github
/
OpenID-Connect-Java-Spring-Server
mirror of https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

updated encryption/decryption to dynamically get mode for cipher. also made the keyDataLen come from the kdf parameter rather than enc

pull/105/head
Mike Derryberry 2012-07-16 15:46:31 -04:00
parent 5d3d888c3f
commit e380d85ad7
7 changed files with 25 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
openid-connect-common/encryptedJwe.txt
View File

@ -1 +0,0 @@
eyJpbnQiOiJIUzI1NiIsIml2IjoiQXhZOERDdERhR2xzYkdsamIzUm9aUSIsImFsZyI6IkhTMjU2IiwiZW5jIjoiQTEyOENCQyJ9.1TWc1U58WUtz6HnRVfFcCFt04dWJivMZmTG3ZeIUKbfWbG6UHsYRNnj1a9LvYpb7DA97j57whfXxxwT9P3ZnCMaeqm_JCmyasocu7ftefELw4BSYcBuIGeiOzZO7mffS4lj5s7N76kV-LXkVIMwjzKom1z1doBqnmV7M5yUCTnxQJ3ao7LYLJI0QiCY5Pcqd.CS8GW8JLnDAF4SEvw2kras0yp50-eIX90Mbn1qKF1cePqG3VWcItEJoPa0FbFbmj.0uQ48_WFcQR-q6IBcs8IG-DquLi17kbeXjqKRANr0Hw

6
openid-connect-common/src/main/java/org/mitre/jwt/encryption/AbstractJweDecrypter.java
View File

@ -14,14 +14,8 @@ public abstract class AbstractJweDecrypter implements JwtDecrypter {
//HUGE DISCLAIMER: this won't work on windows machines that don't have jce unlimited security files installed.
//without it, keys can't be over 128 bit in length, and SHA-128 doesn't work for message digest.
//SHA-128 is not a valid instance, therefore change to 256
if(keyDataLen == 128){
md = MessageDigest.getInstance("SHA-256");
}
//use keyDataLen to determine instance
else {
md = MessageDigest.getInstance("SHA-" + Integer.toString(keyDataLen));
}
keyDataLen = keyDataLen / 8;
byte[] key = new byte[keyDataLen];

7
openid-connect-common/src/main/java/org/mitre/jwt/encryption/AbstractJweEncrypter.java
View File

@ -11,14 +11,8 @@ public abstract class AbstractJweEncrypter implements JwtEncrypter {
//HUGE DISCLAIMER: this won't work on windows machines that don't have jce unlimited security files installed.
//without it, keys can't be over 128 bit in length, and SHA-128 doesn't work for message digest.
//SHA-128 is not a valid instance, therefore change to 256
if(keyDataLen == 128){
md = MessageDigest.getInstance("SHA-256");
}
//Use keyDataLen to determine instance
else {
md = MessageDigest.getInstance("SHA-" + Integer.toString(keyDataLen));
}
long MAX_HASH_INPUTLEN = Long.MAX_VALUE;
long UNSIGNED_INT_MAX_VALUE = 4294967395L;
@ -60,5 +54,4 @@ public abstract class AbstractJweEncrypter implements JwtEncrypter {
return res;
}
}

11
openid-connect-common/src/main/java/org/mitre/jwt/encryption/impl/RsaDecrypter.java
View File

@ -39,9 +39,9 @@ public class RsaDecrypter extends AbstractJweDecrypter {
byte[] contentEncryptionKey = null;
byte[] contentIntegrityKey = null;
//check what the key length is
String encMethod = jwe.getHeader().getEncryptionMethod();
String encMethod = jwe.getHeader().getKeyDerivationFunction();
char[] array = encMethod.toCharArray();
String keyBitLengthString = String.copyValueOf(array, 1, 3);
String keyBitLengthString = new String("" + array[2] + array[3] + array[4]);
int keyBitLength = Integer.parseInt(keyBitLengthString);
//generate cek and cik
contentEncryptionKey = generateContentKey(jwe.getEncryptedKey(), keyBitLength, "Encryption".getBytes());
@ -79,10 +79,13 @@ public class RsaDecrypter extends AbstractJweDecrypter {
iv = Base64.decodeBase64(jwe.getHeader().getInitializationVector());
String encMethod = jwe.getHeader().getEncryptionMethod();
//TODO: should also check for A128GCM and A256GCM, but Cipher.getInstance() does not support the GCM mode. For now, don't use them
if(encMethod.equals("A128CBC") || encMethod.equals("A256CBC")) {
if(encMethod.equals("A128CBC") || encMethod.equals("A256CBC") || encMethod.equals("A128GCM") || encMethod.equals("A256GCM")) {
String delims = "[8,6]+";
String[] mode = encMethod.split(delims);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
Cipher cipher = Cipher.getInstance("AES/" + mode[1] + "/PKCS5Padding");
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(contentEncryptionKey, "AES"), new IvParameterSpec(iv));
byte[] clearText = cipher.doFinal(jwe.getCiphertext());

11
openid-connect-common/src/main/java/org/mitre/jwt/encryption/impl/RsaEncrypter.java
View File

@ -36,9 +36,9 @@ public class RsaEncrypter extends AbstractJweEncrypter {
//generate random content master key
//check what the key length is
String encMethod = jwe.getHeader().getEncryptionMethod();
String encMethod = jwe.getHeader().getKeyDerivationFunction();
char[] array = encMethod.toCharArray();
String keyBitLengthString = String.copyValueOf(array, 1, 3);
String keyBitLengthString = new String("" + array[2] + array[3] + array[4]);
int keyBitLength = Integer.parseInt(keyBitLengthString);
byte[] contentMasterKey = new byte[keyBitLength];
@ -99,10 +99,13 @@ public class RsaEncrypter extends AbstractJweEncrypter {
}
String encMethod = jwe.getHeader().getEncryptionMethod();
//TODO: should also check for A128GCM and A256GCM, but Cipher.getInstance() does not support the GCM mode. For now, don't use them
if(encMethod.equals("A128CBC") || encMethod.equals("A256CBC")) {
if(encMethod.equals("A128CBC") || encMethod.equals("A256CBC") || encMethod.equals("A128GCM") || encMethod.equals("A256GCM")) {
String delims = "[8,6]+";
String[] mode = encMethod.split(delims);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
Cipher cipher = Cipher.getInstance("AES/" + mode[1] + "/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(contentEncryptionKey, "AES"), new IvParameterSpec(iv));
byte[] cipherText = cipher.doFinal(jwe.getCiphertext());
return cipherText;

3
openid-connect-common/src/main/java/org/mitre/jwt/signer/AbstractJwtSigner.java
View File

@ -57,7 +57,8 @@ public abstract class AbstractJwtSigner implements JwtSigner {
*/
@Override
public Jwt sign(Jwt jwt) throws NoSuchAlgorithmException {
//TODO: this check changes the algorithm param of a jwe to the int param. not sure why?
//TODO: need a seperate check for Jwe. As is, it will change the alg param to be the enc param
/*if (!Objects.equal(algorithm, jwt.getHeader().getAlgorithm())) {
// algorithm type doesn't match
// TODO: should this be an error or should we just fix it in the incoming jwt?

2
openid-connect-common/src/test/resources/jwe/jweHeader
View File

@ -1 +1 @@
{"alg":"RSA1_5","enc":"A128CBC","int":"HS384","iv":"AxY8DCtDaGlsbGljb3RoZQ"}
{"alg":"RSA1_5","enc":"A256CBC","int":"HS384","iv":"AxY8DCtDaGlsbGljb3RoZQ","kdf":"CS256"}