Frederik Libert created CXF-8177:
------------------------------------
Summary: JWE API does not support ECDH Direct Encryption/Decryption
Key: CXF-8177
URL: https://issues.apache.org/jira/browse/CXF-8177
Project: CXF
Issue Type: Improvement
Components: JAX-RS Security
Affects Versions: 3.3.4
Reporter: Frederik Libert

Although the Apache CXF implementation of JWE supports ECDH Direct
encryption/decryption, the API is not sufficiently open for it.

A few problems:
* KeyAlgorithm.getAlgorithm(String) does not support parsing ECDH
* EcdhDirectKeyDecryptionAlgorithm is a private inner class so cannot be used
  from the client view perspective (different approach for different
  algorithms, why?)
* EcdhDirectKeyJweDecryption makes an assumption that AES GCM is used without
  verifying (could be AES CBC as well)
* JweUtils.getPrivateKeyDecryptionProvider(PrivateKey,KeyAlgorithm) makes an
  assumption that AESWrap is used in case of an EC Key without verifying the
  KeyAlgorithm (could be Direct as well)

The API should support proper handling of key algorithm between client and
library and should verify what is given as input to decide which key and
content decrypters to use.
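
The header-driven selection the report asks for, as an added example that is not part of the original issue and is not CXF code: it reads "alg" and "enc" from the JWE protected header and picks the key and content handling from an explicit allow-list instead of assuming AESWrap or AES GCM. The class and method names are hypothetical and use only the JDK; the algorithm identifiers are the RFC 7518 ones.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Set;
import java.util.regex.*;
// Added illustration: class and method names are hypothetical, not CXF API.
public class JweAlgorithmDispatch {
    static final Set<String> ECDH_WRAP = Set.of("ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW");
    static final Set<String> GCM = Set.of("A128GCM", "A192GCM", "A256GCM");
    static final Set<String> CBC_HMAC = Set.of("A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512");

    // Minimal string-member lookup for the demo; real code should use a JSON parser.
    static String member(String json, String name) {
        Matcher m = Pattern.compile("\"" + name + "\"\\s*:\\s*\"([^\"]*)\"").matcher(json);
        return m.find() ? m.group(1) : null;
    }

    /** Returns "<key mode>/<content cipher>" or throws if the header names anything unexpected. */
    static String plan(String compactJwe) {
        String[] parts = compactJwe.split("\\.", -1);
        if (parts.length != 5) throw new IllegalArgumentException("not a 5-part compact JWE");
        String header = new String(Base64.getUrlDecoder().decode(parts[0]), StandardCharsets.UTF_8);
        String alg = member(header, "alg");
        String enc = member(header, "enc");
        String keyMode;
        if ("ECDH-ES".equals(alg)) {
            // Direct agreement: the derived key is the CEK, so no wrapped key may be present.
            if (!parts[1].isEmpty()) throw new IllegalArgumentException("ECDH-ES with non-empty encrypted key");
            keyMode = "ECDH_DIRECT";
        } else if (alg != null && ECDH_WRAP.contains(alg)) {
            // Agreement plus AES key wrap: the wrapped CEK must be present.
            if (parts[1].isEmpty()) throw new IllegalArgumentException(alg + " without encrypted key");
            keyMode = "ECDH_AESWRAP";
        } else {
            throw new IllegalArgumentException("unsupported alg: " + alg);
        }
        String cipher;
        if (enc != null && GCM.contains(enc)) cipher = "AES_GCM";
        else if (enc != null && CBC_HMAC.contains(enc)) cipher = "AES_CBC_HMAC";
        else throw new IllegalArgumentException("unsupported enc: " + enc);
        return keyMode + "/" + cipher;
    }

    public static void main(String[] args) {
        // Constructed sample: only the header is real JSON, the other segments are placeholders.
        String hdr = Base64.getUrlEncoder().withoutPadding().encodeToString(
            "{\"alg\":\"ECDH-ES\",\"enc\":\"A128CBC-HS256\"}".getBytes(StandardCharsets.UTF_8));
        System.out.println(plan(hdr + "..iv.ciphertext.tag"));
    }
}
```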