Details
-
Improvement
-
Status: Closed
-
Major
-
Resolution: Fixed
-
3.3.4
-
None
-
Unknown
Description
Although the Apache CXF implementation of JWE supports ECDH Direct encryption/decryption, the API is not sufficiently open for it.
A few problems:
- KeyAlgorithm.getAlgorithm(String) does not support parsing ECDH
- EcdhDirectKeyDecryptionAlgorithm is a private innerclass so cannot be used from the clientview perspective (different approach for different algorithms, why?)
- EcdhDirectKeyJweDecryption makes an assumption that AES GCM is used without verifying (could be AES CBC as well)
- JweUtils.getPrivateKeyDecryptionProvider(PrivateKey,KeyAlgorithm) makes an assumption that AESWrap is used in case of an EC Key without veryfing the KeyAlgorithm (could be Direct as well)
The API should support proper handling of key algorithm between client and library and should verify what is given as input to decide which key and content decrypters to use.