http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionState.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionState.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionState.java
deleted file mode 100644
index 9397549..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweEncryptionState.java
+++ /dev/null
@@ -1,63 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import javax.crypto.Cipher;
-
-public class JweEncryptionState {
- private Cipher cipher;
- private JweHeaders headers;
- private byte[] contentEncryptionKey;
- private byte[] iv;
- private boolean compressionSupported;
- private AuthenticationTagProducer authTagProducer;
-
- public JweEncryptionState(Cipher cipher,
- JweHeaders headers,
- byte[] contentEncryptionKey,
- byte[] iv,
- AuthenticationTagProducer authTagProducer,
- boolean compressionSupported) {
- this.cipher = cipher;
- this.headers = headers;
- this.contentEncryptionKey = contentEncryptionKey;
- this.iv = iv;
- this.authTagProducer = authTagProducer;
- this.compressionSupported = compressionSupported;
- }
- public Cipher getCipher() {
- return cipher;
- }
- public JweHeaders getHeaders() {
- return headers;
- }
- public byte[] getContentEncryptionKey() {
- return contentEncryptionKey;
- }
- public byte[] getIv() {
- return iv;
- }
- public boolean isCompressionSupported() {
- return compressionSupported;
- }
- public AuthenticationTagProducer getAuthTagProducer() {
- return authTagProducer;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweHeaders.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweHeaders.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweHeaders.java
deleted file mode 100644
index bb956e1..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweHeaders.java
+++ /dev/null
@@ -1,102 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.UnsupportedEncodingException;
-import java.util.Map;
-
-import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-
-
-
-
-public class JweHeaders extends JwtHeaders {
-
- public JweHeaders() {
- }
-
- public JweHeaders(Map<String, Object> values) {
- super(values);
- }
- public JweHeaders(String keyEncAlgo, String ctEncAlgo) {
- this(keyEncAlgo, ctEncAlgo, false);
- }
- public JweHeaders(String ctEncAlgo) {
- this(null, ctEncAlgo, false);
- }
- public JweHeaders(String ctEncAlgo, boolean deflate) {
- this(null, ctEncAlgo, deflate);
- }
- public JweHeaders(String keyEncAlgo, String ctEncAlgo, boolean deflate) {
- init(keyEncAlgo, ctEncAlgo, deflate);
- }
- private void init(String keyEncAlgo, String ctEncAlgo, boolean deflate) {
- if (keyEncAlgo != null) {
- setKeyEncryptionAlgorithm(keyEncAlgo);
- }
- setContentEncryptionAlgorithm(ctEncAlgo);
- if (deflate) {
- setZipAlgorithm(JwtConstants.DEFLATE_ZIP_ALGORITHM);
- }
- }
-
- public void setKeyEncryptionAlgorithm(String type) {
- super.setAlgorithm(type);
- }
-
- public String getKeyEncryptionAlgorithm() {
- return super.getAlgorithm();
- }
-
- public void setContentEncryptionAlgorithm(String type) {
- setHeader(JwtConstants.JWE_HEADER_CONTENT_ENC_ALGORITHM, type);
- }
-
- public String getContentEncryptionAlgorithm() {
- return (String)getHeader(JwtConstants.JWE_HEADER_CONTENT_ENC_ALGORITHM);
- }
-
- public void setZipAlgorithm(String type) {
- setHeader(JwtConstants.JWE_HEADER_ZIP_ALGORITHM, type);
- }
-
- public String getZipAlgorithm() {
- return (String)getHeader(JwtConstants.JWE_HEADER_ZIP_ALGORITHM);
- }
-
- @Override
- public JwtHeaders setHeader(String name, Object value) {
- return (JwtHeaders)super.setHeader(name, value);
- }
- public byte[] toCipherAdditionalAuthData(JwtHeadersWriter writer) {
- return toCipherAdditionalAuthData(writer.headersToJson(this));
- }
- public static byte[] toCipherAdditionalAuthData(String headersJson) {
- try {
- String base64UrlHeadersInJson = Base64UrlUtility.encode(headersJson.getBytes("UTF-8"));
- return base64UrlHeadersInJson.getBytes("US-ASCII");
- } catch (UnsupportedEncodingException ex) {
- throw new RuntimeException(ex);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweOutputStream.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweOutputStream.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweOutputStream.java
deleted file mode 100644
index ff6f0bd..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/JweOutputStream.java
+++ /dev/null
@@ -1,145 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.FilterOutputStream;
-import java.io.IOException;
-import java.io.OutputStream;
-import java.nio.ByteBuffer;
-
-import javax.crypto.Cipher;
-
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-
-public class JweOutputStream extends FilterOutputStream {
- private Cipher encryptingCipher;
- private int blockSize;
- private AuthenticationTagProducer authTagProducer;
- private byte[] lastRawDataChunk;
- private byte[] lastEncryptedDataChunk;
- private boolean flushed;
- public JweOutputStream(OutputStream out,
- Cipher encryptingCipher,
- AuthenticationTagProducer authTagProducer) {
- super(out);
- this.encryptingCipher = encryptingCipher;
- this.blockSize = encryptingCipher.getBlockSize();
- this.authTagProducer = authTagProducer;
- }
-
- @Override
- public void write(int value) throws IOException {
- byte[] bytes = ByteBuffer.allocate(Integer.SIZE / 8).putInt(value).array();
- write(bytes, 0, bytes.length);
- }
-
- @Override
- public void write(byte b[], int off, int len) throws IOException {
- if (lastRawDataChunk != null) {
- int remaining = blockSize - lastRawDataChunk.length;
- int lenToCopy = remaining < len ? remaining : len;
- lastRawDataChunk = newArray(lastRawDataChunk, 0, lastRawDataChunk.length, b, off, lenToCopy);
- off = off + lenToCopy;
- len -= lenToCopy;
- if (lastRawDataChunk.length < blockSize) {
- return;
- } else {
- encryptAndWrite(lastRawDataChunk, 0, lastRawDataChunk.length);
- lastRawDataChunk = null;
- }
- }
- int offset = 0;
- int chunkSize = blockSize > len ? blockSize : blockSize * (len / blockSize);
- for (; offset + chunkSize <= len; offset += chunkSize, off += chunkSize) {
- encryptAndWrite(b, off, chunkSize);
- }
- if (offset < len) {
- lastRawDataChunk = newArray(b, off, len - offset);
- }
-
- }
-
- private void encryptAndWrite(byte[] chunk, int off, int len) throws IOException {
- byte[] encrypted = encryptingCipher.update(chunk, off, len);
- if (authTagProducer != null) {
- authTagProducer.update(encrypted, 0, encrypted.length);
- }
- encodeAndWrite(encrypted, 0, encrypted.length, false);
- }
- private void encodeAndWrite(byte[] encryptedChunk, int off, int len, boolean finalWrite) throws IOException {
- byte[] theChunk = lastEncryptedDataChunk;
- int lenToEncode = len;
- if (theChunk != null) {
- theChunk = newArray(theChunk, 0, theChunk.length, encryptedChunk, off, len);
- lenToEncode = theChunk.length;
- off = 0;
- } else {
- theChunk = encryptedChunk;
- }
- int rem = finalWrite ? 0 : lenToEncode % 3;
- Base64UrlUtility.encodeAndStream(theChunk, off, lenToEncode - rem, out);
-
- if (rem > 0) {
- lastEncryptedDataChunk = newArray(theChunk, lenToEncode - rem, rem);
- } else {
- lastEncryptedDataChunk = null;
- }
- }
-
- @Override
- public void flush() throws IOException {
- if (flushed) {
- return;
- }
- try {
- byte[] finalBytes = lastRawDataChunk == null
- ? encryptingCipher.doFinal()
- : encryptingCipher.doFinal(lastRawDataChunk, 0, lastRawDataChunk.length);
- final int authTagLengthBits = 128;
- if (authTagProducer != null) {
- authTagProducer.update(finalBytes, 0, finalBytes.length);
- encodeAndWrite(finalBytes, 0, finalBytes.length, true);
- } else {
- encodeAndWrite(finalBytes, 0, finalBytes.length - authTagLengthBits / 8, true);
- }
- out.write(new byte[]{'.'});
-
- if (authTagProducer == null) {
- encodeAndWrite(finalBytes, finalBytes.length - authTagLengthBits / 8, authTagLengthBits / 8, true);
- } else {
- byte[] authTag = authTagProducer.getTag();
- encodeAndWrite(authTag, 0, authTagLengthBits / 8, true);
- }
- } catch (Exception ex) {
- throw new SecurityException();
- }
- flushed = true;
- }
- private byte[] newArray(byte[] src, int srcPos, int srcLen) {
- byte[] buf = new byte[srcLen];
- System.arraycopy(src, srcPos, buf, 0, srcLen);
- return buf;
- }
- private byte[] newArray(byte[] src, int srcPos, int srcLen, byte[] src2, int srcPos2, int srcLen2) {
- byte[] buf = new byte[srcLen + srcLen2];
- System.arraycopy(src, srcPos, buf, 0, srcLen);
- System.arraycopy(src2, srcPos2, buf, srcLen, srcLen2);
- return buf;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyDecryptionAlgorithm.java
deleted file mode 100644
index d58e295..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-
-public interface KeyDecryptionAlgorithm {
- byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyEncryptionAlgorithm.java
deleted file mode 100644
index 55c066e..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/KeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,24 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-
-public interface KeyEncryptionAlgorithm {
- byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
deleted file mode 100644
index 22eba6d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,54 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-
-public class PbesHmacAesWrapKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
- private byte[] password;
- public PbesHmacAesWrapKeyDecryptionAlgorithm(String password) {
- this(PbesHmacAesWrapKeyEncryptionAlgorithm.stringToBytes(password));
- }
- public PbesHmacAesWrapKeyDecryptionAlgorithm(char[] password) {
- this(PbesHmacAesWrapKeyEncryptionAlgorithm.charsToBytes(password));
- }
- public PbesHmacAesWrapKeyDecryptionAlgorithm(byte[] password) {
- this.password = password;
- }
- @Override
- public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
- byte[] saltInput = getDecodedBytes(consumer, "p2s");
- int pbesCount = consumer.getJweHeaders().getIntegerHeader("p2c");
- String keyAlgoJwt = consumer.getJweHeaders().getAlgorithm();
- int keySize = PbesHmacAesWrapKeyEncryptionAlgorithm.getKeySize(keyAlgoJwt);
- byte[] derivedKey = PbesHmacAesWrapKeyEncryptionAlgorithm
- .createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
- KeyDecryptionAlgorithm aesWrap = new AesWrapKeyDecryptionAlgorithm(derivedKey);
- return aesWrap.getDecryptedContentEncryptionKey(consumer);
- }
- private byte[] getDecodedBytes(JweCompactConsumer consumer, String headerName) {
- try {
- Object headerValue = consumer.getJweHeaders().getHeader(headerName);
- return Base64UrlUtility.decode(headerValue.toString());
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
deleted file mode 100644
index 1cba7b6..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,169 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.io.UnsupportedEncodingException;
-import java.nio.ByteBuffer;
-import java.nio.CharBuffer;
-import java.nio.charset.Charset;
-import java.util.Arrays;
-import java.util.HashMap;
-import java.util.HashSet;
-import java.util.Map;
-import java.util.Set;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.bouncycastle.crypto.Digest;
-import org.bouncycastle.crypto.digests.SHA256Digest;
-import org.bouncycastle.crypto.digests.SHA384Digest;
-import org.bouncycastle.crypto.digests.SHA512Digest;
-import org.bouncycastle.crypto.generators.PKCS5S2ParametersGenerator;
-import org.bouncycastle.crypto.params.KeyParameter;
-
-public class PbesHmacAesWrapKeyEncryptionAlgorithm implements KeyEncryptionAlgorithm {
- private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
- Arrays.asList(Algorithm.PBES2_HS256_A128KW.getJwtName(),
- Algorithm.PBES2_HS384_A192KW.getJwtName(),
- Algorithm.PBES2_HS512_A256KW.getJwtName()));
- private static final Map<String, Integer> PBES_HMAC_MAP;
- private static final Map<String, String> PBES_AES_MAP;
- private static final Map<String, Integer> DERIVED_KEY_SIZE_MAP;
- static {
- PBES_HMAC_MAP = new HashMap<String, Integer>();
- PBES_HMAC_MAP.put(Algorithm.PBES2_HS256_A128KW.getJwtName(), 256);
- PBES_HMAC_MAP.put(Algorithm.PBES2_HS384_A192KW.getJwtName(), 384);
- PBES_HMAC_MAP.put(Algorithm.PBES2_HS512_A256KW.getJwtName(), 512);
-
- PBES_AES_MAP = new HashMap<String, String>();
- PBES_AES_MAP.put(Algorithm.PBES2_HS256_A128KW.getJwtName(), Algorithm.A128KW.getJwtName());
- PBES_AES_MAP.put(Algorithm.PBES2_HS384_A192KW.getJwtName(), Algorithm.A192KW.getJwtName());
- PBES_AES_MAP.put(Algorithm.PBES2_HS512_A256KW.getJwtName(), Algorithm.A256KW.getJwtName());
-
- DERIVED_KEY_SIZE_MAP = new HashMap<String, Integer>();
- DERIVED_KEY_SIZE_MAP.put(Algorithm.PBES2_HS256_A128KW.getJwtName(), 16);
- DERIVED_KEY_SIZE_MAP.put(Algorithm.PBES2_HS384_A192KW.getJwtName(), 24);
- DERIVED_KEY_SIZE_MAP.put(Algorithm.PBES2_HS512_A256KW.getJwtName(), 32);
- }
-
-
- private byte[] password;
- private int pbesCount;
- private String keyAlgoJwt;
- public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, String keyAlgoJwt) {
- this(stringToBytes(password), keyAlgoJwt);
- }
- public PbesHmacAesWrapKeyEncryptionAlgorithm(String password, int pbesCount, String keyAlgoJwt) {
- this(stringToBytes(password), pbesCount, keyAlgoJwt);
- }
- public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, String keyAlgoJwt) {
- this(password, 4096, keyAlgoJwt);
- }
- public PbesHmacAesWrapKeyEncryptionAlgorithm(char[] password, int pbesCount, String keyAlgoJwt) {
- this(charsToBytes(password), pbesCount, keyAlgoJwt);
- }
- public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, String keyAlgoJwt) {
- this(password, 4096, keyAlgoJwt);
- }
- public PbesHmacAesWrapKeyEncryptionAlgorithm(byte[] password, int pbesCount, String keyAlgoJwt) {
- this.password = password;
- this.keyAlgoJwt = validateKeyAlgorithm(keyAlgoJwt);
- this.pbesCount = validatePbesCount(pbesCount);
- }
-
- @Override
- public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
- int keySize = getKeySize(keyAlgoJwt);
- byte[] saltInput = CryptoUtils.generateSecureRandomBytes(keySize);
- byte[] derivedKey = createDerivedKey(keyAlgoJwt, keySize, password, saltInput, pbesCount);
-
- headers.setHeader("p2s", Base64UrlUtility.encode(saltInput));
- headers.setIntegerHeader("p2c", pbesCount);
-
- final String aesAlgoJwt = PBES_AES_MAP.get(keyAlgoJwt);
- KeyEncryptionAlgorithm aesWrap = new AesWrapKeyEncryptionAlgorithm(derivedKey, aesAlgoJwt) {
- protected void checkAlgorithms(JweHeaders headers, String defaultAlgo) {
- // complete
- }
- protected String getKeyEncryptionAlgoJava(JweHeaders headers) {
- return Algorithm.AES_WRAP_ALGO_JAVA;
- }
- };
- return aesWrap.getEncryptedContentEncryptionKey(headers, cek);
-
-
- }
- static int getKeySize(String keyAlgoJwt) {
- return DERIVED_KEY_SIZE_MAP.get(keyAlgoJwt);
- }
- static byte[] createDerivedKey(String keyAlgoJwt, int keySize,
- byte[] password, byte[] saltInput, int pbesCount) {
- byte[] saltValue = createSaltValue(keyAlgoJwt, saltInput);
- Digest digest = null;
- int macSigSize = PBES_HMAC_MAP.get(keyAlgoJwt);
- if (macSigSize == 256) {
- digest = new SHA256Digest();
- } else if (macSigSize == 384) {
- digest = new SHA384Digest();
- } else {
- digest = new SHA512Digest();
- }
- PKCS5S2ParametersGenerator gen = new PKCS5S2ParametersGenerator(digest);
- gen.init(password, saltValue, pbesCount);
- return ((KeyParameter) gen.generateDerivedParameters(keySize * 8)).getKey();
- }
-
-
- private static byte[] createSaltValue(String keyAlgoJwt, byte[] saltInput) {
- byte[] algoBytes = stringToBytes(keyAlgoJwt);
- byte[] saltValue = new byte[algoBytes.length + 1 + saltInput.length];
- System.arraycopy(algoBytes, 0, saltValue, 0, algoBytes.length);
- saltValue[algoBytes.length] = 0;
- System.arraycopy(saltInput, 0, saltValue, algoBytes.length + 1, saltInput.length);
- return saltValue;
- }
- static String validateKeyAlgorithm(String algo) {
- if (!SUPPORTED_ALGORITHMS.contains(algo)) {
- throw new SecurityException();
- }
- return algo;
- }
- static int validatePbesCount(int count) {
- if (count < 1000) {
- throw new SecurityException();
- }
- return count;
- }
-
- static byte[] stringToBytes(String str) {
- try {
- return str.getBytes("UTF-8");
- } catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
- }
- }
- static byte[] charsToBytes(char[] chars) {
- ByteBuffer bb = Charset.forName("UTF-8").encode(CharBuffer.wrap(chars));
- byte[] b = new byte[bb.remaining()];
- bb.get(b);
- return b;
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyDecryptionAlgorithm.java
deleted file mode 100644
index 3ea8cd0..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,33 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.interfaces.RSAPrivateKey;
-
-public class RSAOaepKeyDecryptionAlgorithm extends WrappedKeyDecryptionAlgorithm {
- public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey) {
- this(privateKey, true);
- }
- public RSAOaepKeyDecryptionAlgorithm(RSAPrivateKey privateKey, boolean unwrap) {
- super(privateKey, unwrap);
- }
- protected int getKeyCipherBlockSize() {
- return ((RSAPrivateKey)getCekDecryptionKey()).getModulus().toByteArray().length;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryptionAlgorithm.java
deleted file mode 100644
index d80a04d..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/RSAOaepKeyEncryptionAlgorithm.java
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.interfaces.RSAPublicKey;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-
-public class RSAOaepKeyEncryptionAlgorithm extends AbstractWrapKeyEncryptionAlgorithm {
- private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
- Arrays.asList(Algorithm.RSA_OAEP.getJwtName(),
- Algorithm.RSA_OAEP_256.getJwtName()));
- public RSAOaepKeyEncryptionAlgorithm(RSAPublicKey publicKey, String jweAlgo) {
- this(publicKey, jweAlgo, true);
- }
- public RSAOaepKeyEncryptionAlgorithm(RSAPublicKey publicKey, String jweAlgo, boolean wrap) {
- super(publicKey, jweAlgo, wrap, SUPPORTED_ALGORITHMS);
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyDecryptionAlgorithm.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyDecryptionAlgorithm.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyDecryptionAlgorithm.java
deleted file mode 100644
index 40cf8d9..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyDecryptionAlgorithm.java
+++ /dev/null
@@ -1,74 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-import java.security.spec.AlgorithmParameterSpec;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.KeyProperties;
-
-public class WrappedKeyDecryptionAlgorithm implements KeyDecryptionAlgorithm {
- private Key cekDecryptionKey;
- private boolean unwrap;
- public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey) {
- this(cekDecryptionKey, true);
- }
- public WrappedKeyDecryptionAlgorithm(Key cekDecryptionKey, boolean unwrap) {
- this.cekDecryptionKey = cekDecryptionKey;
- this.unwrap = unwrap;
- }
- public byte[] getDecryptedContentEncryptionKey(JweCompactConsumer consumer) {
- KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(consumer));
- AlgorithmParameterSpec spec = getAlgorithmParameterSpec(consumer);
- if (spec != null) {
- keyProps.setAlgoSpec(spec);
- }
- if (!unwrap) {
- keyProps.setBlockSize(getKeyCipherBlockSize());
- return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(consumer),
- getCekDecryptionKey(), keyProps);
- } else {
- return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(consumer),
- getContentEncryptionAlgorithm(consumer),
- getCekDecryptionKey(),
- keyProps).getEncoded();
- }
- }
-
- protected Key getCekDecryptionKey() {
- return cekDecryptionKey;
- }
- protected int getKeyCipherBlockSize() {
- return -1;
- }
- protected String getKeyEncryptionAlgorithm(JweCompactConsumer consumer) {
- return Algorithm.toJavaName(consumer.getJweHeaders().getKeyEncryptionAlgorithm());
- }
- protected String getContentEncryptionAlgorithm(JweCompactConsumer consumer) {
- return Algorithm.toJavaName(consumer.getJweHeaders().getContentEncryptionAlgorithm());
- }
- protected AlgorithmParameterSpec getAlgorithmParameterSpec(JweCompactConsumer consumer) {
- return null;
- }
- protected byte[] getEncryptedContentEncryptionKey(JweCompactConsumer consumer) {
- return consumer.getEncryptedContentEncryptionKey();
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
deleted file mode 100644
index 0c65962..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweDecryption.java
+++ /dev/null
@@ -1,56 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import java.security.Key;
-
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersReader;
-
-public class WrappedKeyJweDecryption extends AbstractJweDecryption {
- public WrappedKeyJweDecryption(Key cekDecryptionKey) {
- this(cekDecryptionKey, true);
- }
- public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap) {
- this(cekDecryptionKey, unwrap, null);
- }
- public WrappedKeyJweDecryption(Key cekDecryptionKey, JweCryptoProperties props) {
- this(cekDecryptionKey, true, props);
- }
- public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap,
- JweCryptoProperties props) {
- this(cekDecryptionKey, unwrap, props, null);
- }
- public WrappedKeyJweDecryption(Key cekDecryptionKey, boolean unwrap,
- JweCryptoProperties props, JwtHeadersReader reader) {
- this(new WrappedKeyDecryptionAlgorithm(cekDecryptionKey, unwrap),
- props, reader);
- }
- public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo) {
- this(keyDecryptionAlgo, null, null);
- }
- public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
- JweCryptoProperties props, JwtHeadersReader reader) {
- this(keyDecryptionAlgo, props, reader, new AesGcmContentDecryptionAlgorithm());
- }
- public WrappedKeyJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo,
- JweCryptoProperties props, JwtHeadersReader reader,
- ContentDecryptionAlgorithm cipherProps) {
- super(props, reader, keyDecryptionAlgo, cipherProps);
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
deleted file mode 100644
index d57f490..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwe/WrappedKeyJweEncryption.java
+++ /dev/null
@@ -1,41 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwe;
-
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersWriter;
-
-public class WrappedKeyJweEncryption extends AbstractJweEncryption {
- public WrappedKeyJweEncryption(JweHeaders headers,
- KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
- this(headers, null, null, keyEncryptionAlgorithm);
- }
- public WrappedKeyJweEncryption(JweHeaders headers, byte[] cek,
- byte[] iv, KeyEncryptionAlgorithm keyEncryptionAlgorithm) {
- this(headers, cek, iv, keyEncryptionAlgorithm, null);
- }
- public WrappedKeyJweEncryption(JweHeaders headers,
- byte[] cek,
- byte[] iv,
- KeyEncryptionAlgorithm keyEncryptionAlgorithm,
- JwtHeadersWriter writer) {
- super(headers, new AesGcmContentEncryptionAlgorithm(cek, iv), keyEncryptionAlgorithm, writer);
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/DefaultJwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/DefaultJwkReaderWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/DefaultJwkReaderWriter.java
deleted file mode 100644
index ece0c7c..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/DefaultJwkReaderWriter.java
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwk;
-
-import org.apache.cxf.rs.security.oauth2.jwt.AbstractJwtObjectReaderWriter;
-
-
-
-
-public class DefaultJwkReaderWriter extends AbstractJwtObjectReaderWriter
- implements JwkReaderWriter {
- @Override
- public String jwkSetToJson(JsonWebKeys jwks) {
- return toJson(jwks);
- }
- @Override
- public JsonWebKeys jsonToJwkSet(String jwksJson) {
- JsonWebKeys jwks = new JsonWebKeys();
- fromJsonInternal(jwks, jwksJson);
- return jwks;
- }
- @Override
- public String jwkToJson(JsonWebKey jwk) {
- return toJson(jwk);
- }
- @Override
- public JsonWebKey jsonToJwk(String jwkJson) {
- JsonWebKey jwk = new JsonWebKey();
- fromJsonInternal(jwk, jwkJson);
- return jwk;
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKey.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKey.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKey.java
deleted file mode 100644
index fa357fa..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKey.java
+++ /dev/null
@@ -1,213 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwk;
-
-import java.security.interfaces.ECPrivateKey;
-import java.security.interfaces.ECPublicKey;
-import java.security.interfaces.RSAPrivateKey;
-import java.security.interfaces.RSAPublicKey;
-import java.util.List;
-import java.util.Map;
-
-import javax.crypto.SecretKey;
-
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.rs.security.oauth2.jwt.AbstractJwtObject;
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtConstants;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-
-
-public class JsonWebKey extends AbstractJwtObject {
-
- public static final String KEY_TYPE = "kty";
- public static final String PUBLIC_KEY_USE = "use";
- public static final String KEY_OPERATIONS = "key_ops";
- public static final String KEY_ALGO = JwtConstants.HEADER_ALGORITHM;
- public static final String KEY_ID = JwtConstants.HEADER_KEY_ID;
- public static final String X509_URL = JwtConstants.HEADER_X509_URL;
- public static final String X509_CHAIN = JwtConstants.HEADER_X509_CHAIN;
- public static final String X509_THUMBPRINT = JwtConstants.HEADER_X509_THUMBPRINT;
- public static final String X509_THUMBPRINT_SHA256 = JwtConstants.HEADER_X509_THUMBPRINT_SHA256;
-
- public static final String KEY_TYPE_RSA = "RSA";
- public static final String RSA_MODULUS = "n";
- public static final String RSA_PUBLIC_EXP = "e";
- public static final String RSA_PRIVATE_EXP = "d";
- public static final String RSA_FIRST_PRIME_FACTOR = "p";
- public static final String RSA_SECOND_PRIME_FACTOR = "q";
- public static final String RSA_FIRST_PRIME_CRT = "dp";
- public static final String RSA_SECOND_PRIME_CRT = "dq";
- public static final String RSA_FIRST_CRT_COEFFICIENT = "qi";
-
- public static final String KEY_TYPE_OCTET = "oct";
- public static final String OCTET_KEY_VALUE = "k";
-
- public static final String KEY_TYPE_ELLIPTIC = "EC";
- public static final String EC_CURVE = "crv";
- public static final String EC_CURVE_P256 = "P-256";
- public static final String EC_CURVE_P384 = "P-384";
- public static final String EC_CURVE_P512 = "P-512";
- public static final String EC_X_COORDINATE = "x";
- public static final String EC_Y_COORDINATE = "y";
- public static final String EC_PRIVATE_KEY = "d";
-
- public static final String PUBLIC_KEY_USE_SIGN = "sig";
- public static final String PUBLIC_KEY_USE_ENCRYPT = "enc";
-
- public static final String KEY_OPER_SIGN = "sign";
- public static final String KEY_OPER_VERIFY = "verify";
- public static final String KEY_OPER_ENCRYPT = "encrypt";
- public static final String KEY_OPER_DECRYPT = "decrypt";
-
- public JsonWebKey() {
-
- }
-
- public JsonWebKey(Map<String, Object> values) {
- super(values);
- }
-
- public void setKeyType(String keyType) {
- super.setValue(KEY_TYPE, keyType);
- }
-
- public String getKeyType() {
- return (String)super.getValue(KEY_TYPE);
- }
-
- public void setPublicKeyUse(String use) {
- super.setValue(PUBLIC_KEY_USE, use);
- }
-
- public String getPublicKeyUse() {
- return (String)super.getValue(PUBLIC_KEY_USE);
- }
-
- public void setKeyOperation(List<String> keyOperation) {
- super.setValue(KEY_OPERATIONS, keyOperation);
- }
-
- public List<String> getKeyOperation() {
- return CastUtils.cast((List<?>)super.getValue(KEY_OPERATIONS));
- }
-
- public void setAlgorithm(String algorithm) {
- super.setValue(KEY_ALGO, algorithm);
- }
-
- public String getAlgorithm() {
- return (String)super.getValue(KEY_ALGO);
- }
-
- public void setKid(String kid) {
- super.setValue(KEY_ID, kid);
- }
-
- public String getKid() {
- return (String)super.getValue(KEY_ID);
- }
-
- public void setX509Url(String x509Url) {
- super.setValue(X509_URL, x509Url);
- }
-
- public String getX509Url() {
- return (String)super.getValue(X509_URL);
- }
-
- public void setX509Chain(String x509Chain) {
- super.setValue(X509_CHAIN, x509Chain);
- }
-
- public String getX509Chain() {
- return (String)super.getValue(X509_CHAIN);
- }
-
- public void setX509Thumbprint(String x509Thumbprint) {
- super.setValue(X509_THUMBPRINT, x509Thumbprint);
- }
-
- public String getX509Thumbprint() {
- return (String)super.getValue(X509_THUMBPRINT);
- }
-
- public void setX509ThumbprintSHA256(String x509Thumbprint) {
- super.setValue(X509_THUMBPRINT_SHA256, x509Thumbprint);
- }
-
- public String getX509ThumbprintSHA256() {
- return (String)super.getValue(X509_THUMBPRINT_SHA256);
- }
-
- public JsonWebKey setProperty(String name, Object value) {
- super.setValue(name, value);
- return this;
- }
-
- public Object getProperty(String name) {
- return super.getValue(name);
- }
-
- public RSAPublicKey toRSAPublicKey() {
- String encodedModulus = (String)super.getValue(RSA_MODULUS);
- String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP);
- return CryptoUtils.getRSAPublicKey(encodedModulus, encodedPublicExponent);
- }
- public RSAPrivateKey toRSAPrivateKey() {
- String encodedModulus = (String)super.getValue(RSA_MODULUS);
- String encodedPrivateExponent = (String)super.getValue(RSA_PRIVATE_EXP);
- String encodedPrimeP = (String)super.getValue(RSA_FIRST_PRIME_FACTOR);
- if (encodedPrimeP == null) {
- return CryptoUtils.getRSAPrivateKey(encodedModulus, encodedPrivateExponent);
- } else {
- String encodedPublicExponent = (String)super.getValue(RSA_PUBLIC_EXP);
- String encodedPrimeQ = (String)super.getValue(RSA_SECOND_PRIME_FACTOR);
- String encodedPrimeExpP = (String)super.getValue(RSA_FIRST_PRIME_CRT);
- String encodedPrimeExpQ = (String)super.getValue(RSA_SECOND_PRIME_CRT);
- String encodedCrtCoefficient = (String)super.getValue(RSA_FIRST_CRT_COEFFICIENT);
- return CryptoUtils.getRSAPrivateKey(encodedModulus,
- encodedPublicExponent,
- encodedPrivateExponent,
- encodedPrimeP,
- encodedPrimeQ,
- encodedPrimeExpP,
- encodedPrimeExpQ,
- encodedCrtCoefficient);
- }
- }
- public ECPublicKey toECPublicKey() {
- String eCurve = (String)super.getValue(EC_CURVE);
- String encodedXCoord = (String)super.getValue(EC_X_COORDINATE);
- String encodedYCoord = (String)super.getValue(EC_Y_COORDINATE);
- return CryptoUtils.getECPublicKey(eCurve, encodedXCoord, encodedYCoord);
- }
- public ECPrivateKey toECPrivateKey() {
- String eCurve = (String)super.getValue(EC_CURVE);
- String encodedPrivateKey = (String)super.getValue(EC_PRIVATE_KEY);
- return CryptoUtils.getECPrivateKey(eCurve, encodedPrivateKey);
- }
-
- public SecretKey toSecretKey() {
- return CryptoUtils.createSecretKeySpec((String)getProperty(OCTET_KEY_VALUE),
- Algorithm.toJavaName(getAlgorithm()));
- }
-
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeys.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeys.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeys.java
deleted file mode 100644
index ff21b45..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JsonWebKeys.java
+++ /dev/null
@@ -1,131 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwk;
-
-import java.util.Collections;
-import java.util.LinkedHashMap;
-import java.util.LinkedList;
-import java.util.List;
-import java.util.Map;
-
-import org.apache.cxf.helpers.CastUtils;
-import org.apache.cxf.rs.security.oauth2.jwt.AbstractJwtObject;
-
-public class JsonWebKeys extends AbstractJwtObject {
- public static final String KEYS_PROPERTY = "keys";
- public List<JsonWebKey> getKeys() {
- List<?> list = (List<?>)super.getValue(KEYS_PROPERTY);
- if (list != null && !list.isEmpty()) {
- Object first = list.get(0);
- if (first instanceof JsonWebKey) {
- return CastUtils.cast(list);
- } else {
- List<JsonWebKey> keys = new LinkedList<JsonWebKey>();
- List<Map<String, Object>> listOfMaps =
- CastUtils.cast((List<?>)super.getValue(KEYS_PROPERTY));
- for (Map<String, Object> map : listOfMaps) {
- keys.add(new JsonWebKey(map));
- }
- return keys;
- }
- } else {
- return null;
- }
- }
-
- public void setKeys(List<JsonWebKey> keys) {
- super.setValue(KEYS_PROPERTY, keys);
- }
-
- public Map<String, JsonWebKey> getKeyIdMap() {
- List<JsonWebKey> keys = getKeys();
- if (keys == null) {
- return Collections.emptyMap();
- }
- Map<String, JsonWebKey> map = new LinkedHashMap<String, JsonWebKey>();
- for (JsonWebKey key : keys) {
- String kid = key.getKid();
- if (kid != null) {
- map.put(kid, key);
- }
- }
- return map;
- }
- public JsonWebKey getKey(String kid) {
- return getKeyIdMap().get(kid);
- }
- public Map<String, List<JsonWebKey>> getKeyTypeMap() {
- return getKeyPropertyMap(JsonWebKey.KEY_TYPE);
- }
- public Map<String, List<JsonWebKey>> getKeyUseMap() {
- return getKeyPropertyMap(JsonWebKey.PUBLIC_KEY_USE);
- }
- private Map<String, List<JsonWebKey>> getKeyPropertyMap(String propertyName) {
- List<JsonWebKey> keys = getKeys();
- if (keys == null) {
- return Collections.emptyMap();
- }
- Map<String, List<JsonWebKey>> map = new LinkedHashMap<String, List<JsonWebKey>>();
- for (JsonWebKey key : keys) {
- String propValue = (String)key.getProperty(propertyName);
- if (propValue != null) {
- List<JsonWebKey> list = map.get(propValue);
- if (list == null) {
- list = new LinkedList<JsonWebKey>();
- map.put(propValue, list);
- }
- list.add(key);
- }
- }
- return map;
- }
- public Map<String, List<JsonWebKey>> getKeyOperationMap() {
- List<JsonWebKey> keys = getKeys();
- if (keys == null) {
- return Collections.emptyMap();
- }
- Map<String, List<JsonWebKey>> map = new LinkedHashMap<String, List<JsonWebKey>>();
- for (JsonWebKey key : keys) {
- List<String> ops = key.getKeyOperation();
- if (ops != null) {
- for (String op : ops) {
- List<JsonWebKey> list = map.get(op);
- if (list == null) {
- list = new LinkedList<JsonWebKey>();
- map.put(op, list);
- }
- list.add(key);
- }
- }
- }
- return map;
- }
- public List<JsonWebKey> getKeys(String keyType) {
- return getKeyTypeMap().get(keyType);
- }
- public List<JsonWebKey> getRsaKeys() {
- return getKeyTypeMap().get(JsonWebKey.KEY_TYPE_RSA);
- }
- public List<JsonWebKey> getEllipticKeys() {
- return getKeyTypeMap().get(JsonWebKey.KEY_TYPE_ELLIPTIC);
- }
- public List<JsonWebKey> getSecretKeys() {
- return getKeyTypeMap().get(JsonWebKey.KEY_TYPE_OCTET);
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkReaderWriter.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkReaderWriter.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkReaderWriter.java
deleted file mode 100644
index 9397bfd..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkReaderWriter.java
+++ /dev/null
@@ -1,27 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwk;
-
-
-public interface JwkReaderWriter {
- String jwkToJson(JsonWebKey jwk);
- JsonWebKey jsonToJwk(String jwkJson);
- String jwkSetToJson(JsonWebKeys jwkSet);
- JsonWebKeys jsonToJwkSet(String jwkSetJson);
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
deleted file mode 100644
index fba082a..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jwk/JwkUtils.java
+++ /dev/null
@@ -1,190 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jwk;
-
-import java.io.InputStream;
-import java.io.UnsupportedEncodingException;
-import java.util.Collections;
-import java.util.List;
-import java.util.Properties;
-
-import org.apache.cxf.Bus;
-import org.apache.cxf.helpers.IOUtils;
-import org.apache.cxf.jaxrs.utils.ResourceUtils;
-import org.apache.cxf.message.Message;
-import org.apache.cxf.rs.security.oauth2.jwe.AesCbcHmacJweDecryption;
-import org.apache.cxf.rs.security.oauth2.jwe.AesCbcHmacJweEncryption;
-import org.apache.cxf.rs.security.oauth2.jwe.JweDecryptionProvider;
-import org.apache.cxf.rs.security.oauth2.jwe.JweEncryptionProvider;
-import org.apache.cxf.rs.security.oauth2.jwe.KeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.KeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.PbesHmacAesWrapKeyDecryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwe.PbesHmacAesWrapKeyEncryptionAlgorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.CryptoUtils;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.PrivateKeyPasswordProvider;
-
-public final class JwkUtils {
- public static final String JWK_KEY_STORE_TYPE = "jwk";
- public static final String RSSEC_KEY_STORE_JWKSET = "rs.security.keystore.jwkset";
- public static final String RSSEC_KEY_STORE_JWKKEY = "rs.security.keystore.jwkkey";
- private JwkUtils() {
-
- }
- public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password) {
- return encryptJwkSet(jwkSet, password, new DefaultJwkReaderWriter());
- }
- public static String encryptJwkSet(JsonWebKeys jwkSet, char[] password, JwkReaderWriter writer) {
- return encryptJwkSet(jwkSet, createDefaultEncryption(password), writer);
- }
- public static String encryptJwkSet(JsonWebKeys jwkSet, JweEncryptionProvider jwe, JwkReaderWriter writer) {
- return jwe.encrypt(stringToBytes(writer.jwkSetToJson(jwkSet)), "jwk-set+json");
- }
- public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password) {
- return decryptJwkSet(jsonJwkSet, password, new DefaultJwkReaderWriter());
- }
- public static JsonWebKeys decryptJwkSet(String jsonJwkSet, char[] password, JwkReaderWriter reader) {
- return decryptJwkSet(jsonJwkSet, createDefaultDecryption(password), reader);
- }
- public static JsonWebKeys decryptJwkSet(String jsonJwkSet, JweDecryptionProvider jwe, JwkReaderWriter reader) {
- return reader.jsonToJwkSet(jwe.decrypt(jsonJwkSet).getContentText());
- }
- public static String encryptJwkKey(JsonWebKey jwk, char[] password) {
- return encryptJwkKey(jwk, password, new DefaultJwkReaderWriter());
- }
- public static String encryptJwkKey(JsonWebKey jwkKey, char[] password, JwkReaderWriter writer) {
- return encryptJwkKey(jwkKey, createDefaultEncryption(password), writer);
- }
- public static String encryptJwkKey(JsonWebKey jwkKey, JweEncryptionProvider jwe, JwkReaderWriter writer) {
- return jwe.encrypt(stringToBytes(writer.jwkToJson(jwkKey)), "jwk+json");
- }
- public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password) {
- return decryptJwkKey(jsonJwkKey, password, new DefaultJwkReaderWriter());
- }
- public static JsonWebKey decryptJwkKey(String jsonJwkKey, char[] password, JwkReaderWriter reader) {
- return decryptJwkKey(jsonJwkKey, createDefaultDecryption(password), reader);
- }
- public static JsonWebKey decryptJwkKey(String jsonJwkKey, JweDecryptionProvider jwe, JwkReaderWriter reader) {
- return reader.jsonToJwk(jwe.decrypt(jsonJwkKey).getContentText());
- }
- private static JweEncryptionProvider createDefaultEncryption(char[] password) {
- KeyEncryptionAlgorithm keyEncryption =
- new PbesHmacAesWrapKeyEncryptionAlgorithm(password, Algorithm.PBES2_HS256_A128KW.getJwtName());
- return new AesCbcHmacJweEncryption(Algorithm.PBES2_HS256_A128KW.getJwtName(),
- Algorithm.A128CBC_HS256.getJwtName(),
- keyEncryption);
- }
- private static JweDecryptionProvider createDefaultDecryption(char[] password) {
- KeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password);
- return new AesCbcHmacJweDecryption(keyDecryption);
- }
- public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb) {
- return loadJwkSet(m, props, cb, new DefaultJwkReaderWriter());
- }
- public static JsonWebKeys loadJwkSet(Message m, Properties props, PrivateKeyPasswordProvider cb,
- JwkReaderWriter reader) {
- JsonWebKeys jwkSet = (JsonWebKeys)m.getExchange().get(props.get(CryptoUtils.RSSEC_KEY_STORE_FILE));
- if (jwkSet == null) {
- jwkSet = loadJwkSet(props, m.getExchange().getBus(), cb, reader);
- m.getExchange().put((String)props.get(CryptoUtils.RSSEC_KEY_STORE_FILE), jwkSet);
- }
- return jwkSet;
- }
- public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb) {
- return loadJwkSet(props, bus, cb, new DefaultJwkReaderWriter());
- }
- public static JsonWebKeys loadJwkSet(Properties props, Bus bus, PrivateKeyPasswordProvider cb,
- JwkReaderWriter reader) {
- JweDecryptionProvider decryption = cb != null
- ? new AesCbcHmacJweDecryption(new PbesHmacAesWrapKeyDecryptionAlgorithm(cb.getPassword(props))) : null;
- return loadJwkSet(props, bus, decryption, reader);
- }
- public static JsonWebKeys loadJwkSet(Properties props, Bus bus, JweDecryptionProvider jwe, JwkReaderWriter reader) {
- String keyContent = null;
- String keyStoreLoc = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_FILE);
- if (keyStoreLoc != null) {
- try {
- InputStream is = ResourceUtils.getResourceStream(keyStoreLoc, bus);
- keyContent = IOUtils.readStringFromStream(is);
- } catch (Exception ex) {
- throw new SecurityException(ex);
- }
- } else {
- keyContent = props.getProperty(RSSEC_KEY_STORE_JWKSET);
- if (keyContent == null) {
- keyContent = props.getProperty(RSSEC_KEY_STORE_JWKKEY);
- }
- }
- if (jwe != null) {
- keyContent = jwe.decrypt(keyContent).getContentText();
- }
- if (props.getProperty(RSSEC_KEY_STORE_JWKKEY) == null) {
- return reader.jsonToJwkSet(keyContent);
- } else {
- JsonWebKey key = reader.jsonToJwk(keyContent);
- JsonWebKeys keys = new JsonWebKeys();
- keys.setKeys(Collections.singletonList(key));
- return keys;
- }
- }
- public static JsonWebKey loadJsonWebKey(Message m, Properties props, String keyOper) {
- return loadJsonWebKey(m, props, keyOper, new DefaultJwkReaderWriter());
- }
- public static JsonWebKey loadJsonWebKey(Message m, Properties props, String keyOper, JwkReaderWriter reader) {
- PrivateKeyPasswordProvider cb =
- (PrivateKeyPasswordProvider)m.getContextualProperty(CryptoUtils.RSSEC_KEY_PSWD_PROVIDER);
- if (cb == null && keyOper != null) {
- String propName = keyOper.equals(JsonWebKey.KEY_OPER_SIGN) ? CryptoUtils.RSSEC_SIG_KEY_PSWD_PROVIDER
- : keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT) ? CryptoUtils.RSSEC_DECRYPT_KEY_PSWD_PROVIDER : null;
- if (propName != null) {
- cb = (PrivateKeyPasswordProvider)m.getContextualProperty(propName);
- }
- }
- JsonWebKeys jwkSet = loadJwkSet(m, props, cb, reader);
- String kid = props.getProperty(CryptoUtils.RSSEC_KEY_STORE_ALIAS);
- if (kid == null && keyOper != null) {
- String keyIdProp = null;
- if (keyOper.equals(JsonWebKey.KEY_OPER_ENCRYPT)) {
- keyIdProp = CryptoUtils.RSSEC_KEY_STORE_ALIAS + ".jwe";
- } else if (keyOper.equals(JsonWebKey.KEY_OPER_SIGN)
- || keyOper.equals(JsonWebKey.KEY_OPER_VERIFY)) {
- keyIdProp = CryptoUtils.RSSEC_KEY_STORE_ALIAS + ".jws";
- }
- if (keyIdProp != null) {
- kid = props.getProperty(keyIdProp);
- }
- }
- if (kid != null) {
- return jwkSet.getKey(kid);
- } else if (keyOper != null) {
- List<JsonWebKey> keys = jwkSet.getKeyUseMap().get(keyOper);
- if (keys != null && keys.size() == 1) {
- return keys.get(0);
- }
- }
- return null;
- }
- private static byte[] stringToBytes(String str) {
- try {
- return str.getBytes("UTF-8");
- } catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
- }
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
deleted file mode 100644
index 1e0ceee..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/AbstractJwsSignatureProvider.java
+++ /dev/null
@@ -1,62 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jws;
-
-import java.util.Set;
-
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-
-public abstract class AbstractJwsSignatureProvider implements JwsSignatureProvider {
- private Set<String> supportedAlgorithms;
- private String defaultJwtAlgorithm;
-
- protected AbstractJwsSignatureProvider(Set<String> supportedAlgorithms) {
- this.supportedAlgorithms = supportedAlgorithms;
- }
-
- protected JwtHeaders prepareHeaders(JwtHeaders headers) {
- if (headers == null) {
- headers = new JwtHeaders();
- }
- String algo = headers.getAlgorithm();
- if (algo != null) {
- checkAlgorithm(algo);
- } else {
- headers.setAlgorithm(defaultJwtAlgorithm);
- }
- return headers;
- }
-
- @Override
- public JwsSignature createJwsSignature(JwtHeaders headers) {
- return doCreateJwsSignature(prepareHeaders(headers));
- }
-
- protected abstract JwsSignature doCreateJwsSignature(JwtHeaders headers);
-
- public void setDefaultJwtAlgorithm(String algo) {
- this.defaultJwtAlgorithm = algo;
- }
- protected void checkAlgorithm(String algo) {
- if (algo == null || !supportedAlgorithms.contains(algo)) {
- throw new 
SecurityException();
- }
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/EcDsaJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/EcDsaJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/EcDsaJwsSignatureProvider.java
deleted file mode 100644
index 8077cf3..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/EcDsaJwsSignatureProvider.java
+++ /dev/null
@@ -1,45 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jws;
-
-import java.security.SecureRandom;
-import java.security.interfaces.ECPrivateKey;
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-
-public class EcDsaJwsSignatureProvider extends PrivateKeyJwsSignatureProvider {
- private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
- Arrays.asList(Algorithm.SHA256withECDSA.getJwtName(),
- Algorithm.SHA384withECDSA.getJwtName(),
- Algorithm.SHA512withECDSA.getJwtName()));
-
- public EcDsaJwsSignatureProvider(ECPrivateKey key) {
- this(key, null);
- }
- public EcDsaJwsSignatureProvider(ECPrivateKey key, AlgorithmParameterSpec spec) {
- this(key, null, spec);
- }
- public EcDsaJwsSignatureProvider(ECPrivateKey key, SecureRandom random, AlgorithmParameterSpec spec) {
- super(key, random, spec, SUPPORTED_ALGORITHMS);
- }
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
deleted file mode 100644
index a71da3b..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/HmacJwsSignatureProvider.java
+++ /dev/null
@@ -1,89 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jws;
-
-import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
-import java.util.HashSet;
-import java.util.Set;
-
-import javax.crypto.Mac;
-
-import org.apache.cxf.common.util.Base64Exception;
-import org.apache.cxf.rs.security.oauth2.jwt.Algorithm;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-import org.apache.cxf.rs.security.oauth2.utils.crypto.HmacUtils;
-
-public class HmacJwsSignatureProvider extends AbstractJwsSignatureProvider implements JwsSignatureVerifier {
- private static final Set<String> SUPPORTED_ALGORITHMS = new HashSet<String>(
- Arrays.asList(Algorithm.HmacSHA256.getJwtName(),
- Algorithm.HmacSHA384.getJwtName(),
- Algorithm.HmacSHA512.getJwtName()));
- private byte[] key;
- private AlgorithmParameterSpec hmacSpec;
-
- public HmacJwsSignatureProvider(byte[] key) {
- this(key, null);
- }
- public HmacJwsSignatureProvider(byte[] key, AlgorithmParameterSpec spec) {
- super(SUPPORTED_ALGORITHMS);
- this.key = key;
- this.hmacSpec = spec;
- }
- public HmacJwsSignatureProvider(String 
encodedKey) {
- super(SUPPORTED_ALGORITHMS);
- try {
- this.key = Base64UrlUtility.decode(encodedKey);
- } catch (Base64Exception ex) {
- throw new SecurityException();
- }
- }
-
- @Override
- public boolean verify(JwtHeaders headers, String unsignedText, byte[] signature) {
- byte[] expected = computeMac(headers, unsignedText);
- return Arrays.equals(expected, signature);
- }
-
- private byte[] computeMac(JwtHeaders headers, String text) {
- return HmacUtils.computeHmac(key,
- Algorithm.toJavaName(headers.getAlgorithm()),
- hmacSpec,
- text);
- }
- protected JwsSignature doCreateJwsSignature(JwtHeaders headers) {
- final Mac mac = HmacUtils.getInitializedMac(key, Algorithm.toJavaName(headers.getAlgorithm()),
- hmacSpec);
- return new JwsSignature() {
-
- @Override
- public void update(byte[] src, int off, int len) {
- mac.update(src, off, len);
- }
-
- @Override
- public byte[] sign() {
- return mac.doFinal();
- }
-
- };
- }
-
-}
http://git-wip-us.apache.org/repos/asf/cxf/blob/707d938a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java b/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
deleted file mode 100644
index 57c7c69..0000000
--- a/rt/rs/security/oauth-parent/oauth2-jwt/src/main/java/org/apache/cxf/rs/security/oauth2/jws/JwsCompactConsumer.java
+++ /dev/null
@@ -1,122 +0,0 @@
-/**
- * Licensed to the Apache Software Foundation (ASF) under one
- * or more contributor license agreements. See the NOTICE file
- * distributed with this work for additional information
- * regarding copyright ownership. The ASF licenses this file
- * to you under the Apache License, Version 2.0 (the
- * "License"); you may not use this file except in compliance
- * with the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an
- * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- * KIND, either express or implied. See the License for the
- * specific language governing permissions and limitations
- * under the License.
- */
-package org.apache.cxf.rs.security.oauth2.jws;
-
-import java.io.UnsupportedEncodingException;
-
-import org.apache.cxf.common.util.Base64Exception;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeaders;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtHeadersReader;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReader;
-import org.apache.cxf.rs.security.oauth2.jwt.JwtTokenReaderWriter;
-import org.apache.cxf.rs.security.oauth2.provider.OAuthServiceException;
-import org.apache.cxf.rs.security.oauth2.utils.Base64UrlUtility;
-
-public class JwsCompactConsumer {
- private JwtHeadersReader reader = new JwtTokenReaderWriter();
- private String encodedSequence;
- private String encodedSignature;
- private String headersJson;
- private String jwsPayload;
- private JwsSignatureProperties props;
- public JwsCompactConsumer(String encodedJws) {
- this(encodedJws, null, null);
- }
- public JwsCompactConsumer(String encodedJws, JwsSignatureProperties props) {
- this(encodedJws, props, null);
- }
- public JwsCompactConsumer(String encodedJws, JwtTokenReader r) {
- this(encodedJws, null, r);
- }
- public JwsCompactConsumer(String encodedJws, 
JwsSignatureProperties props, JwtHeadersReader r) {
- if (r != null) {
- this.reader = r;
- }
- this.props = props;
- String[] parts = encodedJws.split("\\.");
- if (parts.length != 3) {
- if (parts.length == 2 && encodedJws.endsWith(".")) {
- encodedSignature = "";
- } else {
- throw new OAuthServiceException("Invalid JWS Compact sequence");
- }
- } else {
- encodedSignature = parts[2];
- }
- headersJson = decodeToString(parts[0]);
- jwsPayload = decodeToString(parts[1]);
- encodedSequence = parts[0] + "." + parts[1];
-
- }
- public String getUnsignedEncodedPayload() {
- return encodedSequence;
- }
- public String getEncodedSignature() {
- return encodedSignature;
- }
- public String getDecodedJsonHeaders() {
- return headersJson;
- }
- public String getDecodedJwsPayload() {
- return jwsPayload;
- }
- public byte[] getDecodedJwsPayloadBytes() {
- try {
- return jwsPayload.getBytes("UTF-8");
- } catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
- }
- }
- public byte[] getDecodedSignature() {
- return encodedSignature.isEmpty() ? 
new byte[]{} : decode(encodedSignature);
- }
- public JwtHeaders getJwtHeaders() {
- return getReader().fromJsonHeaders(headersJson);
- }
- public boolean verifySignatureWith(JwsSignatureVerifier validator) {
- enforceJweSignatureProperties();
- if (!validator.verify(getJwtHeaders(), getUnsignedEncodedPayload(), getDecodedSignature())) {
- throw new SecurityException();
- }
- return true;
- }
- private void enforceJweSignatureProperties() {
- if (props != null) {
- //TODO:
- }
- }
- private static String decodeToString(String encoded) {
- try {
- return new String(decode(encoded), "UTF-8");
- } catch (UnsupportedEncodingException ex) {
- throw new SecurityException(ex);
- }
-
- }
- protected JwtHeadersReader getReader() {
- return reader;
- }
- private static byte[] decode(String encoded) {
- try {
- return Base64UrlUtility.decode(encoded);
- } catch (Base64Exception ex) {
- throw new SecurityException(ex);
- }
- }
-}