...

The following subsections give more detailed examples.

JWA Algorithms

All JOSE signature and encryption algorithms are grouped and described in the JSON Web Algorithms (JWA) specification.

...

CXF offers initial utility support for working with JWA algorithms in this package.

JWK Keys

 

JSON Web Key (JWK) is a JSON document describing the properties of a cryptographic key. JWKs are very flexible and (in most cases) lightweight, and one can expect JWKs becoming one of the major

...

CXF offers utility support for reading and writing JWK keys and key sets, and for working with encrypted inline and standalone JWK stores, in this package.

Note that JWK keys can be set as JWS or JWE header properties, for example to give a recipient the public key that corresponds to the private key used to create a signature. A verifier must not trust such an embedded key on its own: anyone can sign with a key of their choosing and embed it, so the key has to be matched against a trusted key set (for example by its key id) before it is used for verification.

JWS Signature

The JSON Web Signature (JWS) specification describes how document content can be signed. For example, its Appendix A.1 shows how content can be signed with an HMAC key.

...

CXF ships JWS-related classes in this package and supports all of the JWA signature algorithms.

JwsSignatureProvider supports signing the content and JwsSignatureVerifier validating the signatures. Providers and verifiers for the RSA, HMAC and Elliptic Curve signature algorithms are shipped.
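The following is an added example, not code from the CXF project or from this page, showing how the JWK and JWS utilities described in the two sections above fit together: a payload is signed with an HS256 key taken from a trusted JWK set and referenced by "kid", and the verifier resolves the key from that same set rather than from anything carried in the token, pins the algorithm, and refuses an embedded "jwk" header. The JWK set, the key value and the key id are constructed for the example; the class and method names follow the CXF 3.1 rt-rs-security-jose API and should be checked against the CXF version in use.

```java
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKey;
import org.apache.cxf.rs.security.jose.jwk.JsonWebKeys;
import org.apache.cxf.rs.security.jose.jwk.JwkUtils;
import org.apache.cxf.rs.security.jose.jws.JwsCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsCompactProducer;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jws.JwsUtils;

public class JwsWithTrustedJwkSet {

    // Constructed JWK set for this example (not a CXF or spec value). "k" is the base64url
    // encoding of the constructed 32-byte key "0123456789abcdef0123456789abcdef".
    static final String TRUSTED_JWK_SET =
        "{\"keys\":[{\"kty\":\"oct\",\"kid\":\"hmac-key-1\",\"alg\":\"HS256\","
        + "\"k\":\"MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY\"}]}";

    /** Signs the payload with the key identified by kid; only the kid goes into the header. */
    static String sign(JsonWebKeys trusted, String kid, String payload) {
        JsonWebKey jwk = trusted.getKey(kid);
        JwsHeaders headers = new JwsHeaders(SignatureAlgorithm.HS256);
        headers.setKeyId(kid);
        return new JwsCompactProducer(headers, payload)
            .signWith(JwsUtils.getSignatureProvider(jwk, SignatureAlgorithm.HS256));
    }

    /** Verifies a compact JWS against the trusted set and returns its payload, or throws. */
    static String verify(JsonWebKeys trusted, String compactJws) {
        JwsCompactConsumer consumer = new JwsCompactConsumer(compactJws);
        JwsHeaders headers = consumer.getJwsHeaders();
        // A "jwk" header is sender-controlled: anyone can sign with their own key and embed it.
        if (headers.getJsonWebKey() != null) {
            throw new SecurityException("embedded jwk header is not accepted");
        }
        // Pin the algorithm so the token cannot choose how it is verified.
        if (headers.getSignatureAlgorithm() != SignatureAlgorithm.HS256) {
            throw new SecurityException("unexpected alg: " + headers.getAlgorithm());
        }
        String kid = headers.getKeyId();
        JsonWebKey jwk = kid == null ? null : trusted.getKey(kid);
        if (jwk == null) {
            throw new SecurityException("unknown kid: " + kid);
        }
        JwsSignatureVerifier verifier = JwsUtils.getSignatureVerifier(jwk, SignatureAlgorithm.HS256);
        if (!consumer.verifySignatureWith(verifier)) {
            throw new SecurityException("signature verification failed");
        }
        return consumer.getDecodedJwsPayload();
    }

    public static void main(String[] args) {
        JsonWebKeys trusted = JwkUtils.readJwkSet(TRUSTED_JWK_SET);
        String jws = sign(trusted, "hmac-key-1", "{\"order\":42,\"amount\":\"10.00\"}");
        System.out.println("JWS: " + jws);
        System.out.println("verified payload: " + verify(trusted, jws));

        // Tamper with the payload segment: the signature no longer matches and verify() rejects it.
        String[] parts = jws.split("\\.");
        String tampered = parts[0] + "."
            + Base64UrlUtility.encode("{\"order\":42,\"amount\":\"0.01\"}") + "." + parts[2];
        try {
            verify(trusted, tampered);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The verifier deliberately decides the algorithm and the key before touching the signature: the header is unauthenticated input, so it is only allowed to name a key (by kid) that the verifier already trusts, never to supply one.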

...

Many more examples will be added here.

JSON Encryption

The JSON Web Encryption (JWE) specification describes how document content, and, when applicable, a content encryption key, can be encrypted. For example, its Appendix A.1 shows how content can be encrypted with AES GCM, with the actual content encryption key encrypted (wrapped) using RSA-OAEP.

Here is an example of AES-CBC-HMAC content encryption with AES Key Wrap in CXF (the *_A3 constants hold the JWE Appendix A.3 test vectors):

CXF Jwe AesWrapAesCbcHMac (Java):

```java
import static org.junit.Assert.assertEquals;
import org.apache.cxf.common.util.Base64UrlUtility;
import org.apache.cxf.rs.security.jose.jwa.ContentAlgorithm;
import org.apache.cxf.rs.security.jose.jwa.KeyAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweDecryption;
import org.apache.cxf.rs.security.jose.jwe.AesCbcHmacJweEncryption;
import org.apache.cxf.rs.security.jose.jwe.AesWrapKeyDecryptionAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.AesWrapKeyEncryptionAlgorithm;
import org.apache.cxf.rs.security.jose.jwe.JweDecryptionProvider;
import org.apache.cxf.rs.security.jose.jwe.JweEncryptionProvider;

// KEY_ENCRYPTION_KEY_A3, CONTENT_ENCRYPTION_KEY_A3, INIT_VECTOR_A3 and JWE_OUTPUT_A3 are the
// JWE Appendix A.3 test vectors, defined in the enclosing CXF test class and not shown here.
final String specPlainText = "Live long and prosper.";

// Key-encryption key (KEK) that wraps the content encryption key with A128KW
byte[] cekEncryptionKey = Base64UrlUtility.decode(KEY_ENCRYPTION_KEY_A3);

AesWrapKeyEncryptionAlgorithm keyEncryption =
    new AesWrapKeyEncryptionAlgorithm(cekEncryptionKey, KeyAlgorithm.A128KW);
// A fixed CEK and IV are passed only to reproduce the spec output; in real use both must be fresh random values
JweEncryptionProvider encryption = new AesCbcHmacJweEncryption(ContentAlgorithm.A128CBC_HS256,
                                                               CONTENT_ENCRYPTION_KEY_A3,
                                                               INIT_VECTOR_A3,
                                                               keyEncryption);
String jweContent = encryption.encrypt(specPlainText.getBytes("UTF-8"), null);
assertEquals(JWE_OUTPUT_A3, jweContent);

// Decryption: unwrap the CEK with the same KEK, then check the HMAC tag and decrypt the content
AesWrapKeyDecryptionAlgorithm keyDecryption = new AesWrapKeyDecryptionAlgorithm(cekEncryptionKey);
JweDecryptionProvider decryption = new AesCbcHmacJweDecryption(keyDecryption);
String decryptedText = decryption.decrypt(jweContent).getContentText();
assertEquals(specPlainText, decryptedText);
```

 

CXF ships JWE-related classes in this package and supports all of the JWA encryption algorithms.

JweEncryptionProvider supports encrypting the content and JweDecryptionProvider decrypting it. Encryptors and decryptors for all of the JWE algorithms are shipped.

JweCompactConsumer and JweCompactProducer offer utility support for creating and validating the JWE compact serialization and accept keys in a variety of formats (as JWKs, as JCA representations, or created out of band and wrapped in either a JweEncryptionProvider or a JweDecryptionProvider).

JweJwtCompactConsumer and JweJwtCompactProducer are specializations of JweCompactConsumer and JweCompactProducer that offer utility support for encrypting JSON Web Tokens in the compact format.

JweJsonConsumer and JweJsonProducer support JWE JSON (full) serialization.

JweOutputStream is a specialized output stream that can be used in conjunction with the JWE JAX-RS filters (see one of the next sections) to support a best effort at streaming the content while encrypting it. These classes use the JweEncryptionOutput optionally returned from JweEncryptionProvider instead of the producer and consumer utility classes, which handle the whole encryption process in memory.

 

Many more examples will be added here.

JSON Web Tokens

 

JSON Web Token (JWT) is a collection of claims in JSON format. It offers a standard JSON container for representing various properties or claims.

A JWT can be signed and/or encrypted, i.e. it serves as JOSE signature or encryption input like any other payload.

 

JWT has been primarily used in OAuth2 applications to represent self-contained access tokens but can also be used in other contexts.

CXF offers initial JWT support in this package.
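As an added example (not code from the CXF project or from this page) of using the JWT and JWS classes together for the access-token case described above: an issuer builds the claims and signs them as a compact JWS with RS256, and a resource server verifies the signature with the issuer's public key and then checks the claims that make the token usable as an access token (iss, aud, exp, nbf). The issuer and audience URLs, the key pair, the token lifetime and the clock-skew allowance are constructed for the example; the class and method names follow the CXF 3.1 rt-rs-security-jose API and should be checked against the CXF version in use.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.util.Collections;
import java.util.List;
import java.util.UUID;

import org.apache.cxf.rs.security.jose.jwa.SignatureAlgorithm;
import org.apache.cxf.rs.security.jose.jws.JwsHeaders;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactConsumer;
import org.apache.cxf.rs.security.jose.jws.JwsJwtCompactProducer;
import org.apache.cxf.rs.security.jose.jws.PrivateKeyJwsSignatureProvider;
import org.apache.cxf.rs.security.jose.jws.PublicKeyJwsSignatureVerifier;
import org.apache.cxf.rs.security.jose.jwt.JwtClaims;
import org.apache.cxf.rs.security.jose.jwt.JwtToken;

public class SignedJwtAccessToken {

    // Constructed values for this example, not taken from any real deployment.
    static final String ISSUER = "https://issuer.example";
    static final String AUDIENCE = "https://api.example";
    static final long CLOCK_SKEW_SECONDS = 60;

    /** Issuer side: build the claims and sign them as a compact JWS (a JWT) with RS256. */
    static String issue(KeyPair issuerKeys, String subject, long nowSeconds, long lifetimeSeconds) {
        JwtClaims claims = new JwtClaims();
        claims.setIssuer(ISSUER);
        claims.setSubject(subject);
        claims.setAudiences(Collections.singletonList(AUDIENCE));
        claims.setIssuedAt(nowSeconds);
        claims.setNotBefore(nowSeconds);
        claims.setExpiryTime(nowSeconds + lifetimeSeconds);
        claims.setTokenId(UUID.randomUUID().toString()); // "jti": lets a server detect replay
        JwsHeaders headers = new JwsHeaders(SignatureAlgorithm.RS256);
        JwsJwtCompactProducer producer = new JwsJwtCompactProducer(new JwtToken(headers, claims));
        return producer.signWith(
            new PrivateKeyJwsSignatureProvider(issuerKeys.getPrivate(), SignatureAlgorithm.RS256));
    }

    /** Resource-server side: verify the signature first, then the claims. Throws on any failure. */
    static JwtClaims validate(PublicKey issuerPublicKey, String token, long nowSeconds) {
        JwsJwtCompactConsumer consumer = new JwsJwtCompactConsumer(token);
        // Pin the expected algorithm; the token must not be able to pick "none" or an HMAC variant.
        if (consumer.getJwsHeaders().getSignatureAlgorithm() != SignatureAlgorithm.RS256) {
            throw new SecurityException("unexpected alg: " + consumer.getJwsHeaders().getAlgorithm());
        }
        if (!consumer.verifySignatureWith(
                new PublicKeyJwsSignatureVerifier(issuerPublicKey, SignatureAlgorithm.RS256))) {
            throw new SecurityException("signature verification failed");
        }
        JwtClaims claims = consumer.getJwtClaims();
        if (!ISSUER.equals(claims.getIssuer())) {
            throw new SecurityException("untrusted issuer: " + claims.getIssuer());
        }
        List<String> audiences = claims.getAudiences();
        if (audiences == null || !audiences.contains(AUDIENCE)) {
            throw new SecurityException("token not intended for this audience");
        }
        Long exp = claims.getExpiryTime();
        if (exp == null || exp + CLOCK_SKEW_SECONDS <= nowSeconds) {
            throw new SecurityException("token expired or has no exp");
        }
        Long nbf = claims.getNotBefore();
        if (nbf != null && nbf - CLOCK_SKEW_SECONDS > nowSeconds) {
            throw new SecurityException("token not yet valid");
        }
        return claims;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair issuerKeys = kpg.generateKeyPair();
        long now = System.currentTimeMillis() / 1000;

        String token = issue(issuerKeys, "alice", now, 300);
        System.out.println("token: " + token);
        System.out.println("subject: " + validate(issuerKeys.getPublic(), token, now).getSubject());

        // A token whose lifetime has passed is rejected even though its signature is valid.
        String stale = issue(issuerKeys, "alice", now - 3600, 300);
        try {
            validate(issuerKeys.getPublic(), stale, now);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // A token signed under someone else's key fails signature verification.
        KeyPair otherKeys = kpg.generateKeyPair();
        try {
            validate(otherKeys.getPublic(), token, now);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

A valid signature only proves who issued the token; whether the resource server should act on it is decided by the claim checks that follow, and a missing exp is treated as a failure rather than as "never expires".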

Linking JWT authentications to JWS or JWE content

Add more...

JOSE JAX-RS Filters

JWE

...

JWS

Configuration

 

 

A variety of signature and encryption key properties is supported. Add more...

Encrypting JWK stores

JAX-RS filters can read the keys from encrypted JWK stores. The stores are encrypted inline or in separate storage (files). By default the filters expect the stores to have been encrypted using a password-based PBES2 algorithm, and they obtain the password from a registered password provider.

OAuth2 and Jose

The CXF OAuth2 module depends on the JOSE module. This will be used to support OAuth2 proof-of-possession (PoP) tokens. Authorization code JOSE requests can already be processed, and utility support for validating JWT-based access tokens is provided.

Add more...

OIDC and Jose

OIDC heavily depends on JOSE. The CXF OIDC module uses the JOSE module in its OIDC RP and IdP code. Add more...

Future Work

OAuth2, WebCrypto, OIDC, etc 

Third-Party Alternatives

Jose4J is a leading JOSE implementation from Brian Campbell. CXF users are encouraged to experiment with Jose4J (or indeed with other third-party implementations) if they prefer.

TODO: describe how Jose4J can be integrated with CXF filters if preferred.