http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
deleted file mode 100644
index a1bd5cf..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJweDecryptingFilter.java
+++ /dev/null
@@ -1,134 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.security.interfaces.RSAPrivateKey;
-import java.util.Properties;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
-import org.apache.cxf.rs.security.jose.jwe.AesGcmContentDecryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.DirectKeyJweDecryption;
-import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
-import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
-import org.apache.cxf.rs.security.jose.jwe.KeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.RSAOaepKeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.WrappedKeyJweDecryption;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-
-public class AbstractJweDecryptingFilter {
- private static final String RSSEC_ENCRYPTION_IN_PROPS = "rs.security.encryption.in.properties";
- private static final String RSSEC_ENCRYPTION_PROPS = "rs.security.encryption.properties";
- private static final String JSON_WEB_ENCRYPTION_KEY_ALGO_PROP = "rs.security.jwe.key.encryption.algorithm";
- private static final String JSON_WEB_ENCRYPTION_CEK_ALGO_PROP = "rs.security.jwe.content.encryption.algorithm";
- private JweDecryptionProvider decryption;
- private String defaultMediaType;
- protected JweDecryptionOutput decrypt(InputStream is) throws IOException {
- JweDecryptionProvider theDecryptor = getInitializedDecryptionProvider();
- JweDecryptionOutput out = theDecryptor.decrypt(new String(IOUtils.readBytesFromStream(is), "UTF-8"));
- validateHeaders(out.getHeaders());
- return out;
- }
-
- protected void validateHeaders(JweHeaders headers) {
- // complete
- }
- public void setDecryptionProvider(JweDecryptionProvider decryptor) {
- this.decryption = decryptor;
- }
- protected JweDecryptionProvider getInitializedDecryptionProvider() {
- if (decryption != null) {
- return decryption;
- }
- Message m = JAXRSUtils.getCurrentMessage();
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_IN_PROPS, RSSEC_ENCRYPTION_PROPS);
- if (propLoc == null) {
- throw new SecurityException();
- }
- Bus bus = m.getExchange().getBus();
- try {
- KeyDecryptionAlgorithm keyDecryptionProvider = null;
- Properties props = ResourceUtils.loadProperties(propLoc, bus);
- String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
- SecretKey ctDecryptionKey = null;
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
- String keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
- if ("direct".equals(keyEncryptionAlgo)) {
- contentEncryptionAlgo = getContentEncryptionAlgo(props, contentEncryptionAlgo);
- ctDecryptionKey = JweUtils.getContentDecryptionSecretKey(jwk, contentEncryptionAlgo);
- } else {
- keyDecryptionProvider = JweUtils.getKeyDecryptionAlgorithm(jwk, keyEncryptionAlgo);
- }
- } else {
- keyDecryptionProvider = new RSAOaepKeyDecryptionAlgorithm(
- (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(
- m, props, KeyManagementUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER));
- }
- if (keyDecryptionProvider == null && ctDecryptionKey == null) {
- throw new SecurityException();
- }
- if (keyDecryptionProvider != null) {
- if (Algorithm.isAesCbcHmac(contentEncryptionAlgo)) {
- return new AesCbcHmacJweDecryption(keyDecryptionProvider, contentEncryptionAlgo);
- } else {
- return new WrappedKeyJweDecryption(keyDecryptionProvider,
- new AesGcmContentDecryptionAlgorithm(contentEncryptionAlgo));
- }
- } else {
- return new DirectKeyJweDecryption(ctDecryptionKey,
- new AesGcmContentDecryptionAlgorithm(contentEncryptionAlgo));
- }
- } catch (SecurityException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
-
- }
-
- private String getKeyEncryptionAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP) : algo;
- }
- private String getContentEncryptionAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP) : algo;
- }
- public String getDefaultMediaType() {
- return defaultMediaType;
- }
-
- public void setDefaultMediaType(String defaultMediaType) {
- this.defaultMediaType = defaultMediaType;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
deleted file mode 100644
index 6902e97..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsReaderProvider.java
+++ /dev/null
@@ -1,92 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.security.interfaces.RSAPublicKey;
-import java.util.Properties;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier;
-
-public class AbstractJwsReaderProvider {
- private static final String RSSEC_SIGNATURE_IN_PROPS = "rs.security.signature.in.properties";
- private static final String RSSEC_SIGNATURE_PROPS = "rs.security.signature.properties";
- private static final String JSON_WEB_SIGNATURE_ALGO_PROP = "rs.security.jws.content.signature.algorithm";
-
-
- private JwsSignatureVerifier sigVerifier;
- private String defaultMediaType;
-
- public void setSignatureVerifier(JwsSignatureVerifier signatureVerifier) {
- this.sigVerifier = signatureVerifier;
- }
-
- protected JwsSignatureVerifier getInitializedSigVerifier() {
- if (sigVerifier != null) {
- return sigVerifier;
- }
-
- Message m = JAXRSUtils.getCurrentMessage();
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_IN_PROPS, RSSEC_SIGNATURE_PROPS);
- if (propLoc == null) {
- throw new SecurityException();
- }
- Bus bus = m.getExchange().getBus();
- try {
- Properties props = ResourceUtils.loadProperties(propLoc, bus);
- JwsSignatureVerifier theVerifier = null;
- String rsaSignatureAlgo = null;
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_VERIFY);
- rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
- theVerifier = JwsUtils.getSignatureVerifier(jwk, rsaSignatureAlgo);
-
- } else {
- theVerifier = new PublicKeyJwsSignatureVerifier(
- (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props));
- }
- return theVerifier;
- } catch (SecurityException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
-
- public String getDefaultMediaType() {
- return defaultMediaType;
- }
-
- public void setDefaultMediaType(String defaultMediaType) {
- this.defaultMediaType = defaultMediaType;
- }
-
- private String getSignatureAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP) : algo;
- }
-} http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
deleted file mode 100644
index 480f83d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/AbstractJwsWriterProvider.java
+++ /dev/null
@@ -1,94 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.security.interfaces.RSAPrivateKey;
-import java.util.Properties;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jws.JwsUtils;
-import org.apache.cxf.rs.security.jose.jws.PrivateKeyJwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
-
-public class AbstractJwsWriterProvider {
- private static final String RSSEC_SIGNATURE_OUT_PROPS = "rs.security.signature.out.properties";
- private static final String RSSEC_SIGNATURE_PROPS = "rs.security.signature.properties";
- private static final String JSON_WEB_SIGNATURE_ALGO_PROP = "rs.security.jws.content.signature.algorithm";
-
- private JwsSignatureProvider sigProvider;
-
- public void setSignatureProvider(JwsSignatureProvider signatureProvider) {
- this.sigProvider = signatureProvider;
- }
-
- protected JwsSignatureProvider getInitializedSigProvider(JwtHeaders headers) {
- if (sigProvider != null) {
- return sigProvider;
- }
- Message m = JAXRSUtils.getCurrentMessage();
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_SIGNATURE_OUT_PROPS, RSSEC_SIGNATURE_PROPS);
- if (propLoc == null) {
- throw new SecurityException();
- }
- try {
- Properties props = ResourceUtils.loadProperties(propLoc, m.getExchange().getBus());
- JwsSignatureProvider theSigProvider = null;
- String rsaSignatureAlgo = null;
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_SIGN);
- rsaSignatureAlgo = getSignatureAlgo(props, jwk.getAlgorithm());
- theSigProvider = JwsUtils.getSignatureProvider(jwk, rsaSignatureAlgo);
- } else {
- rsaSignatureAlgo = getSignatureAlgo(props, null);
- RSAPrivateKey pk = (RSAPrivateKey)KeyManagementUtils.loadPrivateKey(m, props,
- KeyManagementUtils.RSSEC_SIG_KEY_PSWD_PROVIDER);
- theSigProvider = new PrivateKeyJwsSignatureProvider(pk, rsaSignatureAlgo);
- }
- if (theSigProvider == null) {
- throw new SecurityException();
- }
- headers.setAlgorithm(rsaSignatureAlgo);
- return theSigProvider;
- } catch (SecurityException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
- protected void writeJws(JwsCompactProducer p, JwsSignatureProvider theSigProvider, OutputStream os)
- throws IOException {
- p.signWith(theSigProvider);
- IOUtils.copy(new ByteArrayInputStream(p.getSignedEncodedJws().getBytes("UTF-8")), os);
- }
- private String getSignatureAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_SIGNATURE_ALGO_PROP) : algo;
- }
-} http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
deleted file mode 100644
index d04d4c2..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweClientResponseFilter.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.client.ClientRequestContext;
-import javax.ws.rs.client.ClientResponseContext;
-import javax.ws.rs.client.ClientResponseFilter;
-
-import org.apache.cxf.rs.security.jose.JoseUtils;
-import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
-
-@Priority(Priorities.JWE_CLIENT_READ_PRIORITY)
-public class JweClientResponseFilter extends AbstractJweDecryptingFilter implements ClientResponseFilter {
- @Override
- public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
- JweDecryptionOutput out = decrypt(res.getEntityStream());
- byte[] bytes = out.getContent();
- res.setEntityStream(new ByteArrayInputStream(bytes));
- res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
- String ct = JoseUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- res.getHeaders().putSingle("Content-Type", ct);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
deleted file mode 100644
index c58fe7e..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweContainerRequestFilter.java
+++ /dev/null
@@ -1,46 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.container.ContainerRequestFilter;
-import javax.ws.rs.container.PreMatching;
-
-import org.apache.cxf.rs.security.jose.JoseUtils;
-import org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput;
-
-@PreMatching
-@Priority(Priorities.JWE_SERVER_READ_PRIORITY)
-public class JweContainerRequestFilter extends AbstractJweDecryptingFilter implements ContainerRequestFilter {
- @Override
- public void filter(ContainerRequestContext context) throws IOException {
- JweDecryptionOutput out = decrypt(context.getEntityStream());
- byte[] bytes = out.getContent();
- context.setEntityStream(new ByteArrayInputStream(bytes));
- context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
- String ct = JoseUtils.checkContentType(out.getHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- context.getHeaders().putSingle("Content-Type", ct);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
deleted file mode 100644
index d35c519..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JweWriterInterceptor.java
+++ /dev/null
@@ -1,200 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.security.interfaces.RSAPublicKey;
-import java.util.Properties;
-import java.util.zip.DeflaterOutputStream;
-
-import javax.annotation.Priority;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.ext.WriterInterceptor;
-import javax.ws.rs.ext.WriterInterceptorContext;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.io.CachedOutputStream;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.rs.security.jose.JoseConstants;
-import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
-import org.apache.cxf.rs.security.jose.JoseHeadersWriter;
-import org.apache.cxf.rs.security.jose.jwa.Algorithm;
-import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
-import org.apache.cxf.rs.security.jose.jwe.AesGcmContentEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.ContentEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.DirectKeyJweEncryption;
-import org.apache.cxf.rs.security.jose.jwe.JweCompactProducer;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.jose.jwe.JweEncryptionState;
-import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
-import org.apache.cxf.rs.security.jose.jwe.JweOutputStream;
-import org.apache.cxf.rs.security.jose.jwe.JweUtils;
-import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.RSAOaepKeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.jose.jwe.WrappedKeyJweEncryption;
-import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
-import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
-
-@Priority(Priorities.JWE_WRITE_PRIORITY)
-public class JweWriterInterceptor implements WriterInterceptor {
- private static final String RSSEC_ENCRYPTION_OUT_PROPS = "rs.security.encryption.out.properties";
- private static final String RSSEC_ENCRYPTION_PROPS = "rs.security.encryption.properties";
- private static final String JSON_WEB_ENCRYPTION_CEK_ALGO_PROP = "rs.security.jwe.content.encryption.algorithm";
- private static final String JSON_WEB_ENCRYPTION_KEY_ALGO_PROP = "rs.security.jwe.key.encryption.algorithm";
- private static final String JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP = "rs.security.jwe.zip.algorithm";
- private JweEncryptionProvider encryptionProvider;
- private boolean contentTypeRequired = true;
- private boolean useJweOutputStream;
- private JoseHeadersWriter writer = new JoseHeadersReaderWriter();
- @Override
- public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
-
- OutputStream actualOs = ctx.getOutputStream();
-
- JweEncryptionProvider theEncryptionProvider = getInitializedEncryptionProvider();
-
- String ctString = null;
- if (contentTypeRequired) {
- MediaType mt = ctx.getMediaType();
- if (mt != null) {
- if ("application".equals(mt.getType())) {
- ctString = mt.getSubtype();
- } else {
- ctString = JAXRSUtils.mediaTypeToString(mt);
- }
- }
- }
-
- ctx.setMediaType(JAXRSUtils.toMediaType(JoseConstants.MEDIA_TYPE_JOSE_JSON));
- if (useJweOutputStream) {
- JweEncryptionState encryption = theEncryptionProvider.createJweEncryptionState(ctString);
- try {
- JweCompactProducer.startJweContent(actualOs,
- encryption.getHeaders(),
- writer,
- encryption.getContentEncryptionKey(),
- encryption.getIv());
- } catch (IOException ex) {
- throw new SecurityException(ex);
- }
- OutputStream jweStream = new JweOutputStream(actualOs, encryption.getCipher(),
- encryption.getAuthTagProducer());
- if (encryption.isCompressionSupported()) {
- jweStream = new DeflaterOutputStream(jweStream);
- }
-
- ctx.setOutputStream(jweStream);
- ctx.proceed();
- jweStream.flush();
- } else {
- CachedOutputStream cos = new CachedOutputStream();
- ctx.setOutputStream(cos);
- ctx.proceed();
- String jweContent = theEncryptionProvider.encrypt(cos.getBytes(), ctString);
- IOUtils.copy(new ByteArrayInputStream(jweContent.getBytes("UTF-8")), actualOs);
- actualOs.flush();
- }
- }
-
- protected JweEncryptionProvider getInitializedEncryptionProvider() {
- if (encryptionProvider != null) {
- return encryptionProvider;
- }
- Message m = JAXRSUtils.getCurrentMessage();
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, RSSEC_ENCRYPTION_OUT_PROPS, RSSEC_ENCRYPTION_PROPS);
- if (propLoc == null) {
- throw new SecurityException();
- }
- Bus bus = m.getExchange().getBus();
- try {
- KeyEncryptionAlgorithm keyEncryptionProvider = null;
- String keyEncryptionAlgo = null;
- Properties props = ResourceUtils.loadProperties(propLoc, bus);
- String contentEncryptionAlgo = props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP);
- ContentEncryptionAlgorithm ctEncryptionProvider = null;
- if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) {
- JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, JsonWebKey.KEY_OPER_ENCRYPT);
- keyEncryptionAlgo = getKeyEncryptionAlgo(props, jwk.getAlgorithm());
- if ("direct".equals(keyEncryptionAlgo)) {
- contentEncryptionAlgo = getContentEncryptionAlgo(props, jwk.getAlgorithm());
- ctEncryptionProvider = JweUtils.getContentEncryptionAlgorithm(jwk, contentEncryptionAlgo);
- } else {
- keyEncryptionProvider = JweUtils.getKeyEncryptionAlgorithm(jwk, keyEncryptionAlgo);
- }
-
- } else {
- keyEncryptionProvider = new RSAOaepKeyEncryptionAlgorithm(
- (RSAPublicKey)KeyManagementUtils.loadPublicKey(m, props),
- getKeyEncryptionAlgo(props, keyEncryptionAlgo));
- }
- if (keyEncryptionProvider == null && ctEncryptionProvider == null) {
- throw new SecurityException();
- }
-
-
- JweHeaders headers = new JweHeaders(getKeyEncryptionAlgo(props, keyEncryptionAlgo),
- contentEncryptionAlgo);
- String compression = props.getProperty(JSON_WEB_ENCRYPTION_ZIP_ALGO_PROP);
- if (compression != null) {
- headers.setZipAlgorithm(compression);
- }
- if (keyEncryptionProvider != null) {
- if (Algorithm.isAesCbcHmac(contentEncryptionAlgo)) {
- return new AesCbcHmacJweEncryption(contentEncryptionAlgo, keyEncryptionProvider);
- } else {
- return new WrappedKeyJweEncryption(headers,
- keyEncryptionProvider,
- new AesGcmContentEncryptionAlgorithm(contentEncryptionAlgo));
- }
- } else {
- return new DirectKeyJweEncryption(ctEncryptionProvider);
- }
- } catch (SecurityException ex) {
- throw ex;
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
- private String getKeyEncryptionAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_KEY_ALGO_PROP) : algo;
- }
- private String getContentEncryptionAlgo(Properties props, String algo) {
- return algo == null ? props.getProperty(JSON_WEB_ENCRYPTION_CEK_ALGO_PROP) : algo;
- }
- public void setUseJweOutputStream(boolean useJweOutputStream) {
- this.useJweOutputStream = useJweOutputStream;
- }
-
- public void setWriter(JoseHeadersWriter writer) {
- this.writer = writer;
- }
-
- public void setEncryptionProvider(JweEncryptionProvider encryptionProvider) {
- this.encryptionProvider = encryptionProvider;
- }
-
-} http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java ----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
deleted file mode 100644
index 64a1cfa..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsClientResponseFilter.java
+++ /dev/null
@@ -1,52 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.client.ClientRequestContext;
-import javax.ws.rs.client.ClientResponseContext;
-import javax.ws.rs.client.ClientResponseFilter;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.rs.security.jose.JoseUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-
-@Priority(Priorities.JWS_CLIENT_READ_PRIORITY)
-public class JwsClientResponseFilter extends AbstractJwsReaderProvider implements ClientResponseFilter {
- @Override
- public void filter(ClientRequestContext req, ClientResponseContext res) throws IOException {
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(res.getEntityStream()));
- if (!p.verifySignatureWith(theSigVerifier)) {
- throw new SecurityException();
- }
- byte[] bytes = p.getDecodedJwsPayloadBytes();
- res.setEntityStream(new ByteArrayInputStream(bytes));
-
res.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
- String ct = JoseUtils.checkContentType(p.getJwsHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- res.getHeaders().putSingle("Content-Type", ct);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
deleted file mode 100644
index fbd051d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsContainerRequestFilter.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.ByteArrayInputStream;
-import java.io.IOException;
-
-import javax.annotation.Priority;
-import javax.ws.rs.container.ContainerRequestContext;
-import javax.ws.rs.container.ContainerRequestFilter;
-import javax.ws.rs.container.PreMatching;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.rs.security.jose.JoseUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-
-@PreMatching
-@Priority(Priorities.JWS_SERVER_READ_PRIORITY)
-public class JwsContainerRequestFilter extends AbstractJwsReaderProvider implements ContainerRequestFilter {
- @Override
- public void filter(ContainerRequestContext context) throws IOException {
-
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsCompactConsumer p = new JwsCompactConsumer(IOUtils.readStringFromStream(context.getEntityStream()));
- if (!p.verifySignatureWith(theSigVerifier)) {
- context.abortWith(JAXRSUtils.toResponse(400));
- return;
- }
- byte[] bytes =
p.getDecodedJwsPayloadBytes();
- context.setEntityStream(new ByteArrayInputStream(bytes));
- context.getHeaders().putSingle("Content-Length", Integer.toString(bytes.length));
-
- String ct = JoseUtils.checkContentType(p.getJwsHeaders().getContentType(), getDefaultMediaType());
- if (ct != null) {
- context.getHeaders().putSingle("Content-Type", ct);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyReader.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyReader.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyReader.java
deleted file mode 100644
index b1c1f53..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyReader.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.IOException;
-import java.io.InputStream;
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Type;
-
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.ext.MessageBodyReader;
-
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-
-public class JwsJwtMessageBodyReader extends AbstractJwsReaderProvider
- implements MessageBodyReader<JwtToken> {
-
- @Override
- public boolean isReadable(Class<?> cls, Type type, Annotation[] anns, MediaType mt) {
- return cls == JwtToken.class;
- }
-
- @Override
- public JwtToken readFrom(Class<JwtToken> cls, Type t, Annotation[] anns, MediaType mt,
- MultivaluedMap<String, String> headers, InputStream is) throws IOException,
- WebApplicationException {
- JwsSignatureVerifier theSigVerifier = getInitializedSigVerifier();
- JwsJwtCompactConsumer p = new
JwsJwtCompactConsumer(IOUtils.readStringFromStream(is));
- p.verifySignatureWith(theSigVerifier);
- return p.getJwtToken();
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyWriter.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyWriter.java
deleted file mode 100644
index e700ff7..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsJwtMessageBodyWriter.java
+++ /dev/null
@@ -1,60 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.IOException;
-import java.io.OutputStream;
-import java.lang.annotation.Annotation;
-import java.lang.reflect.Type;
-
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.core.MultivaluedMap;
-import javax.ws.rs.ext.MessageBodyWriter;
-
-import org.apache.cxf.rs.security.jose.JoseConstants;
-import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.jose.jwt.JwtToken;
-
-public class JwsJwtMessageBodyWriter extends AbstractJwsWriterProvider
- implements MessageBodyWriter<JwtToken> {
-
- @Override
- public long getSize(JwtToken token, Class<?> cls, Type type, Annotation[] anns, MediaType mt) {
- return -1;
- }
-
- @Override
- public boolean isWriteable(Class<?> cls, Type type, Annotation[] anns, MediaType mt) {
- return cls == JwtToken.class;
- }
-
- @Override
- public void writeTo(JwtToken token, Class<?> cls, Type type, Annotation[] anns, MediaType mt,
-
MultivaluedMap<String, Object> headers, OutputStream os) throws IOException,
- WebApplicationException {
- JwsJwtCompactProducer p = new JwsJwtCompactProducer(token);
- JwtHeaders jwtHeaders = new JwtHeaders();
- JwsSignatureProvider sigProvider = getInitializedSigProvider(jwtHeaders);
- jwtHeaders.setContentType(JoseConstants.TYPE_JWT);
- writeJws(p, sigProvider, os);
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
deleted file mode 100644
index 56279e5..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/JwsWriterInterceptor.java
+++ /dev/null
@@ -1,100 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.IOException;
-import java.io.OutputStream;
-
-import javax.annotation.Priority;
-import javax.ws.rs.WebApplicationException;
-import javax.ws.rs.core.MediaType;
-import javax.ws.rs.ext.WriterInterceptor;
-import javax.ws.rs.ext.WriterInterceptorContext;
-
-import org.apache.cxf.common.util.Base64UrlOutputStream;
-import org.apache.cxf.common.util.Base64UrlUtility;
-import org.apache.cxf.io.CachedOutputStream;
-import org.apache.cxf.jaxrs.utils.JAXRSUtils;
-import org.apache.cxf.rs.security.jose.JoseConstants;
-import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter;
-import org.apache.cxf.rs.security.jose.JoseHeadersWriter;
-import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
-import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
-import org.apache.cxf.rs.security.jose.jws.JwsOutputStream;
-import org.apache.cxf.rs.security.jose.jws.JwsSignature;
-import org.apache.cxf.rs.security.jose.jws.JwsSignatureProvider;
-import org.apache.cxf.rs.security.jose.jwt.JwtHeaders;
-
-@Priority(Priorities.JWS_WRITE_PRIORITY)
-public class JwsWriterInterceptor extends
AbstractJwsWriterProvider implements WriterInterceptor {
- private boolean contentTypeRequired = true;
- private boolean useJwsOutputStream;
- private JoseHeadersWriter writer = new JoseHeadersReaderWriter();
- @Override
- public void aroundWriteTo(WriterInterceptorContext ctx) throws IOException, WebApplicationException {
- JwsHeaders headers = new JwsHeaders();
- JwsSignatureProvider sigProvider = getInitializedSigProvider(headers);
- setContentTypeIfNeeded(headers, ctx);
- ctx.setMediaType(JAXRSUtils.toMediaType(JoseConstants.MEDIA_TYPE_JOSE_JSON));
- OutputStream actualOs = ctx.getOutputStream();
- if (useJwsOutputStream) {
- JwsSignature jwsSignature = sigProvider.createJwsSignature(headers);
- JwsOutputStream jwsStream = new JwsOutputStream(actualOs, jwsSignature);
- byte[] headerBytes = writer.headersToJson(headers).getBytes("UTF-8");
- Base64UrlUtility.encodeAndStream(headerBytes, 0, headerBytes.length, jwsStream);
- jwsStream.write(new byte[]{'.'});
-
- Base64UrlOutputStream base64Stream = new Base64UrlOutputStream(jwsStream);
- ctx.setOutputStream(base64Stream);
- ctx.proceed();
- base64Stream.flush();
- jwsStream.flush();
- } else {
- CachedOutputStream cos = new CachedOutputStream();
- ctx.setOutputStream(cos);
- ctx.proceed();
- JwsCompactProducer p = new JwsCompactProducer(headers, new String(cos.getBytes(), "UTF-8"));
- writeJws(p, sigProvider, actualOs);
- }
- }
-
- public void setContentTypeRequired(boolean contentTypeRequired) {
- this.contentTypeRequired = contentTypeRequired;
- }
-
- public void setUseJwsOutputStream(boolean useJwsOutputStream) {
- this.useJwsOutputStream = useJwsOutputStream;
- }
- public void setWriter(JoseHeadersWriter writer) {
- this.writer = writer;
- }
- private void setContentTypeIfNeeded(JwtHeaders headers, WriterInterceptorContext ctx) {
- if (contentTypeRequired) {
- MediaType mt = ctx.getMediaType();
- if (mt != null
- && !JAXRSUtils.mediaTypeToString(mt).equals(JoseConstants.MEDIA_TYPE_JOSE_JSON)) {
- if
("application".equals(mt.getType())) {
- headers.setContentType(mt.getSubtype());
- } else {
- headers.setContentType(JAXRSUtils.mediaTypeToString(mt));
- }
- }
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
deleted file mode 100644
index 369e072..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/KeyManagementUtils.java
+++ /dev/null
@@ -1,145 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.io.InputStream;
-import java.security.KeyStore;
-import java.security.Principal;
-import java.security.PrivateKey;
-import java.security.PublicKey;
-import java.util.Properties;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.common.util.crypto.CryptoUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.message.MessageUtils;
-import org.apache.cxf.security.SecurityContext;
-
-
-/**
- * Encryption helpers
- */
-public final class KeyManagementUtils {
- public static final String RSSEC_KEY_STORE_TYPE = "rs.security.keystore.type";
- public static final String RSSEC_KEY_STORE_PSWD = "rs.security.keystore.password";
- public static final String RSSEC_KEY_PSWD = "rs.security.key.password";
- public static final String RSSEC_KEY_STORE_ALIAS = "rs.security.keystore.alias";
- public static final String RSSEC_KEY_STORE_FILE = "rs.security.keystore.file";
- public static final String RSSEC_PRINCIPAL_NAME = "rs.security.principal.name";
- public static final String RSSEC_KEY_PSWD_PROVIDER =
"rs.security.key.password.provider";
- public static final String RSSEC_SIG_KEY_PSWD_PROVIDER = "rs.security.signature.key.password.provider";
- public static final String RSSEC_DECRYPT_KEY_PSWD_PROVIDER = "rs.security.decryption.key.password.provider";
-
- private KeyManagementUtils() {
- }
-
- public static PublicKey loadPublicKey(Message m, Properties props) {
- KeyStore keyStore = KeyManagementUtils.loadPersistKeyStore(m, props);
- return CryptoUtils.loadPublicKey(keyStore, props.getProperty(RSSEC_KEY_STORE_ALIAS));
- }
- public static PublicKey loadPublicKey(Message m, String keyStoreLocProp) {
- return loadPublicKey(m, keyStoreLocProp, null);
- }
- public static PublicKey loadPublicKey(Message m, String keyStoreLocPropPreferred, String keyStoreLocPropDefault) {
- String keyStoreLoc = getMessageProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
- Bus bus = m.getExchange().getBus();
- try {
- Properties props = ResourceUtils.loadProperties(keyStoreLoc, bus);
- return KeyManagementUtils.loadPublicKey(m, props);
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
- private static String getMessageProperty(Message m, String keyStoreLocPropPreferred,
- String keyStoreLocPropDefault) {
- String propLoc =
- (String)MessageUtils.getContextualProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
- if (propLoc == null) {
- throw new SecurityException();
- }
- return propLoc;
- }
- public static PrivateKey loadPrivateKey(Properties props, Bus bus, PrivateKeyPasswordProvider provider) {
- KeyStore keyStore = loadKeyStore(props, bus);
- return loadPrivateKey(keyStore, props, bus, provider);
- }
- public static PrivateKey loadPrivateKey(KeyStore keyStore,
- Properties props,
- Bus bus,
- PrivateKeyPasswordProvider provider) {
-
- String keyPswd = props.getProperty(RSSEC_KEY_PSWD);
- String alias = props.getProperty(RSSEC_KEY_STORE_ALIAS);
- char[] keyPswdChars = provider != null ? provider.getPassword(props)
- : keyPswd != null ?
keyPswd.toCharArray() : null;
- return CryptoUtils.loadPrivateKey(keyStore, keyPswdChars, alias);
- }
-
- public static PrivateKey loadPrivateKey(Message m, String keyStoreLocProp, String passwordProviderProp) {
- return loadPrivateKey(m, keyStoreLocProp, null, passwordProviderProp);
- }
- public static PrivateKey loadPrivateKey(Message m, String keyStoreLocPropPreferred,
- String keyStoreLocPropDefault, String passwordProviderProp) {
- String keyStoreLoc = getMessageProperty(m, keyStoreLocPropPreferred, keyStoreLocPropDefault);
- Bus bus = m.getExchange().getBus();
- try {
- Properties props = ResourceUtils.loadProperties(keyStoreLoc, bus);
- return KeyManagementUtils.loadPrivateKey(m, props, passwordProviderProp);
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
- public static PrivateKey loadPrivateKey(Message m, Properties props, String passwordProviderProp) {
- Bus bus = m.getExchange().getBus();
- KeyStore keyStore = KeyManagementUtils.loadPersistKeyStore(m, props);
- PrivateKeyPasswordProvider cb =
- (PrivateKeyPasswordProvider)m.getContextualProperty(passwordProviderProp);
- if (cb != null && m.getExchange().getInMessage() != null) {
- SecurityContext sc = m.getExchange().getInMessage().get(SecurityContext.class);
- if (sc != null) {
- Principal p = sc.getUserPrincipal();
- if (p != null) {
- props.setProperty(RSSEC_PRINCIPAL_NAME, p.getName());
- }
- }
- }
- return KeyManagementUtils.loadPrivateKey(keyStore, props, bus, cb);
- }
- public static KeyStore loadPersistKeyStore(Message m, Properties props) {
- KeyStore keyStore = (KeyStore)m.getExchange().get(props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE));
- if (keyStore == null) {
- keyStore = KeyManagementUtils.loadKeyStore(props, m.getExchange().getBus());
- m.getExchange().put((String)props.get(KeyManagementUtils.RSSEC_KEY_STORE_FILE), keyStore);
- }
- return keyStore;
- }
- public static KeyStore loadKeyStore(Properties props, Bus bus) {
- String keyStoreType =
props.getProperty(RSSEC_KEY_STORE_TYPE);
- String keyStoreLoc = props.getProperty(RSSEC_KEY_STORE_FILE);
- String keyStorePswd = props.getProperty(RSSEC_KEY_STORE_PSWD);
- try {
- InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
- return CryptoUtils.loadKeyStore(is, keyStorePswd.toCharArray(), keyStoreType);
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java
deleted file mode 100644
index fc48ebc..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/Priorities.java
+++ /dev/null
@@ -1,31 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-public final class Priorities {
- public static final int JWE_SERVER_READ_PRIORITY = 1000;
- public static final int JWE_WRITE_PRIORITY = 1000;
- public static final int JWE_CLIENT_READ_PRIORITY = 1001;
- public static final int JWS_SERVER_READ_PRIORITY = 1001;
- public static final int JWS_WRITE_PRIORITY = 1001;
- public static final int JWS_CLIENT_READ_PRIORITY = 1000;
- private Priorities() {
-
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java
deleted file mode 100644
index bfcde49..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jaxrs/PrivateKeyPasswordProvider.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.jose.jaxrs;
-
-import java.util.Properties;
-
-public interface PrivateKeyPasswordProvider {
- char[] getPassword(Properties storeProperties);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
deleted file mode 100644
index 89ac29d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java
+++ /dev/null
@@ -1,227 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ - -package org.apache.cxf.rs.security.jose.jwa; - -import java.util.HashMap; -import java.util.Map; - -import org.apache.cxf.rs.security.jose.JoseConstants; - - - -public enum Algorithm { - // Signature - HmacSHA256(JoseConstants.HMAC_SHA_256_ALGO, 256), - HmacSHA384(JoseConstants.HMAC_SHA_384_ALGO, 384), - HmacSHA512(JoseConstants.HMAC_SHA_512_ALGO, 512), - - SHA256withRSA(JoseConstants.RS_SHA_256_ALGO, 256), - SHA384withRSA(JoseConstants.RS_SHA_384_ALGO, 384), - SHA512withRSA(JoseConstants.RS_SHA_512_ALGO, 512), - - SHA256withECDSA(JoseConstants.ES_SHA_256_ALGO, 256), - SHA384withECDSA(JoseConstants.ES_SHA_384_ALGO, 384), - SHA512withECDSA(JoseConstants.ES_SHA_512_ALGO, 512), - - // Key Encryption - RSA_OAEP(JoseConstants.RSA_OAEP_ALGO, "RSA/ECB/OAEPWithSHA-1AndMGF1Padding", -1), - RSA_OAEP_256(JoseConstants.RSA_OAEP_256_ALGO, "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", -1), - RSA_1_5(JoseConstants.RSA_1_5_ALGO, "RSA/ECB/PKCS1Padding", -1), - A128KW(JoseConstants.A128KW_ALGO, "AESWrap", 128), - A192KW(JoseConstants.A192KW_ALGO, "AESWrap", 192), - A256KW(JoseConstants.A256KW_ALGO, "AESWrap", 256), - A128GCMKW(JoseConstants.A128GCMKW_ALGO, 
"AES/GCM/NoPadding", 128), - A192GCMKW(JoseConstants.A192GCMKW_ALGO, "AES/GCM/NoPadding", 192), - A256GCMKW(JoseConstants.A256GCMKW_ALGO, "AES/GCM/NoPadding", 256), - PBES2_HS256_A128KW(JoseConstants.PBES2_HS256_A128KW_ALGO, "AESWrap", 128), - PBES2_HS384_A192KW(JoseConstants.PBES2_HS384_A192KW_ALGO, "AESWrap", 192), - PBES2_HS512_A256KW(JoseConstants.PBES2_HS512_A256KW_ALGO, "AESWrap", 256), - - // Content Encryption - A128GCM(JoseConstants.A128GCM_ALGO, "AES/GCM/NoPadding", 128), - A192GCM(JoseConstants.A192GCM_ALGO, "AES/GCM/NoPadding", 192), - A256GCM(JoseConstants.A256GCM_ALGO, "AES/GCM/NoPadding", 256), - A128CBC_HS256(JoseConstants.A128CBC_HS256_ALGO, "AES/CBC/PKCS7Padding", 128), - A192CBC_HS384(JoseConstants.A192CBC_HS384_ALGO, "AES/CBC/PKCS7Padding", 192), - A256CBC_HS512(JoseConstants.A256CBC_HS512_ALGO, "AES/CBC/PKCS7Padding", 256); - - public static final String HMAC_SHA_256_JAVA = "HmacSHA256"; - public static final String HMAC_SHA_384_JAVA = "HmacSHA384"; - public static final String HMAC_SHA_512_JAVA = "HmacSHA512"; - public static final String RS_SHA_256_JAVA = "SHA256withRSA"; - public static final String RS_SHA_384_JAVA = "SHA384withRSA"; - public static final String RS_SHA_512_JAVA = "SHA512withRSA"; - public static final String ES_SHA_256_JAVA = "SHA256withECDSA"; - public static final String ES_SHA_384_JAVA = "SHA384withECDSA"; - public static final String ES_SHA_512_JAVA = "SHA512withECDSA"; - public static final String RSA_OAEP_ALGO_JAVA = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding"; - public static final String RSA_OAEP_256_ALGO_JAVA = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding"; - public static final String RSA_1_5_ALGO_JAVA = "RSA/ECB/PKCS1Padding"; - public static final String AES_ALGO_JAVA = "AES"; - public static final String AES_WRAP_ALGO_JAVA = "AESWrap"; - public static final String AES_GCM_ALGO_JAVA = "AES/GCM/NoPadding"; - public static final String AES_CBC_ALGO_JAVA = "AES/CBC/PKCS7Padding"; - - private static final Map<String, String> 
JAVA_TO_JWT_NAMES; - private static final Map<String, String> JWT_TO_JAVA_NAMES; - static { - JAVA_TO_JWT_NAMES = new HashMap<String, String>(); - JAVA_TO_JWT_NAMES.put(HMAC_SHA_256_JAVA, JoseConstants.HMAC_SHA_256_ALGO); - JAVA_TO_JWT_NAMES.put(HMAC_SHA_384_JAVA, JoseConstants.HMAC_SHA_384_ALGO); - JAVA_TO_JWT_NAMES.put(HMAC_SHA_512_JAVA, JoseConstants.HMAC_SHA_512_ALGO); - JAVA_TO_JWT_NAMES.put(RS_SHA_256_JAVA, JoseConstants.RS_SHA_256_ALGO); - JAVA_TO_JWT_NAMES.put(RS_SHA_384_JAVA, JoseConstants.RS_SHA_384_ALGO); - JAVA_TO_JWT_NAMES.put(RS_SHA_512_JAVA, JoseConstants.RS_SHA_512_ALGO); - JAVA_TO_JWT_NAMES.put(ES_SHA_256_JAVA, JoseConstants.ES_SHA_256_ALGO); - JAVA_TO_JWT_NAMES.put(ES_SHA_384_JAVA, JoseConstants.ES_SHA_384_ALGO); - JAVA_TO_JWT_NAMES.put(ES_SHA_512_JAVA, JoseConstants.ES_SHA_512_ALGO); - JAVA_TO_JWT_NAMES.put(RSA_OAEP_ALGO_JAVA, JoseConstants.RSA_OAEP_ALGO); - JAVA_TO_JWT_NAMES.put(RSA_OAEP_256_ALGO_JAVA, JoseConstants.RSA_OAEP_256_ALGO); - JAVA_TO_JWT_NAMES.put(RSA_1_5_ALGO_JAVA, JoseConstants.RSA_1_5_ALGO); - JAVA_TO_JWT_NAMES.put(AES_GCM_ALGO_JAVA, JoseConstants.A256GCM_ALGO); - JAVA_TO_JWT_NAMES.put(AES_GCM_ALGO_JAVA, JoseConstants.A192GCM_ALGO); - JAVA_TO_JWT_NAMES.put(AES_GCM_ALGO_JAVA, JoseConstants.A128GCM_ALGO); - JAVA_TO_JWT_NAMES.put(AES_WRAP_ALGO_JAVA, JoseConstants.A128KW_ALGO); - JAVA_TO_JWT_NAMES.put(AES_WRAP_ALGO_JAVA, JoseConstants.A192KW_ALGO); - JAVA_TO_JWT_NAMES.put(AES_WRAP_ALGO_JAVA, JoseConstants.A256KW_ALGO); - JAVA_TO_JWT_NAMES.put(AES_CBC_ALGO_JAVA, JoseConstants.A128CBC_HS256_ALGO); - JAVA_TO_JWT_NAMES.put(AES_CBC_ALGO_JAVA, JoseConstants.A192CBC_HS384_ALGO); - JAVA_TO_JWT_NAMES.put(AES_CBC_ALGO_JAVA, JoseConstants.A256CBC_HS512_ALGO); - JWT_TO_JAVA_NAMES = new HashMap<String, String>(); - JWT_TO_JAVA_NAMES.put(JoseConstants.HMAC_SHA_256_ALGO, HMAC_SHA_256_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.HMAC_SHA_384_ALGO, HMAC_SHA_384_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.HMAC_SHA_512_ALGO, HMAC_SHA_512_JAVA); - 
JWT_TO_JAVA_NAMES.put(JoseConstants.RS_SHA_256_ALGO, RS_SHA_256_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.RS_SHA_384_ALGO, RS_SHA_384_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.RS_SHA_512_ALGO, RS_SHA_512_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.ES_SHA_256_ALGO, ES_SHA_256_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.ES_SHA_384_ALGO, ES_SHA_384_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.ES_SHA_512_ALGO, ES_SHA_512_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.RSA_OAEP_ALGO, RSA_OAEP_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.RSA_OAEP_256_ALGO, RSA_OAEP_256_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.RSA_1_5_ALGO, RSA_1_5_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A128KW_ALGO, AES_WRAP_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A192KW_ALGO, AES_WRAP_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A256KW_ALGO, AES_WRAP_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A256GCM_ALGO, AES_GCM_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A192GCM_ALGO, AES_GCM_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A128GCM_ALGO, AES_GCM_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A256GCMKW_ALGO, AES_GCM_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A192GCMKW_ALGO, AES_GCM_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A128GCMKW_ALGO, AES_GCM_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A128CBC_HS256_ALGO, AES_CBC_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A192CBC_HS384_ALGO, AES_CBC_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.A256CBC_HS512_ALGO, AES_CBC_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.PBES2_HS256_A128KW_ALGO, AES_WRAP_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.PBES2_HS384_A192KW_ALGO, AES_WRAP_ALGO_JAVA); - JWT_TO_JAVA_NAMES.put(JoseConstants.PBES2_HS512_A256KW_ALGO, AES_WRAP_ALGO_JAVA); - } - private final String jwtName; - private final String javaName; - private final int keySizeBits; - - private Algorithm(String jwtName, int keySizeBits) { - this(jwtName, null, keySizeBits); 
- } - private Algorithm(String jwtName, String javaName, int keySizeBits) { - this.jwtName = jwtName; - this.javaName = javaName; - this.keySizeBits = keySizeBits; - } - - public String getJwtName() { - return jwtName; - } - - public String getJavaName() { - return javaName == null ? name() : javaName; - } - - public String getJavaAlgoName() { - return stripAlgoProperties(getJavaName()); - } - - public int getKeySizeBits() { - return keySizeBits; - } - - public static String toJwtName(String javaName, int keyBitSize) { - //TODO: perhaps a key should be a name+keysize pair - String name = JAVA_TO_JWT_NAMES.get(javaName); - if (name == null && javaName.startsWith(AES_ALGO_JAVA)) { - name = "A" + keyBitSize + "GCM"; - } - return name; - } - public static String toJavaName(String jwtName) { - return JWT_TO_JAVA_NAMES.get(jwtName); - } - public static String toJavaAlgoNameOnly(String jwtName) { - return stripAlgoProperties(toJavaName(jwtName)); - } - public static String stripAlgoProperties(String javaName) { - if (javaName != null) { - int index = javaName.indexOf('/'); - if (index != -1) { - javaName = javaName.substring(0, index); - } - } - return javaName; - } - public static boolean isRsaOaep(String algo) { - return JoseConstants.RSA_OAEP_ALGO.equals(algo) - || JoseConstants.RSA_OAEP_256_ALGO.equals(algo); - } - public static boolean isAesKeyWrap(String algo) { - return JoseConstants.A128KW_ALGO.equals(algo) - || JoseConstants.A192KW_ALGO.equals(algo) - || JoseConstants.A256KW_ALGO.equals(algo); - } - public static boolean isAesGcmKeyWrap(String algo) { - return JoseConstants.A128GCMKW_ALGO.equals(algo) - || JoseConstants.A192GCMKW_ALGO.equals(algo) - || JoseConstants.A256GCMKW_ALGO.equals(algo); - } - public static boolean isAesGcm(String algo) { - return JoseConstants.A128GCM_ALGO.equals(algo) - || JoseConstants.A192GCM_ALGO.equals(algo) - || JoseConstants.A256GCM_ALGO.equals(algo); - } - public static boolean isAesCbcHmac(String algo) { - return 
JoseConstants.A128CBC_HS256_ALGO.equals(algo) - || JoseConstants.A192CBC_HS384_ALGO.equals(algo) - || JoseConstants.A256CBC_HS512_ALGO.equals(algo); - } - public static boolean isHmacSign(String algo) { - return JoseConstants.HMAC_SHA_256_ALGO.equals(algo) - || JoseConstants.HMAC_SHA_384_ALGO.equals(algo) - || JoseConstants.HMAC_SHA_512_ALGO.equals(algo); - } - public static boolean isRsaShaSign(String algo) { - return JoseConstants.RS_SHA_256_ALGO.equals(algo) - || JoseConstants.RS_SHA_384_ALGO.equals(algo) - || JoseConstants.RS_SHA_512_ALGO.equals(algo); - } - public static boolean isEcDsaSign(String algo) { - return JoseConstants.ES_SHA_256_ALGO.equals(algo) - || JoseConstants.ES_SHA_384_ALGO.equals(algo) - || JoseConstants.ES_SHA_512_ALGO.equals(algo); - } -} \ No newline at end of file http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java deleted file mode 100644 index 770ee56..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java +++ /dev/null 
@@ -1,61 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.util.concurrent.atomic.AtomicInteger; - -import org.apache.cxf.common.util.crypto.CryptoUtils; - - -public abstract class AbstractContentEncryptionAlgorithm extends AbstractContentEncryptionCipherProperties - implements ContentEncryptionAlgorithm { - private static final int DEFAULT_IV_SIZE = 128; - private byte[] cek; - private byte[] iv; - private AtomicInteger providedIvUsageCount; - private String algorithm; - - protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv, String algo) { - this.cek = cek; - this.iv = iv; - if (iv != null && iv.length > 0) { - providedIvUsageCount = new AtomicInteger(); - } - this.algorithm = algo; - } - @Override - public String getAlgorithm() { - return algorithm; - } - public byte[] getContentEncryptionKey(JweHeaders headers) { - return cek; - } - public byte[] getInitVector() { - if (iv == null) { - return CryptoUtils.generateSecureRandomBytes(getIvSize() / 8); - } else if (iv.length > 0 && providedIvUsageCount.addAndGet(1) > 1) { - throw new SecurityException(); - } else { - return iv; - } - } - protected int getIvSize() { - return 
DEFAULT_IV_SIZE; - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java deleted file mode 100644 index bc30979..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java +++ /dev/null 
@@ -1,39 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.security.spec.AlgorithmParameterSpec; - -import org.apache.cxf.common.util.crypto.CryptoUtils; - - -public abstract class AbstractContentEncryptionCipherProperties implements ContentEncryptionCipherProperties { - private static final int DEFAULT_AUTH_TAG_LENGTH = 128; - private int authTagLen = DEFAULT_AUTH_TAG_LENGTH; - - public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) { - return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv); - } - public byte[] getAdditionalAuthenticationData(String headersJson) { - return JweHeaders.toCipherAdditionalAuthData(headersJson); - } - protected int getAuthTagLen() { - return authTagLen; - } -} http://git-wip-us.apache.org/repos/asf/cxf/blob/9c053334/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java ---------------------------------------------------------------------- 
diff --git a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java deleted file mode 100644 index 45d3ee7..0000000 --- a/rt/rs/security/oauth-parent/oauth2-jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweDecryption.java +++ /dev/null 
@@ -1,105 +0,0 @@ -/** - * Licensed to the Apache Software Foundation (ASF) under one - * or more contributor license agreements. See the NOTICE file - * distributed with this work for additional information - * regarding copyright ownership. The ASF licenses this file - * to you under the Apache License, Version 2.0 (the - * "License"); you may not use this file except in compliance - * with the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, - * software distributed under the License is distributed on an - * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - * KIND, either express or implied. See the License for the - * specific language governing permissions and limitations - * under the License. - */ -package org.apache.cxf.rs.security.jose.jwe; - -import java.security.Key; -import java.security.spec.AlgorithmParameterSpec; - -import org.apache.cxf.common.util.crypto.CryptoUtils; -import org.apache.cxf.common.util.crypto.KeyProperties; -import org.apache.cxf.rs.security.jose.JoseConstants; -import org.apache.cxf.rs.security.jose.JoseHeadersReader; -import org.apache.cxf.rs.security.jose.JoseHeadersReaderWriter; -import org.apache.cxf.rs.security.jose.jwa.Algorithm; - -public abstract class AbstractJweDecryption implements JweDecryptionProvider { - private KeyDecryptionAlgorithm keyDecryptionAlgo; - private ContentDecryptionAlgorithm contentDecryptionAlgo; - private JoseHeadersReader reader = new JoseHeadersReaderWriter(); - protected AbstractJweDecryption(JoseHeadersReader theReader, - KeyDecryptionAlgorithm keyDecryptionAlgo, - ContentDecryptionAlgorithm contentDecryptionAlgo) { - if (theReader != null) { - reader = theReader; - } - this.keyDecryptionAlgo = keyDecryptionAlgo; - this.contentDecryptionAlgo = contentDecryptionAlgo; - } - - protected byte[] getContentEncryptionKey(JweCompactConsumer consumer) { - return 
this.keyDecryptionAlgo.getDecryptedContentEncryptionKey(consumer); - } - - public JweDecryptionOutput decrypt(String content) { - JweCompactConsumer consumer = new JweCompactConsumer(content, reader); - return doDecrypt(consumer); - } - public byte[] decrypt(JweCompactConsumer consumer) { - return doDecrypt(consumer).getContent(); - } - - protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer) { - byte[] cek = getContentEncryptionKey(consumer); - return doDecrypt(consumer, cek); - } - protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) { - KeyProperties keyProperties = new KeyProperties(getContentEncryptionAlgorithm(consumer)); - keyProperties.setAdditionalData(getContentEncryptionCipherAAD(consumer)); - AlgorithmParameterSpec spec = getContentEncryptionCipherSpec(consumer); - keyProperties.setAlgoSpec(spec); - boolean compressionSupported = - JoseConstants.DEFLATE_ZIP_ALGORITHM.equals(consumer.getJweHeaders().getZipAlgorithm()); - keyProperties.setCompressionSupported(compressionSupported); - byte[] actualCek = getActualCek(cek, consumer.getJweHeaders().getContentEncryptionAlgorithm()); - Key secretKey = CryptoUtils.createSecretKeySpec(actualCek, keyProperties.getKeyAlgo()); - byte[] bytes = - CryptoUtils.decryptBytes(getEncryptedContentWithAuthTag(consumer), secretKey, keyProperties); - return new JweDecryptionOutput(consumer.getJweHeaders(), bytes); - } - protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) { - return consumer.getEncryptedContentEncryptionKey(); - } - protected AlgorithmParameterSpec getContentEncryptionCipherSpec(JweCompactConsumer consumer) { - return contentDecryptionAlgo.getAlgorithmParameterSpec(getContentEncryptionCipherInitVector(consumer)); - } - protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) { - return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm()); - } - protected byte[] 
getContentEncryptionCipherAAD(JweCompactConsumer consumer) { - return contentDecryptionAlgo.getAdditionalAuthenticationData(consumer.getDecodedJsonHeaders()); - } - protected byte[] getEncryptedContentWithAuthTag(JweCompactConsumer consumer) { - return contentDecryptionAlgo.getEncryptedSequence(consumer.getJweHeaders(), - consumer.getEncryptedContent(), - getEncryptionAuthenticationTag(consumer)); - } - protected byte[] getContentEncryptionCipherInitVector(JweCompactConsumer consumer) { - return consumer.getContentDecryptionCipherInitVector(); - } - protected byte[] getEncryptionAuthenticationTag(JweCompactConsumer consumer) { - return consumer.getEncryptionAuthenticationTag(); - } - protected int getEncryptionAuthenticationTagLenBits(JweCompactConsumer consumer) { - return getEncryptionAuthenticationTag(consumer).length * 8; - } - protected byte[] getActualCek(byte[] theCek, String algoJwt) { - return theCek; - } - -}