CXF / CXF-8162

JWE with multiple recipients does not work for AES CBC Encryption


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.3.4
    • Fix Version/s: 3.3.5, 3.4.0
    • Component/s: JAX-RS Security
    • Labels: None
    • Estimated Complexity: Unknown

      Description

      When encrypting for multiple recipients, the plaintext, the CEK, JWE Initialization Vector, and JWE Protected Header are shared by all recipients (which must be the case, since the ciphertext and Authentication Tag are also shared).

      The Apache CXF API for encrypting the content with AES GCM allows this by initializing a ContentEncryptionProvider of type AesGcmContentEncryptionAlgorithm, which can be used as a reference when initializing the list of JweEncryptionProviders (which take a KeyEncryptionProvider and a ContentEncryptionProvider).

      When using AES CBC, the API is different.

      The class AesCbcContentEncryptionAlgorithm is a private inner class of the JweEncryptionProvider AesCbcHmacJweEncryption, so you can't initialize it once and reuse it in all JweEncryptionProviders of the list.

      There is a workaround, as the API allows you to build the CEK and Initialization Vector yourself (not very nice); the API for AES CBC encryption should allow the initialization of the ContentEncryptionProvider from outside the JweEncryptionProvider so it can be referenced in all JweEncryptionProviders.

      Without that, you can only encrypt for 1 recipient, or the validation will fail (invalid authentication tag) for all but 1 recipient.
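      The workaround the description refers to, as an added example that is not code from this issue or from the CXF project: a single CEK and IV are generated once per message and handed to every AesCbcHmacJweEncryption in the recipient list, so all recipients share one ciphertext and one authentication tag, and each recipient is then checked to decrypt successfully with its own key. It assumes the CXF 3.3.x JOSE API: the four-argument constructor AesCbcHmacJweEncryption(ContentAlgorithm, byte[] cek, byte[] iv, KeyEncryptionProvider), JweJsonProducer.encryptWith(List<JweEncryptionProvider>, List<JweHeaders>) with a per-recipient "kid", and JweJsonConsumer.decryptWith(JweDecryptionProvider, Map) selecting the recipient entry by that "kid". The recipient key-wrapping keys and the payload are constructed sample data; the class and helper names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
import org.apache.cxf.rs.security.jose.jwe.AesWrapKeyDecryptionAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.AesWrapKeyEncryptionAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweHeaders;
import org.apache.cxf.rs.security.jose.jwe.JweJsonConsumer;
import org.apache.cxf.rs.security.jose.jwe.JweJsonProducer;
import org.apache.cxf.rs.security.jose.jwe.KeyEncryptionProvider;

/** Hypothetical example class; not part of CXF. */
public class MultiRecipientAesCbcWorkaround {

    private static final SecureRandom RND = new SecureRandom();

    /** CEK length for the AES-CBC/HMAC content algorithms: MAC key plus AES key (RFC 7518 section 5.2). */
    static int cekLengthBytes(ContentAlgorithm algo) {
        switch (algo) {
        case A128CBC_HS256: return 32;
        case A192CBC_HS384: return 48;
        case A256CBC_HS512: return 64;
        default: throw new IllegalArgumentException("not an AES-CBC/HMAC algorithm: " + algo);
        }
    }

    /** Encrypts one payload for every recipient KEK with a single shared CEK and IV; recipient i gets kid "recipient-i". */
    static String encryptForAll(byte[] plaintext, ContentAlgorithm algo, List<SecretKey> recipientKeks) {
        // One fresh CEK/IV pair per message. Reusing a CBC IV under the same CEK across messages
        // leaks plaintext relationships, so these arrays must not outlive this JweJsonProducer.
        byte[] cek = new byte[cekLengthBytes(algo)];
        byte[] iv = new byte[16];
        RND.nextBytes(cek);
        RND.nextBytes(iv);

        List<JweEncryptionProvider> encryptors = new ArrayList<>();
        List<JweHeaders> perRecipientHeaders = new ArrayList<>();
        for (int i = 0; i < recipientKeks.size(); i++) {
            KeyEncryptionProvider wrap = new AesWrapKeyEncryptionAlgorithm(recipientKeks.get(i), KeyAlgorithm.A128KW);
            // Assumed CXF 3.3.x constructor: (ContentAlgorithm, byte[] cek, byte[] iv, KeyEncryptionProvider).
            // Handing every provider the same cek and iv is what makes the ciphertext and tag shareable.
            encryptors.add(new AesCbcHmacJweEncryption(algo, cek, iv, wrap));
            JweHeaders unprotected = new JweHeaders();
            unprotected.setKeyId("recipient-" + i);
            perRecipientHeaders.add(unprotected);
        }
        // "alg" and "enc" are identical for all recipients here, so they can live in the protected header.
        JweHeaders protectedHeaders = new JweHeaders(KeyAlgorithm.A128KW, algo);
        return new JweJsonProducer(protectedHeaders, plaintext).encryptWith(encryptors, perRecipientHeaders);
    }

    /** Each recipient unwraps its own entry with its own KEK; the shared tag must verify for all of them. */
    static boolean everyRecipientCanDecrypt(String jweJson, byte[] expected, List<SecretKey> recipientKeks) {
        for (int i = 0; i < recipientKeks.size(); i++) {
            JweDecryptionProvider dec = new AesCbcHmacJweDecryption(new AesWrapKeyDecryptionAlgorithm(recipientKeks.get(i)));
            // Assumed: the recipient entry is selected by matching its unprotected "kid" header.
            byte[] recovered = new JweJsonConsumer(jweJson)
                .decryptWith(dec, Collections.singletonMap("kid", "recipient-" + i))
                .getContent();
            if (!Arrays.equals(expected, recovered)) {
                return false;   // would be an invalid-tag / unwrap failure for this recipient
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample data: three 128-bit key-wrapping keys and a short payload.
        List<SecretKey> keks = new ArrayList<>();
        for (int i = 0; i < 3; i++) {
            byte[] raw = new byte[16];
            RND.nextBytes(raw);
            keks.add(new SecretKeySpec(raw, "AES"));
        }
        byte[] payload = "same plaintext for every recipient".getBytes(StandardCharsets.UTF_8);

        String jweJson = encryptForAll(payload, ContentAlgorithm.A128CBC_HS256, keks);
        System.out.println(jweJson);
        System.out.println("all recipients decrypt: " + everyRecipientCanDecrypt(jweJson, payload, keks));
    }
}
```

      The CEK length has to match the content algorithm exactly (the HMAC half and the AES half are split out of it), and the CEK/IV pair is generated inside encryptForAll on purpose: if a caller were to reuse one pair for a second JweJsonProducer, the two messages would share an IV under the same AES-CBC key, which is the classic CBC misuse. The decrypt loop is the check that distinguishes a working multi-recipient JWE from the failure mode the issue describes, where only one recipient's tag validates.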


              People

              • Assignee: coheigea Colm O hEigeartaigh
              • Reporter: frelib Frederik Libert
              • Votes: 0
              • Watchers: 1


                  Time Tracking

                  • Estimated: Not Specified
                  • Remaining: 0h
                  • Logged: 20m