Repository: cxf Updated Branches: refs/heads/master 63e9732af -> 567f9862f
[CXF-5311] Adding a test where CEK is not included in the JWE sequence Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/567f9862 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/567f9862 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/567f9862 Branch: refs/heads/master Commit: 567f9862fa817ed6446cac1ec93fea3ad8c73ac5 Parents: 63e9732 Author: Sergey Beryozkin <[email protected]> Authored: Thu Jun 5 17:03:31 2014 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Thu Jun 5 17:03:31 2014 +0100 ---------------------------------------------------------------------- .../rs/security/oauth2/jwe/JweDecryptor.java | 28 +++++++++++++------- .../rs/security/oauth2/jwe/JweEncryptor.java | 23 ++++++++++------ .../rs/security/oauth2/jwe/RSAJweDecryptor.java | 2 +- .../oauth2/jwe/JweCompactReaderWriterTest.java | 20 +++++++++++++- 4 files changed, 53 insertions(+), 20 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/567f9862/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java index 625f424..31c432c 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweDecryptor.java 
@@ -27,29 +27,37 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties; public class JweDecryptor { private JweCompactConsumer jweConsumer; - private Key decryptionKey; + private Key cekDecryptionKey; + private byte[] contentDecryptionKey; private boolean unwrap; private CeProvider ceProvider = new CeProvider(); - public JweDecryptor(String jweContent, Key decryptionKey, boolean unwrap) { + public JweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) { this.jweConsumer = new JweCompactConsumer(jweContent); - this.decryptionKey = decryptionKey; + this.cekDecryptionKey = cekDecryptionKey; this.unwrap = unwrap; } - - protected Key getDecryptionKey() { - return decryptionKey; + public JweDecryptor(String jweContent, Key contentDecryptionKey) { + this(jweContent, null, false); + this.contentDecryptionKey = contentDecryptionKey.getEncoded(); + } + protected Key getCekDecryptionKey() { + return cekDecryptionKey; } - protected byte[] getDecryptedContentEncryptionKey() { + protected byte[] getContentEncryptionKey() { // This can be overridden if needed + if (contentDecryptionKey != null) { + return contentDecryptionKey; + } + KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm()); if (!unwrap) { keyProps.setBlockSize(getKeyCipherBlockSize()); - return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), decryptionKey, keyProps); + return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(), keyProps); } else { return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(), getContentEncryptionAlgorithm(), - decryptionKey, + getCekDecryptionKey(), keyProps).getEncoded(); } } 
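Review bot: The direct-key branch added at the top of getContentEncryptionKey() returns the locally configured key without checking that the JWE actually claims direct encryption, so a token whose header names a key-wrapping algorithm and carries an encrypted-key segment is still decrypted under the local CEK — the header `alg` and the encrypted key become inputs the decryptor silently ignores. Before the early return, reject a non-empty encrypted key (assuming getEncryptedContentEncryptionKey() returns byte[], as its use in decryptBytes suggests), `if (getEncryptedContentEncryptionKey().length != 0) { throw new SecurityException("Encrypted key present in direct-key mode"); }`, and require the header key-management algorithm (presumably what getKeyEncryptionAlgorithm() reads; JweHeaders is not visible here) to be `dir`. The anonymous CeProvider changed in the second hunk of this file receives the `encryptedKey` bytes as a parameter and is the natural place for the same check. Separately, the new two-argument constructor stores `contentDecryptionKey.getEncoded()`, which is null for keys whose encoding is not extractable; that silently falls through to the unwrap path with a null cekDecryptionKey, so `Objects.requireNonNull(contentDecryptionKey.getEncoded(), "content decryption key has no encoding")` would fail early with a clear message.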
@@ -105,7 +113,7 @@ public class JweDecryptor { @Override public byte[] getContentEncryptionKey(JweHeaders headers, byte[] encryptedKey) { - return getDecryptedContentEncryptionKey(); + return JweDecryptor.this.getContentEncryptionKey(); } @Override http://git-wip-us.apache.org/repos/asf/cxf/blob/567f9862/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java index b1b617f..600eed3 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptor.java @@ -22,6 +22,8 @@ import java.io.UnsupportedEncodingException; import java.security.Key; import java.security.spec.AlgorithmParameterSpec; +import javax.crypto.SecretKey; + import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter; import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter; 
@@ -39,28 +41,33 @@ public class JweEncryptor { private int authTagLen = DEFAULT_AUTH_TAG_LENGTH; private boolean wrap; - public JweEncryptor(String contentEncryptionAlgo, byte[] cek) { - this(new JweHeaders(contentEncryptionAlgo), cek); + public JweEncryptor(SecretKey cek, byte[] iv) { + this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv); } - public JweEncryptor(JweHeaders headers, byte[] cek) { + public JweEncryptor(JweHeaders headers, byte[] cek, byte[] iv) { this.headers = headers; this.cek = cek; + this.iv = iv; } public JweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) { - this(headers, cek); - this.iv = iv; + this(headers, cek, iv); this.authTagLen = authTagLen; } public JweEncryptor(JweHeaders headers, Key cekEncryptionKey) { this.headers = headers; this.cekEncryptionKey = cekEncryptionKey; } + public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) { + this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH); + this.cekEncryptionKey = cekEncryptionKey; + } public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen, boolean wrap) { this(headers, cek, iv, authTagLen); this.cekEncryptionKey = cekEncryptionKey; this.wrap = wrap; } + public JweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen, boolean wrap, JwtHeadersWriter writer) { this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap); 
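Review bot: The new three-argument constructor, and the SecretKey constructor delegating to it, store a caller-supplied `iv` unconditionally, and the direct-mode path never marks the headers as direct encryption. With an AES-GCM content-encryption algorithm (the tests use A256GCM) reusing an IV under the same CEK breaks both confidentiality and forgery resistance, so either generate the IV with SecureRandom when `iv` is null or document the contract on the constructor: `/** @param iv per-encryption nonce; must never be reused with the same CEK (GCM) */`. Unless `JweHeaders(String)` already sets the key-management algorithm to `dir` (not visible here), the SecretKey constructor should set it so consumers can tell a direct token from a key-wrapped one. `cek.getEncoded()` in that constructor can also return null for non-extractable keys, which would surface later as an NPE rather than a clear error.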
@@ -87,9 +94,9 @@ public class JweEncryptor { } protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) { - if (theCek == null) { - return new byte[]{}; - } else { + if (cekEncryptionKey == null) { + return cek; + } else { KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo()); if (!wrap) { return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties); http://git-wip-us.apache.org/repos/asf/cxf/blob/567f9862/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java index a0ddc79..cce3cb5 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java @@ -30,6 +30,6 @@ public class RSAJweDecryptor extends JweDecryptor { this(jweContent, privateKey, true); } protected int getKeyCipherBlockSize() { - return ((RSAPublicKey)getDecryptionKey()).getModulus().toByteArray().length; + return ((RSAPublicKey)getCekDecryptionKey()).getModulus().toByteArray().length; } } http://git-wip-us.apache.org/repos/asf/cxf/blob/567f9862/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java ---------------------------------------------------------------------- 
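Review bot: The new `cekEncryptionKey == null` branch returns the raw `cek` bytes from a method whose contract is to return the encrypted content encryption key, so if getJweContent() (outside this hunk) writes the return value into the JWE's encrypted-key segment, a direct-mode token carries the content key itself, merely base64url-encoded, and the decryptor's direct path would still round-trip it without noticing. For direct encryption that segment must be empty, so keep the previous behaviour here, `return new byte[]{};`, and let the caller keep using `theCek` for the content encryption. The branch also returns the field `cek` rather than the `theCek` parameter, which diverges from the rest of the method. The enclosing method continues past the end of the hunk.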
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java index 8fbedce..9d1b06f 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java @@ -30,6 +30,7 @@ import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants; import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; import org.bouncycastle.jce.provider.BouncyCastleProvider; + import org.junit.AfterClass; import org.junit.Assert; import org.junit.BeforeClass; @@ -81,6 +82,13 @@ public class JweCompactReaderWriterTest extends Assert { decrypt(jweContent, specPlainText); } + @Test + public void testDirectKeyEncryptDecrypt() throws Exception { + final String specPlainText = "The true sign of intelligence is not knowledge but imagination."; + String jweContent = encryptContentDirect(specPlainText); + + decryptDirect(jweContent, specPlainText); + } @Test public void testEncryptDecryptJwsToken() throws Exception { 
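Review bot: testDirectKeyEncryptDecrypt only proves that the encryptor and decryptor agree with each other, not the property the commit title states — that the CEK is absent from the serialized JWE — so a regression that copied the key into the encrypted-key segment would still pass. Assert on the compact serialization as well, `String[] parts = jweContent.split("\\.", -1);` followed by `assertEquals(5, parts.length);` and `assertTrue(parts[1].isEmpty());`, and check that the header key-management algorithm is `dir` if JweHeaders exposes it.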
@@ -94,12 +102,22 @@ public class JweCompactReaderWriterTest extends Assert { RSAJweEncryptor encryptor = new RSAJweEncryptor(publicKey, key, JwtConstants.A256GCM_ALGO, INIT_VECTOR); return encryptor.getJweContent(content); } - + private String encryptContentDirect(String content) throws Exception { + SecretKey key = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY, "AES"); + JweEncryptor encryptor = new JweEncryptor(key, INIT_VECTOR); + return encryptor.getJweContent(content); + } private void decrypt(String jweContent, String plainContent) throws Exception { RSAPrivateKey privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED, RSA_PRIVATE_EXPONENT_ENCODED); RSAJweDecryptor decryptor = new RSAJweDecryptor(jweContent, privateKey); String decryptedText = decryptor.getDecryptedContentText(); assertEquals(decryptedText, plainContent); } + private void decryptDirect(String jweContent, String plainContent) throws Exception { + SecretKey key = CryptoUtils.createSecretKeySpec(CONTENT_ENCRYPTION_KEY, "AES"); + JweDecryptor decryptor = new JweDecryptor(jweContent, key); + String decryptedText = decryptor.getDecryptedContentText(); + assertEquals(decryptedText, plainContent); + } }
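Review bot: decryptDirect, like the existing decrypt it mirrors, calls `assertEquals(decryptedText, plainContent)` with the arguments swapped, so a failure reports the decrypted output as the expected value. Use `assertEquals(plainContent, decryptedText);`. encryptContentDirect and decryptDirect also each rebuild the same SecretKey from CONTENT_ENCRYPTION_KEY; a small `directKey()` helper would keep the two sides in step if the vector changes.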
