Repository: cxf Updated Branches: refs/heads/3.0.x-fixes e1885f1a2 -> 103a6aef9
[CXF-5954] Completing the initial PbesHmacAesWrap code Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/103a6aef Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/103a6aef Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/103a6aef Branch: refs/heads/3.0.x-fixes Commit: 103a6aef91a0760a4bf78e53c94f5624a0af30f4 Parents: e1885f1 Author: Sergey Beryozkin <sberyoz...@talend.com> Authored: Mon Sep 15 17:30:58 2014 +0100 Committer: Sergey Beryozkin <sberyoz...@talend.com> Committed: Mon Sep 15 17:33:13 2014 +0100 ---------------------------------------------------------------------- .../oauth2/jwe/AbstractJweEncryption.java | 7 +++- .../PbesHmacAesWrapKeyEncryptionAlgorithm.java | 43 +++++++++++--------- .../oauth2/jwe/WrappedKeyJweDecryption.java | 4 +- .../jwt/AbstractJwtObjectReaderWriter.java | 2 +- .../oauth2/jwe/JweCompactReaderWriterTest.java | 17 -------- .../oauth2/jwe/JwePbeHmacAesWrapTest.java | 26 +++++++++++- 6 files changed, 55 insertions(+), 44 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java index 885e29d..cd21354 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/AbstractJweEncryption.java @@ -151,13 +151,16 @@ public abstract class AbstractJweEncryption implements JweEncryptionProvider { String contentEncryptionAlgoJavaName = Algorithm.toJavaName(theHeaders.getContentEncryptionAlgorithm()); KeyProperties keyProps = new KeyProperties(contentEncryptionAlgoJavaName); keyProps.setCompressionSupported(compressionRequired(theHeaders)); - byte[] additionalEncryptionParam = getAAD(theHeaders); - keyProps.setAdditionalData(additionalEncryptionParam); byte[] theIv = contentEncryptionAlgo.getInitVector(); AlgorithmParameterSpec specParams = getAlgorithmParameterSpec(theIv); keyProps.setAlgoSpec(specParams); byte[] jweContentEncryptionKey = getEncryptedContentEncryptionKey(theCek); + + byte[] additionalEncryptionParam = getAAD(theHeaders); + keyProps.setAdditionalData(additionalEncryptionParam); + + JweEncryptionInternal state = new JweEncryptionInternal(); state.theHeaders = theHeaders; state.jweContentEncryptionKey = jweContentEncryptionKey; http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java index 892086e..b5ffa53 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java @@ -81,11 +81,9 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgor @Override public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) { - int keySize = DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt); - byte[] saltInput = createSaltInputValue(keySize); - PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(createShaDigest()); - gen.init(password, saltInput, pbesCount); - byte[] derivedKey = ((KeyParameter) gen.generateDerivedParameters(keySize * 8)).getKey(); + int keySize = getKeySize(keyAlgoJwt); + byte[] saltInput = CryptoUtils.generateSecureRandomBytes(keySize); + byte[] derivedKey = createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount); headers.setHeader("p2s", Base64UrlUtility.encode(saltInput)); headers.setHeader("p2c", Integer.valueOf(pbesCount)); @@ -101,46 +99,51 @@ public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgor }; return aesWrap.getEncryptedContentEncryptionKey(headers, cek); + } - - private Digest createShaDigest() { + static int getKeySize(String keyAlgoJwt) { + return DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt); + } + static byte[] createDerivedKey(String keyAlgoJwt, int keySize, + byte[] password, byte[] saltInput, int pbesCount) { + byte[] saltValue = createSaltValue(keyAlgoJwt, saltInput); + Digest digest = null; int macSigSize = PBES_HMAC_MAP.get(keyAlgoJwt); if (macSigSize == 256) { - return new SHA256Digest(); + digest = new SHA256Digest(); } else if (macSigSize == 384) { - return new SHA384Digest(); + digest = new SHA384Digest(); } else { - return new SHA512Digest(); + digest = new SHA512Digest(); } - - + PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest); + gen.init(password, saltValue, pbesCount); + return ((KeyParameter) gen.generateDerivedParameters(keySize * 8)).getKey(); } - private byte[] createSaltInputValue(int keySize) { + + private static byte[] createSaltValue(String keyAlgoJwt, byte[] saltInput) { byte[] algoBytes = stringToBytes(keyAlgoJwt); - - - byte[] saltInput = CryptoUtils.generateSecureRandomBytes(keySize); - byte[] saltValue = new byte[algoBytes.length + 1 + keySize]; + byte[] saltValue = new byte[algoBytes.length + 1 + saltInput.length]; System.arraycopy(algoBytes, 0, saltValue, 0, algoBytes.length); saltValue[algoBytes.length] = 0; System.arraycopy(saltInput, 0, saltValue, algoBytes.length + 1, saltInput.length); return saltValue; } - private static String validateKeyAlgorithm(String algo) { + static String validateKeyAlgorithm(String algo) { if (!SUPPORTED_ALGORITHMS.contains(algo)) { throw new SecurityException(); } return algo; } - private static int validatePbesCount(int count) { + static int validatePbesCount(int count) { if (count < 1000) { throw new SecurityException(); } return count; } - private static byte[] stringToBytes(String str) { + static byte[] stringToBytes(String str) { try { return str.getBytes("UTF-8"); } catch (UnsupportedEncodingException ex) { http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java index 45164bf..b36585a 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java @@ -41,11 +41,11 @@ public class WrappedKeyJweDecryption extends AbstractJweDecryption { this(new WrappedKeyDecryptionAlgorithm(cekDecryptionKey, unwrap), props, reader); } - public WrappedKeyJweDecryption(WrappedKeyDecryptionAlgorithm keyDecryptionAlgo, + public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo, JweCryptoProperties props, JwtHeadersReader reader) { this(keyDecryptionAlgo, props, reader, new AesGcmContentDecryptionAlgorithm()); } - public WrappedKeyJweDecryption(WrappedKeyDecryptionAlgorithm keyDecryptionAlgo, + public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo, JweCryptoProperties props, JwtHeadersReader reader, ContentDecryptionAlgorithm cipherProps) { super(props, reader, keyDecryptionAlgo, cipherProps); http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java index b525bc2..9d48765 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwt/AbstractJwtObjectReaderWriter.java @@ -178,7 +178,7 @@ public class AbstractJwtObjectReaderWriter { value = valueStr.substring(1, valueStr.length() - 1); } else if ("true".equals(value) || "false".equals(value)) { value = Boolean.valueOf(valueStr); - } + } return value; } http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java index beed021..f59e602 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JweCompactReaderWriterTest.java @@ -205,22 +205,5 @@ public class JweCompactReaderWriterTest extends Assert { } return key; } - - @Test - public void testEncryptDecryptPbesHmacAesWrapA128CBCHS256() throws Exception { - final String specPlainText = "Live long and prosper."; - JweHeaders headers = new JweHeaders(); - headers.setAlgorithm(JwtConstants.PBES2_HS256_A128KW_ALGO); - headers.setContentEncryptionAlgorithm(Algorithm.A128CBC_HS256.getJwtName()); - final String password = "Thus from my lips, by yours, my sin is purged."; - KeyEncryptionAlgorithm keyEncryption = - new PbesHmacAesWrapKeyEncryptionAlgorithm(password, - 4096, - JwtConstants.PBES2_HS256_A128KW_ALGO); - JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(headers, keyEncryption); - String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null); - - System.out.println(jweContent); - } } http://git-wip-us.apache.org/repos/asf/cxf/blob/103a6aef/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java index 9dbd2cf..704f37b 100644 --- a/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java +++ b/rt/rs/security/oauth-parent/oauth2-jwt/src/test/java/org/apache/cxf/rs/security/oauth2/jwe/JwePbeHmacAesWrapTest.java @@ -49,8 +49,30 @@ public class JwePbeHmacAesWrapTest extends Assert { new PbesHmacAesWrapKeyEncryptionAlgorithm(password, JwtConstants.PBES2_HS256_A128KW_ALGO); JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(headers, keyEncryption); String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null); - assertNotNull(jweContent); - + + PbesHmacAesWrapKeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password); + JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption); + String decryptedText = decryption.decrypt(jweContent).getContentText(); + assertEquals(specPlainText, decryptedText); + + } + @Test + public void testEncryptDecryptPbesHmacAesWrapAesGcm() throws Exception { + final String specPlainText = "Live long and prosper."; + JweHeaders headers = new JweHeaders(); + headers.setAlgorithm(JwtConstants.PBES2_HS256_A128KW_ALGO); + headers.setContentEncryptionAlgorithm(Algorithm.A128GCM.getJwtName()); + final String password = "Thus from my lips, by yours, my sin is purged."; + KeyEncryptionAlgorithm keyEncryption = + new PbesHmacAesWrapKeyEncryptionAlgorithm(password, JwtConstants.PBES2_HS256_A128KW_ALGO); + JweEncryptionProvider encryption = + new WrappedKeyJweEncryption(headers, keyEncryption); + String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null); + PbesHmacAesWrapKeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password); + JweDecryptionProvider decryption = new WrappedKeyJweDecryption(keyDecryption, null, null); + String decryptedText = decryption.decrypt(jweContent).getContentText(); + assertEquals(specPlainText, decryptedText); + } }