[CXF-8177] JWE API does not support ECDH Direct Encryption/Decryption - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.3.4
Fix Version/s: 3.3.5, 3.4.0
Component/s: JAX-RS Security
Labels:
None

Estimated Complexity:
Unknown

Description

Although the Apache CXF implementation of JWE supports ECDH Direct encryption/decryption, the API is not sufficiently open for it.

A few problems:

KeyAlgorithm.getAlgorithm(String) does not support parsing ECDH
EcdhDirectKeyDecryptionAlgorithm is a private innerclass so cannot be used from the clientview perspective (different approach for different algorithms, why?)
EcdhDirectKeyJweDecryption makes an assumption that AES GCM is used without verifying (could be AES CBC as well)
JweUtils.getPrivateKeyDecryptionProvider(PrivateKey,KeyAlgorithm) makes an assumption that AESWrap is used in case of an EC Key without veryfing the KeyAlgorithm (could be Direct as well)

The API should support proper handling of key algorithm between client and library and should verify what is given as input to decide which key and content decrypters to use.

Attachments

Issue Links

is related to

CXF-8178 ECDH KeyAgreement with Key Wrapping is not in line with the specification

Closed

CXF-8185 Generated Ephemeral Public Key missing in JWE Headers when Json Serialization is used

Closed

links to

GitHub Pull Request #612

Activity

People

Assignee:: Colm O hEigeartaigh

Reporter:: Frederik Libert

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 05/Dec/19 10:42

Updated:: 15/Jan/20 10:24

Resolved:: 20/Dec/19 12:52

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

20m