cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From serg...@apache.org
Subject cxf git commit: Moving the cek auto-generation into where it should be in ContentEncryptionProvider, and optionally controlling if a cek should be generated once
Date Wed, 22 Mar 2017 22:43:48 GMT
Repository: cxf
Updated Branches:
  refs/heads/master 162282359 -> 64070aa91


Moving the cek auto-generation into where it should be in ContentEncryptionProvider, and optionally
controlling if a cek should be generated once


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/64070aa9
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/64070aa9
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/64070aa9

Branch: refs/heads/master
Commit: 64070aa91b4b56155faf7703520a5142fa7a6e36
Parents: 1622823
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Mar 22 22:41:32 2017 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Mar 22 22:41:32 2017 +0000

----------------------------------------------------------------------
 .../jwe/AbstractContentEncryptionAlgorithm.java | 25 +++++++++++++++++---
 .../jose/jwe/AbstractJweEncryption.java         | 16 -------------
 .../jose/jwe/AesCbcHmacJweEncryption.java       | 22 ++++++++++-------
 .../jwe/AesGcmContentEncryptionAlgorithm.java   |  6 ++++-
 .../security/jose/jwe/JweJsonConsumerTest.java  |  4 +---
 .../jaxrs/security/jose/jwejws/server.xml       |  2 +-
 6 files changed, 43 insertions(+), 32 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
index 1ea2e1a..6e27289 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.util.concurrent.atomic.AtomicInteger;
 
+import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
@@ -30,8 +31,12 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
     private byte[] cek;
     private byte[] iv;
     private AtomicInteger providedIvUsageCount;
-
-
+    private boolean generateCekOnce;
+    
+    protected AbstractContentEncryptionAlgorithm(ContentAlgorithm algo, boolean generateCekOnce)
{
+        super(algo);
+        this.generateCekOnce = generateCekOnce;
+    }
     protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv, ContentAlgorithm
algo) {
         super(algo);
         this.cek = cek;
@@ -42,7 +47,18 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
     }
 
     public byte[] getContentEncryptionKey(JweHeaders headers) {
-        return cek;
+        byte[] theCek = null;
+        if (cek == null) {
+            String algoJava = getAlgorithm().getJavaName();
+            theCek = CryptoUtils.getSecretKey(AlgorithmUtils.stripAlgoProperties(algoJava),
+                          getContentEncryptionKeySize(headers)).getEncoded();
+            if (generateCekOnce) {
+                cek = theCek;
+            }
+        } else {
+            theCek = cek;
+        }
+        return theCek;
     }
     public byte[] getInitVector() {
         if (iv == null) {
@@ -54,6 +70,9 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
             return iv;
         }
     }
+    protected int getContentEncryptionKeySize(JweHeaders headers) {
+        return getAlgorithm().getKeySizeBits();
+    }
     protected int getIvSize() {
         return DEFAULT_IV_SIZE;
     }

http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index acdc067..39057ed 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -29,7 +29,6 @@ import javax.crypto.SecretKey;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
 import org.apache.cxf.rs.security.jose.common.JoseConstants;
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
@@ -54,21 +53,6 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider
{
     }
 
     protected byte[] getContentEncryptionKey(JweHeaders headers) {
-        byte[] cek = getProvidedContentEncryptionKey(headers);
-        if (cek == null) {
-            String algoJava = getContentEncryptionAlgoJava();
-            String algoJwt = getContentEncryptionAlgoJwt();
-            cek = CryptoUtils.getSecretKey(AlgorithmUtils.stripAlgoProperties(algoJava),
-                                           getCekSize(algoJwt)).getEncoded();
-        }
-        return cek;
-    }
-
-    protected int getCekSize(String algoJwt) {
-        return ContentAlgorithm.valueOf(algoJwt.replace('-', '_')).getKeySizeBits();
-    }
-
-    protected byte[] getProvidedContentEncryptionKey(JweHeaders headers) {
         return getContentEncryptionAlgorithm().getContentEncryptionKey(headers);
     }
 

http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index 0713100..12170c1 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -44,13 +44,16 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
         AES_CEK_SIZE_MAP.put(ContentAlgorithm.A192CBC_HS384.getJwaName(), 48);
         AES_CEK_SIZE_MAP.put(ContentAlgorithm.A256CBC_HS512.getJwaName(), 64);
     }
-    public AesCbcHmacJweEncryption(String cekAlgo,
+    public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt,
                                    KeyEncryptionProvider keyEncryptionAlgorithm) {
-        this(ContentAlgorithm.getAlgorithm(cekAlgo), keyEncryptionAlgorithm);
+        this(cekAlgoJwt, keyEncryptionAlgorithm, false);
     }
     public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt,
-                                   KeyEncryptionProvider keyEncryptionAlgorithm) {
-        this(cekAlgoJwt, null, null, keyEncryptionAlgorithm);
+                                   KeyEncryptionProvider keyEncryptionAlgorithm,
+                                   boolean generateCekOnce) {
+        super(keyEncryptionAlgorithm,
+              new AesCbcContentEncryptionAlgorithm(validateCekAlgorithm(cekAlgoJwt),
+                                                   generateCekOnce));
     }
     public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt, byte[] cek,
                                    byte[] iv, KeyEncryptionProvider keyEncryptionAlgorithm)
{
@@ -63,10 +66,6 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
     protected byte[] getActualCek(byte[] theCek, String algoJwt) {
         return doGetActualCek(theCek, algoJwt);
     }
-    @Override
-    protected int getCekSize(String algoJwt) {
-        return getFullCekKeySize(algoJwt) * 8;
-    }
     protected static byte[] doGetActualCek(byte[] theCek, String algoJwt) {
         int size = getFullCekKeySize(algoJwt) / 2;
         byte[] actualCek = new byte[size];
@@ -147,6 +146,9 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
     }
 
     private static class AesCbcContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm
{
+        AesCbcContentEncryptionAlgorithm(ContentAlgorithm algo, boolean generateCekOnce)
{
+            super(algo, generateCekOnce);
+        }
         AesCbcContentEncryptionAlgorithm(byte[] cek, byte[] iv, ContentAlgorithm algo) {
             super(cek, iv, algo);
         }
@@ -158,6 +160,10 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
         public byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
             return null;
         }
+        @Override
+        protected int getContentEncryptionKeySize(JweHeaders headers) {
+            return getFullCekKeySize(getAlgorithm().getJwaName()) * 8;
+        }
     }
 
     protected static class MacState {

http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
index 94eddff..20e35c9 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
@@ -28,7 +28,10 @@ import org.apache.cxf.rt.security.crypto.CryptoUtils;
 public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm
{
     private static final int DEFAULT_IV_SIZE = 96;
     public AesGcmContentEncryptionAlgorithm(ContentAlgorithm algo) {
-        this((byte[])null, null, algo);
+        this(algo, false);
+    }
+    public AesGcmContentEncryptionAlgorithm(ContentAlgorithm algo, boolean generateCekOnce)
{
+        super(checkAlgorithm(algo), generateCekOnce);
     }
     public AesGcmContentEncryptionAlgorithm(String encodedCek, String encodedIv, ContentAlgorithm
algo) {
         this((byte[])CryptoUtils.decodeSequence(encodedCek), CryptoUtils.decodeSequence(encodedIv),
algo);
@@ -58,4 +61,5 @@ public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionA
         LOG.warning("Invalid content encryption algorithm");
         throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
     }
+    
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
index 9a3a915..4475375 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
@@ -37,7 +37,6 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
-import org.junit.Ignore;
 import org.junit.Test;
 
 public class JweJsonConsumerTest extends Assert {
@@ -138,7 +137,6 @@ public class JweJsonConsumerTest extends Assert {
         doTestMultipleRecipients(JweJsonProducerTest.MULTIPLE_RECIPIENTS_OUTPUT);
     }
     @Test
-    @Ignore
     public void testMultipleRecipientsAutogeneratedCek() {
         final String text = "The true sign of intelligence is not knowledge but imagination.";
         SecretKey wrapperKey1 = CryptoUtils.createSecretKeySpec(JweJsonProducerTest.WRAPPER_BYTES1,
"AES");
@@ -154,7 +152,7 @@ public class JweJsonConsumerTest extends Assert {
         KeyEncryptionProvider keyEncryption1 =
             JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey1, KeyAlgorithm.A128KW);
         ContentEncryptionProvider contentEncryption =
-            new AesGcmContentEncryptionAlgorithm(ContentAlgorithm.A128GCM);
+            new AesGcmContentEncryptionAlgorithm(ContentAlgorithm.A128GCM, true);
 
         JweEncryptionProvider jwe1 = new JweEncryption(keyEncryption1, contentEncryption);
         KeyEncryptionProvider keyEncryption2 =

http://git-wip-us.apache.org/repos/asf/cxf/blob/64070aa9/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
index 5b4cd22..df959aa 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
@@ -46,7 +46,7 @@ under the License.
         <constructor-arg value="A128KW"/>
     </bean>
     <bean id="aesCbcHmacEncryption" class="org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption">
-        <constructor-arg value="A128CBC-HS256"/>
+        <constructor-arg value="A128CBC_HS256"/>
         <constructor-arg ref="aesWrapEncryptionAlgo"/>
     </bean>
     


Mime
View raw message