Repository: cxf Updated Branches: refs/heads/master 1ebe682c6 -> e125ae55f
Updating JWE ContentDecryptionAlgorithm to return the algo it actually supports Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/29394922 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/29394922 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/29394922 Branch: refs/heads/master Commit: 29394922c5d7f51de88dfa125dfa541a3d342e72 Parents: 1ebe682 Author: Sergey Beryozkin <[email protected]> Authored: Wed Oct 22 17:09:47 2014 +0100 Committer: Sergey Beryozkin <[email protected]> Committed: Wed Oct 22 17:09:47 2014 +0100 ---------------------------------------------------------------------- .../cxf/rs/security/jose/jwa/Algorithm.java | 34 ++++++++++++-------- .../jwe/AbstractContentEncryptionAlgorithm.java | 1 + ...stractContentEncryptionCipherProperties.java | 9 +++++- .../jose/jwe/AesCbcHmacJweDecryption.java | 7 ++-- .../jwe/AesGcmContentDecryptionAlgorithm.java | 9 ++---- .../jwe/ContentEncryptionCipherProperties.java | 1 + .../jose/jwe/JweCompactReaderWriterTest.java | 7 ++-- .../jose/jwe/JwePbeHmacAesWrapTest.java | 2 +- 8 files changed, 43 insertions(+), 27 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java index 6c66825..5b15866 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwa/Algorithm.java @@ -91,6 +91,21 @@ public enum Algorithm { public static final Set<String> EC_SHA_SIGN_SET = new HashSet<String>(Arrays.asList(JoseConstants.ES_SHA_256_ALGO, JoseConstants.ES_SHA_384_ALGO, JoseConstants.ES_SHA_512_ALGO)); + public static final Set<String> RSA_OAEP_CEK_SET = new HashSet<String>(Arrays.asList(JoseConstants.RSA_OAEP_ALGO, + JoseConstants.RSA_OAEP_256_ALGO)); + public static final Set<String> AES_GCM_CEK_SET = new HashSet<String>(Arrays.asList(JoseConstants.A128GCM_ALGO, + JoseConstants.A192GCM_ALGO, + JoseConstants.A256GCM_ALGO)); + public static final Set<String> AES_GCM_KW_SET = new HashSet<String>(Arrays.asList(JoseConstants.A192GCMKW_ALGO, + JoseConstants.A192GCMKW_ALGO, + JoseConstants.A256GCMKW_ALGO)); + public static final Set<String> AES_KW_SET = new HashSet<String>(Arrays.asList(JoseConstants.A128KW_ALGO, + JoseConstants.A192KW_ALGO, + JoseConstants.A256KW_ALGO)); + public static final Set<String> ACBC_HS_SET = + new HashSet<String>(Arrays.asList(JoseConstants.A128CBC_HS256_ALGO, + JoseConstants.A192CBC_HS384_ALGO, + JoseConstants.A256CBC_HS512_ALGO)); private static final Map<String, String> JAVA_TO_JWT_NAMES; private static final Map<String, String> JWT_TO_JAVA_NAMES; @@ -199,28 +214,19 @@ public enum Algorithm { return javaName; } public static boolean isRsaOaep(String algo) { - return JoseConstants.RSA_OAEP_ALGO.equals(algo) - || JoseConstants.RSA_OAEP_256_ALGO.equals(algo); + return RSA_OAEP_CEK_SET.contains(algo); } public static boolean isAesKeyWrap(String algo) { - return JoseConstants.A128KW_ALGO.equals(algo) - || JoseConstants.A192KW_ALGO.equals(algo) - || JoseConstants.A256KW_ALGO.equals(algo); + return AES_KW_SET.contains(algo); } public static boolean isAesGcmKeyWrap(String algo) { - return JoseConstants.A128GCMKW_ALGO.equals(algo) - || JoseConstants.A192GCMKW_ALGO.equals(algo) - || JoseConstants.A256GCMKW_ALGO.equals(algo); + return AES_GCM_KW_SET.contains(algo); } public static boolean isAesGcm(String algo) { - return JoseConstants.A128GCM_ALGO.equals(algo) - || JoseConstants.A192GCM_ALGO.equals(algo) - || JoseConstants.A256GCM_ALGO.equals(algo); + return AES_GCM_CEK_SET.contains(algo); } public static boolean isAesCbcHmac(String algo) { - return JoseConstants.A128CBC_HS256_ALGO.equals(algo) - || JoseConstants.A192CBC_HS384_ALGO.equals(algo) - || JoseConstants.A256CBC_HS512_ALGO.equals(algo); + return ACBC_HS_SET.contains(algo); } public static boolean isHmacSign(String algo) { return HMAC_SIGN_SET.contains(algo); http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java index 770ee56..5edf9fa 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionAlgorithm.java @@ -32,6 +32,7 @@ public abstract class AbstractContentEncryptionAlgorithm extends AbstractContent private String algorithm; protected AbstractContentEncryptionAlgorithm(byte[] cek, byte[] iv, String algo) { + super(algo); this.cek = cek; this.iv = iv; if (iv != null && iv.length > 0) { http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java index bc30979..ca2d6b9 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AbstractContentEncryptionCipherProperties.java @@ -26,7 +26,10 @@ import org.apache.cxf.common.util.crypto.CryptoUtils; public abstract class AbstractContentEncryptionCipherProperties implements ContentEncryptionCipherProperties { private static final int DEFAULT_AUTH_TAG_LENGTH = 128; private int authTagLen = DEFAULT_AUTH_TAG_LENGTH; - + private String algo; + public AbstractContentEncryptionCipherProperties(String algo) { + this.algo = algo; + } public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) { return CryptoUtils.getContentEncryptionCipherSpec(getAuthTagLen(), theIv); } @@ -36,4 +39,8 @@ public abstract class AbstractContentEncryptionCipherProperties implements Conte protected int getAuthTagLen() { return authTagLen; } + @Override + public String getAlgorithm() { + return algo; + } } http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java index bf110f3..0ef6580 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java @@ -37,8 +37,8 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption { public AesCbcHmacJweDecryption(KeyDecryptionAlgorithm keyDecryptionAlgo, String supportedAlgo, JoseHeadersReader reader) { - super(reader, keyDecryptionAlgo, new AesCbcContentDecryptionAlgorithm()); - this.supportedAlgo = null; + super(reader, keyDecryptionAlgo, new AesCbcContentDecryptionAlgorithm(supportedAlgo)); + this.supportedAlgo = supportedAlgo; } protected JweDecryptionOutput doDecrypt(JweCompactConsumer consumer, byte[] cek) { validateAuthenticationTag(consumer, cek); @@ -66,6 +66,9 @@ public class AesCbcHmacJweDecryption extends AbstractJweDecryption { } private static class AesCbcContentDecryptionAlgorithm extends AbstractContentEncryptionCipherProperties implements ContentDecryptionAlgorithm { + public AesCbcContentDecryptionAlgorithm(String supportedAlgo) { + super(supportedAlgo); + } @Override public AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] theIv) { return new IvParameterSpec(theIv); http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java index 70b3a00..f1f3388 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesGcmContentDecryptionAlgorithm.java @@ -24,19 +24,14 @@ import org.apache.cxf.rs.security.jose.jwa.Algorithm; public class AesGcmContentDecryptionAlgorithm extends AbstractContentEncryptionCipherProperties implements ContentDecryptionAlgorithm { - private String supportedAlgo; - public AesGcmContentDecryptionAlgorithm() { - this(null); - } public AesGcmContentDecryptionAlgorithm(String supportedAlgo) { - this.supportedAlgo = supportedAlgo; + super(supportedAlgo); } @Override public byte[] getEncryptedSequence(JweHeaders headers, byte[] cipher, byte[] authTag) { String algo = headers.getContentEncryptionAlgorithm(); - if (!Algorithm.isAesGcm(algo) - || supportedAlgo != null && !supportedAlgo.equals(algo)) { + if (!Algorithm.isAesGcm(algo) || !getAlgorithm().equals(algo)) { throw new SecurityException(); } return JweCompactConsumer.getCipherWithAuthTag(cipher, authTag); http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java index 54da6fd..14ea8f3 100644 --- a/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java +++ b/rt/rs/security/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/ContentEncryptionCipherProperties.java @@ -24,4 +24,5 @@ import java.security.spec.AlgorithmParameterSpec; public interface ContentEncryptionCipherProperties { byte[] getAdditionalAuthenticationData(String headersJson); AlgorithmParameterSpec getAlgorithmParameterSpec(byte[] iv); + String getAlgorithm(); } http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java index b62dc87..c88c5e4 100644 --- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java +++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JweCompactReaderWriterTest.java @@ -188,13 +188,16 @@ public class JweCompactReaderWriterTest extends Assert { private void decrypt(String jweContent, String plainContent, boolean unwrap) throws Exception { RSAPrivateKey privateKey = CryptoUtils.getRSAPrivateKey(RSA_MODULUS_ENCODED_A1, RSA_PRIVATE_EXPONENT_ENCODED_A1); + String algo = Cipher.getMaxAllowedKeyLength("AES") > 128 + ? JoseConstants.A256GCM_ALGO : JoseConstants.A128GCM_ALGO; JweDecryptionProvider decryptor = new WrappedKeyJweDecryption(new RSAOaepKeyDecryptionAlgorithm(privateKey), - new AesGcmContentDecryptionAlgorithm()); + new AesGcmContentDecryptionAlgorithm(algo)); String decryptedText = decryptor.decrypt(jweContent).getContentText(); assertEquals(decryptedText, plainContent); } private void decryptDirect(SecretKey key, String jweContent, String plainContent) throws Exception { - DirectKeyJweDecryption decryptor = new DirectKeyJweDecryption(key, new AesGcmContentDecryptionAlgorithm()); + DirectKeyJweDecryption decryptor = new DirectKeyJweDecryption(key, + new AesGcmContentDecryptionAlgorithm(JoseConstants.A128GCM_ALGO)); String decryptedText = decryptor.decrypt(jweContent).getContentText(); assertEquals(decryptedText, plainContent); } http://git-wip-us.apache.org/repos/asf/cxf/blob/29394922/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java ---------------------------------------------------------------------- diff --git a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java index 05d53c2..e21cde0 100644 --- a/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java +++ b/rt/rs/security/jose/src/test/java/org/apache/cxf/rs/security/jose/jwe/JwePbeHmacAesWrapTest.java @@ -71,7 +71,7 @@ public class JwePbeHmacAesWrapTest extends Assert { String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null); PbesHmacAesWrapKeyDecryptionAlgorithm keyDecryption = new PbesHmacAesWrapKeyDecryptionAlgorithm(password); JweDecryptionProvider decryption = new WrappedKeyJweDecryption(keyDecryption, - new AesGcmContentDecryptionAlgorithm()); + new AesGcmContentDecryptionAlgorithm(JoseConstants.A128GCM_ALGO)); String decryptedText = decryption.decrypt(jweContent).getContentText(); assertEquals(specPlainText, decryptedText);
