1 /* 2 * libwebsockets - small server side websockets and web server implementation 3 * 4 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com> 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining a copy 7 * of this software and associated documentation files (the "Software"), to 8 * deal in the Software without restriction, including without limitation the 9 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or 10 * sell copies of the Software, and to permit persons to whom the Software is 11 * furnished to do so, subject to the following conditions: 12 * 13 * The above copyright notice and this permission notice shall be included in 14 * all copies or substantial portions of the Software. 15 * 16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 19 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING 21 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 22 * IN THE SOFTWARE. 23 * 24 * JWE Compact Serialization consists of 25 * 26 * BASE64URL(UTF8(JWE Protected Header)) || '.' || 27 * BASE64URL(JWE Encrypted Key) || '.' || 28 * BASE64URL(JWE Initialization Vector) || '.' || 29 * BASE64URL(JWE Ciphertext) || '.' || 30 * BASE64URL(JWE Authentication Tag) 31 */ 32 33 #define LWS_JWE_RFC3394_OVERHEAD_BYTES 8 34 #define LWS_JWE_AES_IV_BYTES 16 35 36 #define LWS_JWE_LIMIT_RSA_KEY_BITS 4096 37 #define LWS_JWE_LIMIT_AES_KEY_BITS (512 + 64) /* RFC3394 Key Wrap adds 64b */ 38 #define LWS_JWE_LIMIT_EC_KEY_BITS 528 /* 521 rounded to byte boundary */ 39 #define LWS_JWE_LIMIT_HASH_BITS (LWS_GENHASH_LARGEST * 8) 40 41 /* the largest key element for any cipher */ 42 #define LWS_JWE_LIMIT_KEY_ELEMENT_BYTES (LWS_JWE_LIMIT_RSA_KEY_BITS / 8) 43 44 45 struct lws_jwe { 46 struct lws_jose jose; 47 struct lws_jws jws; 48 struct lws_jwk jwk; 49 50 /* 51 * We have to keep a copy of the CEK so we can reuse it with later 52 * key encryptions for the multiple recipient case. 53 */ 54 uint8_t cek[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES]; 55 unsigned int cek_valid:1; 56 57 int recip; 58 }; 59 60 LWS_VISIBLE LWS_EXTERN void 61 lws_jwe_init(struct lws_jwe *jwe, struct lws_context *context); 62 63 LWS_VISIBLE LWS_EXTERN void 64 lws_jwe_destroy(struct lws_jwe *jwe); 65 66 LWS_VISIBLE LWS_EXTERN void 67 lws_jwe_be64(uint64_t c, uint8_t *p8); 68 69 /* 70 * JWE Compact Serialization consists of 71 * 72 * BASE64URL(UTF8(JWE Protected Header)) || '.' || 73 * BASE64URL(JWE Encrypted Key) || '.' || 74 * BASE64URL(JWE Initialization Vector) || '.' || 75 * BASE64URL(JWE Ciphertext) || '.' || 76 * BASE64URL(JWE Authentication Tag) 77 */ 78 79 LWS_VISIBLE LWS_EXTERN int 80 lws_jwe_render_compact(struct lws_jwe *jwe, char *out, size_t out_len); 81 82 LWS_VISIBLE int 83 lws_jwe_render_flattened(struct lws_jwe *jwe, char *out, size_t out_len); 84 85 LWS_VISIBLE LWS_EXTERN int 86 lws_jwe_json_parse(struct lws_jwe *jwe, const uint8_t *buf, int len, 87 char *temp, int *temp_len); 88 89 /** 90 * lws_jwe_auth_and_decrypt() - confirm and decrypt JWE 91 * 92 * \param jose: jose context 93 * \param jws: jws / jwe context... .map and .map_b64 must be filled already 94 * 95 * This is a high level JWE decrypt api that takes a jws with the maps 96 * already processed, and if the authentication passes, returns the decrypted 97 * plaintext in jws.map.buf[LJWE_CTXT] and its length in jws.map.len[LJWE_CTXT]. 98 * 99 * In the jws, the following fields must have been set by the caller 100 * 101 * .context 102 * .jwk (the key encryption key) 103 * .map 104 * .map_b64 105 * 106 * Having the b64 and decoded maps filled externally makes it flexible where 107 * the data was picked from, eg, from a Complete JWE JSON serialization, a 108 * flattened one, or a Compact Serialization. 109 * 110 * Returns decrypt length, or -1 for failure. 111 */ 112 LWS_VISIBLE LWS_EXTERN int 113 lws_jwe_auth_and_decrypt(struct lws_jwe *jwe, char *temp, int *temp_len); 114 115 /** 116 * lws_jwe_encrypt() - perform JWE encryption 117 * 118 * \param jose: the JOSE header information (encryption types, etc) 119 * \param jws: the JWE elements, pointer to jwk etc 120 * \param temp: parent-owned buffer to "allocate" elements into 121 * \param temp_len: amount of space available in temp 122 * 123 * May be called up to LWS_JWS_MAX_RECIPIENTS times to encrypt the same CEK 124 * multiple ways on the same JWE payload. 125 * 126 * returns the amount of temp used, or -1 for error. 127 */ 128 LWS_VISIBLE LWS_EXTERN int 129 lws_jwe_encrypt(struct lws_jwe *jwe, char *temp, int *temp_len); 130 131 /** 132 * lws_jwe_create_packet() - add b64 sig to b64 hdr + payload 133 * 134 * \param jwe: the struct lws_jwe we are trying to render 135 * \param payload: unencoded payload JSON 136 * \param len: length of unencoded payload JSON 137 * \param nonce: Nonse string to include in protected header 138 * \param out: buffer to take signed packet 139 * \param out_len: size of \p out buffer 140 * \param conext: lws_context to get random from 141 * 142 * This creates a "flattened" JWS packet from the jwk and the plaintext 143 * payload, and signs it. The packet is written into \p out. 144 * 145 * This does the whole packet assembly and signing, calling through to 146 * lws_jws_sign_from_b64() as part of the process. 147 * 148 * Returns the length written to \p out, or -1. 149 */ 150 LWS_VISIBLE LWS_EXTERN int 151 lws_jwe_create_packet(struct lws_jwe *jwe, 152 const char *payload, size_t len, const char *nonce, 153 char *out, size_t out_len, struct lws_context *context); 154 155 156 /* only exposed because we have test vectors that need it */ 157 LWS_VISIBLE LWS_EXTERN int 158 lws_jwe_auth_and_decrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *enc_cek, 159 uint8_t *aad, int aad_len); 160 161 /* only exposed because we have test vectors that need it */ 162 LWS_VISIBLE LWS_EXTERN int 163 lws_jwa_concat_kdf(struct lws_jwe *jwe, int direct, 164 uint8_t *out, const uint8_t *shared_secret, int sslen); 165