Example 1 with KeyAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm in project cxf by apache.
the class JweUtils method getKeyDecryptionProvider.
public static KeyDecryptionProvider getKeyDecryptionProvider(JsonWebKey jwk, KeyAlgorithm defaultAlgorithm) {
KeyAlgorithm keyAlgo = jwk.getAlgorithm() == null ? defaultAlgorithm : KeyAlgorithm.getAlgorithm(jwk.getAlgorithm());
KeyDecryptionProvider keyDecryptionProvider = null;
KeyType keyType = jwk.getKeyType();
if (KeyType.RSA == keyType) {
keyDecryptionProvider = getPrivateKeyDecryptionProvider(JwkUtils.toRSAPrivateKey(jwk), keyAlgo);
} else if (KeyType.OCTET == keyType) {
keyDecryptionProvider = getSecretKeyDecryptionProvider(JwkUtils.toSecretKey(jwk), keyAlgo);
} else {
keyDecryptionProvider = getPrivateKeyDecryptionProvider(JwkUtils.toECPrivateKey(jwk), keyAlgo);
}
return keyDecryptionProvider;
}
Also used :
KeyType(org.apache.cxf.rs.security.jose.jwk.KeyType)
KeyAlgorithm(org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)
Example 2 with KeyAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm in project cxf by apache.
the class JweUtils method loadDecryptionProvider.
public static JweDecryptionProvider loadDecryptionProvider(Properties props, JweHeaders inHeaders) {
Message m = PhaseInterceptorChain.getCurrentMessage();
KeyDecryptionProvider keyDecryptionProvider = null;
ContentAlgorithm contentAlgo = getContentEncryptionAlgorithm(m, props, null, ContentAlgorithm.A128GCM);
SecretKey ctDecryptionKey = null;
KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_CHAIN) != null) {
// Supporting loading a private key via a certificate for now
List<X509Certificate> chain = KeyManagementUtils.toX509CertificateChain(inHeaders.getX509Chain());
KeyManagementUtils.validateCertificateChain(props, chain);
X509Certificate cert = chain == null ? null : chain.get(0);
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, cert, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
} else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT) != null) {
X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509Thumbprint(), MessageDigestUtils.ALGO_SHA_1, m, props);
if (foundCert != null) {
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
} else if (inHeaders != null && inHeaders.getHeader(JoseConstants.HEADER_X509_THUMBPRINT_SHA256) != null) {
X509Certificate foundCert = KeyManagementUtils.getCertificateFromThumbprint(inHeaders.getX509ThumbprintSHA256(), MessageDigestUtils.ALGO_SHA_256, m, props);
if (foundCert != null) {
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, foundCert, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
contentAlgo = inHeaders.getContentEncryptionAlgorithm();
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
} else {
if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.DECRYPT);
if (jwk == null) {
LOG.warning("Extracting the JsonWebKey failed");
throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
}
if (KeyAlgorithm.DIRECT == keyAlgo) {
contentAlgo = getContentEncryptionAlgorithm(m, props, ContentAlgorithm.getAlgorithm(jwk.getAlgorithm()), ContentAlgorithm.A128GCM);
ctDecryptionKey = getContentDecryptionSecretKey(jwk, contentAlgo.getJwaName());
} else {
keyAlgo = getKeyEncryptionAlgorithm(m, props, KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()), getDefaultKeyAlgorithm(jwk));
keyDecryptionProvider = getKeyDecryptionProvider(jwk, keyAlgo);
}
} else if (keyAlgo != null && AlgorithmUtils.PBES_HS_SET.contains(keyAlgo.getJwaName())) {
PrivateKeyPasswordProvider provider = KeyManagementUtils.loadPasswordProvider(m, props, KeyOperation.DECRYPT);
char[] password = provider != null ? provider.getPassword(props) : null;
if (password == null) {
throw new JweException(JweException.Error.KEY_DECRYPTION_FAILURE);
}
keyDecryptionProvider = new PbesHmacAesWrapKeyDecryptionAlgorithm(new String(password));
} else {
PrivateKey privateKey = KeyManagementUtils.loadPrivateKey(m, props, KeyOperation.DECRYPT);
if (keyAlgo == null) {
keyAlgo = getDefaultPrivateKeyAlgorithm(privateKey);
}
keyDecryptionProvider = getPrivateKeyDecryptionProvider(privateKey, keyAlgo);
}
}
return createJweDecryptionProvider(keyDecryptionProvider, ctDecryptionKey, contentAlgo);
}
Also used :
ECPrivateKey(java.security.interfaces.ECPrivateKey)
RSAPrivateKey(java.security.interfaces.RSAPrivateKey)
PrivateKey(java.security.PrivateKey)
Message(org.apache.cxf.message.Message)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
PrivateKeyPasswordProvider(org.apache.cxf.rs.security.jose.common.PrivateKeyPasswordProvider)
X509Certificate(java.security.cert.X509Certificate)
KeyAlgorithm(org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)
SecretKey(javax.crypto.SecretKey)
ContentAlgorithm(org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)
Example 3 with KeyAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm in project cxf by apache.
the class AbstractJweJsonWriterProvider method getInitializedEncryptionProviders.
protected List<JweEncryptionProvider> getInitializedEncryptionProviders(List<String> propLocs, JweHeaders sharedProtectedHeaders, List<JweHeaders> perRecipientUnprotectedHeaders) {
if (encProviders != null) {
return encProviders;
}
// The task is to have a single ContentEncryptionProvider instance,
// configured to generate CEK only once, paired with all the loaded
// KeyEncryptionProviders to have JweEncryptionProviders initialized
Message m = JAXRSUtils.getCurrentMessage();
// Load all the properties
List<Properties> propsList = new ArrayList<Properties>(propLocs.size());
for (int i = 0; i < propLocs.size(); i++) {
propsList.add(JweUtils.loadJweProperties(m, propLocs.get(i)));
}
ContentAlgorithm ctAlgo = null;
// This set is to find out how many key encryption algorithms are used
// If only one then save it in the shared protected headers as opposed to
// per-recipient specific not protected ones
Set<KeyAlgorithm> keyAlgos = new HashSet<KeyAlgorithm>();
List<KeyEncryptionProvider> keyProviders = new LinkedList<KeyEncryptionProvider>();
for (int i = 0; i < propLocs.size(); i++) {
Properties props = propsList.get(i);
ContentAlgorithm currentCtAlgo = JweUtils.getContentEncryptionAlgorithm(m, props, ContentAlgorithm.A128GCM);
if (ctAlgo == null) {
ctAlgo = currentCtAlgo;
} else if (currentCtAlgo != null && !ctAlgo.equals(currentCtAlgo)) {
// ctAlgo must be the same for all the recipients
throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
JweHeaders perRecipientUnprotectedHeader = perRecipientUnprotectedHeaders.get(i);
KeyEncryptionProvider keyEncryptionProvider = JweUtils.loadKeyEncryptionProvider(props, m, perRecipientUnprotectedHeader);
if (keyEncryptionProvider.getAlgorithm() == KeyAlgorithm.DIRECT && propLocs.size() > 1) {
throw new JweException(JweException.Error.INVALID_JSON_JWE);
}
keyProviders.add(keyEncryptionProvider);
keyAlgos.add(perRecipientUnprotectedHeader.getKeyEncryptionAlgorithm());
}
if (ctAlgo == null) {
throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
}
sharedProtectedHeaders.setContentEncryptionAlgorithm(ctAlgo);
List<JweEncryptionProvider> theEncProviders = new LinkedList<JweEncryptionProvider>();
if (keyProviders.size() == 1 && keyProviders.get(0).getAlgorithm() == KeyAlgorithm.DIRECT) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, propsList.get(0), KeyOperation.ENCRYPT);
if (jwk != null) {
ContentEncryptionProvider ctProvider = JweUtils.getContentEncryptionProvider(jwk, ctAlgo);
JweEncryptionProvider encProvider = new JweEncryption(keyProviders.get(0), ctProvider);
theEncProviders.add(encProvider);
}
} else {
ContentEncryptionProvider ctProvider = JweUtils.getContentEncryptionProvider(ctAlgo, true);
for (int i = 0; i < keyProviders.size(); i++) {
JweEncryptionProvider encProvider = new JweEncryption(keyProviders.get(0), ctProvider);
theEncProviders.add(encProvider);
}
}
if (keyAlgos.size() == 1) {
sharedProtectedHeaders.setKeyEncryptionAlgorithm(keyAlgos.iterator().next());
for (int i = 0; i < perRecipientUnprotectedHeaders.size(); i++) {
perRecipientUnprotectedHeaders.get(i).removeProperty(JoseConstants.JWE_HEADER_KEY_ENC_ALGORITHM);
}
}
return theEncProviders;
}
Also used :
ContentEncryptionProvider(org.apache.cxf.rs.security.jose.jwe.ContentEncryptionProvider)
KeyEncryptionProvider(org.apache.cxf.rs.security.jose.jwe.KeyEncryptionProvider)
Message(org.apache.cxf.message.Message)
JweEncryptionProvider(org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider)
ArrayList(java.util.ArrayList)
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
Properties(java.util.Properties)
JweEncryption(org.apache.cxf.rs.security.jose.jwe.JweEncryption)
LinkedList(java.util.LinkedList)
KeyAlgorithm(org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)
JweHeaders(org.apache.cxf.rs.security.jose.jwe.JweHeaders)
JweException(org.apache.cxf.rs.security.jose.jwe.JweException)
ContentAlgorithm(org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)
HashSet(java.util.HashSet)
Example 4 with KeyAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm in project cxf by apache.
the class AbstractWrapKeyEncryptionAlgorithm method checkAlgorithms.
protected void checkAlgorithms(JweHeaders headers) {
KeyAlgorithm providedAlgo = headers.getKeyEncryptionAlgorithm();
if (providedAlgo != null && !providedAlgo.equals(algorithm)) {
LOG.warning("Invalid key encryption algorithm: " + providedAlgo);
throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
}
if (providedAlgo != null) {
checkAlgorithm(providedAlgo.getJwaName());
} else {
checkAlgorithm(algorithm.getJwaName());
headers.setKeyEncryptionAlgorithm(algorithm);
}
}
Also used :
KeyAlgorithm(org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)
Example 5 with KeyAlgorithm
use of org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm in project cxf by apache.
the class JweUtils method loadKeyEncryptionProvider.
public static KeyEncryptionProvider loadKeyEncryptionProvider(Properties props, Message m, JweHeaders headers) {
KeyEncryptionProvider keyEncryptionProvider = null;
KeyAlgorithm keyAlgo = getKeyEncryptionAlgorithm(m, props, null, null);
if (KeyAlgorithm.DIRECT == keyAlgo) {
keyEncryptionProvider = new DirectKeyEncryptionAlgorithm();
} else if (keyAlgo != null && AlgorithmUtils.PBES_HS_SET.contains(keyAlgo.getJwaName())) {
PrivateKeyPasswordProvider provider = KeyManagementUtils.loadPasswordProvider(m, props, KeyOperation.ENCRYPT);
char[] password = provider != null ? provider.getPassword(props) : null;
if (password == null) {
throw new JweException(JweException.Error.KEY_ENCRYPTION_FAILURE);
}
int pbes2Count = MessageUtils.getContextualInteger(m, JoseConstants.RSSEC_ENCRYPTION_PBES2_COUNT, 4096);
return new PbesHmacAesWrapKeyEncryptionAlgorithm(new String(password), pbes2Count, keyAlgo, false);
} else {
boolean includeCert = JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_CERT);
boolean includeCertSha1 = JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_CERT_SHA1);
boolean includeCertSha256 = JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_CERT_SHA256);
boolean includeKeyId = JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_KEY_ID);
if (JoseConstants.HEADER_JSON_WEB_KEY.equals(props.get(JoseConstants.RSSEC_KEY_STORE_TYPE))) {
JsonWebKey jwk = JwkUtils.loadJsonWebKey(m, props, KeyOperation.ENCRYPT);
if (jwk != null) {
keyAlgo = getKeyEncryptionAlgorithm(m, props, KeyAlgorithm.getAlgorithm(jwk.getAlgorithm()), getDefaultKeyAlgorithm(jwk));
keyEncryptionProvider = getKeyEncryptionProvider(jwk, keyAlgo);
boolean includePublicKey = JoseUtils.checkBooleanProperty(headers, props, m, JoseConstants.RSSEC_ENCRYPTION_INCLUDE_PUBLIC_KEY);
if (includeCert) {
JwkUtils.includeCertChain(jwk, headers, keyAlgo.getJwaName());
}
if (includeCertSha1) {
KeyManagementUtils.setSha1DigestHeader(headers, m, props);
} else if (includeCertSha256) {
KeyManagementUtils.setSha256DigestHeader(headers, m, props);
}
if (includePublicKey) {
JwkUtils.includePublicKey(jwk, headers, keyAlgo.getJwaName());
}
if (includeKeyId && jwk.getKeyId() != null) {
headers.setKeyId(jwk.getKeyId());
}
}
} else {
keyEncryptionProvider = getPublicKeyEncryptionProvider(KeyManagementUtils.loadPublicKey(m, props), props, keyAlgo);
if (includeCert) {
headers.setX509Chain(KeyManagementUtils.loadAndEncodeX509CertificateOrChain(m, props));
}
if (includeCertSha1) {
KeyManagementUtils.setSha1DigestHeader(headers, m, props);
} else if (includeCertSha256) {
KeyManagementUtils.setSha256DigestHeader(headers, m, props);
}
if (includeKeyId && props.containsKey(JoseConstants.RSSEC_KEY_STORE_ALIAS)) {
headers.setKeyId(props.getProperty(JoseConstants.RSSEC_KEY_STORE_ALIAS));
}
}
}
if (keyEncryptionProvider == null) {
throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
}
headers.setKeyEncryptionAlgorithm(keyEncryptionProvider.getAlgorithm());
return keyEncryptionProvider;
}
Also used :
JsonWebKey(org.apache.cxf.rs.security.jose.jwk.JsonWebKey)
PrivateKeyPasswordProvider(org.apache.cxf.rs.security.jose.common.PrivateKeyPasswordProvider)
KeyAlgorithm(org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)
Aggregations
KeyAlgorithm (org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm)7
ContentAlgorithm (org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm)4
Message (org.apache.cxf.message.Message)3
JsonWebKey (org.apache.cxf.rs.security.jose.jwk.JsonWebKey)3
SecretKey (javax.crypto.SecretKey)2
PrivateKeyPasswordProvider (org.apache.cxf.rs.security.jose.common.PrivateKeyPasswordProvider)2
KeyType (org.apache.cxf.rs.security.jose.jwk.KeyType)2
PrivateKey (java.security.PrivateKey)1
X509Certificate (java.security.cert.X509Certificate)1
ECPrivateKey (java.security.interfaces.ECPrivateKey)1
RSAPrivateKey (java.security.interfaces.RSAPrivateKey)1
ArrayList (java.util.ArrayList)1
HashSet (java.util.HashSet)1
LinkedList (java.util.LinkedList)1
Properties (java.util.Properties)1
ContentEncryptionProvider (org.apache.cxf.rs.security.jose.jwe.ContentEncryptionProvider)1
JweEncryption (org.apache.cxf.rs.security.jose.jwe.JweEncryption)1
JweEncryptionProvider (org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider)1
JweException (org.apache.cxf.rs.security.jose.jwe.JweException)1
JweHeaders (org.apache.cxf.rs.security.jose.jwe.JweHeaders)1
