[ https://issues.apache.org/jira/browse/CXF-8177?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Colm O hEigeartaigh closed CXF-8177.
------------------------------------

> JWE API does not support ECDH Direct Encryption/Decryption 
> -----------------------------------------------------------
>
>                 Key: CXF-8177
>                 URL: https://issues.apache.org/jira/browse/CXF-8177
>             Project: CXF
>          Issue Type: Improvement
>          Components: JAX-RS Security
>    Affects Versions: 3.3.4
>            Reporter: Frederik Libert
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>             Fix For: 3.4.0, 3.3.5
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Although the Apache CXF implementation of JWE supports ECDH Direct 
> encryption/decryption, the API is not sufficiently open for it.
> A few problems:
>  * KeyAlgorithm.getAlgorithm(String) does not support parsing ECDH
>  * EcdhDirectKeyDecryptionAlgorithm is a private inner class so cannot be used 
> from the client view perspective (different approach for different algorithms, 
> why?)
>  * EcdhDirectKeyJweDecryption makes an assumption that AES GCM is used 
> without verifying (could be AES CBC as well)
>  * JweUtils.getPrivateKeyDecryptionProvider(PrivateKey,KeyAlgorithm) makes 
> an assumption that AESWrap is used in case of an EC Key without verifying the 
> KeyAlgorithm (could be Direct as well)
> The API should support proper handling of key algorithm between client and 
> library and should verify what is given as input to decide which key and 
> content decrypters to use.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
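
The check the issue asks for, as an added example that is not CXF code and not part of the original report: it picks the ECDH-ES mode and derived key length from the header's `alg` and `enc` values as defined in RFC 7518, instead of assuming AES GCM or AES Key Wrap. The function names and `SAMPLE_Z` are hypothetical, and `apu`/`apv` are assumed to be already base64url-decoded.

```python
import hashlib
import struct

# Content-encryption key sizes in bits per "enc" value (RFC 7518, section 5.1).
ENC_KEY_BITS = {
    "A128GCM": 128, "A192GCM": 192, "A256GCM": 256,
    "A128CBC-HS256": 256, "A192CBC-HS384": 384, "A256CBC-HS512": 512,
}
# AES Key Wrap key sizes in bits for the ECDH-ES+AxxxKW "alg" values (section 4.6).
WRAP_KEY_BITS = {"ECDH-ES+A128KW": 128, "ECDH-ES+A192KW": 192, "ECDH-ES+A256KW": 256}


def select_ecdh_mode(header):
    """Return (mode, kdf_algorithm_id, key_bits) from the header's alg and enc."""
    alg, enc = header.get("alg"), header.get("enc")
    if enc not in ENC_KEY_BITS:
        raise ValueError("unsupported enc: %r" % (enc,))
    if alg == "ECDH-ES":
        # Direct: the derived key is the CEK, so enc fixes both the KDF
        # AlgorithmID and the key length (GCM and CBC-HMAC differ).
        return "direct", enc, ENC_KEY_BITS[enc]
    if alg in WRAP_KEY_BITS:
        # Key wrap: the derived key only unwraps the CEK carried in the token.
        return "wrap", alg, WRAP_KEY_BITS[alg]
    raise ValueError("not an ECDH-ES key algorithm: %r" % (alg,))


def concat_kdf(z, algorithm_id, key_bits, apu=b"", apv=b""):
    """Single-hash Concat KDF with SHA-256 (RFC 7518, section 4.6.2)."""
    def lp(data):  # 32-bit big-endian length prefix
        return struct.pack(">I", len(data)) + data
    other_info = (lp(algorithm_id.encode("ascii")) + lp(apu) + lp(apv)
                  + struct.pack(">I", key_bits))
    out, counter = b"", 1
    while len(out) * 8 < key_bits:
        out += hashlib.sha256(struct.pack(">I", counter) + z + other_info).digest()
        counter += 1
    return out[: key_bits // 8]


def derive_key(header, z, apu=b"", apv=b""):
    """Derive the key that the header's alg/enc pair calls for; never assume one."""
    mode, algorithm_id, key_bits = select_ecdh_mode(header)
    return mode, concat_kdf(z, algorithm_id, key_bits, apu, apv)


# Constructed sample: a fixed 32-byte stand-in for the ECDH shared secret Z.
SAMPLE_Z = bytes(range(32))
```

With the same shared secret, `ECDH-ES` with `A128GCM` and `ECDH-ES` with `A128CBC-HS256` yield keys of different length and value, which is why a decryptor that assumes GCM cannot handle a CBC token.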
