Friday, March 13, 2015

Apache CXF is getting JOSE ready

I've already talked about JOSE on this blog. In my opinion, it is one of the key technologies, alongside OAuth2, that will deeply affect the way developers write secure HTTP RS services in the years to come.

A one sentence summary: one can use JOSE to secure, sign and/or encrypt a data content in any format, JSON, text, binaries, anything. JOSE is a key component of an advanced OAuth2 application, but also is a good fit for securing the regular HTTP web service communications.

As such it should not be a surprise that CXF now ships its own JOSE implementation offering a support for all of JOSE signature and encryption algorithms and representation formats and joins a list of other frameworks/projects directly supporting JOSE.

I've done an initial documentation here. There's so much to document that I will need probably another week to complete it all. Lots of interesting stuff for developers to experiment with that needs to be documented. I think it is unique in its own way while probably repeating some of the boilerplate code that any JOSE implementation needs to do.

Apart from being keen to directly deal with such an implementation, IMHO it is also good to have it supported in CXF due to how important this technology will become for web services developers in the future. It is always healthy to have multiple implementations as the JAX-RS space has demonstrated. And if CXF users would prefer to use other JOSE implementations then it will be fine.

One such 3rd party implementation is Jose4J. I'd like to thank Brian Campbell for creating it - it did help me to keep my sanity when I only started trying to write a test validating an RSA-OAEP output which is random. I also looked at its source recently when I was puzzled as to why my tests involving EC keys produce wrong-size signatures, even though the validation was passing - the comment in Jose4J made a rather cryptic JOSE spec text obvious, JOSE EC signatures are formatted in a format more compact than DER. I still wrote my own code though :-) which one might say is questionable but there you go. Thanks Brian. I think we can plug in Jose4J with CXF JOSE filters easily enough should users demand it.

CXF JOSE project is not completely finalized but I'm thinking it is getting pretty close to the final API. I'd like to encourage the early adopters give it a go and provide the feedback. In meantime I'll be working on completing the documentation and tweaking the code to enforce some of the security considerations documented in JOSE specifications, etc.

Enjoy !

No comments: