http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
deleted file mode 100644
index 220763a..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmWrapKeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,64 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.security.spec.AlgorithmParameterSpec; -import java.util.Arrays; -import java.util.HashSet; -import java.util.Set; - -import javax.crypto.SecretKey; - -import org.apache.cxf.rs.security.jose.jwa.Algorithm; -import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility; -import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; - -public class AesGcmWrapKeyEncryptionAlgorithm extends AbstractWrapKeyEncryptionAlgorithm { - private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>( - Arrays.asList(Algorithm.A128GCMKW.getJwtName(), - Algorithm.A192GCMKW.getJwtName(), - Algorithm.A256GCMKW.getJwtName())); - public AesGcmWrapKeyEncryptionAlgorithm(String encodedKey, String keyAlgoJwt) { - this(CryptoUtils.decodeSequence(encodedKey), keyAlgoJwt); - } - public AesGcmWrapKeyEncryptionAlgorithm(byte[] keyBytes, String keyAlgoJwt) { - this(CryptoUtils.createSecretKeySpec(keyBytes, Algorithm.AES_ALGO_JAVA), - keyAlgoJwt); - } - public AesGcmWrapKeyEncryptionAlgorithm(SecretKey key, String keyAlgoJwt) { - super(key, keyAlgoJwt, true, SUPPORTED_ALGORITHMS); - } - - 
@Override - public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) { - byte[] wrappedKeyAndTag = super.getEncryptedContentEncryptionKey(headers, cek); - byte[] wrappedKey = new byte[wrappedKeyAndTag.length - 128 / 8]; - System.arraycopy(wrappedKeyAndTag, 0, wrappedKey, 0, wrappedKeyAndTag.length - 128 / 8); - String encodedTag = Base64UrlUtility.encodeChunk(wrappedKeyAndTag, - wrappedKeyAndTag.length - 128 / 8, 128 / 8); - headers.setHeader("tag", encodedTag); - return wrappedKey; - } - protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweHeaders headers) { - byte[] iv = CryptoUtils.generateSecureRandomBytes(96 / 8); - String encodedIv = Base64UrlUtility.encode(iv); - headers.setHeader("iv", encodedIv); - return CryptoUtils.getContentEncryptionCipherSpec(128, iv); - } -}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
deleted file mode 100644
index 14c273f..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,38 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import javax.crypto.SecretKey; - -import org.apache.cxf.rs.security.jose.jwa.Algorithm; -import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; - -public class AesWrapKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm { - public AesWrapKeyDecryptionAlgorithm(String encodedKey) { - this(CryptoUtils.decodeSequence(encodedKey)); - } - public AesWrapKeyDecryptionAlgorithm(byte[] secretKey) { - this(CryptoUtils.createSecretKeySpec(secretKey, Algorithm.AES_WRAP_ALGO_JAVA)); - } - public AesWrapKeyDecryptionAlgorithm(SecretKey secretKey) { - super(secretKey, true); - } - - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyEncryptionAlgorithm.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyEncryptionAlgorithm.java
deleted file mode 100644
index a0b01b9..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesWrapKeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,48 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.util.Arrays; -import java.util.HashSet; -import java.util.Set; - -import javax.crypto.SecretKey; - -import org.apache.cxf.rs.security.jose.jwa.Algorithm; -import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; - -public class AesWrapKeyEncryptionAlgorithm extends AbstractWrapKeyEncryptionAlgorithm { - private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>( - Arrays.asList(Algorithm.A128KW.getJwtName(), - Algorithm.A192KW.getJwtName(), - Algorithm.A256KW.getJwtName())); - public AesWrapKeyEncryptionAlgorithm(String encodedKey, String keyAlgoJwt) { - this(CryptoUtils.decodeSequence(encodedKey), keyAlgoJwt); - } - public AesWrapKeyEncryptionAlgorithm(byte[] keyBytes, String keyAlgoJwt) { - this(CryptoUtils.createSecretKeySpec(keyBytes, Algorithm.toJavaName(keyAlgoJwt)), - keyAlgoJwt); - } - public AesWrapKeyEncryptionAlgorithm(SecretKey key, String keyAlgoJwt) { - super(key, keyAlgoJwt, SUPPORTED_ALGORITHMS); - } - - - -} 
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AuthenticationTagProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AuthenticationTagProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AuthenticationTagProducer.java deleted file mode 100644 index 897e68c..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/AuthenticationTagProducer.java +++ /dev/null @@ -1,24 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -public interface AuthenticationTagProducer { - void update(byte[] cipher, int off, int len); - byte[] getTag(); -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java deleted file mode 100644 index eaf6f61..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionAlgorithm.java +++ /dev/null @@ -1,24 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - - -interface ContentDecryptionAlgorithm extends ContentEncryptionCipherProperties { - byte[] getEncryptedSequence(byte[] cipher, byte[] authTag); -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java deleted file mode 100644 index 07b370e..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionAlgorithm.java +++ /dev/null @@ -1,27 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - - - -public interface ContentEncryptionAlgorithm extends ContentEncryptionCipherProperties { - String getAlgorithm(); - byte[] getInitVector(); - byte[] getContentEncryptionKey(JweHeaders headers); -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java deleted file mode 100644 index 54da6fd..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java +++ /dev/null @@ -1,27 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.security.spec.AlgorithmParameterSpec; - - -public interface ContentEncryptionCipherProperties { - byte[] getAdditionalAuthenticationData(String headersJson); - AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv); -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
deleted file mode 100644
index c1803c6..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,39 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.security.Key; - -public class DirectKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm { - private byte[] contentDecryptionKey; - public DirectKeyDecryptionAlgorithm(Key contentDecryptionKey) { - this(contentDecryptionKey.getEncoded()); - } - public DirectKeyDecryptionAlgorithm(byte[] contentDecryptionKey) { - this.contentDecryptionKey = contentDecryptionKey; - } - @Override - public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) { - byte[] encryptedCEK = consumer.getEncryptedContentEncryptionKey(); - if (encryptedCEK != null && encryptedCEK.length > 0) { - throw new SecurityException(); - } - return contentDecryptionKey; - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java deleted file mode 100644 index 6714c3c..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyEncryptionAlgorithm.java +++ /dev/null @@ -1,34 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - - -public class DirectKeyEncryptionAlgorithm implements KeyEncryptionAlgorithm { - public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] theCek) { - if (headers.getKeyEncryptionAlgorithm() != null) { - throw new SecurityException(); - } - return new byte[0]; - } - - @Override - public String getAlgorithm() { - return null; - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
deleted file mode 100644
index 0f1611e..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweDecryption.java
+++ /dev/null
@@ -1,45 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.security.Key; - -import org.apache.cxf.rs.security.jose.jwt.JwtHeadersReader; - -public class DirectKeyJweDecryption extends AbstractJweDecryption { - public DirectKeyJweDecryption(Key contentDecryptionKey) { - this(contentDecryptionKey, null); - } - public DirectKeyJweDecryption(Key contentDecryptionKey, JweCryptoProperties props) { - this(contentDecryptionKey, props, null); - } - public DirectKeyJweDecryption(Key contentDecryptionKey, JweCryptoProperties props, - JwtHeadersReader reader) { - this(contentDecryptionKey, props, reader, - new AesGcmContentDecryptionAlgorithm()); - } - public DirectKeyJweDecryption(Key contentDecryptionKey, - JweCryptoProperties props, - JwtHeadersReader reader, - ContentDecryptionAlgorithm cipherProps) { - super(props, reader, new DirectKeyDecryptionAlgorithm(contentDecryptionKey), - cipherProps); - } - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java
deleted file mode 100644
index fdd8658..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/DirectKeyJweEncryption.java
+++ /dev/null
@@ -1,47 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import javax.crypto.SecretKey; - -import org.apache.cxf.rs.security.jose.jwa.Algorithm; - -public class DirectKeyJweEncryption extends AbstractJweEncryption { - public DirectKeyJweEncryption(SecretKey cek, byte[] iv) { - this(new JweHeaders(Algorithm.toJwtName(cek.getAlgorithm(), - cek.getEncoded().length * 8)), cek.getEncoded(), iv); - } - public DirectKeyJweEncryption(JweHeaders headers, byte[] cek, byte[] iv) { - this(headers, new AesGcmContentEncryptionAlgorithm(cek, iv, headers.getContentEncryptionAlgorithm())); - } - public DirectKeyJweEncryption(JweHeaders headers, ContentEncryptionAlgorithm ceAlgo) { - super(headers, ceAlgo, new DirectKeyEncryptionAlgorithm()); - } - protected byte[] getProvidedContentEncryptionKey() { - return validateCek(super.getProvidedContentEncryptionKey()); - } - private static byte[] validateCek(byte[] cek) { - if (cek == null) { - // to prevent the cek from being auto-generated which - // does not make sense for the direct key case - throw new NullPointerException("CEK must not be null"); - } - return cek; - } -} 
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
deleted file mode 100644
index 5cfe012..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactConsumer.java
+++ /dev/null
@@ -1,113 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.cxf.rs.security.jose.jwe; - -import java.io.UnsupportedEncodingException; - -import org.apache.cxf.common.util.Base64Exception; -import org.apache.cxf.rs.security.jose.jwt.JwtHeadersReader; -import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter; -import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility; - - -public class JweCompactConsumer { - private String headersJson; - private byte[] encryptedCEK; - private byte[] initVector; - private byte[] encryptedContent; - private byte[] authTag; - private JweHeaders jweHeaders; - public JweCompactConsumer(String jweContent) { - this(jweContent, new JwtTokenReaderWriter()); - } - public JweCompactConsumer(String jweContent, JwtHeadersReader reader) { - String[] parts = jweContent.split("\\."); - if (parts.length != 5) { - throw new SecurityException("5 JWE parts are expected"); - } - try { - headersJson = new String(Base64UrlUtility.decode(parts[0])); - encryptedCEK = Base64UrlUtility.decode(parts[1]); - initVector = Base64UrlUtility.decode(parts[2]); - - encryptedContent = Base64UrlUtility.decode(parts[3]); - authTag = Base64UrlUtility.decode(parts[4]); - 
jweHeaders = new JweHeaders(reader.fromJsonHeaders(headersJson).asMap()); - } catch (Base64Exception ex) { - throw new SecurityException(ex); - } - } - - public void enforceJweCryptoProperties(JweCryptoProperties props) { - if (props != null) { - //TODO - } - } - - public String getDecodedJsonHeaders() { - return headersJson; - } - - public JweHeaders getJweHeaders() { - return jweHeaders; - } - - public byte[] getEncryptedContentEncryptionKey() { - return encryptedCEK; - } - - public byte[] getContentDecryptionCipherInitVector() { - return initVector; - } - - public byte[] getContentEncryptionCipherAAD() { - return JweHeaders.toCipherAdditionalAuthData(headersJson); - } - - public byte[] getEncryptionAuthenticationTag() { - return authTag; - } - - public byte[] getEncryptedContent() { - return encryptedContent; - } - - public byte[] getEncryptedContentWithAuthTag() { - return getCipherWithAuthTag(encryptedContent, authTag); - } - - public static byte[] getCipherWithAuthTag(byte[] cipher, byte[] authTag) { - byte[] encryptedContentWithTag = new byte[cipher.length + authTag.length]; - System.arraycopy(cipher, 0, encryptedContentWithTag, 0, cipher.length); - System.arraycopy(authTag, 0, encryptedContentWithTag, cipher.length, authTag.length); - return encryptedContentWithTag; - } - - public byte[] getDecryptedContent(JweDecryptionProvider decryption) { - return decryption.decrypt(this); - } - public String getDecryptedContentText(JweDecryptionProvider decryption) { - try { - return new String(getDecryptedContent(decryption), "UTF-8"); - } catch (UnsupportedEncodingException ex) { - throw new SecurityException(ex); - } - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactProducer.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactProducer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactProducer.java
deleted file mode 100644
index ca0cda8..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCompactProducer.java
+++ /dev/null
@@ -1,155 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-import org.apache.cxf.rs.security.jose.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.jose.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-
-
-public class JweCompactProducer {
- private StringBuilder jweContentBuilder;
- private String encodedEncryptedContent;
- private String encodedAuthTag;
- public JweCompactProducer(JweHeaders headers,
- byte[] encryptedContentEncryptionKey,
- byte[] cipherInitVector,
- byte[] encryptedContentNoTag,
- byte[] authenticationTag) {
- this(headers, null, encryptedContentEncryptionKey,
- cipherInitVector, encryptedContentNoTag, authenticationTag);
- }
-
- public JweCompactProducer(JweHeaders headers,
- JwtHeadersWriter writer,
- byte[] encryptedContentEncryptionKey,
- byte[] cipherInitVector,
- byte[] encryptedContentNoTag,
- byte[] authenticationTag) {
- this(getHeadersJson(headers, writer),
- encryptedContentEncryptionKey,
- cipherInitVector,
- encryptedContentNoTag,
- authenticationTag);
- }
- public JweCompactProducer(String headersJson,
-
byte[] encryptedContentEncryptionKey,
- byte[] cipherInitVector,
- byte[] encryptedContentNoTag,
- byte[] authenticationTag) {
- jweContentBuilder = startJweContent(new StringBuilder(), headersJson,
- encryptedContentEncryptionKey, cipherInitVector);
- this.encodedEncryptedContent = Base64UrlUtility.encode(encryptedContentNoTag);
- this.encodedAuthTag = Base64UrlUtility.encode(authenticationTag);
-
- }
-
- public JweCompactProducer(JweHeaders headers,
- byte[] encryptedContentEncryptionKey,
- byte[] cipherInitVector,
- byte[] encryptedContentWithTag,
- int authTagLengthBits) {
- this(headers, null, encryptedContentEncryptionKey,
- cipherInitVector, encryptedContentWithTag, authTagLengthBits);
- }
- public JweCompactProducer(JweHeaders headers,
- JwtHeadersWriter writer,
- byte[] encryptedContentEncryptionKey,
- byte[] cipherInitVector,
- byte[] encryptedContentWithTag,
- int authTagLengthBits) {
- jweContentBuilder = startJweContent(new StringBuilder(), headers, writer,
- encryptedContentEncryptionKey, cipherInitVector);
- this.encodedEncryptedContent = Base64UrlUtility.encodeChunk(
- encryptedContentWithTag,
- 0,
- encryptedContentWithTag.length - authTagLengthBits / 8);
- this.encodedAuthTag = Base64UrlUtility.encodeChunk(
- encryptedContentWithTag,
- encryptedContentWithTag.length - authTagLengthBits / 8,
- authTagLengthBits / 8);
-
- }
- public static String startJweContent(JweHeaders headers,
- JwtHeadersWriter writer,
- byte[] encryptedContentEncryptionKey,
- byte[] cipherInitVector) {
- return startJweContent(new StringBuilder(),
- headers, writer, encryptedContentEncryptionKey, cipherInitVector).toString();
- }
- public static StringBuilder startJweContent(StringBuilder sb,
- JweHeaders headers,
- JwtHeadersWriter writer,
- byte[] encryptedContentEncryptionKey,
- byte[] cipherInitVector) {
- return startJweContent(sb,
- getHeadersJson(headers, writer),
- encryptedContentEncryptionKey,
- cipherInitVector);
- }
- private static String
getHeadersJson(JweHeaders headers,
- JwtHeadersWriter writer) {
- writer = writer == null ? new JwtTokenReaderWriter() : writer;
- return writer.headersToJson(headers);
-
- }
- public static StringBuilder startJweContent(StringBuilder sb,
- String headersJson,
- byte[] encryptedContentEncryptionKey,
- byte[] cipherInitVector) {
- String encodedHeaders = Base64UrlUtility.encode(headersJson);
- String encodedContentEncryptionKey = Base64UrlUtility.encode(encryptedContentEncryptionKey);
- String encodedInitVector = Base64UrlUtility.encode(cipherInitVector);
- sb.append(encodedHeaders)
- .append('.')
- .append(encodedContentEncryptionKey == null ? "" : encodedContentEncryptionKey)
- .append('.')
- .append(encodedInitVector == null ? "" : encodedInitVector)
- .append('.');
- return sb;
- }
-
- public static void startJweContent(OutputStream os,
- JweHeaders headers,
- JwtHeadersWriter writer,
- byte[] encryptedContentEncryptionKey,
- byte[] cipherInitVector) throws IOException {
- writer = writer == null ? new JwtTokenReaderWriter() : writer;
- byte[] jsonBytes = writer.headersToJson(headers).getBytes("UTF-8");
- Base64UrlUtility.encodeAndStream(jsonBytes, 0, jsonBytes.length, os);
- byte[] dotBytes = new byte[]{'.'};
- os.write(dotBytes);
- Base64UrlUtility.encodeAndStream(encryptedContentEncryptionKey, 0,
- encryptedContentEncryptionKey.length, os);
- os.write(dotBytes);
- Base64UrlUtility.encodeAndStream(cipherInitVector, 0, cipherInitVector.length, os);
- os.write(dotBytes);
- }
-
- public String getJweContent() {
- return jweContentBuilder.append(encodedEncryptedContent)
- .append('.')
- .append(encodedAuthTag)
- .toString();
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCryptoProperties.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCryptoProperties.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCryptoProperties.java
deleted file mode 100644
index 54150e4..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweCryptoProperties.java
+++ /dev/null
@@ -1,22 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-public class JweCryptoProperties {
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
deleted file mode 100644
index f3cf255..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionOutput.java
+++ /dev/null
@@ -1,43 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.io.UnsupportedEncodingException;
-
-public class JweDecryptionOutput {
- private JweHeaders headers;
- private byte[] content;
- public JweDecryptionOutput(JweHeaders headers, byte[] content) {
- this.headers = headers;
- this.content = content;
- }
- public JweHeaders getHeaders() {
- return headers;
- }
- public byte[] getContent() {
- return content;
- }
- public String getContentText() {
- try {
- return new String(getContent(), "UTF-8");
- } catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
deleted file mode 100644
index d20401b..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-
-
-public interface JweDecryptionProvider {
- JweDecryptionOutput decrypt(String jweContent);
- byte[] decrypt(JweCompactConsumer consumer);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
deleted file mode 100644
index 5b9afee..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java
+++ /dev/null
@@ -1,26 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-
-
-public interface JweEncryptionProvider {
- String encrypt(byte[] jweContent, String contentType);
- JweEncryptionState createJweEncryptionState(String contentType);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionState.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionState.java
deleted file mode 100644
index 0732250..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionState.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import javax.crypto.Cipher;
-
-public class JweEncryptionState {
- private Cipher cipher;
- private JweHeaders headers;
- private byte[] contentEncryptionKey;
- private byte[] iv;
- private boolean compressionSupported;
- private AuthenticationTagProducer authTagProducer;
-
- public JweEncryptionState(Cipher cipher,
- JweHeaders headers,
- byte[] contentEncryptionKey,
- byte[] iv,
- AuthenticationTagProducer authTagProducer,
- boolean compressionSupported) {
- this.cipher = cipher;
- this.headers = headers;
- this.contentEncryptionKey = contentEncryptionKey;
- this.iv = iv;
- this.authTagProducer = authTagProducer;
- this.compressionSupported = compressionSupported;
- }
- public Cipher getCipher() {
- return cipher;
- }
- public JweHeaders getHeaders() {
- return headers;
- }
- public byte[] getContentEncryptionKey() {
- return contentEncryptionKey;
- }
- public byte[] getIv() {
- return iv;
- }
- public boolean isCompressionSupported() {
- return compressionSupported;
- }
- public AuthenticationTagProducer getAuthTagProducer() {
- return authTagProducer;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
deleted file mode 100644
index 7fe91d6..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweHeaders.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.io.UnsupportedEncodingException;
-import java.util.Map;
-
-import org.apache.cxf.rs.security.jose.jwt.JwtConstants;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-
-
-
-
-public class JweHeaders extends JwtHeaders {
-
- public JweHeaders() {
- }
-
- public JweHeaders(Map<String, Object> values) {
- super(values);
- }
- public JweHeaders(String keyEncAlgo, String ctEncAlgo) {
- this(keyEncAlgo, ctEncAlgo, false);
- }
- public JweHeaders(String ctEncAlgo) {
- this(null, ctEncAlgo, false);
- }
- public JweHeaders(String ctEncAlgo, boolean deflate) {
- this(null, ctEncAlgo, deflate);
- }
- public JweHeaders(String keyEncAlgo, String ctEncAlgo, boolean deflate) {
- init(keyEncAlgo, ctEncAlgo, deflate);
- }
- private void init(String keyEncAlgo, String ctEncAlgo, boolean deflate) {
- if (keyEncAlgo != null) {
- setKeyEncryptionAlgorithm(keyEncAlgo);
- }
- setContentEncryptionAlgorithm(ctEncAlgo);
- if (deflate) {
-
setZipAlgorithm(JwtConstants.DEFLATE_ZIP_ALGORITHM);
- }
- }
-
- public void setKeyEncryptionAlgorithm(String type) {
- super.setAlgorithm(type);
- }
-
- public String getKeyEncryptionAlgorithm() {
- return super.getAlgorithm();
- }
-
- public void setContentEncryptionAlgorithm(String type) {
- setHeader(JwtConstants.JWE_HEADER_CONTENT_ENC_ALGORITHM, type);
- }
-
- public String getContentEncryptionAlgorithm() {
- return (String)getHeader(JwtConstants.JWE_HEADER_CONTENT_ENC_ALGORITHM);
- }
-
- public void setZipAlgorithm(String type) {
- setHeader(JwtConstants.JWE_HEADER_ZIP_ALGORITHM, type);
- }
-
- public String getZipAlgorithm() {
- return (String)getHeader(JwtConstants.JWE_HEADER_ZIP_ALGORITHM);
- }
-
- @Override
- public JwtHeaders setHeader(String name, Object value) {
- return (JwtHeaders)super.setHeader(name, value);
- }
- public byte[] toCipherAdditionalAuthData(JwtHeadersWriter writer) {
- return toCipherAdditionalAuthData(writer.headersToJson(this));
- }
- public static byte[] toCipherAdditionalAuthData(String headersJson) {
- try {
- String base64UrlHeadersInJson = Base64UrlUtility.encode(headersJson.getBytes("UTF-8"));
- return base64UrlHeadersInJson.getBytes("US-ASCII");
- } catch (UnsupportedEncodingException ex) {
- throw new RuntimeException(ex);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
deleted file mode 100644
index 5abe38c..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweOutputStream.java
+++ /dev/null
@@ -1,145 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.io.FilterOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.nio.ByteBuffer;
-
-import javax.crypto.Cipher;
-
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-
-public class JweOutputStream extends FilterOutputStream {
- private Cipher encryptingCipher;
- private int blockSize;
- private AuthenticationTagProducer authTagProducer;
- private byte[] lastRawDataChunk;
- private byte[] lastEncryptedDataChunk;
- private boolean flushed;
- public JweOutputStream(OutputStream out,
- Cipher encryptingCipher,
- AuthenticationTagProducer authTagProducer) {
- super(out);
- this.encryptingCipher = encryptingCipher;
- this.blockSize = encryptingCipher.getBlockSize();
- this.authTagProducer = authTagProducer;
- }
-
- @Override
- public void write(int value) throws IOException {
- byte[] bytes = ByteBuffer.allocate(Integer.SIZE / 8).putInt(value).array();
- write(bytes, 0, bytes.length);
- }
-
- @Override
- public void write(byte b[], int off, int len) throws IOException {
- if (lastRawDataChunk != null) {
- int remaining = blockSize -
lastRawDataChunk.length;
- int lenToCopy = remaining < len ? remaining : len;
- lastRawDataChunk = newArray(lastRawDataChunk, 0, lastRawDataChunk.length, b, off, lenToCopy);
- off = off + lenToCopy;
- len -= lenToCopy;
- if (lastRawDataChunk.length < blockSize) {
- return;
- } else {
- encryptAndWrite(lastRawDataChunk, 0, lastRawDataChunk.length);
- lastRawDataChunk = null;
- }
- }
- int offset = 0;
- int chunkSize = blockSize > len ? blockSize : blockSize * (len / blockSize);
- for (; offset + chunkSize <= len; offset += chunkSize, off += chunkSize) {
- encryptAndWrite(b, off, chunkSize);
- }
- if (offset < len) {
- lastRawDataChunk = newArray(b, off, len - offset);
- }
-
- }
-
- private void encryptAndWrite(byte[] chunk, int off, int len) throws IOException {
- byte[] encrypted = encryptingCipher.update(chunk, off, len);
- if (authTagProducer != null) {
- authTagProducer.update(encrypted, 0, encrypted.length);
- }
- encodeAndWrite(encrypted, 0, encrypted.length, false);
- }
- private void encodeAndWrite(byte[] encryptedChunk, int off, int len, boolean finalWrite) throws IOException {
- byte[] theChunk = lastEncryptedDataChunk;
- int lenToEncode = len;
- if (theChunk != null) {
- theChunk = newArray(theChunk, 0, theChunk.length, encryptedChunk, off, len);
- lenToEncode = theChunk.length;
- off = 0;
- } else {
- theChunk = encryptedChunk;
- }
- int rem = finalWrite ? 0 : lenToEncode % 3;
- Base64UrlUtility.encodeAndStream(theChunk, off, lenToEncode - rem, out);
-
- if (rem > 0) {
- lastEncryptedDataChunk = newArray(theChunk, lenToEncode - rem, rem);
- } else {
- lastEncryptedDataChunk = null;
- }
- }
-
- @Override
- public void flush() throws IOException {
- if (flushed) {
- return;
- }
- try {
- byte[] finalBytes = lastRawDataChunk == null
- ?
encryptingCipher.doFinal()
- : encryptingCipher.doFinal(lastRawDataChunk, 0, lastRawDataChunk.length);
- final int authTagLengthBits = 128;
- if (authTagProducer != null) {
- authTagProducer.update(finalBytes, 0, finalBytes.length);
- encodeAndWrite(finalBytes, 0, finalBytes.length, true);
- } else {
- encodeAndWrite(finalBytes, 0, finalBytes.length - authTagLengthBits / 8, true);
- }
- out.write(new byte[]{'.'});
-
- if (authTagProducer == null) {
- encodeAndWrite(finalBytes, finalBytes.length - authTagLengthBits / 8, authTagLengthBits / 8, true);
- } else {
- byte[] authTag = authTagProducer.getTag();
- encodeAndWrite(authTag, 0, authTagLengthBits / 8, true);
- }
- } catch (Exception ex) {
- throw new SecurityException();
- }
- flushed = true;
- }
- private byte[] newArray(byte[] src, int srcPos, int srcLen) {
- byte[] buf = new byte[srcLen];
- System.arraycopy(src, srcPos, buf, 0, srcLen);
- return buf;
- }
- private byte[] newArray(byte[] src, int srcPos, int srcLen, byte[] src2, int srcPos2, int srcLen2) {
- byte[] buf = new byte[srcLen + srcLen2];
- System.arraycopy(src, srcPos, buf, 0, srcLen);
- System.arraycopy(src2, srcPos2, buf, srcLen, srcLen2);
- return buf;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
deleted file mode 100644
index c3aa6d4..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ /dev/null
@@ -1,68 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-
-public final class JweUtils {
- private JweUtils() {
-
- }
- public static KeyEncryptionAlgorithm getKeyEncryptionAlgorithm(JsonWebKey jwk) {
- return getKeyEncryptionAlgorithm(jwk, null);
- }
- public static KeyEncryptionAlgorithm getKeyEncryptionAlgorithm(JsonWebKey jwk, String defaultAlgorithm) {
- String keyEncryptionAlgo = jwk.getAlgorithm() == null ?
defaultAlgorithm : jwk.getAlgorithm();
- KeyEncryptionAlgorithm keyEncryptionProvider = null;
- if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
- keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(JwkUtils.toRSAPublicKey(jwk),
- keyEncryptionAlgo);
- } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
- SecretKey key = JwkUtils.toSecretKey(jwk);
- if (Algorithm.isAesKeyWrap(keyEncryptionAlgo)) {
- keyEncryptionProvider = new AesWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo);
- } else if (Algorithm.isAesGcmKeyWrap(keyEncryptionAlgo)) {
- keyEncryptionProvider = new AesGcmWrapKeyEncryptionAlgorithm(key, keyEncryptionAlgo);
- }
- } else {
- // TODO: support elliptic curve keys
- }
- return keyEncryptionProvider;
- }
- public static KeyDecryptionAlgorithm getKeyDecryptionAlgorithm(JsonWebKey jwk) {
- KeyDecryptionAlgorithm keyDecryptionProvider = null;
- if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) {
- keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk));
- } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) {
- SecretKey key = JwkUtils.toSecretKey(jwk);
- if (Algorithm.isAesKeyWrap(jwk.getAlgorithm())) {
- keyDecryptionProvider = new AesWrapKeyDecryptionAlgorithm(key);
- } else if (Algorithm.isAesGcmKeyWrap(jwk.getAlgorithm())) {
- keyDecryptionProvider = new AesGcmWrapKeyDecryptionAlgorithm(key);
- }
- } else {
- // TODO: support elliptic curve keys
- }
- return keyDecryptionProvider;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
deleted file mode 100644
index 9932ab2..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-
-public interface KeyDecryptionAlgorithm {
- byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionAlgorithm.java
deleted file mode 100644
index 3885291..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-
-public interface KeyEncryptionAlgorithm {
- String getAlgorithm();
- byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
deleted file mode 100644
index ac66535..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,54 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility; - -public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm { - private byte[] password; - public PbesHmacAesWrapKeyDecryptionAlgorithm(String password) { - this(PbesHmacAesWrapKeyEncryptionAlgorithm.stringToBytes(password)); - } - public PbesHmacAesWrapKeyDecryptionAlgorithm(char[] password) { - this(PbesHmacAesWrapKeyEncryptionAlgorithm.charsToBytes(password)); - } - public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password) { - this.password = password; - } - @Override - public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) { - byte[] saltInput = getDecodedBytes(consumer, "p2s"); - int pbesCount = consumer.getJweHeaders().getIntegerHeader("p2c"); - String keyAlgoJwt = consumer.getJweHeaders().getAlgorithm(); - int keySize = PbesHmacAesWrapKeyEncryptionAlgorithm.getKeySize(keyAlgoJwt); - byte[] derivedKey = PbesHmacAesWrapKeyEncryptionAlgorithm - .createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount); - KeyDecryptionAlgorithm aesWrap = new 
AesWrapKeyDecryptionAlgorithm(derivedKey); - return aesWrap.getDecryptedContentEncryptionKey(consumer); - } - private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) { - try { - Object headerValue = consumer.getJweHeaders().getHeader(headerName); - return Base64UrlUtility.decode(headerValue.toString()); - } catch (Exception ex) { - throw new SecurityException(ex); - } - } - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java deleted file mode 100644 index 377e186..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java +++ /dev/null 
@@ -1,173 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.io.UnsupportedEncodingException; -import java.nio.ByteBuffer; -import java.nio.CharBuffer; -import java.nio.charset.Charset; -import java.util.Arrays; -import java.util.HashMap; -import java.util.HashSet; -import java.util.Map; -import java.util.Set; - -import org.apache.cxf.rs.security.jose.jwa.Algorithm; -import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility; -import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; -import org.bouncycastle.crypto.Digest; -import org.bouncycastle.crypto.digests.SHA256Digest; -import org.bouncycastle.crypto.digests.SHA384Digest; -import org.bouncycastle.crypto.digests.SHA512Digest; -import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator; -import org.bouncycastle.crypto.params.KeyParameter; - -public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgorithm { - private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>( - Arrays.asList(Algorithm.PBES2_HS256_A128KW.getJwtName(), - Algorithm.PBES2_HS384_A192KW.getJwtName(), - Algorithm.PBES2_HS512_A256KW.getJwtName())); - private 
static final Map<String, Integer> PBES_HMAC_MAP; - private static final Map<String, String> PBES_AES_MAP; - private static final Map<String, Integer> DERIVED_KEY_SIZE_MAP; - static { - PBES_HMAC_MAP = new HashMap<String, Integer>(); - PBES_HMAC_MAP.put(Algorithm.PBES2_HS256_A128KW.getJwtName(), 256); - PBES_HMAC_MAP.put(Algorithm.PBES2_HS384_A192KW.getJwtName(), 384); - PBES_HMAC_MAP.put(Algorithm.PBES2_HS512_A256KW.getJwtName(), 512); - - PBES_AES_MAP = new HashMap<String, String>(); - PBES_AES_MAP.put(Algorithm.PBES2_HS256_A128KW.getJwtName(), Algorithm.A128KW.getJwtName()); - PBES_AES_MAP.put(Algorithm.PBES2_HS384_A192KW.getJwtName(), Algorithm.A192KW.getJwtName()); - PBES_AES_MAP.put(Algorithm.PBES2_HS512_A256KW.getJwtName(), Algorithm.A256KW.getJwtName()); - - DERIVED_KEY_SIZE_MAP = new HashMap<String, Integer>(); - DERIVED_KEY_SIZE_MAP.put(Algorithm.PBES2_HS256_A128KW.getJwtName(), 16); - DERIVED_KEY_SIZE_MAP.put(Algorithm.PBES2_HS384_A192KW.getJwtName(), 24); - DERIVED_KEY_SIZE_MAP.put(Algorithm.PBES2_HS512_A256KW.getJwtName(), 32); - } - - - private byte[] password; - private int pbesCount; - private String keyAlgoJwt; - public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, String keyAlgoJwt) { - this(stringToBytes(password), keyAlgoJwt); - } - public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, int pbesCount, String keyAlgoJwt) { - this(stringToBytes(password), pbesCount, keyAlgoJwt); - } - public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, String keyAlgoJwt) { - this(password, 4096, keyAlgoJwt); - } - public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, int pbesCount, String keyAlgoJwt) { - this(charsToBytes(password), pbesCount, keyAlgoJwt); - } - public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, String keyAlgoJwt) { - this(password, 4096, keyAlgoJwt); - } - public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, int pbesCount, String keyAlgoJwt) { - this.password = password; - this.keyAlgoJwt = 
validateKeyAlgorithm(keyAlgoJwt); - this.pbesCount = validatePbesCount(pbesCount); - } - - @Override - public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) { - int keySize = getKeySize(keyAlgoJwt); - byte[] saltInput = CryptoUtils.generateSecureRandomBytes(keySize); - byte[] derivedKey = createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount); - - headers.setHeader("p2s", Base64UrlUtility.encode(saltInput)); - headers.setIntegerHeader("p2c", pbesCount); - - final String aesAlgoJwt = PBES_AES_MAP.get(keyAlgoJwt); - KeyEncryptionAlgorithm aesWrap = new AesWrapKeyEncryptionAlgorithm(derivedKey, aesAlgoJwt) { - protected void checkAlgorithms(JweHeaders headers) { - // complete - } - protected String getKeyEncryptionAlgoJava(JweHeaders headers) { - return Algorithm.AES_WRAP_ALGO_JAVA; - } - }; - return aesWrap.getEncryptedContentEncryptionKey(headers, cek); - - - } - static int getKeySize(String keyAlgoJwt) { - return DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt); - } - static byte[] createDerivedKey(String keyAlgoJwt, int keySize, - byte[] password, byte[] saltInput, int pbesCount) { - byte[] saltValue = createSaltValue(keyAlgoJwt, saltInput); - Digest digest = null; - int macSigSize = PBES_HMAC_MAP.get(keyAlgoJwt); - if (macSigSize == 256) { - digest = new SHA256Digest(); - } else if (macSigSize == 384) { - digest = new SHA384Digest(); - } else { - digest = new SHA512Digest(); - } - PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest); - gen.init(password, saltValue, pbesCount); - return ((KeyParameter) gen.generateDerivedParameters(keySize * 8)).getKey(); - } - - - private static byte[] createSaltValue(String keyAlgoJwt, byte[] saltInput) { - byte[] algoBytes = stringToBytes(keyAlgoJwt); - byte[] saltValue = new byte[algoBytes.length + 1 + saltInput.length]; - System.arraycopy(algoBytes, 0, saltValue, 0, algoBytes.length); - saltValue[algoBytes.length] = 0; - System.arraycopy(saltInput, 0, saltValue, algoBytes.length 
+ 1, saltInput.length); - return saltValue; - } - static String validateKeyAlgorithm(String algo) { - if (!SUPPORTED_ALGORITHMS.contains(algo)) { - throw new SecurityException(); - } - return algo; - } - static int validatePbesCount(int count) { - if (count < 1000) { - throw new SecurityException(); - } - return count; - } - - static byte[] stringToBytes(String str) { - try { - return str.getBytes("UTF-8"); - } catch (UnsupportedEncodingException ex) { - throw new SecurityException(ex); - } - } - static byte[] charsToBytes(char[] chars) { - ByteBuffer bb = Charset.forName("UTF-8").encode(CharBuffer.wrap(chars)); - byte[] b = new byte[bb.remaining()]; - bb.get(b); - return b; - } - @Override - public String getAlgorithm() { - return keyAlgoJwt; - } - -} http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java deleted file mode 100644 index c0e2f28..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyDecryptionAlgorithm.java +++ /dev/null 
@@ -1,33 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.interfaces.RSAPrivateKey;
-
-public class RSAOaepKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
- public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {
- this(privateKey, true);
- }
- public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey, boolean unwrap) {
- super(privateKey, unwrap);
- }
- protected int getKeyCipherBlockSize() {
- return ((RSAPrivateKey)getCekDecryptionKey()).getModulus().toByteArray().length;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyEncryptionAlgorithm.java
deleted file mode 100644
index b658e36..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/RSAOaepKeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jwe;
-
-import java.security.interfaces.RSAPublicKey;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-
-public class RSAOaepKeyEncryptionAlgorithm extends AbstractWrapKeyEncryptionAlgorithm {
- private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
- Arrays.asList(Algorithm.RSA_OAEP.getJwtName(),
- Algorithm.RSA_OAEP_256.getJwtName()));
- public RSAOaepKeyEncryptionAlgorithm(RSAPublicKey publicKey, String jweAlgo) {
- this(publicKey, jweAlgo, true);
- }
- public RSAOaepKeyEncryptionAlgorithm(RSAPublicKey publicKey, String jweAlgo, boolean wrap) {
- super(publicKey, jweAlgo, wrap, SUPPORTED_ALGORITHMS);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/2e5f5a13/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java deleted file mode 100644 index 789e8cd..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/jose/jwe/WrappedKeyDecryptionAlgorithm.java +++ /dev/null 
@@ -1,74 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.security.Key; -import java.security.spec.AlgorithmParameterSpec; - -import org.apache.cxf.rs.security.jose.jwa.Algorithm; -import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils; -import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties; - -public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm { - private Key cekDecryptionKey; - private boolean unwrap; - public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey) { - this(cekDecryptionKey, true); - } - public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey, boolean unwrap) { - this.cekDecryptionKey = cekDecryptionKey; - this.unwrap = unwrap; - } - public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) { - KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer)); - AlgorithmParameterSpec spec = getAlgorithmParameterSpec(consumer); - if (spec != null) { - keyProps.setAlgoSpec(spec); - } - if (!unwrap) { - keyProps.setBlockSize(getKeyCipherBlockSize()); - return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer), - 
getCekDecryptionKey(), keyProps); - } else { - return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer), - getContentEncryptionAlgorithm(consumer), - getCekDecryptionKey(), - keyProps).getEncoded(); - } - } - - protected Key getCekDecryptionKey() { - return cekDecryptionKey; - } - protected int getKeyCipherBlockSize() { - return -1; - } - protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) { - return Algorithm.toJavaName(consumer.getJweHeaders().getKeyEncryptionAlgorithm()); - } - protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) { - return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm()); - } - protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) { - return null; - } - protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) { - return consumer.getEncryptedContentEncryptionKey(); - } -}
