Repository: cxf Updated Branches: refs/heads/3.0.x-fixes cc5903ca8 -> 46dd6627e
[CXF-5902] More refactoring to get the utility AesCbcHmac decryption working Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/46dd6627 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/46dd6627 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/46dd6627 Branch: refs/heads/3.0.x-fixes Commit: 46dd6627e2a5c7d0fef9f7426739a8025d28ca4e Parents: cc5903c Author: Sergey Beryozkin <sberyoz...@talend.com> Authored: Tue Aug 12 11:35:10 2014 +0100 Committer: Sergey Beryozkin <sberyoz...@talend.com> Committed: Tue Aug 12 21:11:22 2014 +0100 ---------------------------------------------------------------------- .../jwe/AbstractContentEncryptionAlgorithm.java | 17 +-------- ...stractContentEncryptionCipherProperties.java | 39 ++++++++++++++++++++ .../oauth2/jwe/AbstractJweDecryption.java | 10 +++-- .../oauth2/jwe/AbstractJweEncryption.java | 2 +- .../oauth2/jwe/AesCbcHmacJweEncryption.java | 2 +- .../jwe/AesGcmContentDecryptionAlgorithm.java | 24 ++++++++++++ .../oauth2/jwe/ContentEncryptionAlgorithm.java | 7 +--- .../jwe/ContentEncryptionCipherProperties.java | 27 ++++++++++++++ .../oauth2/jwe/DirectKeyJweDecryption.java | 10 ++++- .../oauth2/jwe/WrappedKeyJweDecryption.java | 7 +++- 10 files changed, 116 insertions(+), 29 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java index c452992..9dde55d 100644 
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionAlgorithm.java @@ -18,22 +18,19 @@ */ package org.apache.cxf.rs.security.oauth2.jwe; -import java.security.spec.AlgorithmParameterSpec; import java.util.concurrent.atomic.AtomicInteger; import javax.crypto.SecretKey; -import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter; import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; -public abstract class AbstractContentEncryptionAlgorithm implements ContentEncryptionAlgorithm { +public abstract class AbstractContentEncryptionAlgorithm extends AbstractContentEncryptionCipherProperties + implements ContentEncryptionAlgorithm { private static final int DEFAULT_IV_SIZE = 128; - private static final int DEFAULT_AUTH_TAG_LENGTH = 128; private byte[] cek; private byte[] iv; private AtomicInteger providedIvUsageCount; - private int authTagLen = DEFAULT_AUTH_TAG_LENGTH; protected AbstractContentEncryptionAlgorithm(SecretKey key, byte[] iv) { this(key.getEncoded(), iv); } @@ -45,16 +42,9 @@ public abstract class AbstractContentEncryptionAlgorithm implements ContentEncry } } - public byte[] getContentEncryptionKey(JweHeaders headers) { return cek; } - public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) { - return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv); - } - public byte[] getAAD(JweHeaders theHeaders, JwtHeadersWriter writer) { - return theHeaders.toCipherAdditionalAuthData(writer); - } public byte[] getInitVector() { if (iv == null) { return CryptoUtils.generateSecureRandomBytes(getIvSize()); 
@@ -64,9 +54,6 @@ public abstract class AbstractContentEncryptionAlgorithm implements ContentEncry return iv; } } - protected int getAuthTagLen() { - return authTagLen; - } protected int getIvSize() { return DEFAULT_IV_SIZE; } http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionCipherProperties.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionCipherProperties.java new file mode 100644 index 0000000..7f06abf --- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractContentEncryptionCipherProperties.java 
@@ -0,0 +1,39 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+
+public abstract class AbstractContentEncryptionCipherProperties implements ContentEncryptionCipherProperties {
+ private static final int DEFAULT_AUTH_TAG_LENGTH = 128;
+ private int authTagLen = DEFAULT_AUTH_TAG_LENGTH;
+
+ public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) {
+ return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv);
+ }
+ public byte[] getAdditionalAuthenticationData(String headersJson) {
+ return JweHeaders.toCipherAdditionalAuthData(headersJson);
+ }
+ protected int getAuthTagLen() {
+ return authTagLen;
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java
----------------------------------------------------------------------
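Review bot: `authTagLen` is a mutable field that nothing in this hunk ever assigns, so `getAuthTagLen()` can only return the 128-bit default; either make it `private static final` and return the constant, or add a `protected AbstractContentEncryptionCipherProperties(int authTagLen)` constructor beside the implicit no-arg one so a subclass sets it deliberately rather than through field access. The class and both interface methods (also in the new ContentEncryptionCipherProperties.java) carry no Javadoc; for `getAdditionalAuthenticationData` I would state that `headersJson` is expected to be the JWE protected header as transmitted, since its result is what `getContentEncryptionCipherAAD` in AbstractJweDecryption hands back as the content cipher AAD. A class-level `/** Shared cipher properties (authentication-tag length, AAD derivation) for JWE content encryption and decryption. */` would orient readers.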
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java index e4ea003..04bcde6 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweDecryption.java @@ -31,15 +31,18 @@ import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties; public abstract class AbstractJweDecryption implements JweDecryption { private JweCryptoProperties props; private KeyDecryptionAlgorithm keyDecryptionAlgo; + private ContentEncryptionCipherProperties contentEncryptionProps; private JwtHeadersReader reader = new JwtTokenReaderWriter(); protected AbstractJweDecryption(JweCryptoProperties props, JwtHeadersReader theReader, - KeyDecryptionAlgorithm keyDecryptionAlgo) { + KeyDecryptionAlgorithm keyDecryptionAlgo, + ContentEncryptionCipherProperties contentEncryptionProps) { this.props = props; if (theReader != null) { reader = theReader; } this.keyDecryptionAlgo = keyDecryptionAlgo; + this.contentEncryptionProps = contentEncryptionProps; } protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) { 
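Review bot: The new `contentEncryptionProps` constructor argument is stored without a null check, so a caller passing null only fails later inside `getContentEncryptionCipherSpec` or `getContentEncryptionCipherAAD` with a bare NullPointerException; fail fast here instead, e.g. `this.contentEncryptionProps = Objects.requireNonNull(contentEncryptionProps, "contentEncryptionProps");` (assuming java.util.Objects is importable in this file). The existing `props` and `keyDecryptionAlgo` fields are not checked either, but this one now drives both the parameter spec and the AAD of every decryption. The constructor also warrants a `@param contentEncryptionProps` line saying that it supplies the auth-tag length and AAD for the content cipher.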
@@ -73,14 +76,13 @@ public abstract class AbstractJweDecryption implements JweDecryption { return consumer.getEncryptedContentEncryptionKey(); } protected AlgorithmParameterSpec getContentEncryptionCipherSpec(JweCompactConsumer consumer) { - return CryptoUtils.getContentEncryptionCipherSpec(getEncryptionAuthenticationTagLenBits(consumer), - getContentEncryptionCipherInitVector(consumer)); + return contentEncryptionProps.getAlgorithmParameterSpec(getContentEncryptionCipherInitVector(consumer)); } protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) { return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm()); } protected byte[] getContentEncryptionCipherAAD(JweCompactConsumer consumer) { - return consumer.getContentEncryptionCipherAAD(); + return contentEncryptionProps.getAdditionalAuthenticationData(consumer.getDecodedJsonHeaders()); } protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) { return consumer.getEncryptedContentWithAuthTag(); http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java index 1d0f8eb..357a300 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java 
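Review bot: `getContentEncryptionCipherAAD` now rebuilds the AAD from `consumer.getDecodedJsonHeaders()` instead of taking `consumer.getContentEncryptionCipherAAD()` from the compact serialization; in JWE the AAD is the ASCII bytes of the base64url-encoded protected header exactly as received, so this is only correct if the decode-then-re-encode path inside `JweHeaders.toCipherAdditionalAuthData` (not visible here) is byte-exact, with no JSON re-serialisation, whitespace or charset normalisation in between. If it is not byte-exact, every token fails tag verification, and any normalisation would also let a reformatted header pass verification unchanged. I would add `// AAD must be the base64url protected header as received; the decoded JSON is re-encoded, not re-serialised` above the return and a test that decrypts a token whose header JSON contains non-canonical whitespace.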
@@ -85,7 +85,7 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider { return DEFAULT_AUTH_TAG_LENGTH; } protected byte[] getAAD(JweHeaders theHeaders) { - return contentEncryptionAlgo.getAAD(theHeaders, writer); + return contentEncryptionAlgo.getAdditionalAuthenticationData(writer.headersToJson(theHeaders)); } public String encrypt(byte[] content, String contentType) { JweEncryptionInternal state = getInternalState(contentType); http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java index c40a7dc..d79452a 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesCbcHmacJweEncryption.java @@ -159,7 +159,7 @@ public class AesCbcHmacJweEncryption extends AbstractJweEncryption { return new IvParameterSpec(theIv); } @Override - public byte[] getAAD(JweHeaders theHeaders, JwtHeadersWriter writer) { + public byte[] getAdditionalAuthenticationData(String headersJson) { return null; } } http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentDecryptionAlgorithm.java ---------------------------------------------------------------------- 
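Review bot: `AesCbcHmacJweEncryption.getAdditionalAuthenticationData` returns null with no explanation; any caller that passes the result straight to `Cipher.updateAAD` will throw, and a reader cannot tell whether the protected header is bound into the HMAC tag elsewhere in this class (its body lies outside the hunk). If the CBC path binds the header through its own HMAC computation, say so: `// AAD is not fed to the CBC cipher; the protected header is bound via the HMAC tag computed in this class`. If the header is not bound anywhere yet, that is the gap to close before this encryption is relied on, since an unauthenticated header can then be altered without detection.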
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentDecryptionAlgorithm.java
new file mode 100644
index 0000000..9397bd4
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentDecryptionAlgorithm.java
@@ -0,0 +1,24 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+
+
+public class AesGcmContentDecryptionAlgorithm extends AbstractContentEncryptionCipherProperties {
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java
----------------------------------------------------------------------
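Review bot: The new class has no Javadoc and an empty body, so a reader cannot tell why it exists or how it differs from the abstract base beyond being instantiable. Suggest `/** ContentEncryptionCipherProperties for AES-GCM content decryption: inherits the 128-bit authentication-tag length and protected-header AAD from the base class. */`. The `Algorithm` suffix is also at odds with the class providing cipher properties only; it does not implement ContentEncryptionAlgorithm, which the name suggests.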
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java index 709cffc..1fcf25c 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionAlgorithm.java @@ -18,14 +18,9 @@ */ package org.apache.cxf.rs.security.oauth2.jwe; -import java.security.spec.AlgorithmParameterSpec; -import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter; - -interface ContentEncryptionAlgorithm { +interface ContentEncryptionAlgorithm extends ContentEncryptionCipherProperties { byte[] getInitVector(); byte[] getContentEncryptionKey(JweHeaders headers); - byte[] getAAD(JweHeaders headers, JwtHeadersWriter writer); - AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv); } http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionCipherProperties.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionCipherProperties.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionCipherProperties.java new file mode 100644 index 0000000..6cbe869 --- /dev/null +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/ContentEncryptionCipherProperties.java 
@@ -0,0 +1,27 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+
+interface ContentEncryptionCipherProperties {
+ byte[] getAdditionalAuthenticationData(String headersJson);
+ AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv);
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
index 3ab3f31..9ef9ae1 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/DirectKeyJweDecryption.java
@@ -31,7 +31,15 @@ public class DirectKeyJweDecryption extends AbstractJweDecryption { } public DirectKeyJweDecryption(Key contentDecryptionKey, JweCryptoProperties props, JwtHeadersReader reader) { - super(props, reader, new DirectKeyDecryptionAlgorithm(contentDecryptionKey)); + this(contentDecryptionKey, props, reader, + new AesGcmContentDecryptionAlgorithm()); + } + public DirectKeyJweDecryption(Key contentDecryptionKey, + JweCryptoProperties props, + JwtHeadersReader reader, + ContentEncryptionCipherProperties cipherProps) { + super(props, reader, new DirectKeyDecryptionAlgorithm(contentDecryptionKey), + cipherProps); } } http://git-wip-us.apache.org/repos/asf/cxf/blob/46dd6627/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java index 962261e..05d1098 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java 
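Review bot: Both new three-argument constructors (here and in WrappedKeyJweDecryption in the next hunk) default to `new AesGcmContentDecryptionAlgorithm()`, while the cipher transformation used for decryption is read from the received token's `enc` header (`getContentEncryptionAlgorithm` in AbstractJweDecryption). Nothing in these hunks ties the configured cipher properties to that header value, so a token carrying an `enc` other than the one the properties were chosen for would be processed with a mismatched parameter spec and AAD; the likely outcome is a cipher initialisation failure, but the receiver should check that the header's `enc` is the one it expects rather than rely on that. If JweCryptoProperties already restricts the accepted `enc` (not visible here), a `@param cipherProps` Javadoc line stating that it must correspond to the configured content encryption algorithm would make the coupling explicit.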
@@ -43,6 +43,11 @@ public class WrappedKeyJweDecryption extends AbstractJweDecryption { } public WrappedKeyJweDecryption(WrappedKeyDecryptionAlgorithm keyDecryptionAlgo, JweCryptoProperties props, JwtHeadersReader reader) { - super(props, reader, keyDecryptionAlgo); + this(keyDecryptionAlgo, props, reader, new AesGcmContentDecryptionAlgorithm()); + } + public WrappedKeyJweDecryption(WrappedKeyDecryptionAlgorithm keyDecryptionAlgo, + JweCryptoProperties props, JwtHeadersReader reader, + ContentEncryptionCipherProperties cipherProps) { + super(props, reader, keyDecryptionAlgo, cipherProps); } }