keycloak
クラス | 公開メンバ関数 | 限定公開メンバ関数 | 非公開メンバ関数 | 全メンバ一覧
org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider クラスabstract
org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider の継承関係図
Inheritance graph
org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider 連携図
Collaboration graph

クラス

class  Aes128CbcHmacSha256Provider
 
class  Aes192CbcHmacSha384Provider
 
class  Aes256CbcHmacSha512Provider
 

公開メンバ関数

void encodeJwe (JWE jwe) throws IOException, GeneralSecurityException
 
void verifyAndDecodeJwe (JWE jwe) throws IOException, GeneralSecurityException
 
void deserializeCEK (JWEKeyStorage keyStorage)
 
byte [] serializeCEK (JWEKeyStorage keyStorage)
 
int getExpectedCEKLength ()
 

限定公開メンバ関数

abstract int getExpectedAesKeyLength ()
 
abstract String getHmacShaAlgorithm ()
 
abstract int getAuthenticationTagLength ()
 

非公開メンバ関数

byte [] encryptBytes (byte[] contentBytes, byte[] ivBytes, Key aesKey) throws GeneralSecurityException
 
byte [] decryptBytes (byte[] encryptedBytes, byte[] ivBytes, Key aesKey) throws GeneralSecurityException
 
byte [] computeAuthenticationTag (byte[] aadBytes, byte[] ivBytes, byte[] cipherBytes, Key hmacKeySpec) throws NoSuchAlgorithmException, InvalidKeyException
 

詳解

著者
Marek Posolda

関数詳解

◆ computeAuthenticationTag()

byte [] org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.computeAuthenticationTag ( byte []  aadBytes,
byte []  ivBytes,
byte []  cipherBytes,
Key  hmacKeySpec 
) throws NoSuchAlgorithmException, InvalidKeyException
inlineprivate
133  {
134  // Compute "al"
135  ByteBuffer b = ByteBuffer.allocate(4);
136  b.order(ByteOrder.BIG_ENDIAN); // optional, the initial order of a byte buffer is always BIG_ENDIAN.
137  int aadLengthInBits = aadBytes.length * 8;
138  b.putInt(aadLengthInBits);
139  byte[] result1 = b.array();
140  byte[] al = new byte[8];
141  System.arraycopy(result1, 0, al, 4, 4);
142 
143  byte[] concatenatedHmacInput = new byte[aadBytes.length + ivBytes.length + cipherBytes.length + al.length];
144  System.arraycopy(aadBytes, 0, concatenatedHmacInput, 0, aadBytes.length);
145  System.arraycopy(ivBytes, 0, concatenatedHmacInput, aadBytes.length, ivBytes.length );
146  System.arraycopy(cipherBytes, 0, concatenatedHmacInput, aadBytes.length + ivBytes.length , cipherBytes.length);
147  System.arraycopy(al, 0, concatenatedHmacInput, aadBytes.length + ivBytes.length + cipherBytes.length, al.length);
148 
149  String hmacShaAlg = getHmacShaAlgorithm();
150  Mac macImpl = Mac.getInstance(hmacShaAlg);
151  macImpl.init(hmacKeySpec);
152  macImpl.update(concatenatedHmacInput);
153  byte[] macEncoded = macImpl.doFinal();
154 
155  int authTagLength = getAuthenticationTagLength();
156  return Arrays.copyOf(macEncoded, authTagLength);
157  }

◆ decryptBytes()

byte [] org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.decryptBytes ( byte []  encryptedBytes,
byte []  ivBytes,
Key  aesKey 
) throws GeneralSecurityException
inlineprivate
125  {
126  Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
127  AlgorithmParameterSpec ivParamSpec = new IvParameterSpec(ivBytes);
128  cipher.init(Cipher.DECRYPT_MODE, aesKey, ivParamSpec);
129  return cipher.doFinal(encryptedBytes);
130  }

◆ deserializeCEK()

void org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.deserializeCEK ( JWEKeyStorage  keyStorage)
inline

org.keycloak.jose.jwe.enc.JWEEncryptionProviderを実装しています。

161  {
162  byte[] cekBytes = keyStorage.getCekBytes();
163 
164  int cekLength = getExpectedCEKLength();
165  byte[] cekMacKey = Arrays.copyOf(cekBytes, cekLength / 2);
166  byte[] cekAesKey = Arrays.copyOfRange(cekBytes, cekLength / 2, cekLength);
167 
168  SecretKeySpec aesKey = new SecretKeySpec(cekAesKey, "AES");
169  SecretKeySpec hmacKey = new SecretKeySpec(cekMacKey, "HMACSHA2");
170 
171  keyStorage.setCEKKey(aesKey, JWEKeyStorage.KeyUse.ENCRYPTION);
172  keyStorage.setCEKKey(hmacKey, JWEKeyStorage.KeyUse.SIGNATURE);
173  }

◆ encodeJwe()

void org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.encodeJwe ( JWE  jwe) throws IOException, GeneralSecurityException
inline

org.keycloak.jose.jwe.enc.JWEEncryptionProviderを実装しています。

47  {
48 
49  byte[] contentBytes = jwe.getContent();
50 
51  byte[] initializationVector = JWEUtils.generateSecret(16);
52 
53  Key aesKey = jwe.getKeyStorage().getCEKKey(JWEKeyStorage.KeyUse.ENCRYPTION, false);
54  if (aesKey == null) {
55  throw new IllegalArgumentException("AES CEK key not present");
56  }
57 
58  Key hmacShaKey = jwe.getKeyStorage().getCEKKey(JWEKeyStorage.KeyUse.SIGNATURE, false);
59  if (hmacShaKey == null) {
60  throw new IllegalArgumentException("HMAC CEK key not present");
61  }
62 
63  int expectedAesKeyLength = getExpectedAesKeyLength();
64  if (expectedAesKeyLength != aesKey.getEncoded().length) {
65  throw new IllegalStateException("Length of aes key should be " + expectedAesKeyLength +", but was " + aesKey.getEncoded().length);
66  }
67 
68  byte[] cipherBytes = encryptBytes(contentBytes, initializationVector, aesKey);
69 
70  byte[] aad = jwe.getBase64Header().getBytes("UTF-8");
71  byte[] authenticationTag = computeAuthenticationTag(aad, initializationVector, cipherBytes, hmacShaKey);
72 
73  jwe.setEncryptedContentInfo(initializationVector, cipherBytes, authenticationTag);
74  }
org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.computeAuthenticationTag
byte [] computeAuthenticationTag(byte[] aadBytes, byte[] ivBytes, byte[] cipherBytes, Key hmacKeySpec)
Definition: AesCbcHmacShaEncryptionProvider.java:133
org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.encryptBytes
byte [] encryptBytes(byte[] contentBytes, byte[] ivBytes, Key aesKey)
Definition: AesCbcHmacShaEncryptionProvider.java:117

◆ encryptBytes()

byte [] org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.encryptBytes ( byte []  contentBytes,
byte []  ivBytes,
Key  aesKey 
) throws GeneralSecurityException
inlineprivate
117  {
118  Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding", "BC");
119  AlgorithmParameterSpec ivParamSpec = new IvParameterSpec(ivBytes);
120  cipher.init(Cipher.ENCRYPT_MODE, aesKey, ivParamSpec);
121  return cipher.doFinal(contentBytes);
122  }

◆ getAuthenticationTagLength()

abstract int org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.getAuthenticationTagLength ( )
abstractprotected

◆ getExpectedAesKeyLength()

abstract int org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.getExpectedAesKeyLength ( )
abstractprotected

◆ getExpectedCEKLength()

int org.keycloak.jose.jwe.enc.JWEEncryptionProvider.getExpectedCEKLength ( )
inherited

org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.Aes256CbcHmacSha512Provider, org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.Aes192CbcHmacSha384Provider, org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.Aes128CbcHmacSha256Providerで実装されています。

◆ getHmacShaAlgorithm()

abstract String org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.getHmacShaAlgorithm ( )
abstractprotected

◆ serializeCEK()

byte [] org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.serializeCEK ( JWEKeyStorage  keyStorage)
inline

org.keycloak.jose.jwe.enc.JWEEncryptionProviderを実装しています。

177  {
178  Key aesKey = keyStorage.getCEKKey(JWEKeyStorage.KeyUse.ENCRYPTION, false);
179  if (aesKey == null) {
180  throw new IllegalArgumentException("AES CEK key not present");
181  }
182 
183  Key hmacShaKey = keyStorage.getCEKKey(JWEKeyStorage.KeyUse.SIGNATURE, false);
184  if (hmacShaKey == null) {
185  throw new IllegalArgumentException("HMAC CEK key not present");
186  }
187 
188  byte[] hmacBytes = hmacShaKey.getEncoded();
189  byte[] aesBytes = aesKey.getEncoded();
190 
191  byte[] result = new byte[hmacBytes.length + aesBytes.length];
192  System.arraycopy(hmacBytes, 0, result, 0, hmacBytes.length);
193  System.arraycopy(aesBytes, 0, result, hmacBytes.length, aesBytes.length);
194 
195  return result;
196  }

◆ verifyAndDecodeJwe()

void org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.verifyAndDecodeJwe ( JWE  jwe) throws IOException, GeneralSecurityException
inline

org.keycloak.jose.jwe.enc.JWEEncryptionProviderを実装しています。

78  {
79  Key aesKey = jwe.getKeyStorage().getCEKKey(JWEKeyStorage.KeyUse.ENCRYPTION, false);
80  if (aesKey == null) {
81  throw new IllegalArgumentException("AES CEK key not present");
82  }
83 
84  Key hmacShaKey = jwe.getKeyStorage().getCEKKey(JWEKeyStorage.KeyUse.SIGNATURE, false);
85  if (hmacShaKey == null) {
86  throw new IllegalArgumentException("HMAC CEK key not present");
87  }
88 
89  int expectedAesKeyLength = getExpectedAesKeyLength();
90  if (expectedAesKeyLength != aesKey.getEncoded().length) {
91  throw new IllegalStateException("Length of aes key should be " + expectedAesKeyLength +", but was " + aesKey.getEncoded().length);
92  }
93 
94  byte[] aad = jwe.getBase64Header().getBytes("UTF-8");
95  byte[] authenticationTag = computeAuthenticationTag(aad, jwe.getInitializationVector(), jwe.getEncryptedContent(), hmacShaKey);
96 
97  byte[] expectedAuthTag = jwe.getAuthenticationTag();
98  boolean digitsEqual = MessageDigest.isEqual(expectedAuthTag, authenticationTag);
99 
100  if (!digitsEqual) {
101  throw new IllegalArgumentException("Signature validations failed");
102  }
103 
104  byte[] contentBytes = decryptBytes(jwe.getEncryptedContent(), jwe.getInitializationVector(), aesKey);
105 
106  jwe.content(contentBytes);
107  }
org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.computeAuthenticationTag
byte [] computeAuthenticationTag(byte[] aadBytes, byte[] ivBytes, byte[] cipherBytes, Key hmacKeySpec)
Definition: AesCbcHmacShaEncryptionProvider.java:133
org.keycloak.jose.jwe.enc.AesCbcHmacShaEncryptionProvider.decryptBytes
byte [] decryptBytes(byte[] encryptedBytes, byte[] ivBytes, Key aesKey)
Definition: AesCbcHmacShaEncryptionProvider.java:125
このクラス詳解は次のファイルから抽出されました:
2018年10月29日(月) 00時34分42秒作成 - keycloak / 構成:   doxygen 1.8.13