From serg...@apache.org
Subject cxf git commit: [CXF-6993] Moving the cek auto-generation into where it should be in ContentEncryptionProvider, and optionally controlling if a cek should be generated once
Date Wed, 22 Mar 2017 22:54:34 GMT
Repository: cxf
Updated Branches:
  refs/heads/3.1.x-fixes 4fbb05ce3 -> 6b7631060


[CXF-6993] Moving the cek auto-generation to where it belongs, in ContentEncryptionProvider,
and optionally controlling whether a cek should be generated only once


Project: http://git-wip-us.apache.org/repos/asf/cxf/repo
Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/6b763106
Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/6b763106
Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/6b763106

Branch: refs/heads/3.1.x-fixes
Commit: 6b7631060e263852af694c3bb307db19a3d68c19
Parents: 4fbb05c
Author: Sergey Beryozkin <sberyozkin@gmail.com>
Authored: Wed Mar 22 22:41:32 2017 +0000
Committer: Sergey Beryozkin <sberyozkin@gmail.com>
Committed: Wed Mar 22 22:54:01 2017 +0000

----------------------------------------------------------------------
 .../jwe/AbstractContentEncryptionAlgorithm.java | 27 ++++++++++++++++---
 .../jose/jwe/AbstractJweEncryption.java         | 16 -----------
 .../jose/jwe/AesCbcHmacJweEncryption.java       | 28 ++++++++++++--------
 .../jwe/AesGcmContentEncryptionAlgorithm.java   |  6 ++++-
 .../security/jose/jwe/JweJsonConsumerTest.java  |  8 +++---
 .../jaxrs/security/jose/jwejws/server.xml       |  2 +-
 6 files changed, 49 insertions(+), 38 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/cxf/blob/6b763106/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
index 3e08de2..af25eac 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java
@@ -20,6 +20,7 @@ package org.apache.cxf.rs.security.jose.jwe;
 
 import java.util.concurrent.atomic.AtomicInteger;
 
+import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
 
@@ -30,9 +31,13 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
     private byte[] cek;
     private byte[] iv;
     private AtomicInteger providedIvUsageCount;
+    private boolean generateCekOnce;
     
-    
-    protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv, ContentAlgorithm
algo) { 
+    protected AbstractContentEncryptionAlgorithm(ContentAlgorithm algo, boolean generateCekOnce)
{
+        super(algo);
+        this.generateCekOnce = generateCekOnce;
+    }
+    protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv, ContentAlgorithm
algo) {
         super(algo);
         this.cek = cek;
         this.iv = iv;
@@ -42,7 +47,18 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
     }
     
     public byte[] getContentEncryptionKey(JweHeaders headers) {
-        return cek;
+        byte[] theCek = null;
+        if (cek == null) {
+            String algoJava = getAlgorithm().getJavaName();
+            theCek = CryptoUtils.getSecretKey(AlgorithmUtils.stripAlgoProperties(algoJava),
+                          getContentEncryptionKeySize(headers)).getEncoded();
+            if (generateCekOnce) {
+                cek = theCek;
+            }
+        } else {
+            theCek = cek;
+        }
+        return theCek;
     }
     public byte[] getInitVector() {
         if (iv == null) {
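Review bot: When `generateCekOnce` is true, the key generated on the first call is stored in `cek` and handed out on every later call to this instance, so "once" is bound to the provider object's lifetime rather than to a single JWE message; a provider constructed with `true` that is reused across messages (for example as a long-lived configured bean) would encrypt every message under the same content key, and for AES-GCM that leaves the IV from `getInitVector` as the only per-message separation. The check-then-act on `cek` is also unsynchronized, so two concurrent first callers can each generate a key and the second write silently replaces the first. Suggest stating the intended scope on the method, e.g. `// generateCekOnce: retain the first auto-generated key for this instance (one multi-recipient message); use a new provider per message`, and, if a single instance can be used concurrently, declaring it `public synchronized byte[] getContentEncryptionKey(JweHeaders headers) {`. `getInitVector` and the `iv` handling are only partly inside this hunk.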
@@ -54,7 +70,10 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent
             return iv;
         }
     }
-    protected int getIvSize() { 
+    protected int getContentEncryptionKeySize(JweHeaders headers) {
+        return getAlgorithm().getKeySizeBits();
+    }
+    protected int getIvSize() {
         return DEFAULT_IV_SIZE;
     }
 }
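Review bot: The new `getContentEncryptionKeySize(JweHeaders headers)` does not use `headers`, and its unit is only implied by the call to `getKeySizeBits()`, so the override contract should be spelled out, e.g. `/** Size in bits of the content encryption key to auto-generate; headers are unused here and are passed for subclasses that derive the size from the message. */`. Because the value goes straight into `CryptoUtils.getSecretKey` in `getContentEncryptionKey`, and the AES-CBC-HMAC override in this commit returns the full (MAC + encryption) key size rather than the cipher key size, the Javadoc should say that the full key length is expected, so a new subclass does not return a too-short key.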

http://git-wip-us.apache.org/repos/asf/cxf/blob/6b763106/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index a72b24a..1660671 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -29,7 +29,6 @@ import javax.crypto.SecretKey;
 import org.apache.cxf.common.logging.LogUtils;
 import org.apache.cxf.jaxrs.json.basic.JsonMapObjectReaderWriter;
 import org.apache.cxf.rs.security.jose.common.JoseConstants;
-import org.apache.cxf.rs.security.jose.jwa.AlgorithmUtils;
 import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
 import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
 import org.apache.cxf.rt.security.crypto.CryptoUtils;
@@ -54,21 +53,6 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider
{
     }
     
     protected byte[] getContentEncryptionKey(JweHeaders headers) {
-        byte[] cek = getProvidedContentEncryptionKey(headers);
-        if (cek == null) {
-            String algoJava = getContentEncryptionAlgoJava();
-            String algoJwt = getContentEncryptionAlgoJwt();
-            cek = CryptoUtils.getSecretKey(AlgorithmUtils.stripAlgoProperties(algoJava),

-                                           getCekSize(algoJwt)).getEncoded();
-        }
-        return cek;
-    }
-   
-    protected int getCekSize(String algoJwt) {
-        return ContentAlgorithm.valueOf(algoJwt.replace('-', '_')).getKeySizeBits();
-    }
-    
-    protected byte[] getProvidedContentEncryptionKey(JweHeaders headers) {
         return getContentEncryptionAlgorithm().getContentEncryptionKey(headers);
     }
     
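Review bot: Removing the protected `getCekSize` and `getProvidedContentEncryptionKey` methods from AbstractJweEncryption is a source- and binary-incompatible change for subclasses on a fixes branch (refs/heads/3.1.x-fixes); a subclass that overrode `getProvidedContentEncryptionKey` without `@Override` to supply its own key would still compile, but its method would no longer be called and the key it meant to provide would be replaced by an auto-generated one. If the removal is intended, consider keeping both as deprecated forwarders on the 3.1.x line, e.g. `@Deprecated protected byte[] getProvidedContentEncryptionKey(JweHeaders headers) { return getContentEncryptionAlgorithm().getContentEncryptionKey(headers); }`, or call the break out in the commit message. The remaining `getContentEncryptionKey` body is now a one-line delegation; a one-line Javadoc saying that key generation is delegated to the content encryption algorithm would help readers coming from the old code.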

http://git-wip-us.apache.org/repos/asf/cxf/blob/6b763106/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
index 8f1e4bc..87a796f 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweEncryption.java
@@ -44,13 +44,16 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
         AES_CEK_SIZE_MAP.put(ContentAlgorithm.A192CBC_HS384.getJwaName(), 48);
         AES_CEK_SIZE_MAP.put(ContentAlgorithm.A256CBC_HS512.getJwaName(), 64);
     }
-    public AesCbcHmacJweEncryption(String cekAlgo, 
+    public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt,
                                    KeyEncryptionProvider keyEncryptionAlgorithm) {
-        this(ContentAlgorithm.getAlgorithm(cekAlgo), keyEncryptionAlgorithm);
+        this(cekAlgoJwt, keyEncryptionAlgorithm, false);
     }
-    public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt, 
-                                   KeyEncryptionProvider keyEncryptionAlgorithm) {
-        this(cekAlgoJwt, null, null, keyEncryptionAlgorithm);
+    public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt,
+                                   KeyEncryptionProvider keyEncryptionAlgorithm,
+                                   boolean generateCekOnce) {
+        super(keyEncryptionAlgorithm,
+              new AesCbcContentEncryptionAlgorithm(validateCekAlgorithm(cekAlgoJwt),
+                                                   generateCekOnce));
     }
     public AesCbcHmacJweEncryption(ContentAlgorithm cekAlgoJwt, byte[] cek, 
                                    byte[] iv, KeyEncryptionProvider keyEncryptionAlgorithm)
{
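Review bot: The `AesCbcHmacJweEncryption(String cekAlgo, ...)` constructor is removed, so callers and XML configurations that pass the JWA name (`A128CBC-HS256`) no longer resolve; the server.xml hunk in this commit has to switch to the enum constant spelling `A128CBC_HS256`, which suggests other configurations on the 3.1.x-fixes branch would break in the same way. Keeping the String overload as a deprecated constructor delegating to `this(ContentAlgorithm.getAlgorithm(cekAlgo), keyEncryptionAlgorithm)` would preserve both spellings. The same point applies to the server.xml hunk later in this commit. `validateCekAlgorithm` is defined outside this hunk.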
@@ -63,10 +66,6 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
     protected byte[] getActualCek(byte[] theCek, String algoJwt) {
         return doGetActualCek(theCek, algoJwt);
     }
-    @Override
-    protected int getCekSize(String algoJwt) {
-        return getFullCekKeySize(algoJwt) * 8;
-    }
     protected static byte[] doGetActualCek(byte[] theCek, String algoJwt) {
         int size = getFullCekKeySize(algoJwt) / 2;
         byte[] actualCek = new byte[size];
@@ -147,8 +146,11 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
     }
     
     private static class AesCbcContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm
{
-        AesCbcContentEncryptionAlgorithm(byte[] cek, byte[] iv, ContentAlgorithm algo) {

-            super(cek, iv, algo);    
+        AesCbcContentEncryptionAlgorithm(ContentAlgorithm algo, boolean generateCekOnce)
{
+            super(algo, generateCekOnce);
+        }
+        AesCbcContentEncryptionAlgorithm(byte[] cek, byte[] iv, ContentAlgorithm algo) {
+            super(cek, iv, algo);
         }
         @Override
         public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
@@ -158,6 +160,10 @@ public class AesCbcHmacJweEncryption extends JweEncryption {
         public byte[] getAdditionalAuthenticationData(String headersJson, byte[] aad) {
             return null;
         }
+        @Override
+        protected int getContentEncryptionKeySize(JweHeaders headers) {
+            return getFullCekKeySize(getAlgorithm().getJwaName()) * 8;
+        }
     }
     
     protected static class MacState {

http://git-wip-us.apache.org/repos/asf/cxf/blob/6b763106/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
index bba6251..2eaafd9 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentEncryptionAlgorithm.java
@@ -28,7 +28,10 @@ import org.apache.cxf.rt.security.crypto.CryptoUtils;
 public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionAlgorithm
{
     private static final int DEFAULT_IV_SIZE = 96;
     public AesGcmContentEncryptionAlgorithm(ContentAlgorithm algo) {
-        this((byte[])null, null, algo);
+        this(algo, false);
+    }
+    public AesGcmContentEncryptionAlgorithm(ContentAlgorithm algo, boolean generateCekOnce)
{
+        super(checkAlgorithm(algo), generateCekOnce);
     }
     public AesGcmContentEncryptionAlgorithm(String encodedCek, String encodedIv, ContentAlgorithm
algo) {
         this((byte[])CryptoUtils.decodeSequence(encodedCek), CryptoUtils.decodeSequence(encodedIv),
algo);
@@ -58,4 +61,5 @@ public class AesGcmContentEncryptionAlgorithm extends AbstractContentEncryptionA
         LOG.warning("Invalid content encryption algorithm");
         throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
     }
+    
 }
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/cxf/blob/6b763106/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
index 1d073c6..1ebdb9f 100644
--- a/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
+++ b/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java
@@ -37,7 +37,6 @@ import org.bouncycastle.jce.provider.BouncyCastleProvider;
 import org.junit.AfterClass;
 import org.junit.Assert;
 import org.junit.BeforeClass;
-import org.junit.Ignore;
 import org.junit.Test;
 
 public class JweJsonConsumerTest extends Assert {
@@ -138,7 +137,6 @@ public class JweJsonConsumerTest extends Assert {
         doTestMultipleRecipients(JweJsonProducerTest.MULTIPLE_RECIPIENTS_OUTPUT);
     }
     @Test
-    @Ignore
     public void testMultipleRecipientsAutogeneratedCek() {
         final String text = "The true sign of intelligence is not knowledge but imagination.";
         SecretKey wrapperKey1 = CryptoUtils.createSecretKeySpec(JweJsonProducerTest.WRAPPER_BYTES1,
"AES");
@@ -153,9 +151,9 @@ public class JweJsonConsumerTest extends Assert {
         
         KeyEncryptionProvider keyEncryption1 = 
             JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey1, KeyAlgorithm.A128KW);
-        ContentEncryptionProvider contentEncryption = 
-            new AesGcmContentEncryptionAlgorithm(ContentAlgorithm.A128GCM);
-            
+        ContentEncryptionProvider contentEncryption =
+            new AesGcmContentEncryptionAlgorithm(ContentAlgorithm.A128GCM, true);
+
         JweEncryptionProvider jwe1 = new JweEncryption(keyEncryption1, contentEncryption);
         KeyEncryptionProvider keyEncryption2 = 
             JweUtils.getSecretKeyEncryptionAlgorithm(wrapperKey2, KeyAlgorithm.A128KW);

http://git-wip-us.apache.org/repos/asf/cxf/blob/6b763106/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
----------------------------------------------------------------------
diff --git a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
index 747653d..873b11e 100644
--- a/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
+++ b/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jose/jwejws/server.xml
@@ -46,7 +46,7 @@ under the License.
         <constructor-arg value="A128KW"/>
     </bean>
     <bean id="aesCbcHmacEncryption" class="org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption">
-        <constructor-arg value="A128CBC-HS256"/>
+        <constructor-arg value="A128CBC_HS256"/>
         <constructor-arg ref="aesWrapEncryptionAlgo"/>
     </bean>
     

