[CXF-6972] Avoiding unnecessary CEK Cipher creation for 2nd or higher recipient
Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/8993a3d7 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/8993a3d7 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/8993a3d7 Branch: refs/heads/master-jaxrs-2.1 Commit: 8993a3d7c96df930ec749750e031d7455238f512 Parents: c7ebda6 Author: Sergey Beryozkin <[email protected]> Authored: Wed Jul 20 22:02:32 2016 +0300 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Jul 20 22:44:13 2016 +0300 ---------------------------------------------------------------------- .../jose/jwe/AbstractJweEncryption.java | 22 ++++++++++++-------- .../security/jose/jwe/JweEncryptionInput.java | 7 +++++++ .../rs/security/jose/jwe/JweJsonProducer.java | 1 + 3 files changed, 21 insertions(+), 9 deletions(-) ----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/8993a3d7/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
index a7117ff..0260f70 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractJweEncryption.java
@@ -106,15 +106,19 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider {
 AuthenticationTagProducer authTagProducer = null;
 byte[] cipher = null;
 byte[] authTag = null;
- if (jweInput.getContent() == null) {
- c = CryptoUtils.initCipher(createCekSecretKey(state), state.keyProps,
- Cipher.ENCRYPT_MODE);
- authTagProducer = getAuthenticationTagProducer(state);
- } else {
- byte[] encryptedContent = encryptInternal(state, jweInput.getContent());
- cipher = getActualCipher(encryptedContent);
- authTag = getAuthenticationTag(state, encryptedContent);
- }
+ if (jweInput.isContentEncryptionRequired()) {
+ if (jweInput.getContent() == null) {
+ // Streaming
+ c = CryptoUtils.initCipher(createCekSecretKey(state), state.keyProps,
+ Cipher.ENCRYPT_MODE);
+ authTagProducer = getAuthenticationTagProducer(state);
+ } else {
+ byte[] encryptedContent = encryptInternal(state, jweInput.getContent());
+ cipher = getActualCipher(encryptedContent);
+ authTag = getAuthenticationTag(state, encryptedContent);
+ }
+ }
+ // else only CEK is encrypted
 return new JweEncryptionOutput(c,
 state.theHeaders,
 state.jweContentEncryptionKey,
http://git-wip-us.apache.org/repos/asf/cxf/blob/8993a3d7/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java
index a1336ca..10cff80 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweEncryptionInput.java
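Review bot: When `isContentEncryptionRequired()` is false, the AbstractJweEncryption hunk falls through to `new JweEncryptionOutput(...)` with `c`, `authTagProducer`, `cipher` and `authTag` all still null, so the result carries no ciphertext and no authentication tag, and nothing on it marks it as a key-wrap-only result. That matches the stated purpose (second and later recipients), but a caller that clears the flag while content is still set would have the payload dropped without any error. I would fail closed on that combination before the new `if`, e.g. `if (!jweInput.isContentEncryptionRequired() && jweInput.getContent() != null) { throw new IllegalStateException("content set but content encryption disabled"); }` (or the module's own JWE exception type), and expand `// else only CEK is encrypted` to say that the returned output then has a null cipher, encrypted content and tag. The method starts and ends outside this hunk, so whether the state built earlier reuses the first recipient's CEK cannot be confirmed from here.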
@@ -24,6 +24,7 @@ public class JweEncryptionInput { private byte[] iv; private byte[] aad; private byte[] content; + private boolean contentEncryptionRequired = true; public JweEncryptionInput() { } @@ -87,4 +88,10 @@ public class JweEncryptionInput { public void setContent(byte[] content) { this.content = content; } + public boolean isContentEncryptionRequired() { + return contentEncryptionRequired; + } + public void setContentEncryptionRequired(boolean required) { + this.contentEncryptionRequired = required; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/8993a3d7/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java index 3a3d745..4e8cf71 100644 --- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java +++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducer.java @@ -123,6 +123,7 @@ public class JweJsonProducer { JweEncryptionInput input = createEncryptionInput(jsonHeaders); if (i > 0) { input.setContent(null); + input.setContentEncryptionRequired(false); } JweEncryptionOutput state = encryptor.getEncryptionOutput(input); byte[] currentCipherText = state.getEncryptedContent();
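Review bot: `setContentEncryptionRequired(boolean)` in the second JweEncryptionInput hunk is a public switch that turns off payload encryption and authentication-tag generation for this input, and it is added without Javadoc. The default of `true` on the new field is the safe one, but the setter should say when `false` is legitimate, for example `/** Set to false only for the second and later recipients of a JWE JSON serialization, whose content was already encrypted for the first recipient; the resulting output has no ciphertext or authentication tag. */`. `isContentEncryptionRequired()` deserves a matching one-line description.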
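Review bot: In the `i > 0` branch of JweJsonProducer, `input.setContent(null)` and `input.setContentEncryptionRequired(false)` only make sense as a pair, and a later edit that drops either one changes what gets encrypted without raising any error. The next lines read `state.getEncryptedContent()` for every recipient, and for recipients after the first that value is expected to be null; the code that consumes it lies outside the hunk, so it should be confirmed that a null never replaces the ciphertext, IV or tag produced for recipient 0 and that `createEncryptionInput(jsonHeaders)` hands every recipient the same CEK. I would add a comment on the branch such as `// recipients after the first only get the CEK wrapped; ciphertext, IV and tag come from recipient 0`, and a test that builds a two-recipient JWE and decrypts it with each recipient's key.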
