Example 1 with ContentAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm in project cxf by apache.
the class OAuthUtils method getClientSecretContentAlgorithm.
private static ContentAlgorithm getClientSecretContentAlgorithm(Properties props) {
String ctAlgoProp = props.getProperty(OAuthConstants.CLIENT_SECRET_CONTENT_ENCRYPTION_ALGORITHM);
if (ctAlgoProp == null) {
ctAlgoProp = props.getProperty(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM);
}
ContentAlgorithm ctAlgo = ContentAlgorithm.getAlgorithm(ctAlgoProp);
ctAlgo = ctAlgo != null ? ctAlgo : ContentAlgorithm.A128GCM;
return ctAlgo;
}
Also used :
ContentAlgorithm(org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)
Example 2 with ContentAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm in project cxf by apache.
the class JweUtils method loadDecryptionProvider.
public static JweDecryptionProvider loadDecryptionProvider(Properties props, JweHeaders inHeaders) {
Message m = PhaseInterceptorChain.getCurrentMessage();
KeyDecryptionProvider keyDecryptionProvider = null;
ContentAlgorithm contentAlgo = getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
SecretKey ctDecryptionKey = null;
KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
// Supporting loading a private key via a certificate for now
List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
KeyManagementUtils.validateCertificateChain(props, chain);
X509Certificate cert = chain == null ? null : chain.get(0);
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
} else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509Thumbprint(), MessageDigestUtils.ALGO_SHA_1, m, props);
if (foundCert != null) {
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
} else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT_SHA256) != null) {
X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509ThumbprintSHA256(), MessageDigestUtils.ALGO_SHA_256, m, props);
if (foundCert != null) {
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
} else {
if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.DECRYPT);
if (jwk == null) {
LOG.warning("Extracting the JsonWebKey failed");
throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
}
if (KeyAlgorithm.DIRECT == keyAlgo) {
contentAlgo = getContentEncryptionAlgorithm(m, props, ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()), ContentAlgorithm.A128GCM);
ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentAlgo.getJwaName());
} else {
keyAlgo = getKeyEncryptionAlgorithm(m, props, KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()), getDefaultKeyAlgorithm(jwk));
keyDecryptionProvider = getKeyDecryptionProvider(jwk, keyAlgo);
}
} else if (keyAlgo != null && AlgorithmUtils.PBES_HS_SET.contains(keyAlgo.getJwaName())) {
PrivateKeyPasswordProvider provider = KeyManagementUtils.loadPasswordProvider(m, props, KeyOperation.DECRYPT);
char[] password = provider != null ? provider.getPassword(props) : null;
if (password == null) {
throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
}
keyDecryptionProvider = new PbesHmacAesWrapKeyDecryptionAlgorithm(new String(password));
} else {
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
}
return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, contentAlgo);
}
Also used :
ECPrivateKey(java.security.interfaces.ECPrivateKey)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
PrivateKey(java.security.PrivateKey)
Message(org.apache.cxf.message.Message)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
PrivateKeyPasswordProvider(org.apache.cxf.rs.security.jose.common.PrivateKeyPasswordProvider)
X509Certificate(java.security.cert.X509Certificate)
KeyAlgorithm(org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)
SecretKey(javax.crypto.SecretKey)
ContentAlgorithm(org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)
Example 3 with ContentAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm in project cxf by apache.
the class AbstractJweJsonWriterProvider method getInitializedEncryptionProviders.
protected List<JweEncryptionProvider> getInitializedEncryptionProviders(List<String> propLocs, JweHeaders sharedProtectedHeaders, List<JweHeaders> perRecipientUnprotectedHeaders) {
if (encProviders != null) {
return encProviders;
}
// The task is to have a single ContentEncryptionProvider instance,
// configured to generate CEK only once, paired with all the loaded
// KeyEncryptionProviders to have JweEncryptionProviders initialized
Message m = JAXRSUtils.getCurrentMessage();
// Load all the properties
List<Properties> propsList = new ArrayList<Properties>(propLocs.size());
for (int i = 0; i < propLocs.size(); i++) {
propsList.add(JweUtils.loadJweProperties(m, propLocs.get(i)));
}
ContentAlgorithm ctAlgo = null;
// This set is to find out how many key encryption algorithms are used
// If only one then save it in the shared protected headers as opposed to
// per-recipient specific not protected ones
Set<KeyAlgorithm> keyAlgos = new HashSet<KeyAlgorithm>();
List<KeyEncryptionProvider> keyProviders = new LinkedList<KeyEncryptionProvider>();
for (int i = 0; i < propLocs.size(); i++) {
Properties props = propsList.get(i);
ContentAlgorithm currentCtAlgo = JweUtils.getContentEncryptionAlgorithm(m, props, ContentAlgorithm.A128GCM);
if (ctAlgo == null) {
ctAlgo = currentCtAlgo;
} else if (currentCtAlgo != null && !ctAlgo.equals(currentCtAlgo)) {
// ctAlgo must be the same for all the recipients
throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
JweHeaders perRecipientUnprotectedHeader = perRecipientUnprotectedHeaders.get(i);
KeyEncryptionProvider keyEncryptionProvider = JweUtils.loadKeyEncryptionProvider(props, m, perRecipientUnprotectedHeader);
if (keyEncryptionProvider.getAlgorithm() == KeyAlgorithm.DIRECT && propLocs.size() > 1) {
throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
keyProviders.add(keyEncryptionProvider);
keyAlgos.add(perRecipientUnprotectedHeader.getKeyEncryptionAlgorithm());
}
if (ctAlgo == null) {
throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
sharedProtectedHeaders.setContentEncryptionAlgorithm(ctAlgo);
List<JweEncryptionProvider> theEncProviders = new LinkedList<JweEncryptionProvider>();
if (keyProviders.size() == 1 && keyProviders.get(0).getAlgorithm() == KeyAlgorithm.DIRECT) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, propsList.get(0), KeyOperation.ENCRYPT);
if (jwk != null) {
ContentEncryptionProvider ctProvider = JweUtils.getContentEncryptionProvider(jwk, ctAlgo);
JweEncryptionProvider encProvider = new JweEncryption(keyProviders.get(0), ctProvider);
theEncProviders.add(encProvider);
}
} else {
ContentEncryptionProvider ctProvider = JweUtils.getContentEncryptionProvider(ctAlgo, true);
for (int i = 0; i < keyProviders.size(); i++) {
JweEncryptionProvider encProvider = new JweEncryption(keyProviders.get(0), ctProvider);
theEncProviders.add(encProvider);
}
}
if (keyAlgos.size() == 1) {
sharedProtectedHeaders.setKeyEncryptionAlgorithm(keyAlgos.iterator().next());
for (int i = 0; i < perRecipientUnprotectedHeaders.size(); i++) {
perRecipientUnprotectedHeaders.get(i).removeProperty(JoseConstants.JWE_HEADER_KEY_ENC_ALGORITHM);
}
}
return theEncProviders;
}
Also used :
ContentEncryptionProvider(org.apache.cxf.rs.security.jose.jwe.ContentEncryptionProvider)
KeyEncryptionProvider(org.apache.cxf.rs.security.jose.jwe.KeyEncryptionProvider)
Message(org.apache.cxf.message.Message)
JweEncryptionProvider(org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider)
ArrayList(java.util.ArrayList)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
Properties(java.util.Properties)
JweEncryption(org.apache.cxf.rs.security.jose.jwe.JweEncryption)
LinkedList(java.util.LinkedList)
KeyAlgorithm(org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)
JweHeaders(org.apache.cxf.rs.security.jose.jwe.JweHeaders)
JweException(org.apache.cxf.rs.security.jose.jwe.JweException)
ContentAlgorithm(org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)
HashSet(java.util.HashSet)
Example 4 with ContentAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm in project cxf by apache.
the class BookStore method getRecipientText.
private String getRecipientText(JweJsonConsumer consumer, String recipientPropLoc, String recipientKid) {
Message message = JAXRSUtils.getCurrentMessage();
Properties recipientProps = JweUtils.loadJweProperties(message, recipientPropLoc);
JsonWebKey recipientKey = JwkUtils.loadJwkSet(message, recipientProps, null).getKey(recipientKid);
ContentAlgorithm contentEncryptionAlgorithm = JweUtils.getContentEncryptionAlgorithm(recipientProps);
JweDecryptionProvider jweRecipient = JweUtils.createJweDecryptionProvider(recipientKey, contentEncryptionAlgorithm);
JweDecryptionOutput jweRecipientOutput = consumer.decryptWith(jweRecipient, Collections.singletonMap("kid", recipientKid));
return jweRecipientOutput.getContentText();
}
Also used :
JweDecryptionOutput(org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput)
Message(org.apache.cxf.message.Message)
ContentAlgorithm(org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
JweDecryptionProvider(org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider)
Properties(java.util.Properties)
Example 5 with ContentAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm in project cxf by apache.
the class JweUtils method getKeyEncryptionProvider.
public static KeyEncryptionProvider getKeyEncryptionProvider(JsonWebKey jwk, KeyAlgorithm defaultAlgorithm) {
KeyAlgorithm keyAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : KeyAlgorithm.getAlgorithm(jwk.getAlgorithm());
KeyEncryptionProvider keyEncryptionProvider = null;
KeyType keyType = jwk.getKeyType();
if (KeyType.RSA == keyType) {
keyEncryptionProvider = getPublicKeyEncryptionProvider(JwkUtils.toRSAPublicKey(jwk, true), keyAlgo);
} else if (KeyType.OCTET == keyType) {
keyEncryptionProvider = getSecretKeyEncryptionAlgorithm(JwkUtils.toSecretKey(jwk), keyAlgo);
} else {
ContentAlgorithm ctAlgo = null;
Message m = PhaseInterceptorChain.getCurrentMessage();
if (m != null) {
ctAlgo = getContentAlgo((String) m.get(JoseConstants.RSSEC_ENCRYPTION_CONTENT_ALGORITHM));
}
keyEncryptionProvider = new EcdhAesWrapKeyEncryptionAlgorithm(JwkUtils.toECPublicKey(jwk), jwk.getStringProperty(JsonWebKey.EC_CURVE), keyAlgo, ctAlgo == null ? ContentAlgorithm.A128GCM : ctAlgo);
}
return keyEncryptionProvider;
}
Also used :
KeyType(org.apache.cxf.rs.security.jose.jwk.KeyType)
Message(org.apache.cxf.message.Message)
ContentAlgorithm(org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)
KeyAlgorithm(org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)
Aggregations
ContentAlgorithm (org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)10
JsonWebKey (org.apache.cxf.rs.security.jose.jwk.JsonWebKey)5
Message (org.apache.cxf.message.Message)4
KeyAlgorithm (org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)4
RSAPrivateKey (java.security.interfaces.RSAPrivateKey)2
Properties (java.util.Properties)2
SecretKey (javax.crypto.SecretKey)2
KeyType (org.apache.cxf.rs.security.jose.jwk.KeyType)2
PrivateKey (java.security.PrivateKey)1
X509Certificate (java.security.cert.X509Certificate)1
ECPrivateKey (java.security.interfaces.ECPrivateKey)1
ArrayList (java.util.ArrayList)1
HashSet (java.util.HashSet)1
LinkedList (java.util.LinkedList)1
PrivateKeyPasswordProvider (org.apache.cxf.rs.security.jose.common.PrivateKeyPasswordProvider)1
ContentEncryptionProvider (org.apache.cxf.rs.security.jose.jwe.ContentEncryptionProvider)1
JweDecryptionOutput (org.apache.cxf.rs.security.jose.jwe.JweDecryptionOutput)1
JweDecryptionProvider (org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider)1
JweEncryption (org.apache.cxf.rs.security.jose.jwe.JweEncryption)1
JweEncryptionProvider (org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider)1
