cxf-commits mailing list archives

From build...@apache.org
Subject svn commit: r988530 - in /websites/production/cxf/content: cache/docs.pageCache docs/jax-rs-jose.html
Date Wed, 18 May 2016 12:47:42 GMT
Author: buildbot
Date: Wed May 18 12:47:42 2016
New Revision: 988530

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Wed May 18 12:47:42 2016
@@ -119,13 +119,15 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style
type="text/css">/*<![CDATA[*/
-div.rbtoc1463568424611 {padding: 0px;}
-div.rbtoc1463568424611 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1463568424611 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1463575625414 {padding: 0px;}
+div.rbtoc1463575625414 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463575625414 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1463568424611">
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverview">JOSE Overview</a>
-<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK
Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS
Signature</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWEEncryption">JWE
Encryption</a></li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebToken">JSON
Web Token</a></li></ul>
+/*]]>*/</style></p><div class="toc-macro rbtoc1463575625414">
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a
shape="rect" href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and Implementation</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWAAlgorithms">JWA
Algorithms</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWKKeys">JWK
Keys</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSSignature">JWS
Signature</a>
+<ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature
and Verification Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithClearPayload">JWS
with Clear Payload</a></li></ul>
+</li><li><a shape="rect" href="#JAX-RSJOSE-JWEEncryption">JWE Encryption</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JSONWebToken">JSON Web Token</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-JOSEJAX-RSFilters">JOSE JAX-RS
Filters</a>
 <ul class="toc-indentation"><li><a shape="rect" href="#JAX-RSJOSE-JWE">JWE</a></li><li><a
shape="rect" href="#JAX-RSJOSE-JWS">JWS</a></li><li><a shape="rect"
href="#JAX-RSJOSE-LinkingJWTauthenticationstoJWSorJWEcontent">Linking JWT authentications
to JWS or JWE content</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-Configuration">Configuration</a>
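Review bot: apart from the new "JWS JSON" and "JWS with Clear Payload" entries, the only change in this hunk is the rename of the TOC class from rbtoc1463568424611 to rbtoc1463575625414, which is a per-export timestamp; every publish rewrites these six style and div lines even when the TOC is unchanged, so a stable class name in the Confluence export would keep these diffs reviewable.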
@@ -145,7 +147,7 @@ div.rbtoc1463568424611 li {margin-left:
   &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;
 </pre>
-</div></div><pre>&#160;</pre><h1 id="JAX-RSJOSE-JOSEOverview">JOSE
Overview</h1><p>JOSE consists of the following key parts:</p><ul><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JWA</a>
- JSON Web Algorithms where all supported signature and encryption algorithms are listed</li><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7517" rel="nofollow">JWK</a>
- JSON Web Keys - introduces a JSON format for describing the public and private keys used
by JWA algorithms</li><li><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"
rel="nofollow">JWS</a> - JSON Web Signature - describes how the data can be signed
or validated and introduces compact and JSON JWS formats for representing the signed data</li><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a>
- JSON Web Encryption - describes how the data can be encrypted or decryp
 ted and introduces compact and JSON JWE formats for representing the encrypted data&#160;&#160;</li></ul><p>Additionally,
<a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a>
(JSON Web Token), while technically being not part of JOSE, is often used as an input material
to JWS and JWE processors, especially in OAuth2 flows (example: OAuth2 access tokens can be
represented internally as JWT, OpenIdConnect IdToken and UserInfo are effectively JWTs). <a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a>
describes how a set of claims in JSON format can be either JWS-signed and/or JWE-enctypted.&#160;</p><h2
id="JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</h2><p>All JOSE signature and
encryption algorithms are grouped and described in the <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JWA</a> (JSON Web Algorithms)
specification.</p><p>The algor
 ithms are split into 3 categories: signature algorithms (HMAC, RSA, Elliptic Curve), algorithms
for supporting the encryption of content encryption keys (RSA-OAEP, AES Key Wrap, etc), and
algorithms for encrypting the actual content (AES GCM, etc).</p><div>The specification
lists all the algorithms that can be used either for signing or encrypting and also describes
how some of these algorithms work in cases</div><div>where JCA (or BouncyCastle)
does not support them directly, example, AES-CBC-HMAC-SHA2.</div><div>Algorithm
name is a type + hint, example: HS256 (HMAC with SHA-256), RSA-OAEP-256 (RSA OAEP key encryption
with SHA-256), etc.</div><p>All JWS and JWE algorithms process not only the actual
data but also the meta-data (the algorithm properties) thus ensuring the algorithm properties
are integrity-protected, additionally JWE algorithms produce authentication tags which ensure
the already encrypted content won't be manipulated.</p><p>Please refer to <a
shape="rect" class="ex
 ternal-link" href="https://tools.ietf.org/html/rfc7518" rel="nofollow">the specification</a>
to get all the information needed (with the follow up links to the corresponding RFC when
applicable) about a particular signature or encryption algorithm: the properties, recommended
key sizes, other security considerations related to all of or some specific algorithms. CXF
JOSE code already enforces a number of the recommended constraints.</p><p>CXF
offers the utility support for working with JWA algorithms in <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa"
rel="nofollow">this package</a>.</p><p>Typically one would supply an
algorithm property in a type-safe way either to JWS or JWE processor, for example,&#160;
SignatureAlgorithm.HS256 (HMAC signature) for JWS,&#160;KeyAlgorithm.A256KW (key encryption
wrap) plus ContentAlgorithm.A256GCM for JWE. Each enum has methods fo
 r checking a key size, JWA and Java JCA algorithm names.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK
Keys</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7517"
rel="nofollow">JWK</a> (JSON Web Key) is a JSON document describing the cryptographic
key properties. JWKs are very flexible and one can expect JWKs becoming one of the major mechanisms
for representing and storing cryptographic keys. While one does not have to represent the
keys as JWK in order to sign or encrypt the document and rely on Java JCA secret and asymmetric
keys instead, JWK is a preferred representation of signature or encryption keys in JOSE.</p><p>For
example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader
panelHeader pdl" style="border-bottom-width: 1px;"><b>Secret HMAC Key</b></div><div
class="codeContent panelContent pdl">
+</div></div><pre>&#160;</pre><h1 id="JAX-RSJOSE-JOSEOverviewandImplementation">JOSE
Overview and Implementation</h1><p>JOSE consists of the following key parts:</p><ul><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JWA</a>
- JSON Web Algorithms where all supported signature and encryption algorithms are listed</li><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7517" rel="nofollow">JWK</a>
- JSON Web Keys - introduces a JSON format for describing the public and private keys used
by JWA algorithms</li><li><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"
rel="nofollow">JWS</a> - JSON Web Signature - describes how the data can be signed
or validated and introduces compact and JSON JWS formats for representing the signed data</li><li><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a>
- JSON Web Encryption - describes how
  the data can be encrypted or decrypted and introduces compact and JSON JWE formats for representing
the encrypted data&#160;&#160;</li></ul><p>Additionally, <a shape="rect"
class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a>
(JSON Web Token), while technically being not part of JOSE, is often used as an input material
to JWS and JWE processors, especially in OAuth2 flows (example: OAuth2 access tokens can be
represented internally as JWT, OpenIdConnect IdToken and UserInfo are effectively JWTs). <a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7519" rel="nofollow">JWT</a>
describes how a set of claims in JSON format can be either JWS-signed and/or JWE-enctypted.&#160;</p><h2
id="JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</h2><p>All JOSE signature and
encryption algorithms are grouped and described in the <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/rfc7518" rel="nofollow">JWA</a> (JSON Web Algori
 thms) specification.</p><p>The algorithms are split into 3 categories: signature
algorithms (HMAC, RSA, Elliptic Curve), algorithms for supporting the encryption of content
encryption keys (RSA-OAEP, AES Key Wrap, etc), and algorithms for encrypting the actual content
(AES GCM, etc).</p><div>The specification lists all the algorithms that can be
used either for signing or encrypting and also describes how some of these algorithms work
in cases</div><div>where JCA (or BouncyCastle) does not support them directly,
example, AES-CBC-HMAC-SHA2.</div><div>Algorithm name is a type + hint, example:
HS256 (HMAC with SHA-256), RSA-OAEP-256 (RSA OAEP key encryption with SHA-256), etc.</div><p>All
JWS and JWE algorithms process not only the actual data but also the meta-data (the algorithm
properties) thus ensuring the algorithm properties are integrity-protected, additionally JWE
algorithms produce authentication tags which ensure the already encrypted content won't be
manipulated.</p><p>Pleas
 e refer to <a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518"
rel="nofollow">the specification</a> to get all the information needed (with the
follow up links to the corresponding RFC when applicable) about a particular signature or
encryption algorithm: the properties, recommended key sizes, other security considerations
related to all of or some specific algorithms. CXF JOSE code already enforces a number of
the recommended constraints.</p><p>CXF offers the utility support for working
with JWA algorithms in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa"
rel="nofollow">this package</a>.</p><p>Typically one would supply an
algorithm property in a type-safe way either to JWS or JWE processor, for example,&#160;
SignatureAlgorithm.HS256 for JWS,&#160;KeyAlgorithm.A256KW plus ContentAlgorithm.A256GCM
for JWE, etc. Each enum has methods 
 for checking a key size, JWA and Java JCA algorithm names.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK
Keys</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7517"
rel="nofollow">JWK</a> (JSON Web Key) is a JSON document describing the cryptographic
key properties. JWKs are very flexible and one can expect JWKs becoming one of the major mechanisms
for representing and storing cryptographic keys. While one does not have to represent the
keys as JWK in order to sign or encrypt the document and rely on Java JCA secret and asymmetric
keys instead, JWK is a preferred representation of signature or encryption keys in JOSE.</p><p>For
example:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader
panelHeader pdl" style="border-bottom-width: 1px;"><b>Secret HMAC Key</b></div><div
class="codeContent panelContent pdl">
 <pre class="brush: js; gutter: false; theme: Default" style="font-size:12px;">{
    "kty":"oct",
    "k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
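Review bot: the rewritten overview carries over the typo "JWE-enctypted" (should be "JWE-encrypted") in the JWT paragraph, and the sentence "describes how some of these algorithms work in cases" / "where JCA (or BouncyCastle) does not support them directly" is still split across two separate div elements, so it renders with a line break in the middle of the sentence; merging it into one paragraph would fix that. The new heading "JOSE Overview and Implementation" is otherwise a straight copy of the old section, so no content concerns beyond these.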
@@ -163,11 +165,21 @@ div.rbtoc1463568424611 li {margin-left:
   "e":"AQAB",
   "alg":"RS256",
   "kid":"Public RSA Key"}</pre>
-</div></div><p>&#160;</p><p>A collection of JWK keys is
called a JWK Key Set which is represented as JSON array of JWKs.</p><p>CXF offers
a utility support for reading and writing JWK keys and key sets and for working with the encrypted
inlined and standalone JWK stores in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk"
rel="nofollow">this package</a>.</p><p>For example, a key set containing
public JWK keys can be seen <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt"
rel="nofollow">here</a> and referred to from the <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties#L19"
rel="nofollow">configu
 ration properties</a>. The private (test) key set can be represented in a <a shape="rect"
class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt"
rel="nofollow">clear form</a>, though most likely you'd want a private key set <a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt"
rel="nofollow">encrypted</a> and referred to <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties#L19"
rel="nofollow">like this</a>.&#160;</p><p>One can inline the encrypted
key or the key set directly in the configuration properties. For example, here is how an encrypted
<a shape="rect" class="external-link" href="
 https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18"
rel="nofollow">single JWK key is inlined</a>. Similarly, here is how an encrypted
<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18"
rel="nofollow">collection of keys is inlined</a>.</p><p>CXF assumes that
the JWK keys have been encrypted if a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java"
rel="nofollow">password provider</a> is available in scope, it is typically registered
with JAX-RS endpoints. The encryption is done with a password based <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/r
 fc7518#section-4.8" rel="nofollow">PBES2 algorithm</a>.&#160;</p><p>Support
for the pluggable strategies for loading JWKs is on the map.</p><h2 id="JAX-RSJOSE-JWSSignature">JWS
Signature</h2><p><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document content
can be signed. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be signed with a MAC key.</p><p>Here
is one of the ways you can do it in CXF, where a Json Web Token (JWT, see one of the next
sections) is signed by a MAC key:<br clear="none">&#160;</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>CXF JWS HMac</b></div><div class="codeContent panelContent
pdl">
-<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">//
sign
+</div></div><p>&#160;</p><p>A collection of JWK keys is
called a JWK Key Set which is represented as JSON array of JWKs.</p><p>CXF offers
a utility support for reading and writing JWK keys and key sets and for working with the encrypted
inlined and standalone JWK stores in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk"
rel="nofollow">this package</a>.</p><p>For example, a key set containing
public JWK keys can be seen <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt"
rel="nofollow">here</a> and referred to from the <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties#L19"
rel="nofollow">configu
 ration properties</a>. The private (test) key set can be represented in a <a shape="rect"
class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt"
rel="nofollow">clear form</a>, though most likely you'd want a private key set <a
shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt"
rel="nofollow">encrypted</a> and referred to <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties#L19"
rel="nofollow">like this</a>.&#160;</p><p>One can inline the encrypted
key or the key set directly in the configuration properties. For example, here is how an encrypted
<a shape="rect" class="external-link" href="
 https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18"
rel="nofollow">single JWK key is inlined</a>. Similarly, here is how an encrypted
<a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18"
rel="nofollow">collection of keys is inlined</a>.</p><p>CXF assumes that
the JWK keys have been encrypted if a <a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java"
rel="nofollow">password provider</a> is available in scope, it is typically registered
with JAX-RS endpoints. The encryption is done with a password based <a shape="rect" class="external-link"
href="https://tools.ietf.org/html/r
 fc7518#section-4.8" rel="nofollow">PBES2 algorithm</a>.&#160;</p><p>Support
for the pluggable strategies for loading JWKs is on the map.</p><p>Here are some
code examples:</p><div class="code panel pdl" style="border-width: 1px;"><div
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>JWK examples</b></div><div
class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">InputStream
is = JsonWebKeyTest.class.getResourceAsStream(fileName);
+JsonWebKeys keySet = JwkUtils.readJwkSet(is);
+JsonWebKey key = keySet.getKey("Public RSA Key");
+String thumbprint = JwkUtils.getThumbprint(key);
+assertEquals("NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs", thumbprint);
+KeyType keyType = key.getKeyType();
+assertEquals(KeyType.RSA, thumbprint);</pre>
+</div></div><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515" rel="nofollow">JWS</a>
(JSON Web Signature) document describes how a document content can be signed. For example,
<a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be signed with an HMAC key</p><p>CXF
ships JWS related classes in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws"
rel="nofollow">this package</a> and offers a support for all of <a shape="rect"
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3" rel="nofollow">JWA
signature algorithms</a>.</p><h3 id="JAX-RSJOSE-SignatureandVerificationProviders">Signature
and Verification Providers</h3><p><a shape="rect" class="external-link" href="https
 ://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java"
rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a shape="rect"
class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java"
rel="nofollow">JwsSignatureVerifier</a> - validating the signatures. These providers
can be initialized from the keys or certificates loaded from JWK or JCA stores.</p><p>Note
the signature and verification capabilities are represented by 2 different interfaces - it
was done to keep the interfaces minimalistic and have the concerns separated which can be
appreciated most in the cases where the code only signs or only validates.</p><p>The
following table shows the algorithms and the corresponding providers:</p><div class="table-wrap"><table
class="confluenceTable"><tbody><tr><td c
 olspan="1" rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1"
class="confluenceTd">JwsSignatureProvider</td><td colspan="1" rowspan="1" class="confluenceTd">JwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2"
rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" class="confluenceTd"><pre>HmacJwsSignatureProvider</pre></td><td
colspan="1" rowspan="1" class="confluenceTd"><pre>HmacJwsSignatureVerifier</pre></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3"
rel="nofollow">RSASSA-PKCS1</a></td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignarureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="ex
 ternal-link" href="https://tools.ietf.org/html/rfc7518#section-3.4" rel="nofollow">ECDSA</a></td><td
colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignarureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.5"
rel="nofollow">RSASSA-PSS</a></td><td colspan="1" rowspan="1" class="confluenceTd">PrivateKeyJwsSignarureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6"
rel="nofollow">None</a></td><td colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignarureProvider</td><td
colspan="1" rowspan="1" class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
of these providers
  (except for None) can be initialized with the keys loaded from JWK or JCA stores or from
the in-memory representations.</p><h3 id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3"
rel="nofollow">JWS Compact representation</a> is the most often used JOSE sequence.
It is the concatenation of Base64URL-encoded sequence if JWS headers (algorithm and other
properties),&#160; Base64URL-encoded sequence of the actual data being protected and Base64URL-encoded
sequence of the signature algorithm output bytes.</p><p><a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java"
rel="nofollow">JwsCompactProducer</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jos
 e/jws/JwsCompactConsumer.java" rel="nofollow">JwsCompactConsumer</a> offer a support
for producing and consuming compact JWS sequences, protecting the data in JSON or non-JSON
formats.</p><p><a shape="rect" class="external-link" href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java"
rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" class="external-link"
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java"
rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which help with
processing typed JWT Tokens.</p><p>&#160;For example, here is how an <a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515#appendix-A.1"
rel="nofollow">Appendix A1</a> example can be done in CXF:</p><p>&#160;</p><div
class="code panel pdl" style="border-widt
 h: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF
JWS HMac</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">//
Sign
+// Algorithm properties are set in the headers
 JoseHeaders headers = new JoseHeaders();
-headers.setAlgorithm(SignatureAlgorithm.HS256.getJwaName());
+headers.setAlgorithm(SignatureAlgorithm.HS256);
 
+// This is the actual data content, JWT in this case, but can be an arbitrary JSON or non-JSON
data
 JwtClaims claims = new JwtClaims();
 claims.setIssuer("joe");
 claims.setExpiryTime(1300819380L);
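Review bot: the JWK example ends with `assertEquals(KeyType.RSA, thumbprint);`, which compares the KeyType enum against the thumbprint String and can never pass, while the `keyType` variable assigned on the previous line is never used; the intended line is `assertEquals(KeyType.RSA, keyType);`. In the provider table, `PrivateKeyJwsSignarureProvider`, `EcDsaJwsSignarureProvider` and `NoneJwsSignarureProvider` misspell "Signature" (the verifier column spells it correctly), which matters because readers copy these class names. Also "Base64URL-encoded sequence if JWS headers" should read "sequence of JWS headers", and the line `headers.setAlgorithm(SignatureAlgorithm.HS256);` replaces a call that passed `getJwaName()`, so please confirm that `JoseHeaders.setAlgorithm` accepts the enum in 3.1.7 rather than only the JWA name string.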
@@ -185,9 +197,9 @@ assertTrue(jws.verifySignatureWith(new H
                                       SignatureAlgorithm.HS256)));
 JwtToken token = jws.getJwtToken();
 JoseHeaders headers = token.getHeaders();
-assertEquals(SignatureAlgorithm.HS256.getJwaName(), headers.getAlgorithm());
+assertEquals(SignatureAlgorithm.HS256, headers.getAlgorithm());
 validateClaims(token.getClaims());</pre>
-</div></div><p>&#160;</p><p>CXF ships JWS related classes
in <a shape="rect" class="external-link" href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws"
rel="nofollow">this package</a> and offers a support for all of JWA signature algorithms.</p><p><a
shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java;h=9ca48cb2a3b534124f6bdb793a9b0dfa3b6890c5;hb=HEAD">JwsSignatureProvider</a>
supports signing the content, <a shape="rect" class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java;h=26f9597ddb216675cbb7ba24bcb1281c13001041;hb=HEAD">JwsSignatureVerifier</a>
- validating the signatures. Providers and verifiers supporting RSA, HMac and Elliptic Cu
 rve signature algorithms are shipped.</p><p>JwsCompactConsumer and JwsCompactProducer
offer a utility support for creating and validating JWS compact serialization and accept keys
in a variety of formats</p><p>(as JWKs, JCA representations, created out of band
and wrapped in either JwsSignatureProvider or JwsSignatureVerifier).</p><p>JwsJwtCompactConsumer
and JwsJwtCompactProducer are JwsCompactConsumer and JwsCompactProducer specializations that
offer a utility support for signing Json Web Tokens in a compact format.</p><p>JwsJsonConsumer
and JwsJsonProducer support JWS JSON (full) serialization.</p><p>JwsOutputStream
and&#160;JwsJsonOutputStream are specialized output streams that can be used in conjunction
with JWS JAX-RS filters (see one of the next sections)</p><p>to support the best
effort at streaming the content while signing it.&#160; These classes will use <a shape="rect"
class="external-link" href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/
 jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignature.java;h=778b5cb38fd6951bcc06a2a226a057ec3d07d4ef;hb=HEAD">JwsSignature</a>&#160;
optionally returned from JwsSignatureProvider</p><p>instead of working with the
consumer utility classes which deal with the signature process completely in memory.</p><p>&#160;</p><p>Many
more examples will be added here.</p><h2 id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a>
(JSON Web Encryption) document describes how a document content, and, when applicable, a content
encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be encrypted</p><p>with
a secret key using Aes Gcm with the actual content encryption key encrypted/wrapped using
RSA-OAEP.</p><p>Here is
  the example for doing Aes Cbc HMac and Aes Key Wrap in CXF:</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width:
1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent
panelContent pdl">
+</div></div><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><h3 id="JAX-RSJOSE-JWSwithClearPayload">JWS
with Clear Payload</h3><h2 id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516" rel="nofollow">JWE</a>
(JSON Web Encryption) document describes how a document content, and, when applicable, a content
encryption key, can be encrypted. For example, <a shape="rect" class="external-link" href="https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.1"
rel="nofollow">Appendix A1</a> shows how the content can be encrypted</p><p>with
a secret key using Aes Gcm with the actual content encryption key encrypted/wrapped using
RSA-OAEP.</p><p>Here is the example for doing Aes Cbc HMac and Aes Key Wrap in
CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeHeader
panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Jwe AesWrapAesCbcHMac</b></div><div
class="codeContent
  panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">final
String specPlainText = "Live long and prosper.";
         
 byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
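Review bot: this hunk publishes two empty sections, `<h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3>` and `<h3 id="JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</h3>`, which the new TOC links to, while at the same time removing the paragraphs that described JwsJsonConsumer/JwsJsonProducer, JwsOutputStream/JwsJsonOutputStream and the optional JwsSignature returned from JwsSignatureProvider; that streaming guidance now has no home on the page, so either keep those paragraphs under "JWS JSON" or fill the sections before the next production push. Separately, `assertEquals(SignatureAlgorithm.HS256, headers.getAlgorithm());` replaces a comparison against `getJwaName()`; if `getAlgorithm()` still returns the JWA name as a String, this asserts an enum against a String and will always fail.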