From: sergeyb@apache.org To: commits@cxf.apache.org Message-Id: <39fe5346c7d1434c83a05e9d9dd8f61e@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: cxf git commit: [CXF-6972] Support for per-recipient JWE JSON headers Date: Tue, 19 Jul 2016 11:47:19 +0000 (UTC) archived-at: Tue, 19 Jul 2016 11:47:21 -0000 Repository: cxf Updated Branches: refs/heads/3.1.x-fixes 945daf7e5 -> da47bede9 [CXF-6972] Support for per-recipient JWE JSON headers Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/da47bede Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/da47bede Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/da47bede Branch: refs/heads/3.1.x-fixes Commit: da47bede91c824542bef91ea59e39f77c6e1fb2d Parents: 945daf7 Author: Sergey Beryozkin Authored: Tue Jul 19 14:46:10 2016 +0300 Committer: Sergey Beryozkin Committed: Tue Jul 19 14:47:00 2016 +0300 ---------------------------------------------------------------------- .../cxf/rs/security/jose/jwe/JweHeaders.java | 4 +++ .../rs/security/jose/jwe/JweJsonConsumer.java | 6 +++- .../rs/security/jose/jwe/JweJsonProducer.java | 2 +- .../cxf/rs/security/jose/jws/JwsHeaders.java | 4 +++ .../security/jose/jwe/JweJsonConsumerTest.java | 29 ++++++++++++++++++++ .../security/jose/jwe/JweJsonProducerTest.java | 14 +++++++--- 6 files changed, 53 insertions(+), 6 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/da47bede/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java index d1d8651..34266f6 100644 
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java @@ -19,6 +19,7 @@ package org.apache.cxf.rs.security.jose.jwe; +import java.util.Collections; import java.util.Map; import org.apache.cxf.common.util.Base64UrlUtility; @@ -48,6 +49,9 @@ public class JweHeaders extends JoseHeaders { public JweHeaders(Map values) { super(values); } + public JweHeaders(String kid) { + this(Collections.singletonMap(JoseConstants.HEADER_KEY_ID, kid)); + } public JweHeaders(KeyAlgorithm keyEncAlgo, ContentAlgorithm ctEncAlgo) { this(keyEncAlgo, ctEncAlgo, false); } http://git-wip-us.apache.org/repos/asf/cxf/blob/da47bede/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java index 0c8aecd..6e3954b 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumer.java 
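Review bot: The new `JweHeaders(String kid)` constructor hands a `Collections.singletonMap(...)` to `JweHeaders(Map)`, which forwards it unchanged to `super(values)`; if JoseHeaders keeps that map rather than copying it (the producer hunk's `new LinkedHashMap(unionHeaders.asMap())` copy suggests `asMap()` exposes the backing map), any later `asMap().put` or setter call on such an instance throws `UnsupportedOperationException`. Unless read-only is the intent, build a mutable map instead, `this(new LinkedHashMap<>(Collections.singletonMap(JoseConstants.HEADER_KEY_ID, kid)));` with `java.util.LinkedHashMap` added to the imports, or say in a Javadoc line on the constructor that the resulting headers are read-only. Generic type arguments appear to have been stripped by the mail rendering, so the map type should simply follow the existing `JweHeaders(Map)` signature.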
@@ -52,7 +52,11 @@ public class JweJsonConsumer { } public JweDecryptionOutput decryptWith(JweDecryptionProvider jwe) { - JweJsonEncryptionEntry entry = getJweDecryptionEntry(jwe); + return decryptWith(jwe, (Map)null); + } + public JweDecryptionOutput decryptWith(JweDecryptionProvider jwe, + Map recipientProps) { + JweJsonEncryptionEntry entry = getJweDecryptionEntry(jwe, recipientProps); return decryptWith(jwe, entry); } public JweDecryptionOutput decryptWith(JweDecryptionProvider jwe, JweJsonEncryptionEntry entry) { http://git-wip-us.apache.org/repos/asf/cxf/blob/da47bede/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java index 3c8385d..3a3d745 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java @@ -113,7 +113,7 @@ public class JweJsonProducer { LOG.warning("union and recipient unprotected headers have duplicate values"); throw new JweException(JweException.Error.INVALID_JSON_JWE); } - jsonHeaders = new JweHeaders(unionHeaders.asMap()); + jsonHeaders = new JweHeaders(new LinkedHashMap(unionHeaders.asMap())); jsonHeaders.asMap().putAll(perRecipientUnprotected.asMap()); } else { jsonHeaders = unionHeaders; http://git-wip-us.apache.org/repos/asf/cxf/blob/da47bede/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsHeaders.java ---------------------------------------------------------------------- 
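Review bot: The new two-argument `decryptWith` selects a recipient entry through `getJweDecryptionEntry(jwe, recipientProps)` by matching values such as `kid` against the per-recipient `header`, which in JWE JSON serialization is an unprotected member (RFC 7516 §7.2.1), so a match is routing only and must never be read as authentication of that entry; the proof that the right key was used is the key unwrap plus the AEAD tag check inside the provider. The same RFC requires the protected, shared-unprotected and per-recipient header names to be disjoint; the producer side enforces that (visible in the JweJsonProducer hunk), but whether the consumer rejects a per-recipient `header` that repeats a protected or shared name, and what happens on zero or several matching entries, lives in `getJweDecryptionEntry`, outside this hunk. A Javadoc line on the new overload would pin the contract: `@param recipientProps header values (e.g. kid) the chosen recipient entry must carry; null keeps the previous selection behaviour`. The `(Map)null` cast reads as a raw type here, but generics look stripped by the mail rendering, so that may be an artifact.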
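Review bot: The `new LinkedHashMap(unionHeaders.asMap())` copy on the changed line deserves a why-comment, because the next line's `putAll` would otherwise write the per-recipient values into `unionHeaders` itself; the `JweHeaders(Map)` constructor shown in the JweHeaders hunk passes its map to `super(values)` with no visible copy, which is presumably what made the copy necessary. Suggested: `// copy first: JweHeaders(Map) keeps the map it is given, and putAll must not mutate unionHeaders shared across recipients`. The enclosing method starts and ends outside the hunk; the duplicate-name check just above is what stops a per-recipient unprotected header from overriding a protected one, so it must stay ahead of the merge if this is ever refactored.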
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsHeaders.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsHeaders.java index e860311..322c95b 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsHeaders.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsHeaders.java @@ -18,6 +18,7 @@ */ package org.apache.cxf.rs.security.jose.jws; +import java.util.Collections; import java.util.LinkedList; import java.util.List; import java.util.Map; @@ -42,6 +43,9 @@ public class JwsHeaders extends JoseHeaders { public JwsHeaders(Map values) { super(values); } + public JwsHeaders(String kid) { + this(Collections.singletonMap(JoseConstants.HEADER_KEY_ID, kid)); + } public JwsHeaders(SignatureAlgorithm sigAlgo) { init(sigAlgo); } http://git-wip-us.apache.org/repos/asf/cxf/blob/da47bede/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java index c5d7d58..38c610d 100644 --- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java +++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java @@ -19,6 +19,7 @@ package org.apache.cxf.rs.security.jose.jwe; import java.security.Security; +import java.util.Collections; import javax.crypto.Cipher; import javax.crypto.SecretKey; 
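Review bot: `JwsHeaders(String kid)` has the same immutability trap as its JWE twin: `Collections.singletonMap` is passed to `JwsHeaders(Map)` and on to `super(values)`, so unless JoseHeaders copies the map, a later `setSignatureAlgorithm` or `asMap().put` on a `new JwsHeaders("kid")` throws `UnsupportedOperationException`. Either copy into a mutable map, `this(new LinkedHashMap<>(Collections.singletonMap(JoseConstants.HEADER_KEY_ID, kid)));` (adding the `java.util.LinkedHashMap` import), or state in Javadoc that such an instance is read-only. Whichever is chosen should match the JweHeaders constructor so the two classes behave alike.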
@@ -127,6 +128,34 @@ public class JweJsonConsumerTest extends Assert { assertEquals(text, out.getContentText()); assertEquals(JweJsonProducerTest.EXTRA_AAD_SOURCE, consumer.getAadText()); } + + @Test + public void testMultipleRecipients() { + final String text = "The true sign of intelligence is not knowledge but imagination."; + + SecretKey wrapperKey1 = CryptoUtils.createSecretKeySpec(JweJsonProducerTest.WRAPPER_BYTES1, + "AES"); + SecretKey wrapperKey2 = CryptoUtils.createSecretKeySpec(JweJsonProducerTest.WRAPPER_BYTES2, + "AES"); + JweJsonConsumer consumer = new JweJsonConsumer(JweJsonProducerTest.MULTIPLE_RECIPIENTS_OUTPUT); + KeyAlgorithm keyAlgo = consumer.getSharedUnprotectedHeader().getKeyEncryptionAlgorithm(); + ContentAlgorithm ctAlgo = consumer.getProtectedHeader().getContentEncryptionAlgorithm(); + // Recipient 1 + JweDecryptionProvider jwe1 = JweUtils.createJweDecryptionProvider(wrapperKey1, keyAlgo, ctAlgo); + JweDecryptionOutput out1 = consumer.decryptWith(jwe1, + Collections.singletonMap("kid", "key1")); + assertEquals(text, out1.getContentText()); + // Recipient 2 + JweDecryptionProvider jwe2 = JweUtils.createJweDecryptionProvider(wrapperKey2, keyAlgo, ctAlgo); + + JweDecryptionOutput out2 = consumer.decryptWith(jwe2, + Collections.singletonMap("kid", "key2")); + assertEquals(text, out2.getContentText()); + + // Extra AAD + assertEquals(JweJsonProducerTest.EXTRA_AAD_SOURCE, consumer.getAadText()); + } + @Test public void testSingleRecipientAllTypeOfHeadersAndAadModified() { SecretKey wrapperKey = CryptoUtils.createSecretKeySpec(JweJsonProducerTest.WRAPPER_BYTES1, http://git-wip-us.apache.org/repos/asf/cxf/blob/da47bede/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java ---------------------------------------------------------------------- 
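Review bot: `testMultipleRecipients` only exercises the happy path; there is no assertion that a mismatched selection is refused, e.g. `jwe1` with `Collections.singletonMap("kid", "key2")` or an unknown `kid`, both of which should fail (presumably with a `JweException`, hedged because `getJweDecryptionEntry` is not in the hunk), and without such a case a regression that ignores `recipientProps` and decrypts with the first entry would still pass. A second caveat for anyone copying this setup: `keyAlgo` is read from `getSharedUnprotectedHeader()`, i.e. from an integrity-unprotected `alg`; that is fine in a fixture with a fixed expected output, but production code should take the key algorithm from its own configuration rather than from an unprotected header to rule out algorithm substitution.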
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java index fb3785d..b6db1c3 100644 --- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java +++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java @@ -102,9 +102,11 @@ public class JweJsonProducerTest extends Assert { + "\"recipients\":" + "[" + "{" + + "\"header\":{\"kid\":\"key1\"}," + "\"encrypted_key\":\"b3-M9_CRgT3wEBhhXlpb-BoY7vtA4W_N\"" + "}," + "{" + + "\"header\":{\"kid\":\"key2\"}," + "\"encrypted_key\":\"6a_nnEYO45qB_Vp6N2QbFQ7Cv1uecbiE\"" + "}" + "]," @@ -277,7 +279,7 @@ public class JweJsonProducerTest extends Assert { sharedUnprotectedHeaders.setJsonWebKeysUrl("https://server.example.com/keys.jwks"); sharedUnprotectedHeaders.setKeyEncryptionAlgorithm(KeyAlgorithm.A128KW); - List jweList = new LinkedList(); + List jweProviders = new LinkedList(); KeyEncryptionProvider keyEncryption1 = JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey1, KeyAlgorithm.A128KW); @@ -287,8 +289,12 @@ public class JweJsonProducerTest extends Assert { KeyEncryptionProvider keyEncryption2 = JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey2, KeyAlgorithm.A128KW); JweEncryptionProvider jwe2 = new JweEncryption(keyEncryption2, contentEncryption); - jweList.add(jwe1); - jweList.add(jwe2); + jweProviders.add(jwe1); + jweProviders.add(jwe2); + + List perRecipientHeades = new LinkedList(); + perRecipientHeades.add(new JweHeaders("key1")); + perRecipientHeades.add(new JweHeaders("key2")); JweJsonProducer p = new JweJsonProducer(protectedHeaders, sharedUnprotectedHeaders, 
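Review bot: `perRecipientHeades` on the new lines is a typo; rename it to `perRecipientHeaders` in the declaration, the two `add` calls and the `encryptWith` call in the following hunk. The enclosing test method starts outside this hunk. The expected-JSON change in the first hunk matches the intent: each recipient entry now carries `"header":{"kid":"keyN"}` ahead of `encrypted_key`, so a consumer selecting by `kid` finds it in the per-recipient unprotected header.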
@@ -303,7 +309,7 @@ public class JweJsonProducerTest extends Assert { } }; - String jweJson = p.encryptWith(jweList); + String jweJson = p.encryptWith(jweProviders, perRecipientHeades); assertEquals(MULTIPLE_RECIPIENTS_OUTPUT, jweJson); } }