use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.
the class WrappedKeyDecryptionAlgorithm method getDecryptedContentEncryptionKey.
public byte[] getDecryptedContentEncryptionKey(JweDecryptionInput jweDecryptionInput) {
    // Recover the raw content-encryption key (CEK) from its encrypted/wrapped form using the
    // key-management key returned by getCekDecryptionKey(). The returned array is key material:
    // the caller owns it and is expected to zero it once the content has been decrypted.
    KeyProperties kekProps = new KeyProperties(getKeyEncryptionAlgorithm(jweDecryptionInput));
    AlgorithmParameterSpec algoSpec = getAlgorithmParameterSpec(jweDecryptionInput);
    if (algoSpec != null) {
        kekProps.setAlgoSpec(algoSpec);
    }
    if (unwrap) {
        // Cipher unwrap path: the provider returns a key object typed for the content algorithm,
        // of which only the encoded bytes are handed back.
        return CryptoUtils.unwrapSecretKey(getEncryptedContentEncryptionKey(jweDecryptionInput),
                                           getContentEncryptionAlgorithm(jweDecryptionInput),
                                           getCekDecryptionKey(),
                                           kekProps).getEncoded();
    }
    // Plain decrypt path: the CEK was encrypted as opaque bytes, so the key cipher's block size
    // is needed to drive the decryption.
    kekProps.setBlockSize(getKeyCipherBlockSize());
    return CryptoUtils.decryptBytes(getEncryptedContentEncryptionKey(jweDecryptionInput),
                                    getCekDecryptionKey(),
                                    kekProps);
}
use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.
the class AbstractJweDecryption method doDecrypt.
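/**
 * Decrypts the JWE content with the already-recovered content-encryption key.
 *
 * @param jweDecryptionInput the parsed JWE (headers, ciphertext plus authentication tag, AAD)
 * @param cek the content-encryption key as handed over by the key-management step; it is zeroed
 *            here on every exit path, so the caller must not reuse it afterwards
 * @return the decrypted (and, if the {@code zip} header says so, decompressed) content
 */
protected JweDecryptionOutput doDecrypt(JweDecryptionInput jweDecryptionInput, byte[] cek) {
    KeyProperties keyProperties = new KeyProperties(getContentEncryptionAlgorithm(jweDecryptionInput));
    // The AAD is passed down inside KeyProperties; presumably decryptBytes feeds it to the AEAD
    // cipher so the tag check covers the protected header — confirm in CryptoUtils.
    keyProperties.setAdditionalData(getContentEncryptionCipherAAD(jweDecryptionInput));
    AlgorithmParameterSpec spec = getContentEncryptionCipherSpec(jweDecryptionInput);
    keyProperties.setAlgoSpec(spec);
    boolean compressionSupported = JoseConstants.JWE_DEFLATE_ZIP_ALGORITHM.equals(jweDecryptionInput.getJweHeaders().getZipAlgorithm());
    keyProperties.setCompressionSupported(compressionSupported);
    byte[] actualCek = null;
    SecretKey secretKey = null;
    try {
        // The CEK actually used by the cipher may be a derived/truncated variant of the one
        // received (algorithm-dependent, see getActualCek), hence the separate array.
        actualCek = getActualCek(cek, jweDecryptionInput.getJweHeaders().getContentEncryptionAlgorithm().getJwaName());
        secretKey = CryptoUtils.createSecretKeySpec(actualCek, keyProperties.getKeyAlgo());
        byte[] bytes = CryptoUtils.decryptBytes(getEncryptedContentWithAuthTag(jweDecryptionInput), secretKey, keyProperties);
        return new JweDecryptionOutput(jweDecryptionInput.getJweHeaders(), bytes);
    } finally {
        // Scrub key material on every exit, not only on success: a failed authentication-tag
        // check (the path attacker-supplied ciphertext takes) previously left the CEK in memory.
        if (secretKey != null) {
            try {
                secretKey.destroy();
            } catch (DestroyFailedException ignored) {
                // Best effort only: the Destroyable default implementation throws rather than
                // wiping, so the explicit zeroing below is what actually clears the arrays we own.
            }
        }
        if (cek != null) {
            Arrays.fill(cek, (byte) 0);
        }
        if (actualCek != null && actualCek != cek) {
            Arrays.fill(actualCek, (byte) 0);
        }
    }
}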
use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.
the class AbstractWrapKeyEncryptionAlgorithm method getEncryptedContentEncryptionKey.
@Override
public byte[] getEncryptedContentEncryptionKey(JweHeaders headers, byte[] cek) {
    // Reject headers whose algorithms do not match this instance before touching the key,
    // so the algorithm advertised to the recipient is the one actually used.
    checkAlgorithms(headers);
    KeyProperties kekProps = new KeyProperties(getKeyEncryptionAlgoJava(headers));
    AlgorithmParameterSpec params = getAlgorithmParameterSpec(headers);
    if (params != null) {
        kekProps.setAlgoSpec(params);
    }
    if (wrap) {
        // Cipher wrap path: the CEK is handed to the provider as a key of the content algorithm.
        return CryptoUtils.wrapSecretKey(cek, getContentEncryptionAlgoJava(headers), keyEncryptionKey, kekProps);
    }
    // Plain encrypt path: the CEK bytes are encrypted as opaque data.
    return CryptoUtils.encryptBytes(cek, keyEncryptionKey, kekProps);
}
use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.
the class AbstractJweEncryption method getInternalState.
private JweEncryptionInternal getInternalState(JweHeaders jweInHeaders, JweEncryptionInput jweInput) {
    // Effective headers: the configured algorithms first, then whatever the caller supplied
    // (validated below so a caller cannot swap the algorithms underneath this instance).
    JweHeaders effectiveHeaders = new JweHeaders();
    if (getKeyAlgorithm() != null) {
        effectiveHeaders.setKeyEncryptionAlgorithm(getKeyAlgorithm());
    }
    effectiveHeaders.setContentEncryptionAlgorithm(getContentEncryptionAlgorithm().getAlgorithm());

    // The protected headers are what the AAD is computed over; by default that is the effective
    // header set, unless the caller provided an explicit protected subset.
    JweHeaders protectedHeaders = effectiveHeaders;
    if (jweInHeaders != null) {
        if (jweInHeaders.getKeyEncryptionAlgorithm() != null
            && (getKeyAlgorithm() == null || !getKeyAlgorithm().equals(jweInHeaders.getKeyEncryptionAlgorithm()))) {
            LOG.warning("Invalid key encryption algorithm");
            throw new JweException(JweException.Error.INVALID_KEY_ALGORITHM);
        }
        if (jweInHeaders.getContentEncryptionAlgorithm() != null
            && !getContentEncryptionAlgoJwt().equals(jweInHeaders.getContentEncryptionAlgorithm().getJwaName())) {
            LOG.warning("Invalid content encryption algorithm");
            throw new JweException(JweException.Error.INVALID_CONTENT_ALGORITHM);
        }
        effectiveHeaders.asMap().putAll(jweInHeaders.asMap());
        if (jweInHeaders.getProtectedHeaders() != null) {
            protectedHeaders = jweInHeaders.getProtectedHeaders();
        }
    }

    // A caller-supplied CEK is used verbatim; otherwise one is generated for these headers.
    byte[] contentKey = jweInput.getCek();
    if (contentKey == null) {
        contentKey = getContentEncryptionKey(effectiveHeaders);
    }
    JweEncryptionInternal state = new JweEncryptionInternal();
    state.theHeaders = effectiveHeaders;
    state.jweContentEncryptionKey = getEncryptedContentEncryptionKey(effectiveHeaders, contentKey);
    if (!jweInput.isContentEncryptionRequired()) {
        return state;
    }

    KeyProperties contentProps = new KeyProperties(getContentEncryptionAlgoJava());
    contentProps.setCompressionSupported(compressionRequired(effectiveHeaders));
    // NOTE(review): a caller-supplied IV is used as-is, so nonce uniqueness per key is then the
    // caller's responsibility; for AES-GCM content encryption a repeated IV under the same CEK is
    // catastrophic — confirm no caller passes a fixed or reused IV.
    byte[] iv = jweInput.getIv();
    if (iv == null) {
        iv = getContentEncryptionAlgorithm().getInitVector();
    }
    contentProps.setAlgoSpec(getAlgorithmParameterSpec(iv));
    String protectedHeadersJson = writer.toJson(protectedHeaders);
    contentProps.setAdditionalData(getAAD(protectedHeadersJson, jweInput.getAad()));
    state.keyProps = contentProps;
    state.theIv = iv;
    state.protectedHeadersJson = protectedHeadersJson;
    state.aad = jweInput.getAad();
    state.secretKey = contentKey;
    return state;
}
use of org.apache.cxf.rt.security.crypto.KeyProperties in project cxf by apache.
the class CryptoUtilsTest method testBearerTokenJSONCertificate.
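@Test
public void testBearerTokenJSONCertificate() throws Exception {
    // Round-trips a JSON-serialized bearer token through CryptoUtils RSA encrypt/decrypt with a
    // throwaway key pair, then checks the token survives intact.
    // Skipped on IBM JDKs (the reason is not recorded here — presumably provider differences).
    if ("IBM Corporation".equals(System.getProperty("java.vendor"))) {
        return;
    }
    KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
    // Pin the key size instead of relying on the provider default, which varies between JDKs and
    // would otherwise make this test's behaviour environment-dependent.
    kpg.initialize(2048);
    KeyPair keyPair = kpg.generateKeyPair();
    PublicKey publicKey = keyPair.getPublic();
    PrivateKey privateKey = keyPair.getPrivate();
    AccessTokenRegistration atr = prepareTokenRegistration();
    BearerAccessToken token = p.createAccessTokenInternal(atr);
    JSONProvider<BearerAccessToken> jsonp = new JSONProvider<>();
    jsonp.setMarshallAsJaxbElement(true);
    jsonp.setUnmarshallAsJaxbElement(true);
    ByteArrayOutputStream bos = new ByteArrayOutputStream();
    jsonp.writeTo(token, BearerAccessToken.class, new Annotation[] {}, MediaType.APPLICATION_JSON_TYPE, new MetadataMap<String, Object>(), bos);
    // Use an explicit charset on both sides of the round trip rather than the platform default,
    // so the test does not depend on the JVM's file.encoding.
    String serializedToken = bos.toString("UTF-8");
    // NOTE(review): KeyProperties("RSA") leaves padding/mode to whatever CryptoUtils/the provider
    // chooses; confirm that is OAEP rather than PKCS#1 v1.5 before copying this pattern into
    // non-test code.
    KeyProperties encryptProps = new KeyProperties(publicKey.getAlgorithm());
    String encrypted = CryptoUtils.encryptSequence(serializedToken, publicKey, encryptProps);
    KeyProperties decryptProps = new KeyProperties(privateKey.getAlgorithm());
    String decrypted = CryptoUtils.decryptSequence(encrypted, privateKey, decryptProps);
    ServerAccessToken token2 = jsonp.readFrom(BearerAccessToken.class, BearerAccessToken.class, new Annotation[] {}, MediaType.APPLICATION_JSON_TYPE, new MetadataMap<String, String>(), new ByteArrayInputStream(decrypted.getBytes("UTF-8")));
    // compare tokens
    compareAccessTokens(token, token2);
}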