1 /*
2 * libwebsockets - small server side websockets and web server implementation
3 *
4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
5 *
6 * Permission is hereby granted, free of charge, to any person obtaining a copy
7 * of this software and associated documentation files (the "Software"), to
8 * deal in the Software without restriction, including without limitation the
9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10 * sell copies of the Software, and to permit persons to whom the Software is
11 * furnished to do so, subject to the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be included in
14 * all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22 * IN THE SOFTWARE.
23 */
24
25 #include "private-lib-core.h"
26
27 /*
28 * These came from RFC7518 (JSON Web Algorithms) Section 3
29 *
30 * Cryptographic Algorithms for Digital Signatures and MACs
31 */
32
33 static const struct lws_jose_jwe_alg lws_gencrypto_jws_alg_map[] = {
34
35 /*
36 * JWSs MAY also be created that do not provide integrity protection.
37 * Such a JWS is called an Unsecured JWS. An Unsecured JWS uses the
38 * "alg" value "none" and is formatted identically to other JWSs, but
39 * MUST use the empty octet sequence as its JWS Signature value.
40 * Recipients MUST verify that the JWS Signature value is the empty
41 * octet sequence.
42 *
43 * Implementations that support Unsecured JWSs MUST NOT accept such
44 * objects as valid unless the application specifies that it is
45 * acceptable for a specific object to not be integrity protected.
46 * Implementations MUST NOT accept Unsecured JWSs by default. In order
47 * to mitigate downgrade attacks, applications MUST NOT signal
48 * acceptance of Unsecured JWSs at a global level, and SHOULD signal
49 * acceptance on a per-object basis. See Section 8.5 for security
50 * considerations associated with using this algorithm.
51 */
52 { /* optional */
53 LWS_GENHASH_TYPE_UNKNOWN,
54 LWS_GENHMAC_TYPE_UNKNOWN,
55 LWS_JOSE_ENCTYPE_NONE,
56 LWS_JOSE_ENCTYPE_NONE,
57 "none", NULL, 0, 0, 0
58 },
59
60 /*
61 * HMAC with SHA-2 Functions
62 *
63 * The HMAC SHA-256 MAC for a JWS is validated by computing an HMAC
64 * value per RFC 2104, using SHA-256 as the hash algorithm "H", using
65 * the received JWS Signing Input as the "text" value, and using the
66 * shared key. This computed HMAC value is then compared to the result
67 * of base64url decoding the received encoded JWS Signature value. The
68 * comparison of the computed HMAC value to the JWS Signature value MUST
69 * be done in a constant-time manner to thwart timing attacks.
70 *
71 * Alternatively, the computed HMAC value can be base64url encoded and
72 * compared to the received encoded JWS Signature value (also in a
73 * constant-time manner), as this comparison produces the same result as
74 * comparing the unencoded values. In either case, if the values match,
75 * the HMAC has been validated.
76 */
77
78 { /* required: HMAC using SHA-256 */
79 LWS_GENHASH_TYPE_UNKNOWN,
80 LWS_GENHMAC_TYPE_SHA256,
81 LWS_JOSE_ENCTYPE_NONE,
82 LWS_JOSE_ENCTYPE_NONE,
83 "HS256", NULL, 0, 0, 0
84 },
85 { /* optional: HMAC using SHA-384 */
86 LWS_GENHASH_TYPE_UNKNOWN,
87 LWS_GENHMAC_TYPE_SHA384,
88 LWS_JOSE_ENCTYPE_NONE,
89 LWS_JOSE_ENCTYPE_NONE,
90 "HS384", NULL, 0, 0, 0
91 },
92 { /* optional: HMAC using SHA-512 */
93 LWS_GENHASH_TYPE_UNKNOWN,
94 LWS_GENHMAC_TYPE_SHA512,
95 LWS_JOSE_ENCTYPE_NONE,
96 LWS_JOSE_ENCTYPE_NONE,
97 "HS512", NULL, 0, 0, 0
98 },
99
100 /*
101 * Digital Signature with RSASSA-PKCS1-v1_5
102 *
103 * This section defines the use of the RSASSA-PKCS1-v1_5 digital
104 * signature algorithm as defined in Section 8.2 of RFC 3447 [RFC3447]
105 * (commonly known as PKCS #1), using SHA-2 [SHS] hash functions.
106 *
107 * A key of size 2048 bits or larger MUST be used with these algorithms.
108 *
109 * The RSASSA-PKCS1-v1_5 SHA-256 digital signature is generated as
110 * follows: generate a digital signature of the JWS Signing Input using
111 * RSASSA-PKCS1-v1_5-SIGN and the SHA-256 hash function with the desired
112 * private key. This is the JWS Signature value.
113 *
114 * The RSASSA-PKCS1-v1_5 SHA-256 digital signature for a JWS is
115 * validated as follows: submit the JWS Signing Input, the JWS
116 * Signature, and the public key corresponding to the private key used
117 * by the signer to the RSASSA-PKCS1-v1_5-VERIFY algorithm using SHA-256
118 * as the hash function.
119 */
120
121 { /* recommended: RSASSA-PKCS1-v1_5 using SHA-256 */
122 LWS_GENHASH_TYPE_SHA256,
123 LWS_GENHMAC_TYPE_UNKNOWN,
124 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5,
125 LWS_JOSE_ENCTYPE_NONE,
126 "RS256", NULL, 2048, 4096, 0
127 },
128 { /* optional: RSASSA-PKCS1-v1_5 using SHA-384 */
129 LWS_GENHASH_TYPE_SHA384,
130 LWS_GENHMAC_TYPE_UNKNOWN,
131 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5,
132 LWS_JOSE_ENCTYPE_NONE,
133 "RS384", NULL, 2048, 4096, 0
134 },
135 { /* optional: RSASSA-PKCS1-v1_5 using SHA-512 */
136 LWS_GENHASH_TYPE_SHA512,
137 LWS_GENHMAC_TYPE_UNKNOWN,
138 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5,
139 LWS_JOSE_ENCTYPE_NONE,
140 "RS512", NULL, 2048, 4096, 0
141 },
142
143 /*
144 * Digital Signature with ECDSA
145 *
146 * The ECDSA P-256 SHA-256 digital signature is generated as follows:
147 *
148 * 1. Generate a digital signature of the JWS Signing Input using ECDSA
149 * P-256 SHA-256 with the desired private key. The output will be
150 * the pair (R, S), where R and S are 256-bit unsigned integers.
151 * 2. Turn R and S into octet sequences in big-endian order, with each
152 * array being be 32 octets long. The octet sequence
153 * representations MUST NOT be shortened to omit any leading zero
154 * octets contained in the values.
155 *
156 * 3. Concatenate the two octet sequences in the order R and then S.
157 * (Note that many ECDSA implementations will directly produce this
158 * concatenation as their output.)
159 *
160 * 4. The resulting 64-octet sequence is the JWS Signature value.
161 *
162 * The ECDSA P-256 SHA-256 digital signature for a JWS is validated as
163 * follows:
164 *
165 * 1. The JWS Signature value MUST be a 64-octet sequence. If it is
166 * not a 64-octet sequence, the validation has failed.
167 *
168 * 2. Split the 64-octet sequence into two 32-octet sequences. The
169 * first octet sequence represents R and the second S. The values R
170 * and S are represented as octet sequences using the Integer-to-
171 * OctetString Conversion defined in Section 2.3.7 of SEC1 [SEC1]
172 * (in big-endian octet order).
173 * 3. Submit the JWS Signing Input, R, S, and the public key (x, y) to
174 * the ECDSA P-256 SHA-256 validator.
175 */
176
177 { /* Recommended+: ECDSA using P-256 and SHA-256 */
178 LWS_GENHASH_TYPE_SHA256,
179 LWS_GENHMAC_TYPE_UNKNOWN,
180 LWS_JOSE_ENCTYPE_ECDSA,
181 LWS_JOSE_ENCTYPE_NONE,
182 "ES256", "P-256", 256, 256, 0
183 },
184 { /* optional: ECDSA using P-384 and SHA-384 */
185 LWS_GENHASH_TYPE_SHA384,
186 LWS_GENHMAC_TYPE_UNKNOWN,
187 LWS_JOSE_ENCTYPE_ECDSA,
188 LWS_JOSE_ENCTYPE_NONE,
189 "ES384", "P-384", 384, 384, 0
190 },
191 { /* optional: ECDSA using P-521 and SHA-512 */
192 LWS_GENHASH_TYPE_SHA512,
193 LWS_GENHMAC_TYPE_UNKNOWN,
194 LWS_JOSE_ENCTYPE_ECDSA,
195 LWS_JOSE_ENCTYPE_NONE,
196 "ES512", "P-521", 521, 521, 0
197 },
198 #if 0
199 Not yet supported
200
201 /*
202 * Digital Signature with RSASSA-PSS
203 *
204 * A key of size 2048 bits or larger MUST be used with this algorithm.
205 *
206 * The RSASSA-PSS SHA-256 digital signature is generated as follows:
207 * generate a digital signature of the JWS Signing Input using RSASSA-
208 * PSS-SIGN, the SHA-256 hash function, and the MGF1 mask generation
209 * function with SHA-256 with the desired private key. This is the JWS
210 * Signature value.
211 *
212 * The RSASSA-PSS SHA-256 digital signature for a JWS is validated as
213 * follows: submit the JWS Signing Input, the JWS Signature, and the
214 * public key corresponding to the private key used by the signer to the
215 * RSASSA-PSS-VERIFY algorithm using SHA-256 as the hash function and
216 * using MGF1 as the mask generation function with SHA-256.
217 *
218 */
219 { /* optional: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 */
220 LWS_GENHASH_TYPE_SHA256,
221 LWS_GENHMAC_TYPE_UNKNOWN,
222 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS,
223 LWS_JOSE_ENCTYPE_NONE,
224 "PS256", NULL, 2048, 4096, 0
225 },
226 { /* optional: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 */
227 LWS_GENHASH_TYPE_SHA384,
228 LWS_GENHMAC_TYPE_UNKNOWN,
229 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS,
230 LWS_JOSE_ENCTYPE_NONE,
231 "PS384", NULL, 2048, 4096, 0
232 },
233 { /* optional: RSASSA-PSS using SHA-512 and MGF1 with SHA-512*/
234 LWS_GENHASH_TYPE_SHA512,
235 LWS_GENHMAC_TYPE_UNKNOWN,
236 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS,
237 LWS_JOSE_ENCTYPE_NONE,
238 "PS512", NULL, 2048, 4096, 0
239 },
240 #endif
241 /* list terminator */
242 { 0, 0, 0, 0, NULL, NULL, 0, 0, 0}
243 };
244
245 /*
246 * These came from RFC7518 (JSON Web Algorithms) Section 4
247 *
248 * Cryptographic Algorithms for Key Management
249 *
250 * JWE uses cryptographic algorithms to encrypt or determine the Content
251 * Encryption Key (CEK).
252 */
253
254 static const struct lws_jose_jwe_alg lws_gencrypto_jwe_alg_map[] = {
255
256 /*
257 * This section defines the specifics of encrypting a JWE CEK with
258 * RSAES-PKCS1-v1_5 [RFC3447]. The "alg" (algorithm) Header Parameter
259 * value "RSA1_5" is used for this algorithm.
260 *
261 * A key of size 2048 bits or larger MUST be used with this algorithm.
262 */
263
264 { /* recommended-: RSAES-PKCS1-v1_5 */
265 LWS_GENHASH_TYPE_SHA256,
266 LWS_GENHMAC_TYPE_UNKNOWN,
267 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5,
268 LWS_JOSE_ENCTYPE_NONE,
269 "RSA1_5", NULL, 2048, 4096, 0
270 },
271 { /* recommended+: RSAES OAEP using default parameters */
272 LWS_GENHASH_TYPE_SHA1,
273 LWS_GENHMAC_TYPE_UNKNOWN,
274 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_OAEP,
275 LWS_JOSE_ENCTYPE_NONE,
276 "RSA-OAEP", NULL, 2048, 4096, 0
277 },
278 { /* recommended+: RSAES OAEP using SHA-256 and MGF1 SHA-256 */
279 LWS_GENHASH_TYPE_SHA256,
280 LWS_GENHMAC_TYPE_UNKNOWN,
281 LWS_JOSE_ENCTYPE_RSASSA_PKCS1_OAEP,
282 LWS_JOSE_ENCTYPE_NONE,
283 "RSA-OAEP-256", NULL, 2048, 4096, 0
284 },
285
286 /*
287 * Key Wrapping with AES Key Wrap
288 *
289 * This section defines the specifics of encrypting a JWE CEK with the
290 * Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using
291 * the default initial value specified in Section 2.2.3.1 of that
292 * document.
293 *
294 *
295 */
296 { /* recommended: AES Key Wrap with AES Key Wrap with defaults
297 using 128-bit key */
298 LWS_GENHASH_TYPE_UNKNOWN,
299 LWS_GENHMAC_TYPE_UNKNOWN,
300 LWS_JOSE_ENCTYPE_AES_ECB,
301 LWS_JOSE_ENCTYPE_NONE,
302 "A128KW", NULL, 128, 128, 64
303 },
304
305 { /* optional: AES Key Wrap with AES Key Wrap with defaults
306 using 192-bit key */
307 LWS_GENHASH_TYPE_UNKNOWN,
308 LWS_GENHMAC_TYPE_UNKNOWN,
309 LWS_JOSE_ENCTYPE_AES_ECB,
310 LWS_JOSE_ENCTYPE_NONE,
311 "A192KW", NULL, 192, 192, 64
312 },
313
314 { /* recommended: AES Key Wrap with AES Key Wrap with defaults
315 using 256-bit key */
316 LWS_GENHASH_TYPE_UNKNOWN,
317 LWS_GENHMAC_TYPE_UNKNOWN,
318 LWS_JOSE_ENCTYPE_AES_ECB,
319 LWS_JOSE_ENCTYPE_NONE,
320 "A256KW", NULL, 256, 256, 64
321 },
322
323 /*
324 * This section defines the specifics of directly performing symmetric
325 * key encryption without performing a key wrapping step. In this case,
326 * the shared symmetric key is used directly as the Content Encryption
327 * Key (CEK) value for the "enc" algorithm. An empty octet sequence is
328 * used as the JWE Encrypted Key value. The "alg" (algorithm) Header
329 * Parameter value "dir" is used in this case.
330 */
331 { /* recommended */
332 LWS_GENHASH_TYPE_UNKNOWN,
333 LWS_GENHMAC_TYPE_UNKNOWN,
334 LWS_JOSE_ENCTYPE_NONE,
335 LWS_JOSE_ENCTYPE_NONE,
336 "dir", NULL, 0, 0, 0
337 },
338
339 /*
340 * Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static
341 * (ECDH-ES)
342 *
343 * This section defines the specifics of key agreement with Elliptic
344 * Curve Diffie-Hellman Ephemeral Static [RFC6090], in combination with
345 * the Concat KDF, as defined in Section 5.8.1 of [NIST.800-56A]. The
346 * key agreement result can be used in one of two ways:
347 *
348 * 1. directly as the Content Encryption Key (CEK) for the "enc"
349 * algorithm, in the Direct Key Agreement mode, or
350 *
351 * 2. as a symmetric key used to wrap the CEK with the "A128KW",
352 * "A192KW", or "A256KW" algorithms, in the Key Agreement with Key
353 * Wrapping mode.
354 *
355 * A new ephemeral public key value MUST be generated for each key
356 * agreement operation.
357 *
358 * In Direct Key Agreement mode, the output of the Concat KDF MUST be a
359 * key of the same length as that used by the "enc" algorithm. In this
360 * case, the empty octet sequence is used as the JWE Encrypted Key
361 * value. The "alg" (algorithm) Header Parameter value "ECDH-ES" is
362 * used in the Direct Key Agreement mode.
363 *
364 * In Key Agreement with Key Wrapping mode, the output of the Concat KDF
365 * MUST be a key of the length needed for the specified key wrapping
366 * algorithm. In this case, the JWE Encrypted Key is the CEK wrapped
367 * with the agreed-upon key.
368 */
369
370 { /* recommended+: ECDH Ephemeral Static Key agreement Concat KDF */
371 LWS_GENHASH_TYPE_SHA256,
372 LWS_GENHMAC_TYPE_UNKNOWN,
373 LWS_JOSE_ENCTYPE_ECDHES,
374 LWS_JOSE_ENCTYPE_NONE,
375 "ECDH-ES", NULL, 128, 128, 0
376 },
377 { /* recommended: ECDH-ES + Concat KDF + wrapped by AES128KW */
378 LWS_GENHASH_TYPE_SHA256,
379 LWS_GENHMAC_TYPE_UNKNOWN,
380 LWS_JOSE_ENCTYPE_ECDHES,
381 LWS_JOSE_ENCTYPE_AES_ECB,
382 "ECDH-ES+A128KW", NULL, 128, 128, 0
383 },
384 { /* optional: ECDH-ES + Concat KDF + wrapped by AES192KW */
385 LWS_GENHASH_TYPE_SHA256,
386 LWS_GENHMAC_TYPE_UNKNOWN,
387 LWS_JOSE_ENCTYPE_ECDHES,
388 LWS_JOSE_ENCTYPE_AES_ECB,
389 "ECDH-ES+A192KW", NULL, 192, 192, 0
390 },
391 { /* recommended: ECDH-ES + Concat KDF + wrapped by AES256KW */
392 LWS_GENHASH_TYPE_SHA256,
393 LWS_GENHMAC_TYPE_UNKNOWN,
394 LWS_JOSE_ENCTYPE_ECDHES,
395 LWS_JOSE_ENCTYPE_AES_ECB,
396 "ECDH-ES+A256KW", NULL, 256, 256, 0
397 },
398
399 /*
400 * Key Encryption with AES GCM
401 *
402 * This section defines the specifics of encrypting a JWE Content
403 * Encryption Key (CEK) with Advanced Encryption Standard (AES) in
404 * Galois/Counter Mode (GCM) ([AES] and [NIST.800-38D]).
405 *
406 * Use of an Initialization Vector (IV) of size 96 bits is REQUIRED with
407 * this algorithm. The IV is represented in base64url-encoded form as
408 * the "iv" (initialization vector) Header Parameter value.
409 *
410 * The Additional Authenticated Data value used is the empty octet
411 * string.
412 *
413 * The requested size of the Authentication Tag output MUST be 128 bits,
414 * regardless of the key size.
415 *
416 * The JWE Encrypted Key value is the ciphertext output.
417 *
418 * The Authentication Tag output is represented in base64url-encoded
419 * form as the "tag" (authentication tag) Header Parameter value.
420 *
421 *
422 * "iv" (Initialization Vector) Header Parameter
423 *
424 * The "iv" (initialization vector) Header Parameter value is the
425 * base64url-encoded representation of the 96-bit IV value used for the
426 * key encryption operation. This Header Parameter MUST be present and
427 * MUST be understood and processed by implementations when these
428 * algorithms are used.
429 *
430 * "tag" (Authentication Tag) Header Parameter
431 *
432 * The "tag" (authentication tag) Header Parameter value is the
433 * base64url-encoded representation of the 128-bit Authentication Tag
434 * value resulting from the key encryption operation. This Header
435 * Parameter MUST be present and MUST be understood and processed by
436 * implementations when these algorithms are used.
437 */
438 { /* optional: Key wrapping with AES GCM using 128-bit key */
439 LWS_GENHASH_TYPE_UNKNOWN,
440 LWS_GENHMAC_TYPE_UNKNOWN,
441 LWS_JOSE_ENCTYPE_AES_ECB,
442 LWS_JOSE_ENCTYPE_NONE,
443 "A128GCMKW", NULL, 128, 128, 96
444 },
445
446 { /* optional: Key wrapping with AES GCM using 192-bit key */
447 LWS_GENHASH_TYPE_UNKNOWN,
448 LWS_GENHMAC_TYPE_UNKNOWN,
449 LWS_JOSE_ENCTYPE_AES_ECB,
450 LWS_JOSE_ENCTYPE_NONE,
451 "A192GCMKW", NULL, 192, 192, 96
452 },
453
454 { /* optional: Key wrapping with AES GCM using 256-bit key */
455 LWS_GENHASH_TYPE_UNKNOWN,
456 LWS_GENHMAC_TYPE_UNKNOWN,
457 LWS_JOSE_ENCTYPE_AES_ECB,
458 LWS_JOSE_ENCTYPE_NONE,
459 "A256GCMKW", NULL, 256, 256, 96
460 },
461
462 /* list terminator */
463 { 0, 0, 0, 0, NULL, NULL, 0, 0, 0 }
464 };
465
466 /*
467 * The "enc" (encryption algorithm) Header Parameter identifies the
468 * content encryption algorithm used to perform authenticated encryption
469 * on the plaintext to produce the ciphertext and the Authentication
470 * Tag. This algorithm MUST be an AEAD algorithm with a specified key
471 * length. The encrypted content is not usable if the "enc" value does
472 * not represent a supported algorithm. "enc" values should either be
473 * registered in the IANA "JSON Web Signature and Encryption Algorithms"
474 * registry established by [JWA] or be a value that contains a
475 * Collision-Resistant Name. The "enc" value is a case-sensitive ASCII
476 * string containing a StringOrURI value. This Header Parameter MUST be
477 * present and MUST be understood and processed by implementations.
478 */
479
480 static const struct lws_jose_jwe_alg lws_gencrypto_jwe_enc_map[] = {
481 /*
482 * AES_128_CBC_HMAC_SHA_256 / 512
483 *
484 * It uses the HMAC message authentication code [RFC2104] with the
485 * SHA-256 hash function [SHS] to provide message authentication, with
486 * the HMAC output truncated to 128 bits, corresponding to the
487 * HMAC-SHA-256-128 algorithm defined in [RFC4868]. For encryption, it
488 * uses AES in the CBC mode of operation as defined in Section 6.2 of
489 * [NIST.800-38A], with PKCS #7 padding and a 128-bit IV value.
490 *
491 * The AES_CBC_HMAC_SHA2 parameters specific to AES_128_CBC_HMAC_SHA_256
492 * are:
493 *
494 * The input key K is 32 octets long.
495 * ENC_KEY_LEN is 16 octets.
496 * MAC_KEY_LEN is 16 octets.
497 * The SHA-256 hash algorithm is used for the HMAC.
498 * The HMAC-SHA-256 output is truncated to T_LEN=16 octets, by
499 * stripping off the final 16 octets.
500 */
501 { /* required */
502 LWS_GENHASH_TYPE_UNKNOWN,
503 LWS_GENHMAC_TYPE_SHA256,
504 LWS_JOSE_ENCTYPE_NONE,
505 LWS_JOSE_ENCTYPE_AES_CBC,
506 "A128CBC-HS256", NULL, 256, 256, 128
507 },
508 /*
509 * AES_192_CBC_HMAC_SHA_384 is based on AES_128_CBC_HMAC_SHA_256, but
510 * with the following differences:
511 *
512 * The input key K is 48 octets long instead of 32.
513 * ENC_KEY_LEN is 24 octets instead of 16.
514 * MAC_KEY_LEN is 24 octets instead of 16.
515 * SHA-384 is used for the HMAC instead of SHA-256.
516 * The HMAC SHA-384 value is truncated to T_LEN=24 octets instead of 16.
517 */
518 { /* required */
519 LWS_GENHASH_TYPE_UNKNOWN,
520 LWS_GENHMAC_TYPE_SHA384,
521 LWS_JOSE_ENCTYPE_NONE,
522 LWS_JOSE_ENCTYPE_AES_CBC,
523 "A192CBC-HS384", NULL, 384, 384, 192
524 },
525 /*
526 * AES_256_CBC_HMAC_SHA_512 is based on AES_128_CBC_HMAC_SHA_256, but
527 * with the following differences:
528 *
529 * The input key K is 64 octets long instead of 32.
530 * ENC_KEY_LEN is 32 octets instead of 16.
531 * MAC_KEY_LEN is 32 octets instead of 16.
532 * SHA-512 is used for the HMAC instead of SHA-256.
533 * The HMAC SHA-512 value is truncated to T_LEN=32 octets instead of 16.
534 */
535 { /* required */
536 LWS_GENHASH_TYPE_UNKNOWN,
537 LWS_GENHMAC_TYPE_SHA512,
538 LWS_JOSE_ENCTYPE_NONE,
539 LWS_JOSE_ENCTYPE_AES_CBC,
540 "A256CBC-HS512", NULL, 512, 512, 256
541 },
542
543 /*
544 * The CEK is used as the encryption key.
545 *
546 * Use of an IV of size 96 bits is REQUIRED with this algorithm.
547 *
548 * The requested size of the Authentication Tag output MUST be 128 bits,
549 * regardless of the key size.
550 */
551 { /* recommended: AES GCM using 128-bit key */
552 LWS_GENHASH_TYPE_UNKNOWN,
553 LWS_GENHMAC_TYPE_UNKNOWN,
554 LWS_JOSE_ENCTYPE_NONE,
555 LWS_JOSE_ENCTYPE_AES_GCM,
556 "A128GCM", NULL, 128, 128, 96
557 },
558 { /* optional: AES GCM using 192-bit key */
559 LWS_GENHASH_TYPE_UNKNOWN,
560 LWS_GENHMAC_TYPE_UNKNOWN,
561 LWS_JOSE_ENCTYPE_NONE,
562 LWS_JOSE_ENCTYPE_AES_GCM,
563 "A192GCM", NULL, 192, 192, 96
564 },
565 { /* recommended: AES GCM using 256-bit key */
566 LWS_GENHASH_TYPE_UNKNOWN,
567 LWS_GENHMAC_TYPE_UNKNOWN,
568 LWS_JOSE_ENCTYPE_NONE,
569 LWS_JOSE_ENCTYPE_AES_GCM,
570 "A256GCM", NULL, 256, 256, 96
571 },
572 { 0, 0, 0, 0, NULL, NULL, 0, 0, 0 } /* sentinel */
573 };
574
575 int
lws_gencrypto_jws_alg_to_definition(const char * alg,const struct lws_jose_jwe_alg ** jose)576 lws_gencrypto_jws_alg_to_definition(const char *alg,
577 const struct lws_jose_jwe_alg **jose)
578 {
579 const struct lws_jose_jwe_alg *a = lws_gencrypto_jws_alg_map;
580
581 while (a->alg) {
582 if (!strcmp(alg, a->alg)) {
583 *jose = a;
584
585 return 0;
586 }
587 a++;
588 }
589
590 return 1;
591 }
592
593 int
lws_gencrypto_jwe_alg_to_definition(const char * alg,const struct lws_jose_jwe_alg ** jose)594 lws_gencrypto_jwe_alg_to_definition(const char *alg,
595 const struct lws_jose_jwe_alg **jose)
596 {
597 const struct lws_jose_jwe_alg *a = lws_gencrypto_jwe_alg_map;
598
599 while (a->alg) {
600 if (!strcmp(alg, a->alg)) {
601 *jose = a;
602
603 return 0;
604 }
605 a++;
606 }
607
608 return 1;
609 }
610
611 int
lws_gencrypto_jwe_enc_to_definition(const char * enc,const struct lws_jose_jwe_alg ** jose)612 lws_gencrypto_jwe_enc_to_definition(const char *enc,
613 const struct lws_jose_jwe_alg **jose)
614 {
615 const struct lws_jose_jwe_alg *e = lws_gencrypto_jwe_enc_map;
616
617 while (e->alg) {
618 if (!strcmp(enc, e->alg)) {
619 *jose = e;
620
621 return 0;
622 }
623 e++;
624 }
625
626 return 1;
627 }
628
629 size_t
lws_genhash_size(enum lws_genhash_types type)630 lws_genhash_size(enum lws_genhash_types type)
631 {
632 switch(type) {
633 case LWS_GENHASH_TYPE_UNKNOWN:
634 return 0;
635 case LWS_GENHASH_TYPE_MD5:
636 return 16;
637 case LWS_GENHASH_TYPE_SHA1:
638 return 20;
639 case LWS_GENHASH_TYPE_SHA256:
640 return 32;
641 case LWS_GENHASH_TYPE_SHA384:
642 return 48;
643 case LWS_GENHASH_TYPE_SHA512:
644 return 64;
645 }
646
647 return 0;
648 }
649
650 size_t
lws_genhmac_size(enum lws_genhmac_types type)651 lws_genhmac_size(enum lws_genhmac_types type)
652 {
653 switch(type) {
654 case LWS_GENHMAC_TYPE_UNKNOWN:
655 return 0;
656 case LWS_GENHMAC_TYPE_SHA256:
657 return 32;
658 case LWS_GENHMAC_TYPE_SHA384:
659 return 48;
660 case LWS_GENHMAC_TYPE_SHA512:
661 return 64;
662 }
663
664 return 0;
665 }
666
667 int
lws_gencrypto_bits_to_bytes(int bits)668 lws_gencrypto_bits_to_bytes(int bits)
669 {
670 if (bits & 7)
671 return (bits / 8) + 1;
672
673 return bits / 8;
674 }
675
676 int
lws_base64_size(int bytes)677 lws_base64_size(int bytes)
678 {
679 return ((bytes * 4) / 3) + 6;
680 }
681
682 void
lws_gencrypto_destroy_elements(struct lws_gencrypto_keyelem * el,int m)683 lws_gencrypto_destroy_elements(struct lws_gencrypto_keyelem *el, int m)
684 {
685 int n;
686
687 for (n = 0; n < m; n++)
688 if (el[n].buf)
689 lws_free_set_NULL(el[n].buf);
690 }
691
lws_gencrypto_padded_length(size_t pad_block_size,size_t len)692 size_t lws_gencrypto_padded_length(size_t pad_block_size, size_t len)
693 {
694 return (len / pad_block_size + 1) * pad_block_size;
695 }
696