2 * libwebsockets - JSON Web Encryption support
4 * Copyright (C) 2018 Andy Green <andy@warmcat.com>
6 * This library is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU Lesser General Public
8 * License as published by the Free Software Foundation:
9 * version 2.1 of the License.
11 * This library is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 * Lesser General Public License for more details.
16 * You should have received a copy of the GNU Lesser General Public
17 * License along with this library; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
22 * JWE code for payload encrypt / decrypt using aescbc
25 #include "core/private.h"
26 #include "jose/jwe/private.h"
29 lws_jwe_encrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *cek,
30 uint8_t *aad, int aad_len)
32 int n, hlen = lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
33 uint8_t digest[LWS_GENHASH_LARGEST];
34 struct lws_gencrypto_keyelem el;
35 struct lws_genhmac_ctx hmacctx;
36 struct lws_genaes_ctx aesctx;
39 /* Caller must have prepared space for the results */
41 if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
42 lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
43 hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
47 if (jwe->jws.map.len[LJWE_IV] != 16) {
48 lwsl_notice("expected iv len %d, got %d\n", 16,
49 jwe->jws.map.len[LJWE_IV]);
53 /* first create the authentication hmac */
55 /* JWA Section 5.2.2.1
57 * 1. The secondary keys MAC_KEY and ENC_KEY are generated from the
58 * input key K as follows. Each of these two keys is an octet
61 * MAC_KEY consists of the initial MAC_KEY_LEN octets of K, in
63 * ENC_KEY consists of the final ENC_KEY_LEN octets of K, in
68 * 2. The IV used is a 128-bit value generated randomly or
69 * pseudorandomly for use in the cipher.
71 lws_get_random(jwe->jws.context, (void *)jwe->jws.map.buf[LJWE_IV], 16);
74 * 3. The plaintext is CBC encrypted using PKCS #7 padding using
75 * ENC_KEY as the key and the IV. We denote the ciphertext output
76 * from this step as E.
79 /* second half is the AES ENC_KEY */
80 el.buf = cek + (hlen / 2);
83 if (lws_genaes_create(&aesctx, LWS_GAESO_ENC, LWS_GAESM_CBC, &el,
84 LWS_GAESP_NO_PADDING, NULL)) {
85 lwsl_err("%s: lws_genaes_create failed\n", __func__);
91 * the plaintext gets delivered to us in LJWE_CTXT, this replaces
92 * the plaintext there with the same amount of ciphertext
94 n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
95 jwe->jws.map.len[LJWE_CTXT],
96 (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
97 (uint8_t *)jwe->jws.map.buf[LJWE_IV],
99 lws_genaes_destroy(&aesctx, NULL, 0);
101 lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
106 * 4. The octet string AL is equal to the number of bits in the
107 * Additional Authenticated Data A expressed as a 64-bit unsigned
108 * big-endian integer.
110 lws_jwe_be64(aad_len * 8, al);
112 /* first half of the CEK is the MAC key */
113 if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type,
118 * 5. A message Authentication Tag T is computed by applying HMAC
119 * [RFC2104] to the following data, in order:
121 * - the Additional Authenticated Data A,
122 * - the Initialization Vector IV,
123 * - the ciphertext E computed in the previous step, and
124 * - the octet string AL defined above.
126 * The string MAC_KEY is used as the MAC key. We denote the output
127 * of the MAC computed in this step as M. The first T_LEN octets of
131 if (lws_genhmac_update(&hmacctx, aad, aad_len) ||
132 lws_genhmac_update(&hmacctx, jwe->jws.map.buf[LJWE_IV],
133 LWS_JWE_AES_IV_BYTES) ||
134 /* since we encrypted it, this is the ciphertext */
135 lws_genhmac_update(&hmacctx,
136 (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
137 jwe->jws.map.len[LJWE_CTXT]) ||
138 lws_genhmac_update(&hmacctx, al, 8)) {
139 lwsl_err("%s: hmac computation failed\n", __func__);
140 lws_genhmac_destroy(&hmacctx, NULL);
144 if (lws_genhmac_destroy(&hmacctx, digest)) {
145 lwsl_err("%s: problem destroying hmac\n", __func__);
150 memcpy((void *)jwe->jws.map.buf[LJWE_ATAG], digest, hlen / 2);
152 return jwe->jws.map.len[LJWE_CTXT];
156 lws_jwe_auth_and_decrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *enc_cek,
157 uint8_t *aad, int aad_len)
159 int n, hlen = lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
160 uint8_t digest[LWS_GENHASH_LARGEST];
161 struct lws_gencrypto_keyelem el;
162 struct lws_genhmac_ctx hmacctx;
163 struct lws_genaes_ctx aesctx;
166 /* Some sanity checks on what came in */
168 if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
169 lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
170 hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
174 if (jwe->jws.map.len[LJWE_IV] != 16) {
175 lwsl_notice("expected iv len %d, got %d\n", 16,
176 jwe->jws.map.len[LJWE_IV]);
180 /* Prepare to check authentication
182 * AAD is the b64 JOSE header.
184 * The octet string AL, which is the number of bits in AAD expressed as
185 * a big-endian 64-bit unsigned integer is:
187 * [0, 0, 0, 0, 0, 0, 1, 152]
189 * Concatenate the AAD, the Initialization Vector, the ciphertext, and
194 lws_jwe_be64(aad_len * 8, al);
196 /* first half of enc_cek is the MAC key */
197 if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type, enc_cek,
199 lwsl_err("%s: lws_genhmac_init fail\n", __func__);
203 if (lws_genhmac_update(&hmacctx, aad, aad_len) ||
204 lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_IV],
205 jwe->jws.map.len[LJWE_IV]) ||
206 lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
207 jwe->jws.map.len[LJWE_CTXT]) ||
208 lws_genhmac_update(&hmacctx, al, 8)) {
209 lwsl_err("%s: hmac computation failed\n", __func__);
210 lws_genhmac_destroy(&hmacctx, NULL);
214 if (lws_genhmac_destroy(&hmacctx, digest)) {
215 lwsl_err("%s: problem destroying hmac\n", __func__);
219 /* first half of digest is the auth tag */
221 if (lws_timingsafe_bcmp(digest, jwe->jws.map.buf[LJWE_ATAG], hlen / 2)) {
222 lwsl_err("%s: auth failed: hmac tag (%d) != ATAG (%d)\n",
223 __func__, hlen / 2, jwe->jws.map.len[LJWE_ATAG]);
224 lwsl_hexdump_notice(jwe->jws.map.buf[LJWE_ATAG], hlen / 2);
225 lwsl_hexdump_notice(digest, hlen / 2);
229 /* second half of enc cek is the CEK KEY */
230 el.buf = enc_cek + (hlen / 2);
233 if (lws_genaes_create(&aesctx, LWS_GAESO_DEC, LWS_GAESM_CBC,
234 &el, LWS_GAESP_NO_PADDING, NULL)) {
235 lwsl_err("%s: lws_genaes_create failed\n", __func__);
240 n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
241 jwe->jws.map.len[LJWE_CTXT],
242 (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
243 (uint8_t *)jwe->jws.map.buf[LJWE_IV], NULL, NULL, 16);
244 n |= lws_genaes_destroy(&aesctx, NULL, 0);
246 lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
250 return jwe->jws.map.len[LJWE_CTXT];