[
https://issues.apache.org/jira/browse/CXF-8162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh closed CXF-8162.
------------------------------------
> JWE with multiple recipients does not work for AES CBC Encryption
> -----------------------------------------------------------------
>
> Key: CXF-8162
> URL: https://issues.apache.org/jira/browse/CXF-8162
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.3.4
> Reporter: Frederik Libert
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Fix For: 3.4.0, 3.3.5
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When encrypting for multiple recipients, the plaintext, the CEK, JWE
> Initialization Vector, and JWE Protected Header are shared by all recipients
> (which must be the case, since
> the ciphertext and Authentication Tag are also shared).
> The Apache CXF API for encrypting the content with AES GCM allows this by
> initializing a ContentEncryptionProvider of type
> AesGcmContentEncryptionAlgorithm which can be used as reference when
> initializing the list of JweEncryptionProviders (which take a
> KeyEncryptionProvider and an ContentEncryptionProvider).
> When using AES CBC, the API is different.
> The class AesCbcContentEncryptionAlgorithm is a private innerclass of
> JweEncryptionProvider AesCbcHmacJweEncryption so you can't initialize it once
> and reuse it in all JweEncryptionProviders of the list.
> There is a workaround as the API allows to build the CEK and
> InitializationVector yourself (not very nice), the API for AES CBC encryption
> should allow the initialization of the ContentEncryptionProvider from outside
> the JweEncryptionProvider so it can be referenced in all
> JweEncryptionProviders.
> Without that, you can only encrypt for 1 recipient or the validation will
> fail (invalid authentication tag) for all but 1 recipient.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
