/**
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.cxf.rs.security.jose.common;
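/**
 * Constant names used by the JOSE (JWS / JWE / JWT) support: the JOSE header parameter
 * names, the media / "typ" values, and the {@code rs.security.*} configuration property
 * keys that select keys, algorithms and header contents.
 *
 * <p>The string values are wire-level header names and externally configured property
 * keys; they must not be changed without a compatibility review.
 */
public final class JoseConstants {

    //
    // JOSE header parameter names (shared by JWS and JWE)
    //
    public static final String HEADER_TYPE = "typ";
    public static final String HEADER_ALGORITHM = "alg";
    public static final String HEADER_CONTENT_TYPE = "cty";
    public static final String HEADER_CRITICAL = "crit";
    public static final String HEADER_KEY_ID = "kid";
    public static final String HEADER_X509_URL = "x5u";
    public static final String HEADER_X509_CHAIN = "x5c";
    /** X.509 certificate SHA-1 thumbprint. */
    public static final String HEADER_X509_THUMBPRINT = "x5t";
    /** X.509 certificate SHA-256 thumbprint. */
    public static final String HEADER_X509_THUMBPRINT_SHA256 = "x5t#S256";
    public static final String HEADER_JSON_WEB_KEY = "jwk";
    public static final String HEADER_JSON_WEB_KEY_SET = "jku";

    //
    // JWE / JWS specific header parameter names
    //
    /** JWE reuses the "alg" header for the key management algorithm. */
    public static final String JWE_HEADER_KEY_ENC_ALGORITHM = HEADER_ALGORITHM;
    public static final String JWE_HEADER_CONTENT_ENC_ALGORITHM = "enc";
    public static final String JWE_HEADER_ZIP_ALGORITHM = "zip";
    /** The only "zip" value defined here: DEFLATE compression of the plaintext. */
    public static final String JWE_DEFLATE_ZIP_ALGORITHM = "DEF";
    public static final String JWS_HEADER_B64_STATUS_HEADER = "b64";

    //
    // "typ" header values and media types
    //
    public static final String TYPE_JWT = "JWT";
    public static final String TYPE_JOSE = "JOSE";
    public static final String TYPE_JOSE_JSON = "JOSE+JSON";
    public static final String MEDIA_TYPE_JOSE = "application/jose";
    public static final String MEDIA_TYPE_JOSE_JSON = "application/jose+json";

    /** Message context property under which the JOSE context is stored. */
    public static final String JOSE_CONTEXT_PROPERTY = "org.apache.cxf.jose.context";

    //
    // JOSE Configuration constants
    //

    //
    // Shared configuration
    //
    /**
     * The keystore type. Suitable values are "jks" or "jwk". The default value is "jwk".
     */
    public static final String RSSEC_KEY_STORE_TYPE = "rs.security.keystore.type";
    /**
     * The password required to access the keystore. This is a plain-text property; where the
     * password should not live in configuration files, see {@link #RSSEC_KEY_PSWD_PROVIDER}.
     */
    public static final String RSSEC_KEY_STORE_PSWD = "rs.security.keystore.password";
    /**
     * The password required to access the private key (in the keystore). This is a plain-text
     * property; where the password should not live in configuration files, see
     * {@link #RSSEC_KEY_PSWD_PROVIDER}.
     */
    public static final String RSSEC_KEY_PSWD = "rs.security.key.password";
    /**
     * The keystore alias corresponding to the key to use. You can append one of the following to this tag to
     * get the alias for more specific operations:
     * - jwe.out
     * - jwe.in
     * - jws.out
     * - jws.in
     */
    public static final String RSSEC_KEY_STORE_ALIAS = "rs.security.keystore.alias";
    /**
     * The keystore aliases corresponding to the keys to use, when using the JSON serialization form. You can
     * append one of the following to this tag to get the alias for more specific operations:
     * - jws.out
     * - jws.in
     */
    public static final String RSSEC_KEY_STORE_ALIASES = "rs.security.keystore.aliases";
    /**
     * The path to the keystore file.
     */
    public static final String RSSEC_KEY_STORE_FILE = "rs.security.keystore.file";
    /**
     * The KeyStore Object.
     */
    public static final String RSSEC_KEY_STORE = "rs.security.keystore";
    /**
     * A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys.
     */
    public static final String RSSEC_KEY_PSWD_PROVIDER = "rs.security.key.password.provider";
    /**
     * Whether to allow using a JWK received in the header for signature validation. The default
     * is "false".
     *
     * <p>A key carried in the header is chosen by whoever produced the message, so verifying
     * against it only shows the message is self-consistent; it does not by itself tie the
     * signature to a trusted party. Keep the default unless the header key is validated
     * against a trusted set by other means.
     */
    public static final String RSSEC_ACCEPT_PUBLIC_KEY = "rs.security.accept.public.key";
    /**
     * Presumably a JWK Set supplied inline rather than via {@link #RSSEC_KEY_STORE_FILE}.
     * NOTE(review): the accepted value type is not visible here — TODO confirm against the
     * JWK keystore loading code and document it.
     */
    public static final String RSSEC_KEY_STORE_JWKSET = "rs.security.keystore.jwkset";
    /**
     * Presumably a single JWK supplied inline rather than via {@link #RSSEC_KEY_STORE_FILE}.
     * NOTE(review): the accepted value type is not visible here — TODO confirm against the
     * JWK keystore loading code and document it.
     */
    public static final String RSSEC_KEY_STORE_JWKKEY = "rs.security.keystore.jwkkey";

    //
    // JWS specific Configuration
    //
    /**
     * A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys
     * for signature. If this is not specified it falls back to use the RSSEC_KEY_PSWD_PROVIDER.
     */
    public static final String RSSEC_SIGNATURE_KEY_PSWD_PROVIDER = "rs.security.signature.key.password.provider";
    /**
     * The signature algorithm to use. The default algorithm if not specified is 'RS256'.
     */
    public static final String RSSEC_SIGNATURE_ALGORITHM = "rs.security.signature.algorithm";
    /**
     * The EC Curve to use with EC keys loaded from Java Key Store.
     * JWK EC Keys are expected to use a standard "crv" property instead.
     */
    public static final String RSSEC_EC_CURVE = "rs.security.elliptic.curve";
    /**
     * The signature properties file for compact signature creation. If not specified then it falls back to
     * RSSEC_SIGNATURE_PROPS.
     */
    public static final String RSSEC_SIGNATURE_OUT_PROPS = "rs.security.signature.out.properties";
    /**
     * The signature properties file for compact signature verification. If not specified then it falls back to
     * RSSEC_SIGNATURE_PROPS.
     */
    public static final String RSSEC_SIGNATURE_IN_PROPS = "rs.security.signature.in.properties";
    /**
     * The signature properties file for compact signature creation/verification.
     */
    public static final String RSSEC_SIGNATURE_PROPS = "rs.security.signature.properties";
    /**
     * Include the JWK public key for signature in the "jwk" header.
     */
    public static final String RSSEC_SIGNATURE_INCLUDE_PUBLIC_KEY = "rs.security.signature.include.public.key";
    /**
     * Include the X.509 certificate for signature in the "x5c" header.
     */
    public static final String RSSEC_SIGNATURE_INCLUDE_CERT = "rs.security.signature.include.cert";
    /**
     * Include the JWK key id for signature in the "kid" header.
     */
    public static final String RSSEC_SIGNATURE_INCLUDE_KEY_ID = "rs.security.signature.include.key.id";
    /**
     * Include the X.509 certificate SHA-1 digest for signature in the "x5t" header.
     */
    public static final String RSSEC_SIGNATURE_INCLUDE_CERT_SHA1 = "rs.security.signature.include.cert.sha1";
    /**
     * Include the X.509 certificate SHA-256 digest for signature in the "x5t#S256" header.
     */
    public static final String RSSEC_SIGNATURE_INCLUDE_CERT_SHA256 = "rs.security.signature.include.cert.sha256";

    //
    // JWE specific Configuration
    //
    /**
     * A reference to a PrivateKeyPasswordProvider instance used to retrieve passwords to access keys
     * for decryption. If this is not specified it falls back to use the RSSEC_KEY_PSWD_PROVIDER.
     */
    public static final String RSSEC_DECRYPTION_KEY_PSWD_PROVIDER = "rs.security.decryption.key.password.provider";
    /**
     * The encryption content algorithm to use. The default algorithm if not specified is 'A128GCM'.
     */
    public static final String RSSEC_ENCRYPTION_CONTENT_ALGORITHM = "rs.security.encryption.content.algorithm";
    /**
     * The encryption key algorithm to use. The default algorithm if not specified is 'RSA-OAEP' if the key is an
     * RSA key, and 'A128GCMKW' if it is an octet sequence.
     */
    public static final String RSSEC_ENCRYPTION_KEY_ALGORITHM = "rs.security.encryption.key.algorithm";
    /**
     * The encryption zip algorithm to use.
     */
    public static final String RSSEC_ENCRYPTION_ZIP_ALGORITHM = "rs.security.encryption.zip.algorithm";
    /**
     * The encryption properties file for encryption creation. If not specified then it falls back to
     * RSSEC_ENCRYPTION_PROPS.
     */
    public static final String RSSEC_ENCRYPTION_OUT_PROPS = "rs.security.encryption.out.properties";
    /**
     * The decryption properties file for decryption. If not specified then it falls back to
     * RSSEC_ENCRYPTION_PROPS.
     */
    public static final String RSSEC_ENCRYPTION_IN_PROPS = "rs.security.encryption.in.properties";
    /**
     * The encryption/decryption properties file.
     */
    public static final String RSSEC_ENCRYPTION_PROPS = "rs.security.encryption.properties";
    /**
     * Include the JWK public key for encryption in the "jwk" header.
     */
    public static final String RSSEC_ENCRYPTION_INCLUDE_PUBLIC_KEY = "rs.security.encryption.include.public.key";
    /**
     * Include the X.509 certificate for encryption in the "x5c" header.
     */
    public static final String RSSEC_ENCRYPTION_INCLUDE_CERT = "rs.security.encryption.include.cert";
    /**
     * Include the JWK key id for encryption in the "kid" header.
     */
    public static final String RSSEC_ENCRYPTION_INCLUDE_KEY_ID = "rs.security.encryption.include.key.id";
    /**
     * Include the X.509 certificate SHA-1 digest for encryption in the "x5t" header.
     */
    public static final String RSSEC_ENCRYPTION_INCLUDE_CERT_SHA1 = "rs.security.encryption.include.cert.sha1";
    /**
     * Include the X.509 certificate SHA-256 digest for encryption in the "x5t#S256" header.
     */
    public static final String RSSEC_ENCRYPTION_INCLUDE_CERT_SHA256 = "rs.security.encryption.include.cert.sha256";

    //
    // JWT specific configuration
    //
    /**
     * Whether to allow unsigned JWT tokens as SecurityContext Principals. The default is false.
     *
     * <p>An unsigned token has no integrity protection, so its claims cannot be attributed to
     * any issuer; enabling this means the principal is taken on the token's own say-so.
     */
    public static final String ENABLE_UNSIGNED_JWT_PRINCIPAL = "rs.security.enable.unsigned-jwt.principal";
    /**
     * Whether to trace JOSE headers.
     */
    public static final String JOSE_DEBUG = "jose.debug";

    /** Constants holder; not instantiable. */
    private JoseConstants() {
    }
}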