Repository: cxf Updated Branches: refs/heads/master ac556b7cf -> 117061fed
[CXF-5311] Fixing compact serialization if OOB ceks are used, refactoring abstract JWE helpers, adding empty encryption and signature properties which can be used to enforce that only specific encryption/sign algo props were used Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/117061fe Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/117061fe Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/117061fe Branch: refs/heads/master Commit: 117061fed2242b6a927467e2b6488c9fb111565a Parents: ac556b7 Author: Sergey Beryozkin <[email protected]> Authored: Fri Jun 6 13:30:21 2014 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Fri Jun 6 13:30:21 2014 +0100 ---------------------------------------------------------------------- .../oauth2/jwe/AbstractJweDecryptor.java | 52 +++----------------- .../oauth2/jwe/AbstractJweEncryptor.java | 52 ++++---------------- .../oauth2/jwe/DirectKeyJweDecryptor.java | 15 +++++- .../oauth2/jwe/DirectKeyJweEncryptor.java | 3 ++ .../security/oauth2/jwe/JweCompactConsumer.java | 16 +++++- .../security/oauth2/jwe/JweCompactProducer.java | 4 +- .../rs/security/oauth2/jwe/RSAJweDecryptor.java | 12 +++-- .../oauth2/jwe/WrappedKeyJweDecryptor.java | 39 +++++++++++++-- .../oauth2/jwe/WrappedKeyJweEncryptor.java | 35 +++++++++++-- .../security/oauth2/jws/JwsCompactConsumer.java | 19 +++++-- .../rs/security/oauth2/jwt/JwtTokenReader.java | 1 - .../oauth2/jwt/JwtTokenReaderWriter.java | 3 +- .../security/oauth2/utils/Base64UrlUtility.java | 9 +++- 13 files changed, 151 insertions(+), 109 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
index cff7f28..4b9614f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryptor.java
@@ -18,52 +18,20 @@ */ package org.apache.cxf.rs.security.oauth2.jwe; -import java.security.Key; import java.security.spec.AlgorithmParameterSpec; import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; -import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties; public abstract class AbstractJweDecryptor { private JweCompactConsumer jweConsumer; - private Key cekDecryptionKey; - private byte[] contentDecryptionKey; - private boolean unwrap; private CeProvider ceProvider = new CeProvider(); - protected AbstractJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) { - this.jweConsumer = new JweCompactConsumer(jweContent); - this.cekDecryptionKey = cekDecryptionKey; - this.unwrap = unwrap; - } - protected AbstractJweDecryptor(String jweContent, Key contentDecryptionKey) { - this(jweContent, null, false); - this.contentDecryptionKey = contentDecryptionKey.getEncoded(); - } - protected Key getCekDecryptionKey() { - return cekDecryptionKey; + protected AbstractJweDecryptor(String jweContent, JweCryptoProperties props) { + this.jweConsumer = new JweCompactConsumer(jweContent, props); } - protected byte[] getContentEncryptionKey() { - // This can be overridden if needed - if (contentDecryptionKey != null) { - return contentDecryptionKey; - } - - KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm()); - if (!unwrap) { - keyProps.setBlockSize(getKeyCipherBlockSize()); - return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(), keyProps); - } else { - return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(), - getContentEncryptionAlgorithm(), - getCekDecryptionKey(), - keyProps).getEncoded(); - } - } - protected int getKeyCipherBlockSize() { - return -1; - } + protected abstract byte[] getContentEncryptionKey(); + public byte[] getDecryptedContent() { return jweConsumer.getDecryptedContent(ceProvider); 
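Review bot: The new abstract `getContentEncryptionKey()` has no Javadoc, although its contract is now split across two subclasses with different behaviour (DirectKeyJweDecryptor returns a pre-shared key and rejects a non-empty encrypted-key part, WrappedKeyJweDecryptor decrypts or unwraps that part), so the base class is the one place a reader cannot learn what an implementation must guarantee. Suggest `/** Returns the raw content encryption key for this JWE, derived from the encrypted key part or from a pre-shared key; implementations must reject a JWE whose encrypted key part does not match their mode. */` on the abstract method. The `props` argument of the new constructor may be null (the other subclasses pass null through), which is worth stating in a one-line `@param` comment as well.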
@@ -72,24 +40,20 @@ public abstract class AbstractJweDecryptor { public String getDecryptedContentText() { return jweConsumer.getDecryptedContentText(ceProvider); } - public JweHeaders getJweHeaders() { + public JweHeaders getHeaders() { return getJweConsumer().getJweHeaders(); } protected AlgorithmParameterSpec getContentDecryptionCipherSpec() { - // this can be overridden if needed return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(), getContentEncryptionCipherInitVector()); } - protected String getKeyEncryptionAlgorithm() { - return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm()); - } - protected String getContentEncryptionAlgorithm() { - return Algorithm.toJavaName(getJweHeaders().getContentEncryptionAlgorithm()); - } protected byte[] getEncryptedContentEncryptionKey() { return getJweConsumer().getEncryptedContentEncryptionKey(); } + protected String getContentEncryptionAlgorithm() { + return Algorithm.toJavaName(getHeaders().getContentEncryptionAlgorithm()); + } protected byte[] getContentEncryptionCipherAAD() { return getJweConsumer().getContentEncryptionCipherAAD(); } http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java index 44987f9..2427cc1 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryptor.java 
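Review bot: Renaming the public `getJweHeaders()` to `getHeaders()` is a source-incompatible change for any external subclass or caller of AbstractJweDecryptor, and the commit message does not mention it. If the old name has users outside this module, keeping a delegating `@Deprecated public JweHeaders getJweHeaders() { return getHeaders(); }` next to the new method avoids the break at no cost. The encryptor side (AbstractJweEncryptor in this commit) still uses the `getJweHeaders()` name, so the two abstract classes now disagree on naming for the same accessor.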
@@ -19,7 +19,6 @@ package org.apache.cxf.rs.security.oauth2.jwe; import java.io.UnsupportedEncodingException; -import java.security.Key; import java.security.spec.AlgorithmParameterSpec; import javax.crypto.SecretKey; @@ -33,13 +32,11 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties; public abstract class AbstractJweEncryptor { protected static final int DEFAULT_IV_SIZE = 96; protected static final int DEFAULT_AUTH_TAG_LENGTH = 128; - private Key cekEncryptionKey; private JweHeaders headers; private JwtHeadersWriter writer = new JwtTokenReaderWriter(); private byte[] cek; private byte[] iv; private int authTagLen = DEFAULT_AUTH_TAG_LENGTH; - private boolean wrap; protected AbstractJweEncryptor(SecretKey cek, byte[] iv) { this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm())), cek.getEncoded(), iv); @@ -53,24 +50,12 @@ public abstract class AbstractJweEncryptor { this(headers, cek, iv); this.authTagLen = authTagLen; } - protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey) { + protected AbstractJweEncryptor(JweHeaders headers) { this.headers = headers; - this.cekEncryptionKey = cekEncryptionKey; } - protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) { - this(headers, cek, iv, DEFAULT_AUTH_TAG_LENGTH); - this.cekEncryptionKey = cekEncryptionKey; - } - protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, - int authTagLen, boolean wrap) { + protected AbstractJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen, + JwtHeadersWriter writer) { this(headers, cek, iv, authTagLen); - this.cekEncryptionKey = cekEncryptionKey; - this.wrap = wrap; - } - - protected AbstractJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen, - boolean wrap, JwtHeadersWriter writer) { - this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap); if (writer != null) { this.writer = writer; } 
@@ -85,31 +70,11 @@ public abstract class AbstractJweEncryptor { } protected byte[] getContentEncryptionKey() { - if (cek == null && cekEncryptionKey != null) { - String algo = headers.getContentEncryptionAlgorithm(); - return CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded(); - } else { - return cek; - } + return cek; } - protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) { - if (cekEncryptionKey == null) { - return cek; - } else { - KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo()); - if (!wrap) { - return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, secretKeyProperties); - } else { - return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey, - secretKeyProperties.getKeyAlgo()); - } - } - } + protected abstract byte[] getEncryptedContentEncryptionKey(byte[] theCek); - protected String getContentEncryptionKeyEncryptionAlgo() { - return Algorithm.toJavaName(headers.getKeyEncryptionAlgorithm()); - } protected String getContentEncryptionAlgo() { return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm()); } @@ -117,11 +82,11 @@ public abstract class AbstractJweEncryptor { protected int getAuthTagLen() { return authTagLen; } - + protected JweHeaders getJweHeaders() { + return headers; + } public String getJweContent(byte[] content) { byte[] theCek = getContentEncryptionKey(); - byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek); - String contentEncryptionAlgoJavaName = Algorithm.toJavaName(headers.getContentEncryptionAlgorithm()); KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName); byte[] additionalEncryptionParam = headers.toCipherAdditionalAuthData(writer); 
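Review bot: The new abstract `getEncryptedContentEncryptionKey(byte[] theCek)` and the now-trivial `getContentEncryptionKey()` both lack Javadoc, and the base `getContentEncryptionKey()` returns whatever `cek` the constructor received, which is null for the `(JweHeaders)` constructor kept in this commit; nothing on this class says a subclass must then produce the key. Suggest `/** Encrypts or wraps {@code theCek} for the recipient; returns an empty array when the JWE carries no encrypted key part (direct encryption). */` on the abstract method and `/** Returns the CEK given at construction, or null if a subclass is expected to generate one. */` on `getContentEncryptionKey()`. Note that `getJweContent` (second hunk, body continues outside this hunk) passes `theCek` straight to `CryptoUtils.createSecretKeySpec`, so a null CEK will fail there rather than with a clear message.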
@@ -136,6 +101,7 @@ public abstract class AbstractJweEncryptor { CryptoUtils.createSecretKeySpec(theCek, contentEncryptionAlgoJavaName), keyProps); + byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek); JweCompactProducer producer = new JweCompactProducer(headers, jweContentEncryptionKey, theIv, http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java index fd98333..be9378f 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryptor.java 
@@ -21,7 +21,20 @@ package org.apache.cxf.rs.security.oauth2.jwe; import java.security.Key; public class DirectKeyJweDecryptor extends AbstractJweDecryptor { + private byte[] contentDecryptionKey; public DirectKeyJweDecryptor(String jweContent, Key contentDecryptionKey) { - super(jweContent, contentDecryptionKey); + this(jweContent, contentDecryptionKey, null); + } + public DirectKeyJweDecryptor(String jweContent, Key contentDecryptionKey, JweCryptoProperties props) { + super(jweContent, props); + this.contentDecryptionKey = contentDecryptionKey.getEncoded(); + } + @Override + protected byte[] getContentEncryptionKey() { + byte[] encryptedCEK = getEncryptedContentEncryptionKey(); + if (encryptedCEK != null && encryptedCEK.length > 0) { + throw new SecurityException(); + } + return contentDecryptionKey; } } http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java index e2b0e43..8872d81 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweEncryptor.java 
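Review bot: The new guard in `getContentEncryptionKey()` throws a bare `SecurityException()` with no message, so a consumer handed a non-direct JWE sees an unexplained failure; `throw new SecurityException("Direct key JWE must not carry an encrypted content encryption key");` would make the rejection diagnosable in logs. As far as this hunk shows, the `alg` header is not checked anywhere for the direct-key case; the guard only proves the encrypted-key part is empty, and the `JweCryptoProperties` passed to the superclass are not yet enforced in this commit, so a comment noting that algorithm pinning still depends on that enforcement would help the next reader. Separately, `contentDecryptionKey.getEncoded()` in the three-argument constructor returns null for keys that do not support encoding and throws NPE for a null key, so `this.contentDecryptionKey = Objects.requireNonNull(contentDecryptionKey.getEncoded(), "contentDecryptionKey must be encodable");` (with `java.util.Objects` imported) would fail at construction rather than at first decryption.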
@@ -32,4 +32,7 @@ public class DirectKeyJweEncryptor extends AbstractJweEncryptor { public DirectKeyJweEncryptor(JweHeaders headers, byte[] cek, byte[] iv, int authTagLen) { super(headers, cek, iv, authTagLen); } + protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) { + return new byte[0]; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java index 9c11dcf..042ceda 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java @@ -26,6 +26,7 @@ import java.security.spec.AlgorithmParameterSpec; import org.apache.cxf.common.util.Base64Exception; import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants; +import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersReader; import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter; import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility; import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; 
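Review bot: The new `getEncryptedContentEncryptionKey` override is missing `@Override`, while the sibling DirectKeyJweDecryptor added in the same commit does annotate its override, so the two classes are inconsistent and a later signature change in the base class would go unnoticed here. The empty array it returns is what JweCompactProducer now serialises as an empty encrypted-key part, which is worth a why-comment: `// direct encryption: the compact serialization carries an empty encrypted key part`.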
@@ -40,6 +41,12 @@ public class JweCompactConsumer { private byte[] authTag; private JweHeaders jweHeaders; public JweCompactConsumer(String jweContent) { + this(jweContent, null); + } + public JweCompactConsumer(String jweContent, JweCryptoProperties props) { + this(jweContent, props, new JwtTokenReaderWriter()); + } + public JweCompactConsumer(String jweContent, JweCryptoProperties props, JwtHeadersReader reader) { String[] parts = jweContent.split("\\."); if (parts.length != 5) { throw new SecurityException("5 JWE parts are expected"); @@ -54,12 +61,19 @@ public class JweCompactConsumer { encryptedContentWithTag = new byte[cipherText.length + authTag.length]; System.arraycopy(cipherText, 0, encryptedContentWithTag, 0, cipherText.length); System.arraycopy(authTag, 0, encryptedContentWithTag, cipherText.length, authTag.length); - jweHeaders = new JweHeaders(new JwtTokenReaderWriter().fromJsonHeaders(headersJson).asMap()); + jweHeaders = new JweHeaders(reader.fromJsonHeaders(headersJson).asMap()); + enforceJweCryptoProperties(props); } catch (Base64Exception ex) { throw new SecurityException(ex); } } + private void enforceJweCryptoProperties(JweCryptoProperties props) { + if (props != null) { + //TODO: Validate + } + } + public String getDecodedJsonHeaders() { return headersJson; } http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java index cb61690..82945b7 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java 
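Review bot: `enforceJweCryptoProperties` in the second hunk is a `//TODO: Validate` stub, so a caller that passes a `JweCryptoProperties` to the new constructor expecting the advertised algorithm restriction gets none; the headers parsed just above it are accepted unchecked. Until the check exists this should fail closed rather than silently succeed: `if (props != null) { throw new UnsupportedOperationException("JweCryptoProperties enforcement is not implemented yet"); }` keeps every existing null-passing caller working while making the gap impossible to rely on by accident; a constructor Javadoc saying the properties are not yet enforced is the minimum alternative. The same stub pattern appears in JwsCompactConsumer.enforceJweSignatureProperties in this commit and needs the same treatment.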
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactProducer.java @@ -89,9 +89,9 @@ public class JweCompactProducer { StringBuilder sb = new StringBuilder(); return sb.append(encodedHeaders) .append('.') - .append(encodedContentEncryptionKey) + .append(encodedContentEncryptionKey == null ? "" : encodedContentEncryptionKey) .append('.') - .append(encodedInitVector) + .append(encodedInitVector == null ? "" : encodedInitVector) .append('.') .append(encodedEncryptedContent) .append('.') http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java index cb4666f..17a53d1 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAJweDecryptor.java 
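Review bot: The two null-to-empty substitutions treat the encrypted-key part and the IV part the same way, but only the first is shown to be legitimately empty in this commit (DirectKeyJweEncryptor returns an empty key); a null IV is more likely a producer bug that would now surface as a malformed JWE on the consumer side instead of at serialization time. A short comment on which of the two may legitimately be absent, e.g. `// encrypted key is empty for direct encryption; IV is only absent for algorithms that use none`, would make the intent explicit; if the IV must always be present for the supported algorithms, keep the original unconditional `.append(encodedInitVector)` so a null fails early.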
@@ -23,12 +23,18 @@ import java.security.interfaces.RSAPublicKey; public class RSAJweDecryptor extends WrappedKeyJweDecryptor { - public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) { - super(jweContent, privateKey, unwrap); - } + public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey) { this(jweContent, privateKey, true); } + public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap) { + this(jweContent, privateKey, unwrap, null); + } + public RSAJweDecryptor(String jweContent, RSAPrivateKey privateKey, boolean unwrap, + JweCryptoProperties props) { + super(jweContent, privateKey, unwrap, props); + } + protected int getKeyCipherBlockSize() { return ((RSAPublicKey)getCekDecryptionKey()).getModulus().toByteArray().length; } http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java index 0145909..1798c55 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryptor.java 
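Review bot: The context line `return ((RSAPublicKey)getCekDecryptionKey()).getModulus().toByteArray().length;` casts the key that every constructor in this hunk receives as an `RSAPrivateKey` to `RSAPublicKey`; unless the concrete key object happens to implement both interfaces, this throws ClassCastException whenever `unwrap` is false. Both interfaces extend `java.security.interfaces.RSAKey`, which provides `getModulus()`, so `((RSAKey)getCekDecryptionKey())` is the safe cast. Note also that `BigInteger.toByteArray()` includes a sign byte, so a 2048-bit modulus yields 257 bytes; if the block size is meant to be the modulus length, `(getModulus().bitLength() + 7) / 8` is the intended value — confirm against what KeyProperties expects. The method also lacks `@Override`.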
@@ -20,11 +20,44 @@ package org.apache.cxf.rs.security.oauth2.jwe; import java.security.Key; +import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; +import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; +import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties; + public class WrappedKeyJweDecryptor extends AbstractJweDecryptor { - public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) { - super(jweContent, cekDecryptionKey, unwrap); - } + private Key cekDecryptionKey; + private boolean unwrap; public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey) { this(jweContent, cekDecryptionKey, true); } + public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap) { + this(jweContent, cekDecryptionKey, unwrap, null); + } + public WrappedKeyJweDecryptor(String jweContent, Key cekDecryptionKey, boolean unwrap, + JweCryptoProperties props) { + super(jweContent, props); + this.cekDecryptionKey = cekDecryptionKey; + this.unwrap = unwrap; + } + protected byte[] getContentEncryptionKey() { + KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm()); + if (!unwrap) { + keyProps.setBlockSize(getKeyCipherBlockSize()); + return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(), getCekDecryptionKey(), keyProps); + } else { + return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(), + getContentEncryptionAlgorithm(), + getCekDecryptionKey(), + keyProps).getEncoded(); + } + } + protected Key getCekDecryptionKey() { + return cekDecryptionKey; + } + protected int getKeyCipherBlockSize() { + return -1; + } + protected String getKeyEncryptionAlgorithm() { + return Algorithm.toJavaName(getHeaders().getKeyEncryptionAlgorithm()); + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java 
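Review bot: `getContentEncryptionKey()` overrides the new abstract method without `@Override`, and the `-1` returned by `getKeyCipherBlockSize()` is an undocumented sentinel that `setBlockSize` receives verbatim in the non-unwrap branch. Suggest `@Override` on the override and a comment on the sentinel: `// -1 presumably means "no explicit block size"; RSAJweDecryptor overrides this — confirm against KeyProperties`. Note also that `getKeyEncryptionAlgorithm()` takes the algorithm from the unauthenticated JWE header and feeds it to the private-key operation, so until the `JweCryptoProperties` check in JweCompactConsumer is implemented the caller has no way to pin which algorithm the key is used with; a comment stating that dependency would keep the limitation visible.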
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
index 6486604..ad6b905 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryptor.java
@@ -20,22 +20,49 @@ package org.apache.cxf.rs.security.oauth2.jwe; import java.security.Key; +import org.apache.cxf.rs.security.oauth2.jwt.Algorithm; import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter; +import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; +import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties; public class WrappedKeyJweEncryptor extends AbstractJweEncryptor { + private Key cekEncryptionKey; + private boolean wrap; public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey) { - super(headers, cekEncryptionKey); + this(headers, cekEncryptionKey, null, null); } public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv) { - super(headers, cekEncryptionKey, cek, iv); + this(headers, cekEncryptionKey, cek, iv, DEFAULT_AUTH_TAG_LENGTH, true); } public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen, boolean wrap) { - super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap); + this(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, null); } public WrappedKeyJweEncryptor(JweHeaders headers, Key cekEncryptionKey, byte[] cek, byte[] iv, int authTagLen, boolean wrap, JwtHeadersWriter writer) { - super(headers, cekEncryptionKey, cek, iv, authTagLen, wrap, writer); + super(headers, cek, iv, authTagLen, writer); + this.cekEncryptionKey = cekEncryptionKey; + this.wrap = wrap; + } + protected byte[] getContentEncryptionKey() { + byte[] theCek = super.getContentEncryptionKey(); + if (theCek == null) { + String algo = getContentEncryptionAlgo(); + theCek = CryptoUtils.getSecretKey(algo, Algorithm.valueOf(algo).getKeySizeBits()).getEncoded(); + } + return theCek; + } + protected byte[] getEncryptedContentEncryptionKey(byte[] theCek) { + KeyProperties secretKeyProperties = new KeyProperties(getContentEncryptionKeyEncryptionAlgo()); + if (!wrap) { + return CryptoUtils.encryptBytes(theCek, cekEncryptionKey, 
secretKeyProperties); + } else { + return CryptoUtils.wrapSecretKey(theCek, getContentEncryptionAlgo(), cekEncryptionKey, + secretKeyProperties.getKeyAlgo()); + } + } + protected String getContentEncryptionKeyEncryptionAlgo() { + return Algorithm.toJavaName(getJweHeaders().getKeyEncryptionAlgorithm()); } } http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java index abec1a6..d149587 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java @@ -37,14 +37,21 @@ public class JwsCompactConsumer { private String headersJson; private String claimsJson; private JwtToken token; + private JwsSignatureProperties props; public JwsCompactConsumer(String encodedJws) { - this(encodedJws, null); + this(encodedJws, null, null); + } + public JwsCompactConsumer(String encodedJws, JwsSignatureProperties props) { + this(encodedJws, props, null); } public JwsCompactConsumer(String encodedJws, JwtTokenReader r) { + this(encodedJws, null, r); + } + public JwsCompactConsumer(String encodedJws, JwsSignatureProperties props, JwtTokenReader r) { if (r != null) { this.reader = r; } - + this.props = props; String[] parts = encodedJws.split("\\."); if (parts.length != 3) { if (parts.length == 2 && encodedJws.endsWith(".")) { 
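Review bot: The removed base-class code had a `cekEncryptionKey == null` branch; the new `getEncryptedContentEncryptionKey` in WrappedKeyJweEncryptor passes `cekEncryptionKey` straight to `CryptoUtils.encryptBytes` or `wrapSecretKey`, and none of the four constructors rejects a null key, so the failure now happens deep inside the crypto utility at first use. Validate at construction: `this.cekEncryptionKey = Objects.requireNonNull(cekEncryptionKey, "cekEncryptionKey");` (import `java.util.Objects`). Both `getContentEncryptionKey` and `getEncryptedContentEncryptionKey` override base methods without `@Override`, and the random CEK generation in the former deserves a why-comment such as `// no CEK supplied: generate one sized for the content encryption algorithm in the headers`.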
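Review bot: Adding `JwsCompactConsumer(String, JwsSignatureProperties)` next to the existing `JwsCompactConsumer(String, JwtTokenReader)` makes a call with a literal `null` second argument ambiguous, so any external caller written as `new JwsCompactConsumer(jws, null)` stops compiling; inside this class the one-argument constructor already avoids that by delegating to the three-argument form. If such callers exist, either document the cast they now need (`new JwsCompactConsumer(jws, (JwtTokenReader) null)`) or keep only the three-argument constructor public alongside the original two. The new `props` field is assigned but, within this commit, only read by a stub, which is worth a comment on the field so the unused-looking state is not removed by a later cleanup.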
@@ -87,16 +94,22 @@ public class JwsCompactConsumer { } public JwtToken getJwtToken() { if (token == null) { - token = reader.fromJson(headersJson, claimsJson); + token = reader.fromJson(new JwtTokenJson(headersJson, claimsJson)); } return token; } public boolean verifySignatureWith(JwsSignatureVerifier validator) { + enforceJweSignatureProperties(); if (!validator.verify(getJwtHeaders(), getUnsignedEncodedToken(), getDecodedSignature())) { throw new SecurityException(); } return true; } + private void enforceJweSignatureProperties() { + if (props != null) { + //TODO: + } + } private static String decodeToString(String encoded) { try { return new String(decode(encoded), "UTF-8"); http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java index 9be3a0a..f916df7 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReader.java @@ -21,6 +21,5 @@ package org.apache.cxf.rs.security.oauth2.jwt; public interface JwtTokenReader extends JwtHeadersReader { JwtClaims fromJsonClaims(String jsonClaims); - JwtToken fromJson(String jsonHeaders, String jsonClaims); JwtToken fromJson(JwtTokenJson jsonPair); } http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java ---------------------------------------------------------------------- 
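Review bot: The new private method is named `enforceJweSignatureProperties` in a JWS class whose field is a `JwsSignatureProperties`, so the name misleads; `enforceJwsSignatureProperties` matches the type and the class. Calling it at the top of `verifySignatureWith`, before `validator.verify`, is the right order once it does something, but as written it returns silently for non-null `props`, so a reader of `verifySignatureWith` should not assume any algorithm restriction is applied; a `// NOTE: signature property enforcement not implemented yet` at the call site keeps that visible until the stub is filled in.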
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java index 9d95771..d8d6dd4 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtTokenReaderWriter.java @@ -68,8 +68,7 @@ public class JwtTokenReaderWriter implements JwtTokenReader, JwtTokenWriter { } - @Override - public JwtToken fromJson(String headersJson, String claimsJson) { + private JwtToken fromJson(String headersJson, String claimsJson) { JwtHeaders headers = fromJsonHeaders(headersJson); JwtClaims claims = fromJsonClaims(claimsJson); return new JwtToken(headers, claims); http://git-wip-us.apache.org/repos/asf/cxf/blob/117061fe/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java index 9b5db48..d8d795c 100644 --- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java +++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/utils/Base64UrlUtility.java 
@@ -73,8 +73,13 @@ public final class Base64UrlUtility { } public static String encodeChunk(byte[] id, int offset, int length) { - String encoded = new String(Base64Utility.encodeChunk(id, offset, length)); - return encoded.replace("+", "-").replace('/', '_').replace("=", ""); + char[] chunk = Base64Utility.encodeChunk(id, offset, length); + if (chunk != null) { + String encoded = new String(chunk); + return encoded.replace("+", "-").replace('/', '_').replace("=", ""); + } else { + return null; + } }
