[ 
https://issues.apache.org/jira/browse/CXF-8177?focusedWorklogId=361592&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-361592
 ]

ASF GitHub Bot logged work on CXF-8177:
---------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/Dec/19 10:58
            Start Date: 20/Dec/19 10:58
    Worklog Time Spent: 10m 
      Work Description: coheigea commented on pull request #612: CXF-8177 
CXF-8178 ECDH Algorithm Fixes
URL: https://github.com/apache/cxf/pull/612
 
 
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


Issue Time Tracking
-------------------

    Worklog Id:     (was: 361592)
    Time Spent: 20m  (was: 10m)

> JWE API does not support ECDH Direct Encryption/Decryption 
> -----------------------------------------------------------
>
>                 Key: CXF-8177
>                 URL: https://issues.apache.org/jira/browse/CXF-8177
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.3.4
>            Reporter: Frederik Libert
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.4.0, 3.3.5
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Although the Apache CXF implementation of JWE supports ECDH Direct 
> encryption/decryption, the API is not sufficiently open for it.
> A few problems:
>  * KeyAlgorithm.getAlgorithm(String) does not support parsing ECDH
>  * EcdhDirectKeyDecryptionAlgorithm is a private inner class so cannot be used
> from the client view perspective (different approach for different algorithms,
> why?)
>  * EcdhDirectKeyJweDecryption makes an assumption that AES GCM is used 
> without verifying (could be AES CBC as well)
>  * JweUtils.getPrivateKeyDecryptionProvider(PrivateKey,KeyAlgorithm) makes
> an assumption that AESWrap is used in case of an EC Key without verifying the
> KeyAlgorithm (could be Direct as well)
> The API should support proper handling of key algorithm between client and 
> library and should verify what is given as input to decide which key and 
> content decrypters to use.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
