Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 184f5126d -> 0e01cb7bc
Supporting Colm's refactoring related to EC JWS keys at JweUtils level too Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/0e01cb7b Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/0e01cb7b Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/0e01cb7b Branch: refs/heads/3.0.x-fixes Commit: 0e01cb7bc27a21e72c7029998717a36ee95f7024 Parents: 184f512 Author: Sergey Beryozkin <sberyoz...@talend.com> Authored: Wed Apr 29 10:52:15 2015 +0100 Committer: Sergey Beryozkin <sberyoz...@talend.com> Committed: Wed Apr 29 10:54:39 2015 +0100 ---------------------------------------------------------------------- .../jwe/EcdhAesWrapKeyEncryptionAlgorithm.java | 6 ++++ .../jose/jwe/EcdhDirectKeyJweEncryption.java | 12 ++++++- .../cxf/rs/security/jose/jwe/JweUtils.java | 36 +++++++++++--------- 3 files changed, 36 insertions(+), 18 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/0e01cb7b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java index c61f102..524a135 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhAesWrapKeyEncryptionAlgorithm.java @@ -40,6 +40,12 @@ public class EcdhAesWrapKeyEncryptionAlgorithm implements KeyEncryptionProvider public EcdhAesWrapKeyEncryptionAlgorithm(ECPublicKey peerPublicKey, String curve, + KeyAlgorithm keyAlgo) { + + this(peerPublicKey, curve, null, null, keyAlgo); + } + public EcdhAesWrapKeyEncryptionAlgorithm(ECPublicKey peerPublicKey, + String curve, String apuString, String apvString, KeyAlgorithm keyAlgo) { http://git-wip-us.apache.org/repos/asf/cxf/blob/0e01cb7b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java index fe01883..c1e3eef 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/EcdhDirectKeyJweEncryption.java @@ -77,7 +77,9 @@ public class EcdhDirectKeyJweEncryption extends JweEncryption { this.ctAlgo = ctAlgo; this.peerPublicKey = peerPublicKey; this.ecurve = curve; - this.apuBytes = toBytes(apuString); + // JWA spec suggests the "apu" field MAY either be omitted or + // represent a random 512-bit value (...) and the "apv" field SHOULD NOT be present." + this.apuBytes = toApuBytes(apuString); this.apvBytes = toBytes(apvString); } public byte[] getDerivedKey(JweHeaders headers) { @@ -94,6 +96,14 @@ public class EcdhDirectKeyJweEncryption extends JweEncryption { jwtAlgo.getJwaName(), jwtAlgo.getKeySizeBits()); } + private byte[] toApuBytes(String apuString) { + if (apuString != null) { + return toBytes(apuString); + } else { + return CryptoUtils.generateSecureRandomBytes(512 / 8); + } + + } private byte[] toBytes(String str) { return str == null ? null : StringUtils.toBytesUTF8(str); } http://git-wip-us.apache.org/repos/asf/cxf/blob/0e01cb7b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java index 119fcb6..c4d4764 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/JweUtils.java @@ -96,8 +96,8 @@ public final class JweUtils { JweEncryptionProvider jwe = getDirectKeyJweEncryption(key); return jwe.encrypt(content, toJweHeaders(ct)); } - public static byte[] decrypt(RSAPrivateKey key, String keyAlgo, String contentAlgo, String content) { - KeyDecryptionAlgorithm keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(key, keyAlgo); + public static byte[] decrypt(PrivateKey key, String keyAlgo, String contentAlgo, String content) { + KeyDecryptionAlgorithm keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm(key, keyAlgo); return decrypt(keyDecryptionProvider, contentAlgo, content); } public static byte[] decrypt(SecretKey key, String keyAlgo, String contentAlgo, String content) { @@ -133,7 +133,9 @@ public final class JweUtils { keyEncryptionProvider = getSecretKeyEncryptionAlgorithm(JwkUtils.toSecretKey(jwk), keyEncryptionAlgo); } else { - // TODO: support elliptic curve keys + keyEncryptionProvider = new EcdhAesWrapKeyEncryptionAlgorithm(JwkUtils.toECPublicKey(jwk), + jwk.getStringProperty(JsonWebKey.EC_CURVE), + KeyAlgorithm.getAlgorithm(keyEncryptionAlgo)); } return keyEncryptionProvider; } @@ -156,18 +158,23 @@ public final class JweUtils { String keyEncryptionAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : jwk.getAlgorithm(); KeyDecryptionAlgorithm keyDecryptionProvider = null; if (JsonWebKey.KEY_TYPE_RSA.equals(jwk.getKeyType())) { - keyDecryptionProvider = getRSAKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk), + keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm(JwkUtils.toRSAPrivateKey(jwk), keyEncryptionAlgo); } else if (JsonWebKey.KEY_TYPE_OCTET.equals(jwk.getKeyType())) { keyDecryptionProvider = getSecretKeyDecryptionAlgorithm(JwkUtils.toSecretKey(jwk), keyEncryptionAlgo); } else { - // TODO: support elliptic curve keys + keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm(JwkUtils.toECPrivateKey(jwk), + keyEncryptionAlgo); } return keyDecryptionProvider; } - public static KeyDecryptionAlgorithm getRSAKeyDecryptionAlgorithm(RSAPrivateKey key, String algo) { - return new RSAKeyDecryptionAlgorithm(key, KeyAlgorithm.getAlgorithm(algo)); + public static KeyDecryptionAlgorithm getPrivateKeyDecryptionAlgorithm(PrivateKey key, String algo) { + if (key instanceof RSAPrivateKey) { + return new RSAKeyDecryptionAlgorithm((RSAPrivateKey)key, KeyAlgorithm.getAlgorithm(algo)); + } else { + return new EcdhAesWrapKeyDecryptionAlgorithm((ECPrivateKey)key, KeyAlgorithm.getAlgorithm(algo)); + } } public static KeyDecryptionAlgorithm getSecretKeyDecryptionAlgorithm(SecretKey key, String algo) { if (AlgorithmUtils.isAesKeyWrap(algo)) { @@ -327,12 +334,8 @@ public final class JweUtils { KeyManagementUtils.validateCertificateChain(props, chain); PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, chain, JsonWebKey.KEY_OPER_DECRYPT); - if (!(privateKey instanceof RSAPrivateKey)) { - LOG.warning("Non-RSA private keys are not yet supported for encryption"); - return null; - } contentEncryptionAlgo = inHeaders.getContentEncryptionAlgorithm(); - keyDecryptionProvider = getRSAKeyDecryptionAlgorithm((RSAPrivateKey)privateKey, + keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm(privateKey, inHeaders.getKeyEncryptionAlgorithm()); } else { if (JwkUtils.JWK_KEY_STORE_TYPE.equals(props.get(KeyManagementUtils.RSSEC_KEY_STORE_TYPE))) { @@ -346,9 +349,8 @@ public final class JweUtils { keyDecryptionProvider = getKeyDecryptionAlgorithm(jwk, keyEncryptionAlgo); } } else { - keyDecryptionProvider = getRSAKeyDecryptionAlgorithm( - (RSAPrivateKey)KeyManagementUtils.loadPrivateKey( - m, props, JsonWebKey.KEY_OPER_DECRYPT), keyEncryptionAlgo); + keyDecryptionProvider = getPrivateKeyDecryptionAlgorithm( + KeyManagementUtils.loadPrivateKey(m, props, JsonWebKey.KEY_OPER_DECRYPT), keyEncryptionAlgo); } } return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, contentEncryptionAlgo); @@ -405,10 +407,10 @@ public final class JweUtils { getContentEncryptionAlgorithm(contentEncryptionAlgo)); } } - public static JweDecryptionProvider createJweDecryptionProvider(RSAPrivateKey key, + public static JweDecryptionProvider createJweDecryptionProvider(PrivateKey key, String keyAlgo, String contentDecryptionAlgo) { - return createJweDecryptionProvider(getRSAKeyDecryptionAlgorithm(key, keyAlgo), contentDecryptionAlgo); + return createJweDecryptionProvider(getPrivateKeyDecryptionAlgorithm(key, keyAlgo), contentDecryptionAlgo); } public static JweDecryptionProvider createJweDecryptionProvider(SecretKey key, String keyAlgo,