/src/libwebsockets/lib/tls/lws-gencrypto-common.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * libwebsockets - small server side websockets and web server implementation |
3 | | * |
4 | | * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com> |
5 | | * |
6 | | * Permission is hereby granted, free of charge, to any person obtaining a copy |
7 | | * of this software and associated documentation files (the "Software"), to |
8 | | * deal in the Software without restriction, including without limitation the |
9 | | * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or |
10 | | * sell copies of the Software, and to permit persons to whom the Software is |
11 | | * furnished to do so, subject to the following conditions: |
12 | | * |
13 | | * The above copyright notice and this permission notice shall be included in |
14 | | * all copies or substantial portions of the Software. |
15 | | * |
16 | | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
17 | | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
18 | | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
19 | | * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
20 | | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
21 | | * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS |
22 | | * IN THE SOFTWARE. |
23 | | */ |
24 | | |
25 | | #include "private-lib-core.h" |
26 | | |
27 | | /* |
28 | | * These came from RFC7518 (JSON Web Algorithms) Section 3 |
29 | | * |
30 | | * Cryptographic Algorithms for Digital Signatures and MACs |
31 | | */ |
32 | | |
33 | | static const struct lws_jose_jwe_alg lws_gencrypto_jws_alg_map[] = { |
34 | | |
35 | | /* |
36 | | * JWSs MAY also be created that do not provide integrity protection. |
37 | | * Such a JWS is called an Unsecured JWS. An Unsecured JWS uses the |
38 | | * "alg" value "none" and is formatted identically to other JWSs, but |
39 | | * MUST use the empty octet sequence as its JWS Signature value. |
40 | | * Recipients MUST verify that the JWS Signature value is the empty |
41 | | * octet sequence. |
42 | | * |
43 | | * Implementations that support Unsecured JWSs MUST NOT accept such |
44 | | * objects as valid unless the application specifies that it is |
45 | | * acceptable for a specific object to not be integrity protected. |
46 | | * Implementations MUST NOT accept Unsecured JWSs by default. In order |
47 | | * to mitigate downgrade attacks, applications MUST NOT signal |
48 | | * acceptance of Unsecured JWSs at a global level, and SHOULD signal |
49 | | * acceptance on a per-object basis. See Section 8.5 for security |
50 | | * considerations associated with using this algorithm. |
51 | | */ |
52 | | { /* optional */ |
53 | | LWS_GENHASH_TYPE_UNKNOWN, |
54 | | LWS_GENHMAC_TYPE_UNKNOWN, |
55 | | LWS_JOSE_ENCTYPE_NONE, |
56 | | LWS_JOSE_ENCTYPE_NONE, |
57 | | "none", NULL, 0, 0, 0 |
58 | | }, |
59 | | |
60 | | /* |
61 | | * HMAC with SHA-2 Functions |
62 | | * |
63 | | * The HMAC SHA-256 MAC for a JWS is validated by computing an HMAC |
64 | | * value per RFC 2104, using SHA-256 as the hash algorithm "H", using |
65 | | * the received JWS Signing Input as the "text" value, and using the |
66 | | * shared key. This computed HMAC value is then compared to the result |
67 | | * of base64url decoding the received encoded JWS Signature value. The |
68 | | * comparison of the computed HMAC value to the JWS Signature value MUST |
69 | | * be done in a constant-time manner to thwart timing attacks. |
70 | | * |
71 | | * Alternatively, the computed HMAC value can be base64url encoded and |
72 | | * compared to the received encoded JWS Signature value (also in a |
73 | | * constant-time manner), as this comparison produces the same result as |
74 | | * comparing the unencoded values. In either case, if the values match, |
75 | | * the HMAC has been validated. |
76 | | */ |
77 | | |
78 | | { /* required: HMAC using SHA-256 */ |
79 | | LWS_GENHASH_TYPE_UNKNOWN, |
80 | | LWS_GENHMAC_TYPE_SHA256, |
81 | | LWS_JOSE_ENCTYPE_NONE, |
82 | | LWS_JOSE_ENCTYPE_NONE, |
83 | | "HS256", NULL, 0, 0, 0 |
84 | | }, |
85 | | { /* optional: HMAC using SHA-384 */ |
86 | | LWS_GENHASH_TYPE_UNKNOWN, |
87 | | LWS_GENHMAC_TYPE_SHA384, |
88 | | LWS_JOSE_ENCTYPE_NONE, |
89 | | LWS_JOSE_ENCTYPE_NONE, |
90 | | "HS384", NULL, 0, 0, 0 |
91 | | }, |
92 | | { /* optional: HMAC using SHA-512 */ |
93 | | LWS_GENHASH_TYPE_UNKNOWN, |
94 | | LWS_GENHMAC_TYPE_SHA512, |
95 | | LWS_JOSE_ENCTYPE_NONE, |
96 | | LWS_JOSE_ENCTYPE_NONE, |
97 | | "HS512", NULL, 0, 0, 0 |
98 | | }, |
99 | | |
100 | | /* |
101 | | * Digital Signature with RSASSA-PKCS1-v1_5 |
102 | | * |
103 | | * This section defines the use of the RSASSA-PKCS1-v1_5 digital |
104 | | * signature algorithm as defined in Section 8.2 of RFC 3447 [RFC3447] |
105 | | * (commonly known as PKCS #1), using SHA-2 [SHS] hash functions. |
106 | | * |
107 | | * A key of size 2048 bits or larger MUST be used with these algorithms. |
108 | | * |
109 | | * The RSASSA-PKCS1-v1_5 SHA-256 digital signature is generated as |
110 | | * follows: generate a digital signature of the JWS Signing Input using |
111 | | * RSASSA-PKCS1-v1_5-SIGN and the SHA-256 hash function with the desired |
112 | | * private key. This is the JWS Signature value. |
113 | | * |
114 | | * The RSASSA-PKCS1-v1_5 SHA-256 digital signature for a JWS is |
115 | | * validated as follows: submit the JWS Signing Input, the JWS |
116 | | * Signature, and the public key corresponding to the private key used |
117 | | * by the signer to the RSASSA-PKCS1-v1_5-VERIFY algorithm using SHA-256 |
118 | | * as the hash function. |
119 | | */ |
120 | | |
121 | | { /* recommended: RSASSA-PKCS1-v1_5 using SHA-256 */ |
122 | | LWS_GENHASH_TYPE_SHA256, |
123 | | LWS_GENHMAC_TYPE_UNKNOWN, |
124 | | LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, |
125 | | LWS_JOSE_ENCTYPE_NONE, |
126 | | "RS256", NULL, 2048, 4096, 0 |
127 | | }, |
128 | | { /* optional: RSASSA-PKCS1-v1_5 using SHA-384 */ |
129 | | LWS_GENHASH_TYPE_SHA384, |
130 | | LWS_GENHMAC_TYPE_UNKNOWN, |
131 | | LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, |
132 | | LWS_JOSE_ENCTYPE_NONE, |
133 | | "RS384", NULL, 2048, 4096, 0 |
134 | | }, |
135 | | { /* optional: RSASSA-PKCS1-v1_5 using SHA-512 */ |
136 | | LWS_GENHASH_TYPE_SHA512, |
137 | | LWS_GENHMAC_TYPE_UNKNOWN, |
138 | | LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, |
139 | | LWS_JOSE_ENCTYPE_NONE, |
140 | | "RS512", NULL, 2048, 4096, 0 |
141 | | }, |
142 | | |
143 | | /* |
144 | | * Digital Signature with ECDSA |
145 | | * |
146 | | * The ECDSA P-256 SHA-256 digital signature is generated as follows: |
147 | | * |
148 | | * 1. Generate a digital signature of the JWS Signing Input using ECDSA |
149 | | * P-256 SHA-256 with the desired private key. The output will be |
150 | | * the pair (R, S), where R and S are 256-bit unsigned integers. |
151 | | * 2. Turn R and S into octet sequences in big-endian order, with each |
152 | | * array being be 32 octets long. The octet sequence |
153 | | * representations MUST NOT be shortened to omit any leading zero |
154 | | * octets contained in the values. |
155 | | * |
156 | | * 3. Concatenate the two octet sequences in the order R and then S. |
157 | | * (Note that many ECDSA implementations will directly produce this |
158 | | * concatenation as their output.) |
159 | | * |
160 | | * 4. The resulting 64-octet sequence is the JWS Signature value. |
161 | | * |
162 | | * The ECDSA P-256 SHA-256 digital signature for a JWS is validated as |
163 | | * follows: |
164 | | * |
165 | | * 1. The JWS Signature value MUST be a 64-octet sequence. If it is |
166 | | * not a 64-octet sequence, the validation has failed. |
167 | | * |
168 | | * 2. Split the 64-octet sequence into two 32-octet sequences. The |
169 | | * first octet sequence represents R and the second S. The values R |
170 | | * and S are represented as octet sequences using the Integer-to- |
171 | | * OctetString Conversion defined in Section 2.3.7 of SEC1 [SEC1] |
172 | | * (in big-endian octet order). |
173 | | * 3. Submit the JWS Signing Input, R, S, and the public key (x, y) to |
174 | | * the ECDSA P-256 SHA-256 validator. |
175 | | */ |
176 | | |
177 | | { /* Recommended+: ECDSA using P-256 and SHA-256 */ |
178 | | LWS_GENHASH_TYPE_SHA256, |
179 | | LWS_GENHMAC_TYPE_UNKNOWN, |
180 | | LWS_JOSE_ENCTYPE_ECDSA, |
181 | | LWS_JOSE_ENCTYPE_NONE, |
182 | | "ES256", "P-256", 256, 256, 0 |
183 | | }, |
184 | | { /* optional: ECDSA using P-384 and SHA-384 */ |
185 | | LWS_GENHASH_TYPE_SHA384, |
186 | | LWS_GENHMAC_TYPE_UNKNOWN, |
187 | | LWS_JOSE_ENCTYPE_ECDSA, |
188 | | LWS_JOSE_ENCTYPE_NONE, |
189 | | "ES384", "P-384", 384, 384, 0 |
190 | | }, |
191 | | { /* optional: ECDSA using P-521 and SHA-512 */ |
192 | | LWS_GENHASH_TYPE_SHA512, |
193 | | LWS_GENHMAC_TYPE_UNKNOWN, |
194 | | LWS_JOSE_ENCTYPE_ECDSA, |
195 | | LWS_JOSE_ENCTYPE_NONE, |
196 | | "ES512", "P-521", 521, 521, 0 |
197 | | }, |
198 | | #if 0 |
199 | | Not yet supported |
200 | | |
201 | | /* |
202 | | * Digital Signature with RSASSA-PSS |
203 | | * |
204 | | * A key of size 2048 bits or larger MUST be used with this algorithm. |
205 | | * |
206 | | * The RSASSA-PSS SHA-256 digital signature is generated as follows: |
207 | | * generate a digital signature of the JWS Signing Input using RSASSA- |
208 | | * PSS-SIGN, the SHA-256 hash function, and the MGF1 mask generation |
209 | | * function with SHA-256 with the desired private key. This is the JWS |
210 | | * Signature value. |
211 | | * |
212 | | * The RSASSA-PSS SHA-256 digital signature for a JWS is validated as |
213 | | * follows: submit the JWS Signing Input, the JWS Signature, and the |
214 | | * public key corresponding to the private key used by the signer to the |
215 | | * RSASSA-PSS-VERIFY algorithm using SHA-256 as the hash function and |
216 | | * using MGF1 as the mask generation function with SHA-256. |
217 | | * |
218 | | */ |
219 | | { /* optional: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 */ |
220 | | LWS_GENHASH_TYPE_SHA256, |
221 | | LWS_GENHMAC_TYPE_UNKNOWN, |
222 | | LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS, |
223 | | LWS_JOSE_ENCTYPE_NONE, |
224 | | "PS256", NULL, 2048, 4096, 0 |
225 | | }, |
226 | | { /* optional: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 */ |
227 | | LWS_GENHASH_TYPE_SHA384, |
228 | | LWS_GENHMAC_TYPE_UNKNOWN, |
229 | | LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS, |
230 | | LWS_JOSE_ENCTYPE_NONE, |
231 | | "PS384", NULL, 2048, 4096, 0 |
232 | | }, |
233 | | { /* optional: RSASSA-PSS using SHA-512 and MGF1 with SHA-512*/ |
234 | | LWS_GENHASH_TYPE_SHA512, |
235 | | LWS_GENHMAC_TYPE_UNKNOWN, |
236 | | LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS, |
237 | | LWS_JOSE_ENCTYPE_NONE, |
238 | | "PS512", NULL, 2048, 4096, 0 |
239 | | }, |
240 | | #endif |
241 | | /* list terminator */ |
242 | | { 0, 0, 0, 0, NULL, NULL, 0, 0, 0} |
243 | | }; |
244 | | |
245 | | /* |
246 | | * These came from RFC7518 (JSON Web Algorithms) Section 4 |
247 | | * |
248 | | * Cryptographic Algorithms for Key Management |
249 | | * |
250 | | * JWE uses cryptographic algorithms to encrypt or determine the Content |
251 | | * Encryption Key (CEK). |
252 | | */ |
253 | | |
254 | | static const struct lws_jose_jwe_alg lws_gencrypto_jwe_alg_map[] = { |
255 | | |
256 | | /* |
257 | | * This section defines the specifics of encrypting a JWE CEK with |
258 | | * RSAES-PKCS1-v1_5 [RFC3447]. The "alg" (algorithm) Header Parameter |
259 | | * value "RSA1_5" is used for this algorithm. |
260 | | * |
261 | | * A key of size 2048 bits or larger MUST be used with this algorithm. |
262 | | */ |
263 | | |
264 | | { /* recommended-: RSAES-PKCS1-v1_5 */ |
265 | | LWS_GENHASH_TYPE_SHA256, |
266 | | LWS_GENHMAC_TYPE_UNKNOWN, |
267 | | LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, |
268 | | LWS_JOSE_ENCTYPE_NONE, |
269 | | "RSA1_5", NULL, 2048, 4096, 0 |
270 | | }, |
271 | | { /* recommended+: RSAES OAEP using default parameters */ |
272 | | LWS_GENHASH_TYPE_SHA1, |
273 | | LWS_GENHMAC_TYPE_UNKNOWN, |
274 | | LWS_JOSE_ENCTYPE_RSASSA_PKCS1_OAEP, |
275 | | LWS_JOSE_ENCTYPE_NONE, |
276 | | "RSA-OAEP", NULL, 2048, 4096, 0 |
277 | | }, |
278 | | { /* recommended+: RSAES OAEP using SHA-256 and MGF1 SHA-256 */ |
279 | | LWS_GENHASH_TYPE_SHA256, |
280 | | LWS_GENHMAC_TYPE_UNKNOWN, |
281 | | LWS_JOSE_ENCTYPE_RSASSA_PKCS1_OAEP, |
282 | | LWS_JOSE_ENCTYPE_NONE, |
283 | | "RSA-OAEP-256", NULL, 2048, 4096, 0 |
284 | | }, |
285 | | |
286 | | /* |
287 | | * Key Wrapping with AES Key Wrap |
288 | | * |
289 | | * This section defines the specifics of encrypting a JWE CEK with the |
290 | | * Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using |
291 | | * the default initial value specified in Section 2.2.3.1 of that |
292 | | * document. |
293 | | * |
294 | | * |
295 | | */ |
296 | | { /* recommended: AES Key Wrap with AES Key Wrap with defaults |
297 | | using 128-bit key */ |
298 | | LWS_GENHASH_TYPE_UNKNOWN, |
299 | | LWS_GENHMAC_TYPE_UNKNOWN, |
300 | | LWS_JOSE_ENCTYPE_AES_ECB, |
301 | | LWS_JOSE_ENCTYPE_NONE, |
302 | | "A128KW", NULL, 128, 128, 64 |
303 | | }, |
304 | | |
305 | | { /* optional: AES Key Wrap with AES Key Wrap with defaults |
306 | | using 192-bit key */ |
307 | | LWS_GENHASH_TYPE_UNKNOWN, |
308 | | LWS_GENHMAC_TYPE_UNKNOWN, |
309 | | LWS_JOSE_ENCTYPE_AES_ECB, |
310 | | LWS_JOSE_ENCTYPE_NONE, |
311 | | "A192KW", NULL, 192, 192, 64 |
312 | | }, |
313 | | |
314 | | { /* recommended: AES Key Wrap with AES Key Wrap with defaults |
315 | | using 256-bit key */ |
316 | | LWS_GENHASH_TYPE_UNKNOWN, |
317 | | LWS_GENHMAC_TYPE_UNKNOWN, |
318 | | LWS_JOSE_ENCTYPE_AES_ECB, |
319 | | LWS_JOSE_ENCTYPE_NONE, |
320 | | "A256KW", NULL, 256, 256, 64 |
321 | | }, |
322 | | |
323 | | /* |
324 | | * This section defines the specifics of directly performing symmetric |
325 | | * key encryption without performing a key wrapping step. In this case, |
326 | | * the shared symmetric key is used directly as the Content Encryption |
327 | | * Key (CEK) value for the "enc" algorithm. An empty octet sequence is |
328 | | * used as the JWE Encrypted Key value. The "alg" (algorithm) Header |
329 | | * Parameter value "dir" is used in this case. |
330 | | */ |
331 | | { /* recommended */ |
332 | | LWS_GENHASH_TYPE_UNKNOWN, |
333 | | LWS_GENHMAC_TYPE_UNKNOWN, |
334 | | LWS_JOSE_ENCTYPE_NONE, |
335 | | LWS_JOSE_ENCTYPE_NONE, |
336 | | "dir", NULL, 0, 0, 0 |
337 | | }, |
338 | | |
339 | | /* |
340 | | * Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static |
341 | | * (ECDH-ES) |
342 | | * |
343 | | * This section defines the specifics of key agreement with Elliptic |
344 | | * Curve Diffie-Hellman Ephemeral Static [RFC6090], in combination with |
345 | | * the Concat KDF, as defined in Section 5.8.1 of [NIST.800-56A]. The |
346 | | * key agreement result can be used in one of two ways: |
347 | | * |
348 | | * 1. directly as the Content Encryption Key (CEK) for the "enc" |
349 | | * algorithm, in the Direct Key Agreement mode, or |
350 | | * |
351 | | * 2. as a symmetric key used to wrap the CEK with the "A128KW", |
352 | | * "A192KW", or "A256KW" algorithms, in the Key Agreement with Key |
353 | | * Wrapping mode. |
354 | | * |
355 | | * A new ephemeral public key value MUST be generated for each key |
356 | | * agreement operation. |
357 | | * |
358 | | * In Direct Key Agreement mode, the output of the Concat KDF MUST be a |
359 | | * key of the same length as that used by the "enc" algorithm. In this |
360 | | * case, the empty octet sequence is used as the JWE Encrypted Key |
361 | | * value. The "alg" (algorithm) Header Parameter value "ECDH-ES" is |
362 | | * used in the Direct Key Agreement mode. |
363 | | * |
364 | | * In Key Agreement with Key Wrapping mode, the output of the Concat KDF |
365 | | * MUST be a key of the length needed for the specified key wrapping |
366 | | * algorithm. In this case, the JWE Encrypted Key is the CEK wrapped |
367 | | * with the agreed-upon key. |
368 | | */ |
369 | | |
370 | | { /* recommended+: ECDH Ephemeral Static Key agreement Concat KDF */ |
371 | | LWS_GENHASH_TYPE_SHA256, |
372 | | LWS_GENHMAC_TYPE_UNKNOWN, |
373 | | LWS_JOSE_ENCTYPE_ECDHES, |
374 | | LWS_JOSE_ENCTYPE_NONE, |
375 | | "ECDH-ES", NULL, 128, 128, 0 |
376 | | }, |
377 | | { /* recommended: ECDH-ES + Concat KDF + wrapped by AES128KW */ |
378 | | LWS_GENHASH_TYPE_SHA256, |
379 | | LWS_GENHMAC_TYPE_UNKNOWN, |
380 | | LWS_JOSE_ENCTYPE_ECDHES, |
381 | | LWS_JOSE_ENCTYPE_AES_ECB, |
382 | | "ECDH-ES+A128KW", NULL, 128, 128, 0 |
383 | | }, |
384 | | { /* optional: ECDH-ES + Concat KDF + wrapped by AES192KW */ |
385 | | LWS_GENHASH_TYPE_SHA256, |
386 | | LWS_GENHMAC_TYPE_UNKNOWN, |
387 | | LWS_JOSE_ENCTYPE_ECDHES, |
388 | | LWS_JOSE_ENCTYPE_AES_ECB, |
389 | | "ECDH-ES+A192KW", NULL, 192, 192, 0 |
390 | | }, |
391 | | { /* recommended: ECDH-ES + Concat KDF + wrapped by AES256KW */ |
392 | | LWS_GENHASH_TYPE_SHA256, |
393 | | LWS_GENHMAC_TYPE_UNKNOWN, |
394 | | LWS_JOSE_ENCTYPE_ECDHES, |
395 | | LWS_JOSE_ENCTYPE_AES_ECB, |
396 | | "ECDH-ES+A256KW", NULL, 256, 256, 0 |
397 | | }, |
398 | | |
399 | | /* |
400 | | * Key Encryption with AES GCM |
401 | | * |
402 | | * This section defines the specifics of encrypting a JWE Content |
403 | | * Encryption Key (CEK) with Advanced Encryption Standard (AES) in |
404 | | * Galois/Counter Mode (GCM) ([AES] and [NIST.800-38D]). |
405 | | * |
406 | | * Use of an Initialization Vector (IV) of size 96 bits is REQUIRED with |
407 | | * this algorithm. The IV is represented in base64url-encoded form as |
408 | | * the "iv" (initialization vector) Header Parameter value. |
409 | | * |
410 | | * The Additional Authenticated Data value used is the empty octet |
411 | | * string. |
412 | | * |
413 | | * The requested size of the Authentication Tag output MUST be 128 bits, |
414 | | * regardless of the key size. |
415 | | * |
416 | | * The JWE Encrypted Key value is the ciphertext output. |
417 | | * |
418 | | * The Authentication Tag output is represented in base64url-encoded |
419 | | * form as the "tag" (authentication tag) Header Parameter value. |
420 | | * |
421 | | * |
422 | | * "iv" (Initialization Vector) Header Parameter |
423 | | * |
424 | | * The "iv" (initialization vector) Header Parameter value is the |
425 | | * base64url-encoded representation of the 96-bit IV value used for the |
426 | | * key encryption operation. This Header Parameter MUST be present and |
427 | | * MUST be understood and processed by implementations when these |
428 | | * algorithms are used. |
429 | | * |
430 | | * "tag" (Authentication Tag) Header Parameter |
431 | | * |
432 | | * The "tag" (authentication tag) Header Parameter value is the |
433 | | * base64url-encoded representation of the 128-bit Authentication Tag |
434 | | * value resulting from the key encryption operation. This Header |
435 | | * Parameter MUST be present and MUST be understood and processed by |
436 | | * implementations when these algorithms are used. |
437 | | */ |
438 | | { /* optional: Key wrapping with AES GCM using 128-bit key */ |
439 | | LWS_GENHASH_TYPE_UNKNOWN, |
440 | | LWS_GENHMAC_TYPE_UNKNOWN, |
441 | | LWS_JOSE_ENCTYPE_AES_ECB, |
442 | | LWS_JOSE_ENCTYPE_NONE, |
443 | | "A128GCMKW", NULL, 128, 128, 96 |
444 | | }, |
445 | | |
446 | | { /* optional: Key wrapping with AES GCM using 192-bit key */ |
447 | | LWS_GENHASH_TYPE_UNKNOWN, |
448 | | LWS_GENHMAC_TYPE_UNKNOWN, |
449 | | LWS_JOSE_ENCTYPE_AES_ECB, |
450 | | LWS_JOSE_ENCTYPE_NONE, |
451 | | "A192GCMKW", NULL, 192, 192, 96 |
452 | | }, |
453 | | |
454 | | { /* optional: Key wrapping with AES GCM using 256-bit key */ |
455 | | LWS_GENHASH_TYPE_UNKNOWN, |
456 | | LWS_GENHMAC_TYPE_UNKNOWN, |
457 | | LWS_JOSE_ENCTYPE_AES_ECB, |
458 | | LWS_JOSE_ENCTYPE_NONE, |
459 | | "A256GCMKW", NULL, 256, 256, 96 |
460 | | }, |
461 | | |
462 | | /* list terminator */ |
463 | | { 0, 0, 0, 0, NULL, NULL, 0, 0, 0 } |
464 | | }; |
465 | | |
466 | | /* |
467 | | * The "enc" (encryption algorithm) Header Parameter identifies the |
468 | | * content encryption algorithm used to perform authenticated encryption |
469 | | * on the plaintext to produce the ciphertext and the Authentication |
470 | | * Tag. This algorithm MUST be an AEAD algorithm with a specified key |
471 | | * length. The encrypted content is not usable if the "enc" value does |
472 | | * not represent a supported algorithm. "enc" values should either be |
473 | | * registered in the IANA "JSON Web Signature and Encryption Algorithms" |
474 | | * registry established by [JWA] or be a value that contains a |
475 | | * Collision-Resistant Name. The "enc" value is a case-sensitive ASCII |
476 | | * string containing a StringOrURI value. This Header Parameter MUST be |
477 | | * present and MUST be understood and processed by implementations. |
478 | | */ |
479 | | |
480 | | static const struct lws_jose_jwe_alg lws_gencrypto_jwe_enc_map[] = { |
481 | | /* |
482 | | * AES_128_CBC_HMAC_SHA_256 / 512 |
483 | | * |
484 | | * It uses the HMAC message authentication code [RFC2104] with the |
485 | | * SHA-256 hash function [SHS] to provide message authentication, with |
486 | | * the HMAC output truncated to 128 bits, corresponding to the |
487 | | * HMAC-SHA-256-128 algorithm defined in [RFC4868]. For encryption, it |
488 | | * uses AES in the CBC mode of operation as defined in Section 6.2 of |
489 | | * [NIST.800-38A], with PKCS #7 padding and a 128-bit IV value. |
490 | | * |
491 | | * The AES_CBC_HMAC_SHA2 parameters specific to AES_128_CBC_HMAC_SHA_256 |
492 | | * are: |
493 | | * |
494 | | * The input key K is 32 octets long. |
495 | | * ENC_KEY_LEN is 16 octets. |
496 | | * MAC_KEY_LEN is 16 octets. |
497 | | * The SHA-256 hash algorithm is used for the HMAC. |
498 | | * The HMAC-SHA-256 output is truncated to T_LEN=16 octets, by |
499 | | * stripping off the final 16 octets. |
500 | | */ |
501 | | { /* required */ |
502 | | LWS_GENHASH_TYPE_UNKNOWN, |
503 | | LWS_GENHMAC_TYPE_SHA256, |
504 | | LWS_JOSE_ENCTYPE_NONE, |
505 | | LWS_JOSE_ENCTYPE_AES_CBC, |
506 | | "A128CBC-HS256", NULL, 256, 256, 128 |
507 | | }, |
508 | | /* |
509 | | * AES_192_CBC_HMAC_SHA_384 is based on AES_128_CBC_HMAC_SHA_256, but |
510 | | * with the following differences: |
511 | | * |
512 | | * The input key K is 48 octets long instead of 32. |
513 | | * ENC_KEY_LEN is 24 octets instead of 16. |
514 | | * MAC_KEY_LEN is 24 octets instead of 16. |
515 | | * SHA-384 is used for the HMAC instead of SHA-256. |
516 | | * The HMAC SHA-384 value is truncated to T_LEN=24 octets instead of 16. |
517 | | */ |
518 | | { /* required */ |
519 | | LWS_GENHASH_TYPE_UNKNOWN, |
520 | | LWS_GENHMAC_TYPE_SHA384, |
521 | | LWS_JOSE_ENCTYPE_NONE, |
522 | | LWS_JOSE_ENCTYPE_AES_CBC, |
523 | | "A192CBC-HS384", NULL, 384, 384, 192 |
524 | | }, |
525 | | /* |
526 | | * AES_256_CBC_HMAC_SHA_512 is based on AES_128_CBC_HMAC_SHA_256, but |
527 | | * with the following differences: |
528 | | * |
529 | | * The input key K is 64 octets long instead of 32. |
530 | | * ENC_KEY_LEN is 32 octets instead of 16. |
531 | | * MAC_KEY_LEN is 32 octets instead of 16. |
532 | | * SHA-512 is used for the HMAC instead of SHA-256. |
533 | | * The HMAC SHA-512 value is truncated to T_LEN=32 octets instead of 16. |
534 | | */ |
535 | | { /* required */ |
536 | | LWS_GENHASH_TYPE_UNKNOWN, |
537 | | LWS_GENHMAC_TYPE_SHA512, |
538 | | LWS_JOSE_ENCTYPE_NONE, |
539 | | LWS_JOSE_ENCTYPE_AES_CBC, |
540 | | "A256CBC-HS512", NULL, 512, 512, 256 |
541 | | }, |
542 | | |
543 | | /* |
544 | | * The CEK is used as the encryption key. |
545 | | * |
546 | | * Use of an IV of size 96 bits is REQUIRED with this algorithm. |
547 | | * |
548 | | * The requested size of the Authentication Tag output MUST be 128 bits, |
549 | | * regardless of the key size. |
550 | | */ |
551 | | { /* recommended: AES GCM using 128-bit key */ |
552 | | LWS_GENHASH_TYPE_UNKNOWN, |
553 | | LWS_GENHMAC_TYPE_UNKNOWN, |
554 | | LWS_JOSE_ENCTYPE_NONE, |
555 | | LWS_JOSE_ENCTYPE_AES_GCM, |
556 | | "A128GCM", NULL, 128, 128, 96 |
557 | | }, |
558 | | { /* optional: AES GCM using 192-bit key */ |
559 | | LWS_GENHASH_TYPE_UNKNOWN, |
560 | | LWS_GENHMAC_TYPE_UNKNOWN, |
561 | | LWS_JOSE_ENCTYPE_NONE, |
562 | | LWS_JOSE_ENCTYPE_AES_GCM, |
563 | | "A192GCM", NULL, 192, 192, 96 |
564 | | }, |
565 | | { /* recommended: AES GCM using 256-bit key */ |
566 | | LWS_GENHASH_TYPE_UNKNOWN, |
567 | | LWS_GENHMAC_TYPE_UNKNOWN, |
568 | | LWS_JOSE_ENCTYPE_NONE, |
569 | | LWS_JOSE_ENCTYPE_AES_GCM, |
570 | | "A256GCM", NULL, 256, 256, 96 |
571 | | }, |
572 | | { 0, 0, 0, 0, NULL, NULL, 0, 0, 0 } /* sentinel */ |
573 | | }; |
574 | | |
575 | | int |
576 | | lws_gencrypto_jws_alg_to_definition(const char *alg, |
577 | | const struct lws_jose_jwe_alg **jose) |
578 | 0 | { |
579 | 0 | const struct lws_jose_jwe_alg *a = lws_gencrypto_jws_alg_map; |
580 | |
|
581 | 0 | while (a->alg) { |
582 | 0 | if (!strcmp(alg, a->alg)) { |
583 | 0 | *jose = a; |
584 | |
|
585 | 0 | return 0; |
586 | 0 | } |
587 | 0 | a++; |
588 | 0 | } |
589 | | |
590 | 0 | return 1; |
591 | 0 | } |
592 | | |
593 | | int |
594 | | lws_gencrypto_jwe_alg_to_definition(const char *alg, |
595 | | const struct lws_jose_jwe_alg **jose) |
596 | 0 | { |
597 | 0 | const struct lws_jose_jwe_alg *a = lws_gencrypto_jwe_alg_map; |
598 | |
|
599 | 0 | while (a->alg) { |
600 | 0 | if (!strcmp(alg, a->alg)) { |
601 | 0 | *jose = a; |
602 | |
|
603 | 0 | return 0; |
604 | 0 | } |
605 | 0 | a++; |
606 | 0 | } |
607 | | |
608 | 0 | return 1; |
609 | 0 | } |
610 | | |
611 | | int |
612 | | lws_gencrypto_jwe_enc_to_definition(const char *enc, |
613 | | const struct lws_jose_jwe_alg **jose) |
614 | 0 | { |
615 | 0 | const struct lws_jose_jwe_alg *e = lws_gencrypto_jwe_enc_map; |
616 | |
|
617 | 0 | while (e->alg) { |
618 | 0 | if (!strcmp(enc, e->alg)) { |
619 | 0 | *jose = e; |
620 | |
|
621 | 0 | return 0; |
622 | 0 | } |
623 | 0 | e++; |
624 | 0 | } |
625 | | |
626 | 0 | return 1; |
627 | 0 | } |
628 | | |
629 | | size_t |
630 | | lws_genhash_size(enum lws_genhash_types type) |
631 | 0 | { |
632 | 0 | switch(type) { |
633 | 0 | case LWS_GENHASH_TYPE_UNKNOWN: |
634 | 0 | return 0; |
635 | 0 | case LWS_GENHASH_TYPE_MD5: |
636 | 0 | return 16; |
637 | 0 | case LWS_GENHASH_TYPE_SHA1: |
638 | 0 | return 20; |
639 | 0 | case LWS_GENHASH_TYPE_SHA256: |
640 | 0 | return 32; |
641 | 0 | case LWS_GENHASH_TYPE_SHA384: |
642 | 0 | return 48; |
643 | 0 | case LWS_GENHASH_TYPE_SHA512: |
644 | 0 | return 64; |
645 | 0 | } |
646 | | |
647 | 0 | return 0; |
648 | 0 | } |
649 | | |
650 | | size_t |
651 | | lws_genhmac_size(enum lws_genhmac_types type) |
652 | 0 | { |
653 | 0 | switch(type) { |
654 | 0 | case LWS_GENHMAC_TYPE_UNKNOWN: |
655 | 0 | return 0; |
656 | 0 | case LWS_GENHMAC_TYPE_SHA256: |
657 | 0 | return 32; |
658 | 0 | case LWS_GENHMAC_TYPE_SHA384: |
659 | 0 | return 48; |
660 | 0 | case LWS_GENHMAC_TYPE_SHA512: |
661 | 0 | return 64; |
662 | 0 | } |
663 | | |
664 | 0 | return 0; |
665 | 0 | } |
666 | | |
667 | | int |
668 | | lws_gencrypto_bits_to_bytes(int bits) |
669 | 0 | { |
670 | 0 | if (bits & 7) |
671 | 0 | return (bits / 8) + 1; |
672 | | |
673 | 0 | return bits / 8; |
674 | 0 | } |
675 | | |
676 | | int |
677 | | lws_base64_size(int bytes) |
678 | 0 | { |
679 | 0 | return ((bytes * 4) / 3) + 6; |
680 | 0 | } |
681 | | |
682 | | void |
683 | | lws_gencrypto_destroy_elements(struct lws_gencrypto_keyelem *el, int m) |
684 | 0 | { |
685 | 0 | int n; |
686 | |
|
687 | 0 | for (n = 0; n < m; n++) |
688 | 0 | if (el[n].buf) |
689 | 0 | lws_free_set_NULL(el[n].buf); |
690 | 0 | } |
691 | | |
692 | | size_t lws_gencrypto_padded_length(size_t pad_block_size, size_t len) |
693 | 0 | { |
694 | 0 | return (len / pad_block_size + 1) * pad_block_size; |
695 | 0 | } |