Author: buildbot
Date: Wed May 18 16:47:35 2016
New Revision: 988543

Log:
Production update by buildbot for cxf

Modified:
    websites/production/cxf/content/cache/docs.pageCache
    websites/production/cxf/content/docs/jax-rs-jose.html

Modified: websites/production/cxf/content/cache/docs.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/cxf/content/docs/jax-rs-jose.html
==============================================================================
--- websites/production/cxf/content/docs/jax-rs-jose.html (original)
+++ websites/production/cxf/content/docs/jax-rs-jose.html Wed May 18 16:47:35 
2016
@@ -119,14 +119,14 @@ Apache CXF -- JAX-RS JOSE
            <!-- Content -->
            <div class="wiki-content">
 <div id="ConfluenceContent"><p>&#160;</p><p>&#160;</p><p><style 
type="text/css">/*<![CDATA[*/
-div.rbtoc1463582822610 {padding: 0px;}
-div.rbtoc1463582822610 ul {list-style: disc;margin-left: 0px;}
-div.rbtoc1463582822610 li {margin-left: 0px;padding-left: 0px;}
+div.rbtoc1463590020407 {padding: 0px;}
+div.rbtoc1463590020407 ul {list-style: disc;margin-left: 0px;}
+div.rbtoc1463590020407 li {margin-left: 0px;padding-left: 0px;}
 
-/*]]>*/</style></p><div class="toc-macro rbtoc1463582822610">
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</a>
+/*]]>*/</style></p><div class="toc-macro rbtoc1463590020407">
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-Introduction">Introduction</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-MavenDependencies">Maven Dependencies</a></li><li><a 
shape="rect" href="#JAX-RSJOSE-JavaandJCEPolicy">Java and JCE 
Policy&#160;</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWKKeys">JWK Keys</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSSignature">JWS Signature</a>
-<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS 
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS 
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithClearPayload">JWS 
with Clear Payload</a></li></ul>
+<ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSCompact">JWS 
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSJSON">JWS 
JSON</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWSwithDetachedContent">JWS 
with Detached Content</a></li><li><a shape="rect" 
href="#JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-JWEEncryption">JWE Encryption</a>
 <ul class="toc-indentation"><li><a shape="rect" 
href="#JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption 
Providers</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWECompact">JWE 
Compact</a></li><li><a shape="rect" href="#JAX-RSJOSE-JWEJSON">JWE 
JSON</a></li></ul>
 </li><li><a shape="rect" href="#JAX-RSJOSE-JSONWebToken">JSON Web 
Token</a></li></ul>
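Review bot: the new TOC entry `Java and JCE Policy&#160;</a>` carries a trailing non-breaking space inside the link text, inherited from the trailing `&#160;` in the new h1 further down the page; trim it in the wiki source so the TOC label and the heading text agree and the label does not wrap oddly. The entry `JWS with Detached Content` is also introduced here, so please confirm the page body actually contains a section with `id="JAX-RSJOSE-JWSwithDetachedContent"`, otherwise the TOC link dangles. The `rbtoc1463582822610` to `rbtoc1463590020407` renames are only the TOC generator's timestamp and can be ignored in review, though they will keep producing diff noise on every publish.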
@@ -149,7 +149,14 @@ div.rbtoc1463582822610 li {margin-left:
   &lt;version&gt;3.1.7&lt;/version&gt;
 &lt;/dependency&gt;
 </pre>
-</div></div><pre>&#160;</pre><h1 
id="JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</h1><p>JOSE consists of the following key parts:</p><ul><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518"; 
rel="nofollow">JWA</a> - JSON Web Algorithms where all supported signature and 
encryption algorithms are listed</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> - JSON Web 
Keys - introduces a JSON format for describing the public and private keys used 
by JWA algorithms</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515"; rel="nofollow">JWS</a> - JSON Web 
Signature - describes how the data can be signed or validated and introduces 
compact and JSON JWS formats for representing the signed data</li><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7516"; 
rel="nofollow">JWE</a> - JSON Web Encryption - describes how
  the data can be encrypted or decrypted and introduces compact and JSON JWE 
formats for representing the encrypted 
data&#160;&#160;</li></ul><p>Additionally, <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> (JSON Web Token), while technically being not part of 
JOSE, is often used as an input material to JWS and JWE processors, especially 
in OAuth2 flows (example: OAuth2 access tokens can be represented internally as 
JWT, OpenIdConnect IdToken and UserInfo are effectively JWTs). <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> describes how a set of claims in JSON format can be 
either JWS-signed and/or JWE-enctypted.&#160;</p><h2 
id="JAX-RSJOSE-JWAAlgorithms">JWA Algorithms</h2><p>All JOSE signature and 
encryption algorithms are grouped and described in the <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518"; 
rel="nofollow">JWA</a> (JSON Web Algori
 thms) specification.</p><p>The algorithms are split into 3 categories: 
signature algorithms (HMAC, RSA, Elliptic Curve), algorithms for supporting the 
encryption of content encryption keys (RSA-OAEP, AES Key Wrap, etc), and 
algorithms for encrypting the actual content (AES GCM, etc).</p><div>The 
specification lists all the algorithms that can be used either for signing or 
encrypting and also describes how some of these algorithms work in 
cases</div><div>where JCA (or BouncyCastle) does not support them directly, 
example, AES-CBC-HMAC-SHA2.</div><div>Algorithm name is a type + hint, example: 
HS256 (HMAC with SHA-256), RSA-OAEP-256 (RSA OAEP key encryption with SHA-256), 
etc.</div><p>All JWS and JWE algorithms process not only the actual data but 
also the meta-data (the algorithm properties) thus ensuring the algorithm 
properties are integrity-protected, additionally JWE algorithms produce 
authentication tags which ensure the already encrypted content won't be 
manipulated.</p><p>Pleas
 e refer to <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518"; rel="nofollow">the specification</a> 
to get all the information needed (with the follow up links to the 
corresponding RFC when applicable) about a particular signature or encryption 
algorithm: the properties, recommended key sizes, other security considerations 
related to all of or some specific algorithms. CXF JOSE code already enforces a 
number of the recommended constraints.</p><p>CXF offers the utility support for 
working with JWA algorithms in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa";
 rel="nofollow">this package</a>.</p><p>Typically one would supply an algorithm 
property in a type-safe way either to JWS or JWE processor, for example,&#160; 
SignatureAlgorithm.HS256 for JWS,&#160;KeyAlgorithm.A256KW plus 
ContentAlgorithm.A256GCM for JWE, etc. Each enum has methods 
 for checking a key size, JWA and Java JCA algorithm names.</p><h2 
id="JAX-RSJOSE-JWKKeys">JWK Keys</h2><p><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> (JSON Web 
Key) is a JSON document describing the cryptographic key properties. JWKs are 
very flexible and one can expect JWKs becoming one of the major mechanisms for 
representing and storing cryptographic keys. While one does not have to 
represent the keys as JWK in order to sign or encrypt the document and rely on 
Java JCA secret and asymmetric keys instead, JWK is a preferred representation 
of signature or encryption keys in JOSE.</p><p>For example:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Secret HMAC Key</b></div><div 
class="codeContent panelContent pdl">
+</div></div><p>You may also need to include Bouncy Castle:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+<pre class="brush: xml; gutter: false; theme: Default" 
style="font-size:12px;">&lt;dependency&gt;
+     &lt;groupId&gt;org.bouncycastle&lt;/groupId&gt;
+     &lt;artifactId&gt;bcprov-ext-jdk15on&lt;/artifactId&gt;
+     &lt;version&gt;1.54&lt;/version&gt;
+&lt;/dependency&gt;
+</pre>
+</div></div><h1 id="JAX-RSJOSE-JavaandJCEPolicy">Java and JCE 
Policy&#160;</h1><p>Java7 or higher is recommended for most cases: Java6 does 
not support JWE AES-GCM at all while with BouncyCastle it is not possible to 
submit JWE Header properties as an extra input to the encryption process to get 
them integrity protected which is not JWE compliant.</p><p>Unlimited JCE Policy 
for Java 7/8/9 needs to be installed if the size of the encrypting key is 256 
bits (example, JWE A256GCM).</p><h1 
id="JAX-RSJOSE-JOSEOverviewandImplementation">JOSE Overview and 
Implementation</h1><p>JOSE consists of the following key parts:</p><ul><li><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7518"; 
rel="nofollow">JWA</a> - JSON Web Algorithms where all supported signature and 
encryption algorithms are listed</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> - JSON Web 
Keys - introduces a JSON format for describing the 
 public and private keys used by JWA algorithms</li><li><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> - JSON Web Signature - describes how the data can be 
signed or validated and introduces compact and JSON JWS formats for 
representing the signed data</li><li><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7516"; rel="nofollow">JWE</a> - JSON Web 
Encryption - describes how the data can be encrypted or decrypted and 
introduces compact and JSON JWE formats for representing the encrypted 
data&#160;&#160;</li></ul><p>Additionally, <a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7519"; 
rel="nofollow">JWT</a> (JSON Web Token), while technically being not part of 
JOSE, is often used as an input material to JWS and JWE processors, especially 
in OAuth2 flows (example: OAuth2 access tokens can be represented internally as 
JWT, OpenIdConnect IdToken and UserInfo are effectively JWTs). <
 a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7519"; rel="nofollow">JWT</a> describes how 
a set of claims in JSON format can be either JWS-signed and/or 
JWE-enctypted.&#160;</p><h2 id="JAX-RSJOSE-JWAAlgorithms">JWA 
Algorithms</h2><p>All JOSE signature and encryption algorithms are grouped and 
described in the <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518"; rel="nofollow">JWA</a> (JSON Web 
Algorithms) specification.</p><p>The algorithms are split into 3 categories: 
signature algorithms (HMAC, RSA, Elliptic Curve), algorithms for supporting the 
encryption of content encryption keys (RSA-OAEP, AES Key Wrap, etc), and 
algorithms for encrypting the actual content (AES GCM, etc).</p><div>The 
specification lists all the algorithms that can be used either for signing or 
encrypting and also describes how some of these algorithms work in 
cases</div><div>where JCA (or BouncyCastle) does not support them directly, 
example, AES-CBC-HMAC
 -SHA2.</div><div>Algorithm name is a type + hint, example: HS256 (HMAC with 
SHA-256), RSA-OAEP-256 (RSA OAEP key encryption with SHA-256), etc.</div><p>All 
JWS and JWE algorithms process not only the actual data but also the meta-data 
(the algorithm properties) thus ensuring the algorithm properties are 
integrity-protected, additionally JWE algorithms produce authentication tags 
which ensure the already encrypted content won't be manipulated.</p><p>Please 
refer to <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518"; rel="nofollow">the specification</a> 
to get all the information needed (with the follow up links to the 
corresponding RFC when applicable) about a particular signature or encryption 
algorithm: the properties, recommended key sizes, other security considerations 
related to all of or some specific algorithms. CXF JOSE code already enforces a 
number of the recommended constraints.</p><p>CXF offers the utility support for 
working with JWA algorith
 ms in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa";
 rel="nofollow">this package</a>.</p><p>Typically one would supply an algorithm 
property in a type-safe way either to JWS or JWE processor, for example,&#160; 
SignatureAlgorithm.HS256 for JWS,&#160;KeyAlgorithm.A256KW plus 
ContentAlgorithm.A256GCM for JWE, etc. Each enum has methods for checking a key 
size, JWA and Java JCA algorithm names.</p><h2 id="JAX-RSJOSE-JWKKeys">JWK 
Keys</h2><p><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7517"; rel="nofollow">JWK</a> (JSON Web 
Key) is a JSON document describing the cryptographic key properties. JWKs are 
very flexible and one can expect JWKs becoming one of the major mechanisms for 
representing and storing cryptographic keys. While one does not have to 
represent the keys as JWK in order to sign or encrypt the document and rely on 
Java JCA se
 cret and asymmetric keys instead, JWK is a preferred representation of 
signature or encryption keys in JOSE.</p><p>For example:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>Secret HMAC Key</b></div><div 
class="codeContent panelContent pdl">
 <pre class="brush: js; gutter: false; theme: Default" style="font-size:12px;">{
    "kty":"oct",
    
"k":"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQLr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow",
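Review bot: the new "Java and JCE Policy" paragraph runs two different limitations into one sentence, so a reader on Java 7 or later with Bouncy Castle may conclude that their setup is not JWE compliant; split it and say which Java/BouncyCastle combination is meant, along the lines of "Java 6 does not support JWE AES-GCM at all. With BouncyCastle on Java 6, AES-GCM is available but the JWE header cannot be supplied as extra integrity-protected input, so the result is not JWE compliant." The lead-in "You may also need to include Bouncy Castle" should state which algorithms or Java versions require the `bcprov-ext-jdk15on` dependency rather than leaving "may" open. For the Unlimited JCE Policy sentence, name the runtime error users see when the policy is missing and a 256-bit key (A256GCM, A256KW) is used, since that symptom is what they will search for, and consider whether "Java 7/8/9" is accurate for all three versions.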
@@ -167,7 +174,7 @@ div.rbtoc1463582822610 li {margin-left:
   "e":"AQAB",
   "alg":"RS256",
   "kid":"Public RSA Key"}</pre>
-</div></div><p>&#160;</p><p>A collection of JWK keys is called a JWK Key Set 
which is represented as JSON array of JWKs.</p><p>CXF offers a utility support 
for reading and writing JWK keys and key sets and for working with the 
encrypted inlined and standalone JWK stores in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk";
 rel="nofollow">this package</a>.</p><p>For example, a key set containing 
public JWK keys can be seen <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPublicSet.txt";
 rel="nofollow">here</a> and referred to from the <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties#L19";
 rel="nofollow">configu
 ration properties</a>. The private (test) key set can be represented in a <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt";
 rel="nofollow">clear form</a>, though most likely you'd want a private key set 
<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt";
 rel="nofollow">encrypted</a> and referred to <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties#L19";
 rel="nofollow">like this</a>.&#160;</p><p>One can inline the encrypted key or 
the key set directly in the configuration properties. For example, here is how 
an encrypted <a shape="rect" class="external-link" href="
 
https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18";
 rel="nofollow">single JWK key is inlined</a>. Similarly, here is how an 
encrypted <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18";
 rel="nofollow">collection of keys is inlined</a>.</p><p>CXF assumes that the 
JWK keys have been encrypted if a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java";
 rel="nofollow">password provider</a> is available in scope, it is typically 
registered with JAX-RS endpoints. The encryption is done with a password based 
<a shape="rect" class="external-link" href="https://tools.ietf.org/html/r
 fc7518#section-4.8" rel="nofollow">PBES2 algorithm</a>.&#160;</p><p>Support 
for the pluggable strategies for loading JWKs is on the map.</p><p>Here are 
some code examples:</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>JWK examples</b></div><div class="codeContent panelContent pdl">
+</div></div><p>A 'kid' property can be of special interest as it allows to 
identify a key but also help with the simple key rotation mechanism realized 
(ex, <a shape="rect" class="external-link" 
href="http://openid.net/specs/openid-connect-core-1_0.html#RotateSigKeys"; 
rel="nofollow">OIDC Asymmetric Key Rotation</a>).</p><p>A collection of JWK 
keys is called a JWK Key Set which is represented as JSON array of 
JWKs.</p><p>CXF offers a utility support for reading and writing JWK keys and 
key sets and for working with the encrypted inlined and standalone JWK stores 
in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwk";
 rel="nofollow">this package</a>.</p><p>For example, a key set containing 
public JWK keys can be seen <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/s
 ecurity/certs/jwkPublicSet.txt" rel="nofollow">here</a> and referred to from 
the <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/jws.ec.public.properties#L19";
 rel="nofollow">configuration properties</a>. The private (test) key set can be 
represented in a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/jwkPrivateSet.txt";
 rel="nofollow">clear form</a>, though most likely you'd want a private key set 
<a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/certs/encryptedJwkPrivateSet.txt";
 rel="nofollow">encrypted</a> and referred to <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test
 
/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.properties#L19"
 rel="nofollow">like this</a>.&#160;</p><p>One can inline the encrypted key or 
the key set directly in the configuration properties. For example, here is how 
an encrypted <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlinejwk.properties#L18";
 rel="nofollow">single JWK key is inlined</a>. Similarly, here is how an 
encrypted <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/systests/rs-security/src/test/resources/org/apache/cxf/systest/jaxrs/security/secret.aescbchmac.inlineset.properties#L18";
 rel="nofollow">collection of keys is inlined</a>.</p><p>CXF assumes that the 
JWK keys have been encrypted if a <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org
 /apache/cxf/rs/security/jose/common/PrivateKeyPasswordProvider.java" 
rel="nofollow">password provider</a> is available in scope, it is typically 
registered with JAX-RS endpoints. The encryption is done with a password based 
<a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-4.8"; rel="nofollow">PBES2 
algorithm</a>.&#160;</p><p>Support for the pluggable strategies for loading 
JWKs is on the map.</p><p>Here are some code examples:</p><div class="code 
panel pdl" style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>JWK examples</b></div><div 
class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">InputStream is = 
JsonWebKeyTest.class.getResourceAsStream(fileName);
 JsonWebKeys keySet = JwkUtils.readJwkSet(is);
 JsonWebKey key = keySet.getKey("Public RSA Key");
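Review bot: the added sentence about `kid` does not parse ("but also help with the simple key rotation mechanism realized (ex, ...)"); suggest: "A 'kid' property can be of special interest: it identifies a key and also enables a simple key rotation mechanism (for example, OIDC Asymmetric Key Rotation)." Since the surrounding example selects a key by name (`keySet.getKey("Public RSA Key")`), it is worth adding one sentence that a `kid` taken from an incoming JWS or JWE header is only a lookup hint into the key set the endpoint is already configured with, and must not by itself decide which key material is trusted; otherwise a header-controlled value would choose the verification key.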
@@ -175,7 +182,7 @@ String thumbprint = JwkUtils.getThumbpri
 assertEquals("NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs", thumbprint);
 KeyType keyType = key.getKeyType();
 assertEquals(KeyType.RSA, thumbprint);</pre>
-</div></div><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document 
content can be signed. For example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS 
related classes in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws";
 rel="nofollow">this package</a> and offers a support for all of JWA <a 
shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3"; rel="nofollow">signature 
algorithms</a>.</p><h3 
id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</h3><p><a shape="rect" class="external-link" href="https
 
://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java"
 rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java";
 rel="nofollow">JwsSignatureVerifier</a> - validating the 
signatures.</p><p>Note the signature and verification capabilities are 
represented by 2 different interfaces - it was done to keep the interfaces 
minimalistic and have the concerns separated which can be appreciated most in 
the cases where the code only signs or only validates.</p><p>The following 
table shows the algorithms and the corresponding providers:</p><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" 
class="conflu
 enceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2"; 
rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre>HmacJwsSignatureProvider</pre></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><pre>HmacJwsSignatureVerifier</pre></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3"; 
rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#se
 ction-3.4" rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.5"; 
rel="nofollow">RSASSA-PSS</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.6"; 
rel="nofollow">None</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
 of these providers (except for None) can be initialized with the keys loade
 d from JWK or JCA stores or from the in-memory representations.</p><h3 
id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7515#section-3.3"; 
rel="nofollow">JWS Compact representation</a> is the most often used JOSE 
sequence. It is the concatenation of Base64URL-encoded sequence if JWS headers 
(algorithm and other properties),&#160; Base64URL-encoded sequence of the 
actual data being protected and Base64URL-encoded sequence of the signature 
algorithm output bytes.</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java";
 rel="nofollow">JwsCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java";
 rel="nofollow">JwsCompactC
 onsumer</a> offer a support for producing and consuming compact JWS sequences, 
protecting the data in JSON or non-JSON formats.</p><p><a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java";
 rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java";
 rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which 
help with processing typed JWT Tokens.</p><p>&#160;For example, here is how an 
<a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> example can be done in CXF:</p><p>&#160;</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" style="b
 order-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div 
class="codeContent panelContent pdl">
+</div></div><h2 id="JAX-RSJOSE-JWSSignature">JWS Signature</h2><p><a 
shape="rect" class="external-link" href="https://tools.ietf.org/html/rfc7515"; 
rel="nofollow">JWS</a> (JSON Web Signature) document describes how a document 
content can be signed. For example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> shows how the content can be signed with an HMAC key</p><p>CXF ships JWS 
related classes in <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws";
 rel="nofollow">this package</a> and offers a support for all of JWA <a 
shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3"; rel="nofollow">signature 
algorithms</a>.</p><h3 
id="JAX-RSJOSE-SignatureandVerificationProviders">Signature and Verification 
Providers</h3><p><a shape="rect" class="external-link" href="https
 
://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java"
 rel="nofollow">JwsSignatureProvider</a> supports signing the content, <a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureVerifier.java";
 rel="nofollow">JwsSignatureVerifier</a> - validating the 
signatures.</p><p>Note the signature and verification capabilities are 
represented by 2 different interfaces - it was done to keep the interfaces 
minimalistic and have the concerns separated which can be appreciated most in 
the cases where the code only signs or only validates.</p><p>The following 
table shows the algorithms and the corresponding providers:</p><div 
class="table-wrap"><table class="confluenceTable"><tbody><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" 
rowsp
 an="1" class="confluenceTd"><strong>JWS Header 'alg'</strong></td><td 
colspan="1" rowspan="1" 
class="confluenceTd"><strong>JwsSignatureProvider</strong></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><strong>JwsSignatureVerifier</strong></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.2"; 
rel="nofollow">HMAC</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">HS256, HS384, HS512</td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre>HmacJwsSignatureProvider</pre></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><pre>HmacJwsSignatureVerifier</pre></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-3.3"; 
rel="nofollow">RSASSA-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">RS256, RS384, RS512</td><td colspan="1" rowspan="1" 
class="confluenceTd">Priva
 teKeyJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.4"; 
rel="nofollow">ECDSA</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">ES256, ES384, ES512</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcDsaJwsSignatureVerifier</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.5"; 
rel="nofollow">RSASSA-PSS</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">PS256, PS384, PS512</td><td colspan="1" rowspan="1" 
class="confluenceTd">PrivateKeyJwsSignatureProvider</td><td colspan="1" 
rowspan="1" class="confluenceTd">PublicKeyJwsSignatureVerifier</td></tr><tr><td 
colspan="1" rowspan="1" class="conf
 luenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-3.6"; 
rel="nofollow">None</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">none</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureProvider</td><td colspan="1" rowspan="1" 
class="confluenceTd">NoneJwsSignatureVerifier</td></tr></tbody></table></div><p>Either
 of these providers (except for None) can be initialized with the keys loaded 
from JWK or JCA stores or from the in-memory 
representations.</p><p>RS256/384/512 algorithms are likely to be used most 
often at the moment due to existing JKS stores being available everywhere and a 
relatively easy way of making the public validation keys available. 'None' 
algorithm might be useful when a JWS sequence is subsequently JWE-encrypted or 
when a 2-way TLS (with client and server certificates) is used.</p><h3 
id="JAX-RSJOSE-JWSCompact">JWS Compact</h3><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/
 html/rfc7515#section-3.3" rel="nofollow">JWS Compact representation</a> is the 
most often used JOSE sequence. It is the concatenation of Base64URL-encoded 
sequence if JWS headers (algorithm and other properties),&#160; 
Base64URL-encoded sequence of the actual data being protected and 
Base64URL-encoded sequence of the signature algorithm output bytes.</p><p><a 
shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactProducer.java";
 rel="nofollow">JwsCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsCompactConsumer.java";
 rel="nofollow">JwsCompactConsumer</a> offer a support for producing and 
consuming compact JWS sequences, protecting the data in JSON or non-JSON 
formats.</p><p><a shape="rect" class="external-link" href="https:
 
//github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactProducer.java"
 rel="nofollow">JwsJwtCompactProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJwtCompactConsumer.java";
 rel="nofollow">JwsJwtCompactConsumer</a> are their simple extensions which 
help with processing typed JWT Tokens.</p><p>&#160;For example, here is how an 
<a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.1"; rel="nofollow">Appendix 
A1</a> example can be done in CXF:</p><p>&#160;</p><div class="code panel pdl" 
style="border-width: 1px;"><div class="codeHeader panelHeader pdl" 
style="border-bottom-width: 1px;"><b>CXF JWS Compact HMac</b></div><div 
class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">// Sign
 // Algorithm properties are set in the headers
 JoseHeaders headers = new JoseHeaders();
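Review bot: the JWS provider table and the paragraph after it in this hunk list 'none' / NoneJwsSignatureProvider / NoneJwsSignatureVerifier next to the real algorithms and say the 'None' algorithm might be useful when the JWS is subsequently JWE-encrypted or when 2-way TLS is used, but nothing states whether a consumer that has been given, say, an HmacJwsSignatureVerifier or PublicKeyJwsSignatureVerifier will reject a sequence whose header advertises alg 'none'; one sentence saying that 'none' has to be selected explicitly on the consumer side would stop readers from treating it as a safe default. Also in the same context: "sequence if JWS headers" in the JWS Compact paragraph should read "sequence of JWS headers", and "Either of these providers (except for None)" should read "Any of these providers (except for None)".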
@@ -201,7 +208,31 @@ JwtToken token = jws.getJwtToken();
 JoseHeaders headers = token.getHeaders();
 assertEquals(SignatureAlgorithm.HS256, headers.getAlgorithm());
 validateClaims(token.getClaims());</pre>
-</div></div><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><h3 
id="JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</h3><h2 
id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7516"; 
rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document 
content, and, when applicable, a content encryption key, can be encrypted. For 
example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7516#appendix-A.1"; rel="nofollow">Appendix 
A1</a> shows how the content can be encrypted with a secret key using AesGcm 
with the actual content encryption key being encrypted using 
RSA-OAEP.</p><p>CXF ships JWE related classes in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe";
 rel="nofollow">this package</a> and offers a support for all of JWA <a 
shape="rect" class="external
 -link" href="https://tools.ietf.org/html/rfc7518#section-4"; rel="nofollow">key 
encryption</a> and <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-5"; rel="nofollow">content 
encryption</a> algorithms.</p><h3 
id="JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption 
Providers</h3><p>JWE Encryption process typically involves a content-encryption 
key being generated with this key being subsequently encrypted/wrapped with a 
key known to the consumer. Thus CXF offers the providers for supporting the 
key-encryption algorithms and providers for supporting the content-encryption 
algorithms. Direct key encryption (where the content-encryption key is 
established out of band) is also supported.</p><p><a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionProvider.java";
 rel="nofollow">KeyEncryptionProvider</a> suppo
 rts encrypting a content-encryption key, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionProvider.java";
 rel="nofollow">KeyDecryptionProvider</a> - decrypting it.</p><p>The following 
table shows the key encryption algorithms and the corresponding 
providers:</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>KeyEncryptionProvider</strong></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><strong>KeyDecryptionProvider</strong></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.2"; 
rel="nofollow">RSAES-PKCS1-v1_5</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre>RSAKeyEncryptionAlgorithm</pre></td><td colspan="
 1" rowspan="1" 
class="confluenceTd"><pre>RSAKeyDecryptionAlgorithm</pre></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.3"; 
rel="nofollow">RSAES OAEP</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">RSAKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" 
class="confluenceTd">RSAKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-4.4"; rel="nofollow">AES Key 
Wrap</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">AesKeyWrapEncryptionAlgorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd">AesKeyWrapDecryptionAlgorithm</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.5"; 
rel="nofollow">Direct</a></td><td colspan="1" rowspan="1" class="confluen
 ceTd">DirectKeyEncryptionAlgorithm</td><td colspan="1" rowspan="1" 
class="confluenceTd">DirectKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#page-15"; rel="nofollow">ECDH-ES 
Wrap</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">EcdhAesWrapKeyEncryptionAlgorithm</td><td colspan="1" 
rowspan="1" 
class="confluenceTd">EcdhAesWrapKeyDecryptionAlgorithm</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15"; 
rel="nofollow">ECDH-ES Direct</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><span 
class="pl-en">EcdhDirectKeyJweEncryption</span></td><td colspan="1" rowspan="1" 
class="confluenceTd"><span 
class="pl-en">EcdhDirectKeyJweDecryption</span></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf
 .org/html/rfc7518#section-4.7" rel="nofollow">AES-GCM</a></td><td colspan="1" 
rowspan="1" class="confluenceTd">AesGcmWrapKeyEncryptionAlgorithm</td><td 
colspan="1" rowspan="1" 
class="confluenceTd">AesGcmWrapKeyDecryptionAlgorithm</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8"; 
rel="nofollow">PBES2</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><span 
class="separator">&#160;</span>PbesHmacAesWrapKeyEncryptionAlgorithm</td><td 
colspan="1" rowspan="1" class="confluenceTd"><span 
class="separator">&#160;</span>PbesHmacAesWrapKeyDecryptionAlgorithm</td></tr></tbody></table></div><p>&#160;</p><p><a
 shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionProvider.java";
 rel="nofollow">ContentEncryptionProvider</a> supports encrypting a generated 
content
 -encryption key, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionProvider.java";
 rel="nofollow">ContentDecryptionProvider</a> - decrypting it.</p><p>The 
following table shows the content encryption algorithms and the corresponding 
providers:</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd">&#160;</td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>ContentEncryptionProvider</strong></td><td 
colspan="1" rowspan="1" 
class="confluenceTd"><strong>ContentDecryptionProvider</strong></td></tr><tr><td
 colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.2"; 
rel="nofollow">AES_CBC_HMAC_SHA2</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre>AesCbcHmacJweEncryption</pre></td><td colspan="1" ro
 wspan="1" 
class="confluenceTd"><pre>AesCbcHmacJweDecryption</pre></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.3"; 
rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">AesGcmContentEncryptionAlgorithm</td><td colspan="1" 
rowspan="1" 
class="confluenceTd">AesGcmContentDecryptionAlgorithm</td></tr></tbody></table></div><p>All
 of the above providers can be initialized with the keys loaded from JWK or JCA 
stores or from the in-memory representations.</p><h3 
id="JAX-RSJOSE-JWECompact">JWE Compact</h3><p><a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
 supports encrypting the content, <a shape="rect" class="external-link" 
href="https:
 
//git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD">JweDecryptionProvider</a>
 - decrypting the content. Encryptors and Decryptors for all of JWE algorithms 
are shipped.</p><p>Here is the example of doing AES CBC HMAC and AES Key Wrap 
in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><b>CXF Jwe 
AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
+</div></div><h3 id="JAX-RSJOSE-JWSJSON">JWS JSON</h3><p>While JWS Compact is 
optimized and represents a concatenation of up to 3 Base64URL values, JWS JSON 
is an open JSON container, see <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7515#appendix-A.6"; rel="nofollow">Appendix 
6</a>.</p><p>The most interesting feature of JWS JSON is that allows a content 
be signed for multiple recipients. For example,&#160; the immediate consumer 
will validate a signature with one key, forward the payload to the next 
consumer which will also validate the content with another key, etc. 
&#160;</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsSignatureProvider.java";
 rel="nofollow"></a><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/
 JwsJsonProducer.java" rel="nofollow">JwsJsonProducer</a> and <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/JwsJsonConsumer.java";
 rel="nofollow">JwsJsonConsumer</a> support producing and consuming JWS JSON 
sequences.</p><p>&#160;</p><div class="code panel pdl" style="border-width: 
1px;"><div class="codeHeader panelHeader pdl" style="border-bottom-width: 
1px;"><b>CXF JWS JSON</b></div><div class="codeContent panelContent pdl">
+<pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">JwsJsonProducer producer = new 
JwsJsonProducer(UNSIGNED_PLAIN_JSON_DOCUMENT);
+JwsHeaders headerEntries = new JwsHeaders(SignatureAlgorithm.HS256);
+              
+producer.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY_1, 
SignatureAlgorithm.HS256),
+                  headerEntries);
+producer.signWith(new HmacJwsSignatureProvider(ENCODED_MAC_KEY_2, 
SignatureAlgorithm.HS256),
+                  headerEntries);
+assertEquals(DUAL_SIGNED_JWS_JSON_DOCUMENT, 
producer.getJwsJsonSignedDocument());
+
+JwsJsonConsumer consumer = new JwsJsonConsumer(DUAL_SIGNED_DOCUMENT); 
+JsonWebKeys jwks = readKeySet("jwkPublicJsonConsumerSet.txt");
+        
+List&lt;JwsJsonSignatureEntry&gt; sigEntries = consumer.getSignatureEntries();
+assertEquals(2, sigEntries.size());
+
+// 1st signature
+String firstKid = (String)sigEntries.get(0).getKeyId();
+JsonWebKey rsaKey = jwks.getKey(firstKid);
+assertTrue(sigEntries.get(0).verifySignatureWith(rsaKey));
+// 2nd signature
+String secondKid = (String)sigEntries.get(1).getKeyId();
+JsonWebKey ecKey = jwks.getKey(secondKid);
+assertTrue(sigEntries.get(1).verifySignatureWith(ecKey));</pre>
+</div></div><p>&#160;&#160;&#160;</p><h3 
id="JAX-RSJOSE-JWSwithDetachedContent">JWS with Detached Content</h3><h3 
id="JAX-RSJOSE-JWSwithClearPayload">JWS with Clear Payload</h3><h2 
id="JAX-RSJOSE-JWEEncryption">JWE Encryption</h2><p><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7516"; 
rel="nofollow">JWE</a> (JSON Web Encryption) document describes how a document 
content, and, when applicable, a content encryption key, can be encrypted. For 
example, <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7516#appendix-A.1"; rel="nofollow">Appendix 
A1</a> shows how the content can be encrypted with a secret key using AesGcm 
with the actual content encryption key being encrypted using 
RSA-OAEP.</p><p>CXF ships JWE related classes in <a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/tree/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe";
 rel="nofollow">this package</a> and offers
  a support for all of JWA <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-4"; rel="nofollow">key 
encryption</a> and <a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-5"; rel="nofollow">content 
encryption</a> algorithms.</p><h3 
id="JAX-RSJOSE-KeyandContentEncryptionProviders">Key and Content Encryption 
Providers</h3><p>JWE Encryption process typically involves a content-encryption 
key being generated with this key being subsequently encrypted/wrapped with a 
key known to the consumer. Thus CXF offers the providers for supporting the 
key-encryption algorithms and providers for supporting the content-encryption 
algorithms. Direct key encryption (where the content-encryption key is 
established out of band) is also supported.</p><p><a shape="rect" 
class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyEncryptionProv
 ider.java" rel="nofollow">KeyEncryptionProvider</a> supports encrypting a 
content-encryption key, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/KeyDecryptionProvider.java";
 rel="nofollow">KeyDecryptionProvider</a> - decrypting it.</p><p>The following 
table shows the key encryption algorithms and the corresponding 
prov,iders:</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>JWE Header 'alg'</strong></td><td colspan="1" 
rowspan="1" class="confluenceTd"><strong>KeyEncryptionProvider</strong></td><td 
colspan="1" rowspan="1" 
class="confluenceTd"><strong>KeyDecryptionProvider</strong></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html
 /rfc7518#section-4.2" rel="nofollow">RSAES-PKCS1-v1_5</a></td><td colspan="1" 
rowspan="1" class="confluenceTd"><pre class="newpage">RSA1_5</pre></td><td 
colspan="1" rowspan="1" 
class="confluenceTd"><pre>RSAKeyEncryptionAlgorithm</pre></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><pre>RSAKeyDecryptionAlgorithm</pre></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.3"; 
rel="nofollow">RSAES OAEP</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre class="newpage">RSA-OAEP, RSA-OAEP-256</pre></td><td 
colspan="1" rowspan="1" class="confluenceTd">RSAKeyEncryptionAlgorithm</td><td 
colspan="1" rowspan="1" 
class="confluenceTd">RSAKeyDecryptionAlgorithm</td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-4.4"; rel="nofollow">AES Key 
Wrap</a></td><td colspan="1" rowspan="1" class="
 confluenceTd"><pre class="newpage">A128KW, A192KW, A256KW</pre></td><td 
colspan="1" rowspan="1" 
class="confluenceTd">AesKeyWrapEncryptionAlgorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd">AesKeyWrapDecryptionAlgorithm</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.5"; 
rel="nofollow">Direct</a></td><td colspan="1" rowspan="1" 
class="confluenceTd">dir</td><td colspan="1" rowspan="1" 
class="confluenceTd">DirectKeyEncryptionAlgorithm</td><td colspan="1" 
rowspan="1" class="confluenceTd">DirectKeyDecryptionAlgorithm</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15"; 
rel="nofollow">ECDH-ES Wrap</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre class="newpage">ECDH-ES+A128KW (+A192KW, 
+256KW)</pre></td><td colspan="1" rowspan="1" 
class="confluenceTd">EcdhAesWrapKeyEn
 cryptionAlgorithm</td><td colspan="1" rowspan="1" 
class="confluenceTd">EcdhAesWrapKeyDecryptionAlgorithm</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#page-15"; 
rel="nofollow">ECDH-ES Direct</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre class="newpage">ECDH-ES</pre></td><td colspan="1" 
rowspan="1" class="confluenceTd"><span 
class="pl-en">EcdhDirectKeyJweEncryption</span></td><td colspan="1" rowspan="1" 
class="confluenceTd"><span 
class="pl-en">EcdhDirectKeyJweDecryption</span></td></tr><tr><td colspan="1" 
rowspan="1" class="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-4.7"; 
rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre class="newpage">A128GCMKW, A192GCMKW, 
A256GCMKW</pre></td><td colspan="1" rowspan="1" 
class="confluenceTd">AesGcmWrapKeyEncryptionAlgorithm</td><td colspan="1" rowsp
 an="1" class="confluenceTd">AesGcmWrapKeyDecryptionAlgorithm</td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-4.8"; 
rel="nofollow">PBES2</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre class="newpage">PBES2-HS256+A128KW </pre><pre 
class="newpage">PBES2-HS384+A192KW</pre><pre class="newpage">PBES2-HS512+A256KW 
</pre></td><td colspan="1" rowspan="1" 
class="confluenceTd">PbesHmacAesWrapKeyEncryptionAlgorithm</td><td colspan="1" 
rowspan="1" 
class="confluenceTd">PbesHmacAesWrapKeyDecryptionAlgorithm</td></tr></tbody></table></div><p>&#160;</p><p>RSA-OAEP
 algorithms are likely to be used most often at the moment due to existing JKS 
stores being available everywhere and a relatively easy way of making the 
public validation keys available.</p><p><a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org
 /apache/cxf/rs/security/jose/jwe/ContentEncryptionProvider.java" 
rel="nofollow">ContentEncryptionProvider</a> supports encrypting a generated 
content-encryption key, <a shape="rect" class="external-link" 
href="https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentDecryptionProvider.java";
 rel="nofollow">ContentDecryptionProvider</a> - decrypting it.</p><p>The 
following table shows the content encryption algorithms and the corresponding 
providers:</p><div class="table-wrap"><table 
class="confluenceTable"><tbody><tr><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>Algorithm</strong></td><td colspan="1" rowspan="1" 
class="confluenceTd"><strong>JWE Header 'enc'</strong></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><strong>ContentEncryptionProvider</strong></td><td 
colspan="1" rowspan="1" 
class="confluenceTd"><strong>ContentDecryptionProvider</strong></td></tr><tr><td
 colspan="1" rowspan="1" class
 ="confluenceTd"><a shape="rect" class="external-link" 
href="https://tools.ietf.org/html/rfc7518#section-5.2"; 
rel="nofollow">AES_CBC_HMAC_SHA2</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre class="newpage">A128CBC-HS256(-HS384, 
-HS512)</pre></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre>AesCbcHmacJweEncryption,</pre></td><td colspan="1" 
rowspan="1" 
class="confluenceTd"><pre>AesCbcHmacJweDecryption</pre></td></tr><tr><td 
colspan="1" rowspan="1" class="confluenceTd"><a shape="rect" 
class="external-link" href="https://tools.ietf.org/html/rfc7518#section-5.3"; 
rel="nofollow">AES-GCM</a></td><td colspan="1" rowspan="1" 
class="confluenceTd"><pre class="newpage">A128GCM, A92GCM, 
A256GCM</pre></td><td colspan="1" rowspan="1" 
class="confluenceTd">AesGcmContentEncryptionAlgorithm</td><td colspan="1" 
rowspan="1" 
class="confluenceTd">AesGcmContentDecryptionAlgorithm</td></tr></tbody></table></div><p>All
 of the above providers can be initialized with the keys loaded from
  JWK or JCA stores or from the in-memory representations.</p><h3 
id="JAX-RSJOSE-JWECompact">JWE Compact</h3><p><a shape="rect" 
class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionProvider.java;h=615212b1622abb1c0a8b06a3b5498d8b6199d0cc;hb=HEAD";>JweEncryptionProvider</a>
 supports encrypting the content, <a shape="rect" class="external-link" 
href="https://git-wip-us.apache.org/repos/asf?p=cxf.git;a=blob;f=rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweDecryptionProvider.java;h=1f4861a2d78df5514ff74c40330c1a5f5933f47d;hb=HEAD";>JweDecryptionProvider</a>
 - decrypting the content. Encryptors and Decryptors for all of JWE algorithms 
are shipped.</p><p>Here is the example of doing AES CBC HMAC and AES Key Wrap 
in CXF:</p><div class="code panel pdl" style="border-width: 1px;"><div 
class="codeHeader panelHeader pdl" style="border-bottom-width: 1px;"><
 b>CXF Jwe AesWrapAesCbcHMac</b></div><div class="codeContent panelContent pdl">
 <pre class="brush: java; gutter: false; theme: Default" 
style="font-size:12px;">final String specPlainText = "Live long and prosper.";
         
 byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);
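Review bot: the JWS JSON sample added in this hunk does not round-trip: the producer signs with two HmacJwsSignatureProvider instances (ENCODED_MAC_KEY_1 and ENCODED_MAC_KEY_2, both HS256) and asserts DUAL_SIGNED_JWS_JSON_DOCUMENT, but the consumer is constructed from a differently named DUAL_SIGNED_DOCUMENT and verifies the two entries with an "rsaKey" and an "ecKey" looked up from jwkPublicJsonConsumerSet.txt, and public RSA/EC keys cannot verify HMAC signatures. Either split it into a producer sample and a consumer sample whose keys match, or show the consumer verifying with the same two MAC keys. Because the verification key is chosen by the kid read from each signature entry before that entry has been verified, the text should also say that the JWK set must be a trusted, locally loaded set and that the consumer is expected to check the entry's alg against what it accepts before calling verifySignatureWith. Smaller fixes in the added text: "prov,iders" has a stray comma; "A92GCM" should be "A192GCM"; "+256KW" in the ECDH-ES Wrap row should be "+A256KW"; "AesCbcHmacJweEncryption," carries a trailing comma inside the pre; the RFC 7515 link text "Appendix 6" should be "Appendix A6"; "that allows a content be signed" should read "is that it allows content to be signed"; and the new "JWS with Detached Content" and "JWS with Clear Payload" headings still have no body.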

