Repository: cxf Updated Branches: refs/heads/master 1f4ecb274 -> c392f8cac
Making it easier to configure Jwe Content algo when using a client secret Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/c392f8ca Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/c392f8ca Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/c392f8ca Branch: refs/heads/master Commit: c392f8cac8692d5f12cd3d7dd6e478e1871379ce Parents: 1f4ecb2 Author: Sergey Beryozkin <[email protected]> Authored: Thu Nov 12 14:17:36 2015 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Thu Nov 12 14:17:36 2015 +0000
----------------------------------------------------------------------
 .../cxf/rs/security/jose/jwe/JweUtils.java | 49 +++++++++++++------- .../provider/AbstractOAuthJoseJwtConsumer.java | 4 +- .../provider/AbstractOAuthJoseJwtProducer.java | 6 ++- 3 files changed, 39 insertions(+), 20 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/c392f8ca/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
index 191a8a7..08e5bf9 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java
@@ -307,16 +307,18 @@ public final class JweUtils {
 KeyEncryptionProvider keyEncryptionProvider = null;
 KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
- String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
+ ContentAlgorithm contentAlgo = getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
 if (m != null) {
- m.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, contentEncryptionAlgo);
+ m.put(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM, contentAlgo.getJwaName());
 }
 ContentEncryptionProvider ctEncryptionProvider = null;
 if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
 JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.ENCRYPT);
 if ("direct".equals(keyAlgo.getJwaName())) {
- contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm());
- ctEncryptionProvider = getContentEncryptionProvider(jwk, contentEncryptionAlgo);
+ contentAlgo = getContentEncryptionAlgorithm(m, props,
+ ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()),
+ ContentAlgorithm.A128GCM);
+ ctEncryptionProvider = getContentEncryptionProvider(jwk, contentAlgo.getJwaName());
 } else {
 keyAlgo = getKeyEncryptionAlgorithm(m, props, KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()),
@@ -365,7 +367,7 @@ public final class JweUtils {
 }
 return createJweEncryptionProvider(keyEncryptionProvider, ctEncryptionProvider,
- contentEncryptionAlgo,
+ contentAlgo.getJwaName(),
 compression);
 }
 public static JweDecryptionProvider loadDecryptionProvider(boolean required) {
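Review bot: In the `"direct"` branch, `ContentAlgorithm.getAlgorithm(jwk.getAlgorithm())` is now evaluated before `getContentEncryptionAlgorithm` performs its `algo == null` check, whereas the old code handed the raw `jwk.getAlgorithm()` string through; if `ContentAlgorithm.getAlgorithm` does not map a missing or unrecognised JWK `alg` back to null (this diff does not show its behaviour), a JWK without an `alg` member no longer falls back to the configured property and the A128GCM default. The decryption path at @@ -420 has the same construct. Either guard the conversion, `ContentAlgorithm jwkAlgo = jwk.getAlgorithm() == null ? null : ContentAlgorithm.getAlgorithm(jwk.getAlgorithm());`, or document on the four-argument overload that only a null `algo` triggers the property lookup. loadEncryptionProvider starts before this hunk.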
@@ -386,7 +388,8 @@ public final class JweUtils {
 Message m = PhaseInterceptorChain.getCurrentMessage();
 KeyDecryptionProvider keyDecryptionProvider = null;
- String contentEncryptionAlgo = getContentEncryptionAlgo(m, props, null);
+ ContentAlgorithm contentAlgo =
+ getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
 SecretKey ctDecryptionKey = null;
 KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
 if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
@@ -396,7 +399,7 @@ public final class JweUtils {
 X509Certificate cert = chain == null ? null : chain.get(0);
 PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
- contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm().getJwaName();
+ contentAlgo = inHeaders.getContentEncryptionAlgorithm();
 keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, inHeaders.getKeyEncryptionAlgorithm());
 } else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
@@ -407,7 +410,7 @@ public final class JweUtils {
 if (foundCert != null) {
 PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
- contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm().getJwaName();
+ contentAlgo = inHeaders.getContentEncryptionAlgorithm();
 keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, inHeaders.getKeyEncryptionAlgorithm());
 }
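Review bot: At @@ -396 and @@ -407 the `contentAlgo` resolved from configuration is replaced by `inHeaders.getContentEncryptionAlgorithm()`, the value the sender put in the inbound JWE header, and nothing in these hunks compares it with the configured or default algorithm before it reaches `createJweDecryptionProvider` at @@ -435. The old code did the same with the JWA name, so this is not a regression, but now that both sides are `ContentAlgorithm` values the comparison is trivial. If the decryption provider itself pins `enc` this is fine; otherwise a comment such as `// contentAlgo comes from the inbound header; the provider must check enc against it` would at least make the trust decision visible to the next reader. loadDecryptionProvider continues outside these hunks.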
@@ -420,8 +423,10 @@ public final class JweUtils {
 }
 if ("direct".equals(keyAlgo.getJwaName())) {
- contentEncryptionAlgo = getContentEncryptionAlgo(m, props, jwk.getAlgorithm());
- ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentEncryptionAlgo);
+ contentAlgo = getContentEncryptionAlgorithm(m, props,
+ ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()),
+ ContentAlgorithm.A128GCM);
+ ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentAlgo.getJwaName());
 } else {
 keyAlgo = getKeyEncryptionAlgorithm(m, props, KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()),
@@ -435,7 +440,7 @@ public final class JweUtils {
 }
 }
 return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey,
- getContentAlgo(contentEncryptionAlgo));
+ contentAlgo);
 }
 public static JweEncryptionProvider createJweEncryptionProvider(PublicKey key, KeyAlgorithm keyAlgo,
@@ -694,7 +699,10 @@ public final class JweUtils {
 }
 }
 @SuppressWarnings("deprecation")
- private static String getContentEncryptionAlgo(Message m, Properties props, String algo) {
+ public static ContentAlgorithm getContentEncryptionAlgorithm(Message m,
+ Properties props,
+ ContentAlgorithm algo,
+ ContentAlgorithm defaultAlgo) {
 if (algo == null) {
 // Check for deprecated identifier first
 String encAlgo = props.getProperty(JoseConstants.DEPR_RSSEC_ENCRYPTION_CONTENT_ALGORITHM);
@@ -702,16 +710,23 @@ public final class JweUtils {
 encAlgo = (String)m.getContextualProperty(JoseConstants.DEPR_RSSEC_ENCRYPTION_CONTENT_ALGORITHM);
 }
 if (encAlgo != null) {
- return encAlgo;
+ return ContentAlgorithm.getAlgorithm(encAlgo);
 }
- // Otherwise check newer identifier
- return KeyManagementUtils.getKeyAlgorithm(m, props,
- JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM,
- AlgorithmUtils.A128GCM_ALGO);
+ return getContentEncryptionAlgorithm(props, defaultAlgo);
 }
 return algo;
 }
+
+ public static ContentAlgorithm getContentEncryptionAlgorithm(Properties props,
+ ContentAlgorithm defaultAlgo) {
+ String algo = KeyManagementUtils.getKeyAlgorithm(PhaseInterceptorChain.getCurrentMessage(),
+ props,
+ JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM,
+ defaultAlgo == null ? null : defaultAlgo.getJwaName());
+ return ContentAlgorithm.getAlgorithm(algo);
+ }
+
 private static String encrypt(KeyEncryptionProvider keyEncryptionProvider, ContentAlgorithm contentAlgo, byte[] content, String ct) {
 JweEncryptionProvider jwe = createJweEncryptionProvider(keyEncryptionProvider, contentAlgo, null);
http://git-wip-us.apache.org/repos/asf/cxf/blob/c392f8ca/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
index e799e35..5d2fa3b 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtConsumer.java
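Review bot: The new public overload `getContentEncryptionAlgorithm(Properties, ContentAlgorithm)` (and the four-argument one made public at @@ -694) carries no Javadoc, and when `defaultAlgo` is null and the property is unset it hands a null name to `ContentAlgorithm.getAlgorithm`; every caller in this commit passes `A128GCM`, so that path is never exercised here, but as public API the contract needs to be stated, because the callers at @@ -307 and @@ -365 immediately dereference the result with `contentAlgo.getJwaName()`. A Javadoc along the lines of `@param defaultAlgo used when the property is absent; must be non-null unless the caller tolerates whatever ContentAlgorithm.getAlgorithm(null) yields` would do, or better an explicit `Objects.requireNonNull(defaultAlgo, "defaultAlgo")` so the failure is at the call site rather than later. The overload also obtains the message via `PhaseInterceptorChain.getCurrentMessage()` instead of a parameter, unlike its sibling; noting that in the Javadoc avoids surprises when it is called outside an interceptor chain. The `@SuppressWarnings("deprecation")` on the enclosing method starts before this hunk.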
@@ -58,7 +58,9 @@ public abstract class AbstractOAuthJoseJwtConsumer extends AbstractJoseJwtConsum
 JweDecryptionProvider theDecryptionProvider = null;
 if (decryptWithClientSecret) {
 SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
- theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ContentAlgorithm.A128GCM);
+ Properties props = JweUtils.loadEncryptionInProperties(false);
+ ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM);
+ theDecryptionProvider = JweUtils.getDirectKeyJweDecryption(key, ctAlgo);
 }
 return theDecryptionProvider;
http://git-wip-us.apache.org/repos/asf/cxf/blob/c392f8ca/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
index 1bd78fe..b0a7414 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/provider/AbstractOAuthJoseJwtProducer.java
@@ -48,7 +48,7 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc
 Properties props = JwsUtils.loadSignatureOutProperties(false);
 SignatureAlgorithm sigAlgo = JwsUtils.getSignatureAlgorithm(props, SignatureAlgorithm.HS256);
 if (AlgorithmUtils.isHmacSign(sigAlgo)) {
- return JwsUtils.getHmacSignatureProvider(clientSecret, SignatureAlgorithm.HS256);
+ return JwsUtils.getHmacSignatureProvider(clientSecret, sigAlgo);
 }
 }
 return null;
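Review bot: In the added lines `ctAlgo` is resolved from the encryption-in properties only after `CryptoUtils.decodeSecretKey(clientSecret)` has already produced the key, and nothing checks that the decoded secret has the length the configured content algorithm requires (the GCM and AES-CBC-HMAC variants each expect a different key size), so a wrong `enc` property surfaces as a failure inside the JWE provider rather than as a descriptive configuration error. The producer side at @@ -56 in AbstractOAuthJoseJwtProducer has the same shape, and @@ -48 in that file now lets configuration select HS384/HS512 while the client secret length stays whatever was issued. A length check right after decoding, comparing the key against the size implied by `ctAlgo` (or `sigAlgo`) and failing with a message that names the algorithm, would make the misconfiguration obvious on first use; I would also add a comment stating that the inbound token's `enc` header is expected to be verified against `ctAlgo` by `getDirectKeyJweDecryption`, if that is indeed what it does. getInitializedDecryptionProvider starts before this hunk.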
@@ -56,7 +56,9 @@ public abstract class AbstractOAuthJoseJwtProducer extends AbstractJoseJwtProduc
 protected JweEncryptionProvider getInitializedEncryptionProvider(String clientSecret) {
 if (encryptWithClientSecret) {
 SecretKey key = CryptoUtils.decodeSecretKey(clientSecret);
- return JweUtils.getDirectKeyJweEncryption(key, ContentAlgorithm.A128GCM);
+ Properties props = JweUtils.loadEncryptionOutProperties(false);
+ ContentAlgorithm ctAlgo = JweUtils.getContentEncryptionAlgorithm(props, ContentAlgorithm.A128GCM);
+ return JweUtils.getDirectKeyJweEncryption(key, ctAlgo);
 }
 return null;
 }
