.loadEncryptionOutProperties(false);
+            ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM);
+            return JweUtils.getDirectKeyJweEncryption(key, ctAlgo);
         }
         return null;
     }

