Hi
I've fixed the per-recipient headers issue (for the incoming CXF 3.1.7),
updated the producer and added a missing consumer test for multiple
recipients, see
https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java#L272,
the output is here:
https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java#L98
and the consumer test is here:
https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonConsumerTest.java#L133
Note the reason this test works is here:
https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java#L229
The CEK and IV are indeed shared; I forgot to point it out when
documenting. I'm going to update the docs, but will also look later at how
to avoid having to specify the CEK manually.
Thanks, Sergey
On 19/07/16 11:49, Sergey Beryozkin wrote:
> Hi Ella
> Many thanks for starting to experiment with the JOSE code, and JWE JSON
> in particular, which I'd say is probably the most complex one when we
> talk about multiple recipients.
> Please see comments inline
> On 19/07/16 04:27, Ella Chen wrote:
>> Hi All,
>> When I tried to set up a POC for multiple recipients for JWE by
>> following the example under section "JWE JSON", I went on quite a
>> journey and could not make it work.
>> The first thing that I found was that the example itself never works
>> for the second recipient, for the reasons below:
>> · it generates a different unencrypted CEK for each recipient.
>> However, I think the CEK should be shared across different recipients.
> I think you have identified a design flaw when it comes to supporting
> multiple recipients.
> You are right, the CEK should be shared; ContentEncryptionProvider can be
> initialized with a pre-generated CEK, but I'll need to look at making sure
> it is enforced.
> I have a producer test:
> https://github.com/apache/cxf/blob/master/rt/rs/security/jose-parent/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweJsonProducerTest.java#L270
> This sort of works only because JweJsonProducer assumes the CEK is
> shared when producing the final JWE JSON output sequence, and
> unfortunately a JweJsonConsumer test for multiple recipients is missing.
>> · it didn't have per-recipient headers that allow the decryption
>> side to locate the right "encrypted_key".
>> (https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.4.7)
>> After realizing that, I created a shared unencrypted CEK for both
>> recipients with the method:
>> JweUtils.getContentEncryptionProvider(CONTENT_KEY,
>> ContentAlgorithm.A128GCM);
> Right, I'll need to see if I can enforce it in JweJsonProducer
>> , and tried to set per-recipient headers to identify the recipients
>> (like using "kid") with the method:
>> p.encryptWith(jweList, jweheadersList);
>> // jweheadersList contains per-recipient headers.
>> However, it didn't allow me to do so. The code that I found preventing me
>> from doing so is in class JweJsonProducer, lines 116-117:
>> jsonHeaders = new JweHeaders(unionHeaders.asMap());
>> jsonHeaders.asMap().putAll(perRecipientUnprotected.asMap());
> I see
>> These lines obtain a reference to the map of unionHeaders, and when
>> adding the current recipient's headers to jsonHeaders, as a side effect,
>> unionHeaders is changed as well. And when it tries to check the
>> uniqueness of headers for the second recipient, it fails.
>> Could anybody please advise whether this is the expected behavior? If it
>> is, what is the correct way to make multiple recipients work? If it
>> is not, when can we expect multiple recipients to work?
> Let me address the above issues. I cannot guarantee it will make it
> into CXF 3.1.7, which is coming soon, but I'll work on it and let you
> know once it is fixed
> Thanks again, more feedback is welcome
> Sergey
>> Cheers,
>> Ella
--
Sergey Beryozkin
Talend Community Coders
http://coders.talend.com/
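As an added illustration, not code from CXF, from Sergey's tests or from Ella's POC, the following stand-alone Java program reproduces the two points raised in the thread: the header map aliasing (a holder that keeps a reference to the union's map lets recipient 1's "kid" leak into the union, so recipient 2 fails the uniqueness check, and a detached copy of the map fixes it), and a JWE JSON-style multi-recipient structure in which one CEK and one IV are shared while each recipient entry carries its own "kid" header so the consumer can locate its encrypted_key. The Headers class, the union()/produce()/consume() helpers and the key ids "alice" and "bob" are assumptions made for the demo; it uses only the JDK's javax.crypto (AES-GCM and AES Key Wrap), not the CXF JOSE API.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;

public class MultiRecipientJweDemo {
    // Hypothetical stand-in for a header holder whose asMap() hands out its backing map; not CXF's JweHeaders.
    static final class Headers {
        private final Map<String, Object> map;
        Headers(Map<String, Object> backing) { this.map = backing; }   // keeps the reference, no copy
        Map<String, Object> asMap() { return map; }
    }

    // Builds the effective header set per recipient and rejects a per-recipient header already in the union.
    // aliasing=true merges into a view of the union's own map, so recipient 1's "kid" leaks into the union
    // and recipient 2 is rejected; aliasing=false starts every recipient from a detached copy of the union.
    static List<String> mergeHeaders(Headers union, List<Headers> perRecipient, boolean aliasing) {
        List<String> accepted = new ArrayList<>();
        for (Headers rec : perRecipient) {
            Headers json = aliasing ? new Headers(union.asMap())
                                    : new Headers(new LinkedHashMap<>(union.asMap()));
            for (String name : rec.asMap().keySet()) {
                if (json.asMap().containsKey(name)) {
                    throw new IllegalStateException("duplicate header '" + name + "' for kid " + rec.asMap().get("kid"));
                }
            }
            json.asMap().putAll(rec.asMap());
            accepted.add(String.valueOf(json.asMap().get("kid")));
        }
        return accepted;
    }

    static SecretKey aes128Key() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES"); kg.init(128);
        return kg.generateKey();
    }

    // One CEK and one IV protect the content once; every recipient receives that same CEK
    // wrapped under its own key-encryption key (AES Key Wrap, RFC 3394, "AESWrap" in the JDK).
    static Map<String, Object> produce(byte[] plaintext, Map<String, SecretKey> keks) throws Exception {
        SecretKey cek = aes128Key();
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, cek, new GCMParameterSpec(128, iv));
        byte[] ciphertextAndTag = gcm.doFinal(plaintext);
        List<Map<String, Object>> recipients = new ArrayList<>();
        for (Map.Entry<String, SecretKey> e : keks.entrySet()) {
            Cipher wrap = Cipher.getInstance("AESWrap");
            wrap.init(Cipher.WRAP_MODE, e.getValue());
            Map<String, Object> entry = new LinkedHashMap<>();
            entry.put("header", Collections.singletonMap("kid", e.getKey())); // per-recipient unprotected header
            entry.put("encrypted_key", wrap.wrap(cek));
            recipients.add(entry);
        }
        Map<String, Object> jwe = new LinkedHashMap<>();
        jwe.put("iv", iv);
        jwe.put("ciphertext", ciphertextAndTag);
        jwe.put("recipients", recipients);
        return jwe;
    }

    // The consumer uses its "kid" to find its own encrypted_key, unwraps the shared CEK and decrypts with the shared IV.
    static byte[] consume(Map<String, Object> jwe, String kid, SecretKey kek) throws Exception {
        @SuppressWarnings("unchecked")
        List<Map<String, Object>> recipients = (List<Map<String, Object>>) jwe.get("recipients");
        for (Map<String, Object> entry : recipients) {
            if (!kid.equals(((Map<?, ?>) entry.get("header")).get("kid"))) continue;
            Cipher unwrap = Cipher.getInstance("AESWrap");
            unwrap.init(Cipher.UNWRAP_MODE, kek);
            SecretKey cek = (SecretKey) unwrap.unwrap((byte[]) entry.get("encrypted_key"), "AES", Cipher.SECRET_KEY);
            Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
            gcm.init(Cipher.DECRYPT_MODE, cek, new GCMParameterSpec(128, (byte[]) jwe.get("iv")));
            return gcm.doFinal((byte[]) jwe.get("ciphertext"));
        }
        throw new IllegalArgumentException("no recipient entry carries kid " + kid);
    }

    // Fresh union (shared) headers for each run, so the aliased run's side effect cannot pollute the next run.
    static Headers union() { return new Headers(new LinkedHashMap<>(Collections.singletonMap("enc", "A128GCM"))); }

    public static void main(String[] args) throws Exception {
        List<Headers> perRecipient = Arrays.asList(
                new Headers(new LinkedHashMap<>(Collections.singletonMap("kid", "alice"))),
                new Headers(new LinkedHashMap<>(Collections.singletonMap("kid", "bob"))));
        try {
            mergeHeaders(union(), perRecipient, true);
        } catch (IllegalStateException ex) {
            System.out.println("aliased map: " + ex.getMessage());          // bob is rejected
        }
        System.out.println("copied map: " + mergeHeaders(union(), perRecipient, false)); // [alice, bob]
        Map<String, SecretKey> keks = new LinkedHashMap<>();
        keks.put("alice", aes128Key());
        keks.put("bob", aes128Key());
        Map<String, Object> jwe = produce("hello both".getBytes(StandardCharsets.UTF_8), keks);
        System.out.println(new String(consume(jwe, "bob", keks.get("bob")), StandardCharsets.UTF_8));
    }
}
```

Compile and run with `javac MultiRecipientJweDemo.java && java MultiRecipientJweDemo`. The aliased run reports the duplicate "kid" for bob, the copied run accepts both recipients, and the consumer decrypts as bob using only its own key. The demo keeps the iv, ciphertext and encrypted_key fields as raw byte arrays; a real JWE JSON serialization base64url-encodes them and also binds the protected header into the GCM additional authenticated data, which is left out here to keep the structure visible.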