
Example 1 with KeyProperties

use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.

From class WrappedKeyDecryptionAlgorithm, method getDecryptedContentEncryptionKey:

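/**
 * Recovers the content encryption key (CEK) carried in the JWE input, either by
 * unwrapping it with the key encryption key or, when wrapping is not in use, by
 * decrypting the raw bytes.
 *
 * @param jweDecryptionInput the JWE being decrypted; supplies the key encryption
 *        algorithm, the optional algorithm parameters and the encrypted CEK
 * @return the raw CEK bytes
 */
public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
    KeyProperties keyProps = new KeyProperties(getKeyEncryptionAlgorithm(jweDecryptionInput));
    AlgorithmParameterSpec spec = getAlgorithmParameterSpec(jweDecryptionInput);
    if (spec != null) {
        keyProps.setAlgoSpec(spec);
    }
    byte[] encryptedCek = getEncryptedContentEncryptionKey(jweDecryptionInput);
    if (!unwrap) {
        // Plain decryption path: the cipher needs the block size to be set explicitly
        keyProps.setBlockSize(getKeyCipherBlockSize());
        return CryptoUtils.decryptBytes(encryptedCek, getCekDecryptionKey(), keyProps);
    }
    javax.crypto.SecretKey unwrappedCek = CryptoUtils.unwrapSecretKey(encryptedCek,
        getContentEncryptionAlgorithm(jweDecryptionInput), getCekDecryptionKey(), keyProps);
    byte[] cekBytes = unwrappedCek.getEncoded();
    // The key object is no longer needed once its bytes have been copied out; destroy it on
    // a best-effort basis (the JDK's default SecretKeySpec rejects destroy()).
    try {
        unwrappedCek.destroy();
    } catch (javax.security.auth.DestroyFailedException ignored) {
        // best-effort only; the caller owns the returned byte[] copy
    }
    return cekBytes;
}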

Example 2 with KeyProperties

use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.

From class AbstractJweDecryption, method doDecrypt:

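/**
 * Decrypts the JWE ciphertext with the supplied content encryption key; the
 * authentication tag is checked as part of the cipher operation.
 *
 * <p>The supplied {@code cek} (and the CEK actually used, when it is a distinct
 * array) is zeroed before this method returns, on both the success and the
 * failure path, so a rejected message does not leave key bytes behind.
 *
 * @param jweDecryptionInput the JWE being decrypted
 * @param cek the content encryption key; overwritten with zeros before return
 * @return the decrypted payload together with the JWE headers
 */
protected JweDecryptionOutput doDecrypt(JweDecryptionInput jweDecryptionInput, byte[] cek) {
    KeyProperties keyProperties = new KeyProperties(getContentEncryptionAlgorithm(jweDecryptionInput));
    keyProperties.setAdditionalData(getContentEncryptionCipherAAD(jweDecryptionInput));
    AlgorithmParameterSpec spec = getContentEncryptionCipherSpec(jweDecryptionInput);
    keyProperties.setAlgoSpec(spec);
    boolean compressionSupported = JoseConstants.JWE_DEFLATE_ZIP_ALGORITHM.equals(
        jweDecryptionInput.getJweHeaders().getZipAlgorithm());
    keyProperties.setCompressionSupported(compressionSupported);
    byte[] actualCek = null;
    SecretKey secretKey = null;
    try {
        actualCek = getActualCek(cek,
            jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm().getJwaName());
        secretKey = CryptoUtils.createSecretKeySpec(actualCek, keyProperties.getKeyAlgo());
        byte[] bytes = CryptoUtils.decryptBytes(getEncryptedContentWithAuthTag(jweDecryptionInput),
            secretKey, keyProperties);
        return new JweDecryptionOutput(jweDecryptionInput.getJweHeaders(), bytes);
    } finally {
        // Cleanup runs even when decryptBytes throws (e.g. on an authentication-tag
        // mismatch), so rejected input does not leave key material in memory.
        if (secretKey != null) {
            try {
                secretKey.destroy();
            } catch (DestroyFailedException ignored) {
                // best-effort: the JDK's default SecretKeySpec rejects destroy();
                // the byte[] copies are zeroed below regardless
            }
        }
        if (cek != null) {
            Arrays.fill(cek, (byte) 0);
        }
        // getActualCek may hand back the input array itself; only clear a distinct copy
        if (actualCek != null && actualCek != cek) {
            Arrays.fill(actualCek, (byte) 0);
        }
    }
}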

Example 3 with KeyProperties

use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.

From class AbstractWrapKeyEncryptionAlgorithm, method getEncryptedContentEncryptionKey:

/**
 * Protects the content encryption key with the key encryption key, either by
 * wrapping it (when {@code wrap} is set) or by encrypting its raw bytes.
 *
 * @param headers the JWE headers; checked first and used to select the algorithms
 * @param cek the content encryption key to protect
 * @return the wrapped or encrypted CEK
 */
@Override
public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
    checkAlgorithms(headers);
    KeyProperties kekProperties = new KeyProperties(getKeyEncryptionAlgoJava(headers));
    AlgorithmParameterSpec algoSpec = getAlgorithmParameterSpec(headers);
    if (algoSpec != null) {
        kekProperties.setAlgoSpec(algoSpec);
    }
    // Wrapping uses the CEK's own algorithm name; plain encryption needs only the KEK properties
    return wrap
        ? CryptoUtils.wrapSecretKey(cek, getContentEncryptionAlgoJava(headers), keyEncryptionKey, kekProperties)
        : CryptoUtils.encryptBytes(cek, keyEncryptionKey, kekProperties);
}

Example 4 with KeyProperties

use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.

From class AbstractJweEncryption, method getInternalState:

/**
 * Assembles the per-message encryption state: the effective JWE headers, the
 * (possibly caller-supplied) CEK already protected for transport and, when the
 * payload itself is to be encrypted, the cipher properties, IV and AAD.
 *
 * @param jweInHeaders headers supplied by the caller, or {@code null}
 * @param jweInput the encryption input (payload, optional CEK/IV/AAD)
 * @return the populated internal state
 * @throws JweException when the supplied headers name a key or content
 *         encryption algorithm other than the one this instance is configured with
 */
private JweEncryptionInternal getInternalState(JweHeaders jweInHeaders, JweEncryptionInput jweInput) {
    JweHeaders theHeaders = new JweHeaders();
    if (getKeyAlgorithm() != null) {
        theHeaders.setKeyEncryptionAlgorithm(getKeyAlgorithm());
    }
    theHeaders.setContentEncryptionAlgorithm(getContentEncryptionAlgorithm().getAlgorithm());

    JweHeaders protectedHeaders = theHeaders;
    if (jweInHeaders != null) {
        rejectMismatchedAlgorithms(jweInHeaders);
        theHeaders.asMap().putAll(jweInHeaders.asMap());
        if (jweInHeaders.getProtectedHeaders() != null) {
            protectedHeaders = jweInHeaders.getProtectedHeaders();
        }
    }

    byte[] theCek = jweInput.getCek();
    if (theCek == null) {
        theCek = getContentEncryptionKey(theHeaders);
    }
    JweEncryptionInternal state = new JweEncryptionInternal();
    state.jweContentEncryptionKey = getEncryptedContentEncryptionKey(theHeaders, theCek);
    state.theHeaders = theHeaders;

    if (jweInput.isContentEncryptionRequired()) {
        KeyProperties keyProps = new KeyProperties(getContentEncryptionAlgoJava());
        keyProps.setCompressionSupported(compressionRequired(theHeaders));
        byte[] theIv = jweInput.getIv();
        if (theIv == null) {
            theIv = getContentEncryptionAlgorithm().getInitVector();
        }
        keyProps.setAlgoSpec(getAlgorithmParameterSpec(theIv));
        // The serialized protected headers are bound into the AAD, so they must be
        // the exact JSON that is later transmitted.
        String protectedHeadersJson = writer.toJson(protectedHeaders);
        keyProps.setAdditionalData(getAAD(protectedHeadersJson, jweInput.getAad()));
        state.keyProps = keyProps;
        state.theIv = theIv;
        state.protectedHeadersJson = protectedHeadersJson;
        state.aad = jweInput.getAad();
        state.secretKey = theCek;
    }
    return state;
}

/**
 * Fails fast when caller-supplied headers disagree with the configured algorithms.
 *
 * @param jweInHeaders the caller-supplied headers (non-null)
 * @throws JweException on a key or content encryption algorithm mismatch
 */
private void rejectMismatchedAlgorithms(JweHeaders jweInHeaders) {
    if (jweInHeaders.getKeyEncryptionAlgorithm() != null
        && (getKeyAlgorithm() == null || !getKeyAlgorithm().equals(jweInHeaders.getKeyEncryptionAlgorithm()))) {
        LOG.warning("Invalid key encryption algorithm");
        throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
    }
    if (jweInHeaders.getContentEncryptionAlgorithm() != null
        && !getContentEncryptionAlgoJwt().equals(jweInHeaders.getContentEncryptionAlgorithm().getJwaName())) {
        LOG.warning("Invalid content encryption algorithm");
        throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
    }
}

Example 5 with KeyProperties

use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.

From class CryptoUtilsTest, method testBearerTokenJSONCertificate:

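/**
 * Round-trips a bearer token through JSON serialization, RSA encryption with the
 * public key and decryption with the private key, and checks the token survives.
 *
 * <p>The JSON bytes are decoded and re-encoded as UTF-8 explicitly; relying on
 * the platform default charset would make the round trip depend on the host.
 *
 * @throws Exception on any serialization or cryptographic failure
 */
@Test
public void testBearerTokenJSONCertificate() throws Exception {
    // Skipped on the IBM JDK (see the original test's vendor check)
    if ("IBM Corporation".equals(System.getProperty("java.vendor"))) {
        return;
    }
    KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
    KeyPair keyPair = keyPairGenerator.generateKeyPair();
    PublicKey publicKey = keyPair.getPublic();
    PrivateKey privateKey = keyPair.getPrivate();

    AccessTokenRegistration atr = prepareTokenRegistration();
    BearerAccessToken token = p.createAccessTokenInternal(atr);

    JSONProvider<BearerAccessToken> jsonp = new JSONProvider<>();
    jsonp.setMarshallAsJaxbElement(true);
    jsonp.setUnmarshallAsJaxbElement(true);
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    jsonp.writeTo(token, BearerAccessToken.class, new Annotation[] {}, MediaType.APPLICATION_JSON_TYPE,
        new MetadataMap<String, Object>(), bos);
    String tokenJson = new String(bos.toByteArray(), java.nio.charset.StandardCharsets.UTF_8);

    KeyProperties props1 = new KeyProperties(publicKey.getAlgorithm());
    String encrypted = CryptoUtils.encryptSequence(tokenJson, publicKey, props1);
    KeyProperties props2 = new KeyProperties(privateKey.getAlgorithm());
    String decrypted = CryptoUtils.decryptSequence(encrypted, privateKey, props2);

    ServerAccessToken token2 = jsonp.readFrom(BearerAccessToken.class, BearerAccessToken.class, new Annotation[] {},
        MediaType.APPLICATION_JSON_TYPE, new MetadataMap<String, String>(),
        new ByteArrayInputStream(decrypted.getBytes(java.nio.charset.StandardCharsets.UTF_8)));
    // compare tokens
    compareAccessTokens(token, token2);
}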
