coheigea commented on code in PR #1645: URL: https://github.com/apache/cxf/pull/1645#discussion_r1459208818
########## rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/PbesHmacAesWrapKeyEncryptionAlgorithm.java: ########## @@ -129,19 +128,23 @@ static int getKeySize(String keyAlgoJwt) { } static byte[] createDerivedKey(String keyAlgoJwt, int keySize, byte[] password, byte[] saltInput, int pbesCount) { - byte[] saltValue = createSaltValue(keyAlgoJwt, saltInput); - final Digest digest; - int macSigSize = PBES_HMAC_MAP.get(keyAlgoJwt); - if (macSigSize == 256) { - digest = new SHA256Digest(); - } else if (macSigSize == 384) { - digest = new SHA384Digest(); - } else { - digest = new SHA512Digest(); + try { + byte[] saltValue = createSaltValue(keyAlgoJwt, saltInput); + int macSigSize = PBES_HMAC_MAP.get(keyAlgoJwt); + + String algorithm = "PBKDF2WithHmacSHA" + macSigSize; + PBEKeySpec pbeSpec = new PBEKeySpec(new String(password).toCharArray(), saltValue, pbesCount, keySize * 8); + SecretKeyFactory keyFact = SecretKeyFactory.getInstance(algorithm); + Key sKey = keyFact.generateSecret(pbeSpec); + byte[] ret = new byte[keySize]; + byte[] key = sKey.getEncoded(); + System.arraycopy(key, 0, ret, 0, keySize); + return ret; + + } catch (Exception ex) { + LOG.warning("cannot create Derived Key"); Review Comment: Shouldn't the exception be logged here? ########## rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/PublicKeyJwsSignatureVerifier.java: ########## @@ -59,6 +85,30 @@ public PublicKeyJwsSignatureVerifier(X509Certificate cert, this.key = null; } this.cert = cert; + String javaAlgoName = supportedAlgo.getJavaName(); + if (javaAlgoName.equals(AlgorithmUtils.PS_SHA_JAVA) + && spec == null) { + //must have spec in this case + String size = supportedAlgo.getJwaName().substring(2); + switch (size) { + case "256" : + spec = new PSSParameterSpec(MGF1ParameterSpec.SHA256.getDigestAlgorithm(), + "MGF1", MGF1ParameterSpec.SHA256, Integer.valueOf(size) / 8, 1); + break; + case "384" : + spec = new PSSParameterSpec(MGF1ParameterSpec.SHA384.getDigestAlgorithm(), + "MGF1", MGF1ParameterSpec.SHA384, Integer.valueOf(size) / 8, 1); + break; + case "512" : + spec = new PSSParameterSpec(MGF1ParameterSpec.SHA512.getDigestAlgorithm(), + "MGF1", MGF1ParameterSpec.SHA512, Integer.valueOf(size) / 8, 1); + break; + default : Review Comment: Could we maybe have some shared code for this PSSParameterSpec creation, as it's re-used 3 times? ########## rt/security/src/main/java/org/apache/cxf/rt/security/crypto/CryptoUtils.java: ########## @@ -592,6 +578,11 @@ public static Cipher initCipher(Key secretKey, KeyProperties keyProps, int mode) try { String algorithm = keyProps != null && keyProps.getKeyAlgo() != null ? keyProps.getKeyAlgo() : secretKey.getAlgorithm(); + if (algorithm.equals("AESWrap")) { + int keySize = secretKey.getEncoded().length; + algorithm = "AESWrap_" + keySize * 8; + secretKey = new SecretKeySpec(secretKey.getEncoded(), 0, keySize, "AES"); + } Review Comment: Why is this change needed? -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@cxf.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org