[ https://issues.apache.org/jira/browse/CXF-8162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh closed CXF-8162.
------------------------------------

> JWE with multiple recipients does not work for AES CBC Encryption
> -----------------------------------------------------------------
>
>                 Key: CXF-8162
>                 URL: https://issues.apache.org/jira/browse/CXF-8162
>             Project: CXF
>          Issue Type: Bug
>          Components: JAX-RS Security
>    Affects Versions: 3.3.4
>            Reporter: Frederik Libert
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.4.0, 3.3.5
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When encrypting for multiple recipients, the plaintext, the CEK, JWE
> Initialization Vector, and JWE Protected Header are shared by all recipients
> (which must be the case, since the ciphertext and Authentication Tag are also
> shared).
>
> The Apache CXF API for encrypting the content with AES GCM allows this by
> initializing a ContentEncryptionProvider of type
> AesGcmContentEncryptionAlgorithm which can be used as reference when
> initializing the list of JweEncryptionProviders (which take a
> KeyEncryptionProvider and a ContentEncryptionProvider).
>
> When using AES CBC, the API is different. The class
> AesCbcContentEncryptionAlgorithm is a private inner class of the
> JweEncryptionProvider AesCbcHmacJweEncryption, so you can't initialize it once
> and reuse it in all JweEncryptionProviders of the list.
>
> There is a workaround, as the API allows you to build the CEK and
> Initialization Vector yourself (not very nice), but the API for AES CBC
> encryption should allow the initialization of the ContentEncryptionProvider
> from outside the JweEncryptionProvider so it can be referenced in all
> JweEncryptionProviders.
>
> Without that, you can only encrypt for 1 recipient or the validation will
> fail (invalid authentication tag) for all but 1 recipient.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
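Added example (editor's illustration, not code from the issue or from Apache CXF): why the report's last sentence holds. In A128CBC-HS256 (RFC 7518 section 5.2.2.1) the authentication tag is an HMAC-SHA-256 over AAD || IV || ciphertext || AL, keyed with the first half of the CEK, so every recipient must be handed the same CEK or the shared tag verifies for one recipient only. The header, IV, keys and ciphertext below are constructed values; the AES-CBC ciphertext is a stand-in byte string, since only the MAC side is needed to show the failure mode.

```python
import base64
import hashlib
import hmac
import struct

# Constructed keys (not real CXF or test-vector material): the sender's CEK, and
# two others standing in for CEKs generated independently per recipient, which is
# what happens when each AesCbcHmacJweEncryption instance makes its own key.
SENDER_CEK = bytes(range(32))
RECIPIENT2_OWN_CEK = bytes(range(32, 64))
RECIPIENT3_OWN_CEK = bytes(range(64, 96))


def jwe_aad(protected_header_json: bytes) -> bytes:
    """Additional Authenticated Data per RFC 7516: ASCII(BASE64URL(UTF8(header)))."""
    return base64.urlsafe_b64encode(protected_header_json).rstrip(b"=")


def a128cbc_hs256_tag(cek: bytes, aad: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Return the 16-byte A128CBC-HS256 authentication tag (RFC 7518 5.2.2.1).

    MAC_KEY is the first 16 bytes of the 256-bit CEK; the second 16 bytes are
    ENC_KEY, the AES-CBC key, which this MAC-only example does not use.
    AL is the AAD length in bits as a 64-bit big-endian integer, and the tag is
    the first half of HMAC-SHA-256(MAC_KEY, AAD || IV || ciphertext || AL).
    """
    if len(cek) != 32:
        raise ValueError("A128CBC-HS256 requires a 256-bit CEK")
    if len(iv) != 16:
        raise ValueError("A128CBC-HS256 requires a 128-bit IV")
    mac_key = cek[:16]
    al = struct.pack(">Q", len(aad) * 8)
    mac = hmac.new(mac_key, aad + iv + ciphertext + al, hashlib.sha256).digest()
    return mac[:16]


def recipient_accepts(recipient_cek: bytes, aad: bytes, iv: bytes,
                      ciphertext: bytes, tag: bytes) -> bool:
    """A recipient recomputes the tag with the CEK it unwrapped and compares in constant time."""
    expected = a128cbc_hs256_tag(recipient_cek, aad, iv, ciphertext)
    return hmac.compare_digest(expected, tag)


def validation_results(recipient_ceks):
    """Build one shared JWE body from the first CEK (the sender's), then report
    which recipients' CEKs validate the shared tag."""
    header = b'{"enc":"A128CBC-HS256"}'                            # constructed protected header
    aad = jwe_aad(header)
    iv = bytes.fromhex("000102030405060708090a0b0c0d0e0f")         # constructed, shared by all
    ciphertext = bytes.fromhex("ab" * 48)                          # constructed stand-in, 3 CBC blocks
    tag = a128cbc_hs256_tag(recipient_ceks[0], aad, iv, ciphertext)
    return [recipient_accepts(cek, aad, iv, ciphertext, tag) for cek in recipient_ceks]


def shared_cek_case():
    """Correct multi-recipient JWE: one CEK, wrapped separately for each recipient."""
    return validation_results([SENDER_CEK, SENDER_CEK, SENDER_CEK])


def per_recipient_cek_case():
    """The reported failure mode: each recipient's provider generated its own CEK."""
    return validation_results([SENDER_CEK, RECIPIENT2_OWN_CEK, RECIPIENT3_OWN_CEK])


if __name__ == "__main__":
    print("shared CEK:       ", shared_cek_case())
    print("per-recipient CEK:", per_recipient_cek_case())
```

Running the block prints all-True for the shared CEK and True only for the first recipient otherwise, which is the "invalid authentication tag for all but 1 recipient" symptom the report describes. The same dependency exists in the GCM case, which is why CXF's AES GCM API lets the single AesGcmContentEncryptionAlgorithm instance be referenced by every JweEncryptionProvider in the list.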