Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 985b6be4c -> d974aaa40
[CXF-5954] Adding AesGcm Key Wrap test Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/d974aaa4 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/d974aaa4 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/d974aaa4 Branch: refs/heads/3.0.x-fixes Commit: d974aaa4070ef29e3873c66d380fbf6d1364d7a0 Parents: 985b6be Author: Sergey Beryozkin <[email protected]> Authored: Tue Sep 2 13:39:56 2014 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Tue Sep 2 13:43:12 2014 +0100
----------------------------------------------------------------------
 .../jwe/AbstractWrapKeyEncryptionAlgorithm.java | 4 +- .../jwe/AesGcmContentDecryptionAlgorithm.java | 2 +- .../jwe/AesGcmWrapKeyDecryptionAlgorithm.java | 57 +++++++++++++++++ .../jwe/AesGcmWrapKeyEncryptionAlgorithm.java | 64 ++++++++++++++++++++ .../security/oauth2/jwe/JweCompactConsumer.java | 4 +- .../jwe/WrappedKeyDecryptionAlgorithm.java | 16 ++++- .../cxf/rs/security/oauth2/jwt/Algorithm.java | 6 ++ .../rs/security/oauth2/jwt/JwtConstants.java | 4 +- .../oauth2/jwe/JweCompactReaderWriterTest.java | 25 +++++++- 9 files changed, 173 insertions(+), 9 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/d974aaa4/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryptionAlgorithm.java
index ada022c..a689529 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractWrapKeyEncryptionAlgorithm.java
@@ -51,7 +51,7 @@ public abstract class AbstractWrapKeyEncryptionAlgorithm implements KeyEncryptio
 public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
 checkAlgorithms(headers, algorithm);
 KeyProperties secretKeyProperties = new KeyProperties(getKeyEncryptionAlgoJava(headers));
- AlgorithmParameterSpec spec = getAlgorithmParameterSpec();
+ AlgorithmParameterSpec spec = getAlgorithmParameterSpec(headers);
 if (spec != null) {
 secretKeyProperties.setAlgoSpec(spec);
 }
@@ -70,7 +70,7 @@ public abstract class AbstractWrapKeyEncryptionAlgorithm implements KeyEncryptio
 protected String getContentEncryptionAlgoJava(JweHeaders headers) {
 return Algorithm.toJavaName(headers.getContentEncryptionAlgorithm());
 }
- protected AlgorithmParameterSpec getAlgorithmParameterSpec() {
+ protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweHeaders headers) {
 return null;
 }
 private static String checkAlgorithm(Set<String> supportedAlgorithms, String algo) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/d974aaa4/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentDecryptionAlgorithm.java
index 7c3f3ca..872d565 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmContentDecryptionAlgorithm.java
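Review bot: In AbstractWrapKeyEncryptionAlgorithm, replacing the protected hook `getAlgorithmParameterSpec()` with `getAlgorithmParameterSpec(JweHeaders headers)` means a subclass outside this commit that still overrides the no-argument form without `@Override` keeps compiling but is never called, so `getEncryptedContentEncryptionKey` silently falls back to the `null` spec. As this lands on a fixes branch, consider keeping the old method as a deprecated overload that the new one delegates to by default, `return getAlgorithmParameterSpec();`. The new parameter is also undocumented; a Javadoc such as `/** Returns the cipher parameters used to wrap the CEK, or {@code null} for none; implementations may add headers (for example an IV) to {@code headers}. */` would record that the hook is allowed to mutate the headers. Both method bodies continue outside the hunks.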
@@ -25,6 +25,6 @@ public class AesGcmContentDecryptionAlgorithm extends AbstractContentEncryptionC
 @Override
 public byte[] getEncryptedSequence(byte[] cipher, byte[] authTag) {
- return JweCompactConsumer.getEncryptedContentWithAuthTag(cipher, authTag);
+ return JweCompactConsumer.getCipherWithAuthTag(cipher, authTag);
 }
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/d974aaa4/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
new file mode 100644
index 0000000..d089eec
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmWrapKeyDecryptionAlgorithm.java
@@ -0,0 +1,57 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+public class AesGcmWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
+ public AesGcmWrapKeyDecryptionAlgorithm(String encodedKey) {
+ this(CryptoUtils.decodeSequence(encodedKey));
+ }
+ public AesGcmWrapKeyDecryptionAlgorithm(byte[] secretKey) {
+ this(CryptoUtils.createSecretKeySpec(secretKey, Algorithm.AES_ALGO_JAVA));
+ }
+ public AesGcmWrapKeyDecryptionAlgorithm(SecretKey secretKey) {
+ super(secretKey, true);
+ }
+ @Override
+ protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
+ byte[] encryptedCekKey = super.getEncryptedContentEncryptionKey(consumer);
+ byte[] tag = getDecodedBytes(consumer, "tag");
+ return JweCompactConsumer.getCipherWithAuthTag(encryptedCekKey, tag);
+ }
+ protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) {
+ byte[] iv = getDecodedBytes(consumer, "iv");
+ return CryptoUtils.getContentEncryptionCipherSpec(128, iv);
+ }
+ private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) {
+ try {
+ Object ivHeader = consumer.getJweHeaders().getHeader(headerName);
+ return Base64UrlUtility.decode(ivHeader.toString());
+ } catch (Exception ex) {
+ throw new SecurityException(ex);
+ }
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/d974aaa4/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
new file mode 100644
index 0000000..9d8861b
--- /dev/null
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
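Review bot: `getDecodedBytes` in AesGcmWrapKeyDecryptionAlgorithm takes the `iv` and `tag` values straight from the received JWE header, and neither their presence nor their length is checked before they reach the cipher. A missing header only surfaces as a NullPointerException from `ivHeader.toString()` that the broad `catch (Exception ex)` rewraps, and a `tag` that is not 16 bytes is still concatenated onto the encrypted key while the spec is fixed by `getContentEncryptionCipherSpec(128, iv)`. The AES GCM key wrap definition in JWA requires a 96-bit `iv` and a 128-bit `tag`, so I would reject anything else up front with an explicit SecurityException instead of relying on a later cipher failure (how CryptoUtils treats other sizes is not visible here). The sketch below passes the expected length into the helper; it also adds the missing `@Override` and renames the local `ivHeader`, which is misleading now that the helper reads `tag` as well.

```java
    @Override
    protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) {
        byte[] iv = getDecodedBytes(consumer, "iv", 96 / 8);
        return CryptoUtils.getContentEncryptionCipherSpec(128, iv);
    }
    // … unchanged apart from the extra argument: getEncryptedContentEncryptionKey reads "tag" with 128 / 8 …
    private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName, int expectedLength) {
        Object header = consumer.getJweHeaders().getHeader(headerName);
        if (header == null) {
            throw new SecurityException("Missing JWE header: " + headerName);
        }
        byte[] decoded;
        try {
            decoded = Base64UrlUtility.decode(header.toString());
        } catch (Exception ex) {
            throw new SecurityException(ex);
        }
        if (decoded.length != expectedLength) {
            throw new SecurityException("Unexpected length for JWE header: " + headerName);
        }
        return decoded;
    }
```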
@@ -0,0 +1,64 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.cxf.rs.security.oauth2.jwe;
+
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+
+import javax.crypto.SecretKey;
+
+import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
+import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
+
+public class AesGcmWrapKeyEncryptionAlgorithm extends AbstractWrapKeyEncryptionAlgorithm {
+ private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
+ Arrays.asList(Algorithm.A128GCMKW.getJwtName(),
+ Algorithm.A192GCMKW.getJwtName(),
+ Algorithm.A256GCMKW.getJwtName()));
+ public AesGcmWrapKeyEncryptionAlgorithm(String encodedKey, String keyAlgoJwt) {
+ this(CryptoUtils.decodeSequence(encodedKey), keyAlgoJwt);
+ }
+ public AesGcmWrapKeyEncryptionAlgorithm(byte[] keyBytes, String keyAlgoJwt) {
+ this(CryptoUtils.createSecretKeySpec(keyBytes, Algorithm.AES_ALGO_JAVA),
+ keyAlgoJwt);
+ }
+ public AesGcmWrapKeyEncryptionAlgorithm(SecretKey key, String keyAlgoJwt) {
+ super(key, keyAlgoJwt, true, SUPPORTED_ALGORITHMS);
+ }
+
+ @Override
+ public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
+ byte[] wrappedKeyAndTag = super.getEncryptedContentEncryptionKey(headers, cek);
+ byte[] wrappedKey = new byte[wrappedKeyAndTag.length - 128 / 8];
+ System.arraycopy(wrappedKeyAndTag, 0, wrappedKey, 0, wrappedKeyAndTag.length - 128 / 8);
+ String encodedTag = Base64UrlUtility.encodeChunk(wrappedKeyAndTag,
+ wrappedKeyAndTag.length - 128 / 8, 128 / 8);
+ headers.setHeader("tag", encodedTag);
+ return wrappedKey;
+ }
+ protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweHeaders headers) {
+ byte[] iv = CryptoUtils.generateSecureRandomBytes(96 / 8);
+ String encodedIv = Base64UrlUtility.encode(iv);
+ headers.setHeader("iv", encodedIv);
+ return CryptoUtils.getContentEncryptionCipherSpec(128, iv);
+ }
+}
http://git-wip-us.apache.org/repos/asf/cxf/blob/d974aaa4/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
index 24631ed..9a80e4f 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactConsumer.java
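Review bot: The constructors of AesGcmWrapKeyEncryptionAlgorithm accept any key together with any of the three `A*GCMKW` names, and nothing in this hunk checks that the key length matches the algorithm written to the header, so a 256-bit key could be advertised as `A128GCMKW` (the superclass constructor is outside the hunk and may already check this; worth confirming). `getAlgorithmParameterSpec` draws a fresh random 96-bit IV on every wrap, which is right for GCM, but with a long-lived key-encryption key the usual limit for random IVs (NIST SP 800-38D caps invocations per key at 2^32) deserves a line in the class Javadoc. The repeated `128 / 8` and `96 / 8` and the `"iv"`/`"tag"` literals, which AesGcmWrapKeyDecryptionAlgorithm must match exactly, would be safer as shared named constants, e.g. `private static final int TAG_LENGTH_BYTES = 128 / 8;`. `getAlgorithmParameterSpec` should also carry `@Override` and a comment saying that it writes the `iv` header as a side effect.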
@@ -90,10 +90,10 @@ public class JweCompactConsumer {
 }
 public byte[] getEncryptedContentWithAuthTag() {
- return getEncryptedContentWithAuthTag(encryptedContent, authTag);
+ return getCipherWithAuthTag(encryptedContent, authTag);
 }
- public static byte[] getEncryptedContentWithAuthTag(byte[] cipher, byte[] authTag) {
+ public static byte[] getCipherWithAuthTag(byte[] cipher, byte[] authTag) {
 byte[] encryptedContentWithTag = new byte[cipher.length + authTag.length];
 System.arraycopy(cipher, 0, encryptedContentWithTag, 0, cipher.length);
 System.arraycopy(authTag, 0, encryptedContentWithTag, cipher.length, authTag.length);
http://git-wip-us.apache.org/repos/asf/cxf/blob/d974aaa4/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyDecryptionAlgorithm.java
index 18979a0..40cf8d9 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyDecryptionAlgorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyDecryptionAlgorithm.java
@@ -19,6 +19,7 @@
 package org.apache.cxf.rs.security.oauth2.jwe;
 import java.security.Key;
+import java.security.spec.AlgorithmParameterSpec;
 import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
@@ -36,17 +37,22 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm { } public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) { KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer)); + AlgorithmParameterSpec spec = getAlgorithmParameterSpec(consumer); + if (spec != null) { + keyProps.setAlgoSpec(spec); + } if (!unwrap) { keyProps.setBlockSize(getKeyCipherBlockSize()); - return CryptoUtils.decryptBytes(consumer.getEncryptedContentEncryptionKey(), + return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer), getCekDecryptionKey(), keyProps); } else { - return CryptoUtils.unwrapSecretKey(consumer.getEncryptedContentEncryptionKey(), + return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer), getContentEncryptionAlgorithm(consumer), getCekDecryptionKey(), keyProps).getEncoded(); } } + protected Key getCekDecryptionKey() { return cekDecryptionKey; } @@ -59,4 +65,10 @@ public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm { protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) { return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm()); } + protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) { + return null; + } + protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) { + return consumer.getEncryptedContentEncryptionKey(); + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/d974aaa4/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java index e2807f9..b3e7914 100644 
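Review bot: The two protected hooks added at the end of WrappedKeyDecryptionAlgorithm, `getAlgorithmParameterSpec(JweCompactConsumer)` and `getEncryptedContentEncryptionKey(JweCompactConsumer)`, have no Javadoc, and the contract matters because implementations derive cipher parameters from JWE header values before anything has been authenticated. I would document the first with `/** Returns cipher parameters built from the JWE headers, or {@code null} when the algorithm needs none; header values are unverified input and must be validated here. */` and the second with a matching one-line comment saying it may append data taken from the headers. The class body continues outside both hunks.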
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/Algorithm.java
@@ -46,6 +46,9 @@ public enum Algorithm {
 A128KW(JwtConstants.A128KW_ALGO, "AESWrap", 128),
 A192KW(JwtConstants.A192KW_ALGO, "AESWrap", 192),
 A256KW(JwtConstants.A256KW_ALGO, "AESWrap", 256),
+ A128GCMKW(JwtConstants.A128GCMKW_ALGO, "AES/GCM/NoPadding", 128),
+ A192GCMKW(JwtConstants.A192GCMKW_ALGO, "AES/GCM/NoPadding", 192),
+ A256GCMKW(JwtConstants.A256GCMKW_ALGO, "AES/GCM/NoPadding", 256),
 // Content Encryption
 A128GCM(JwtConstants.A128GCM_ALGO, "AES/GCM/NoPadding", 128),
 A192GCM(JwtConstants.A192GCM_ALGO, "AES/GCM/NoPadding", 192),
@@ -115,6 +118,9 @@ public enum Algorithm {
 JWT_TO_JAVA_NAMES.put(JwtConstants.A256GCM_ALGO, AES_GCM_ALGO_JAVA);
 JWT_TO_JAVA_NAMES.put(JwtConstants.A192GCM_ALGO, AES_GCM_ALGO_JAVA);
 JWT_TO_JAVA_NAMES.put(JwtConstants.A128GCM_ALGO, AES_GCM_ALGO_JAVA);
+ JWT_TO_JAVA_NAMES.put(JwtConstants.A256GCMKW_ALGO, AES_GCM_ALGO_JAVA);
+ JWT_TO_JAVA_NAMES.put(JwtConstants.A192GCMKW_ALGO, AES_GCM_ALGO_JAVA);
+ JWT_TO_JAVA_NAMES.put(JwtConstants.A128GCMKW_ALGO, AES_GCM_ALGO_JAVA);
 JWT_TO_JAVA_NAMES.put(JwtConstants.A128CBC_HS256_ALGO, AES_CBC_ALGO_JAVA);
 JWT_TO_JAVA_NAMES.put(JwtConstants.A192CBC_HS384_ALGO, AES_CBC_ALGO_JAVA);
 JWT_TO_JAVA_NAMES.put(JwtConstants.A256CBC_HS512_ALGO, AES_CBC_ALGO_JAVA);
http://git-wip-us.apache.org/repos/asf/cxf/blob/d974aaa4/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
index 461d7b2..b4e8fce 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/JwtConstants.java
@@ -68,7 +68,9 @@ public final class JwtConstants {
 public static final String A128KW_ALGO = "A128KW";
 public static final String A192KW_ALGO = "A192KW";
 public static final String A256KW_ALGO = "A256KW";
-
+ public static final String A128GCMKW_ALGO = "A128GCMKW";
+ public static final String A192GCMKW_ALGO = "A192GCMKW";
+ public static final String A256GCMKW_ALGO = "A256GCMKW";
 // Content Encryption
 public static final String A128CBC_HS256_ALGO = "A128CBC-HS256";
 public static final String A192CBC_HS384_ALGO = "A192CBC-HS384";
http://git-wip-us.apache.org/repos/asf/cxf/blob/d974aaa4/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
index cd7312b..f59e602 100644
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
+++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java
@@ -27,6 +27,7 @@ import javax.crypto.SecretKey;
 import org.apache.cxf.rs.security.oauth2.jws.JwsCompactReaderWriterTest;
 import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
+import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
 import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
 import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
 import org.bouncycastle.jce.provider.BouncyCastleProvider;
@@ -93,7 +94,7 @@ public class JweCompactReaderWriterTest extends Assert {
 }
 @Test
- public void testEncryptDecryptA128CBCHS256() throws Exception {
+ public void testEncryptDecryptAesWrapA128CBCHS256() throws Exception {
 final String specPlainText = "Live long and prosper.";
 JweHeaders headers = new JweHeaders();
 headers.setAlgorithm(Algorithm.A128KW.getJwtName());
@@ -115,6 +116,28 @@ public class JweCompactReaderWriterTest extends Assert {
 String decryptedText = decryption.decrypt(jweContent).getContentText();
 assertEquals(specPlainText, decryptedText);
 }
+ @Test
+ public void testEncryptDecryptAesGcmWrapA128CBCHS256() throws Exception {
+ final String specPlainText = "Live long and prosper.";
+ JweHeaders headers = new JweHeaders();
+ headers.setAlgorithm(JwtConstants.A128GCMKW_ALGO);
+ headers.setContentEncryptionAlgorithm(Algorithm.A128CBC_HS256.getJwtName());
+
+ byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
+
+ AesGcmWrapKeyEncryptionAlgorithm keyEncryption =
+ new AesGcmWrapKeyEncryptionAlgorithm(cekEncryptionKey, JwtConstants.A128GCMKW_ALGO);
+ JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(headers,
+ CONTENT_ENCRYPTION_KEY_A3,
+ INIT_VECTOR_A3,
+ keyEncryption);
+ String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
+
+ AesGcmWrapKeyDecryptionAlgorithm keyDecryption = new AesGcmWrapKeyDecryptionAlgorithm(cekEncryptionKey);
+ JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
+ String decryptedText = decryption.decrypt(jweContent).getContentText();
+ assertEquals(specPlainText, decryptedText);
+ }
 @Test
 public void testEncryptDecryptSpecExample() throws Exception {
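Review bot: `testEncryptDecryptAesGcmWrapA128CBCHS256` only checks the round trip, so it would still pass if the `tag` header were ignored on decryption. Since the point of GCM key wrap is that the wrapped key is authenticated, add a negative case that alters the `tag` or `iv` header (or one byte of the encrypted key) in `jweContent` and asserts that `decryption.decrypt(...)` throws, plus an assertion that the produced headers actually contain `iv` and `tag`. Only `A128GCMKW` is covered; the 192 and 256 variants registered in this commit are untested. The test class body continues outside the hunk.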
