1  /*
2  * libwebsockets - small server side websockets and web server implementation
3  *
4  * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining a copy
7  * of this software and associated documentation files (the "Software"), to
8  * deal in the Software without restriction, including without limitation the
9  * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
10  * sell copies of the Software, and to permit persons to whom the Software is
11  * furnished to do so, subject to the following conditions:
12  *
13  * The above copyright notice and this permission notice shall be included in
14  * all copies or substantial portions of the Software.
15  *
16  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
17  * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
18  * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
19  * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
20  * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
21  * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22  * IN THE SOFTWARE.
23  *
24  * JWE Compact Serialization consists of
25  *
26  *     BASE64URL(UTF8(JWE Protected Header)) || '.' ||
27  *     BASE64URL(JWE Encrypted Key)	     || '.' ||
28  *     BASE64URL(JWE Initialization Vector)  || '.' ||
29  *     BASE64URL(JWE Ciphertext)	     || '.' ||
30  *     BASE64URL(JWE Authentication Tag)
31  */
32 
33 #define LWS_JWE_RFC3394_OVERHEAD_BYTES 8
34 #define LWS_JWE_AES_IV_BYTES 16
35 
36 #define LWS_JWE_LIMIT_RSA_KEY_BITS 4096
37 #define LWS_JWE_LIMIT_AES_KEY_BITS (512 + 64) /* RFC3394 Key Wrap adds 64b */
38 #define LWS_JWE_LIMIT_EC_KEY_BITS  528 /* 521 rounded to byte boundary */
39 #define LWS_JWE_LIMIT_HASH_BITS    (LWS_GENHASH_LARGEST * 8)
40 
41 /* the largest key element for any cipher */
42 #define LWS_JWE_LIMIT_KEY_ELEMENT_BYTES (LWS_JWE_LIMIT_RSA_KEY_BITS / 8)
43 
44 
45 struct lws_jwe {
46 	struct lws_jose jose;
47 	struct lws_jws jws;
48 	struct lws_jwk jwk;
49 
50 	/*
51 	 * We have to keep a copy of the CEK so we can reuse it with later
52 	 * key encryptions for the multiple recipient case.
53 	 */
54 	uint8_t cek[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES];
55 	unsigned int cek_valid:1;
56 
57 	int recip;
58 };
59 
60 LWS_VISIBLE LWS_EXTERN void
61 lws_jwe_init(struct lws_jwe *jwe, struct lws_context *context);
62 
63 LWS_VISIBLE LWS_EXTERN void
64 lws_jwe_destroy(struct lws_jwe *jwe);
65 
66 LWS_VISIBLE LWS_EXTERN void
67 lws_jwe_be64(uint64_t c, uint8_t *p8);
68 
69 /*
70  * JWE Compact Serialization consists of
71  *
72  *     BASE64URL(UTF8(JWE Protected Header)) || '.' ||
73  *     BASE64URL(JWE Encrypted Key)	     || '.' ||
74  *     BASE64URL(JWE Initialization Vector)  || '.' ||
75  *     BASE64URL(JWE Ciphertext)	     || '.' ||
76  *     BASE64URL(JWE Authentication Tag)
77  */
78 
79 LWS_VISIBLE LWS_EXTERN int
80 lws_jwe_render_compact(struct lws_jwe *jwe, char *out, size_t out_len);
81 
82 LWS_VISIBLE int
83 lws_jwe_render_flattened(struct lws_jwe *jwe, char *out, size_t out_len);
84 
85 LWS_VISIBLE LWS_EXTERN int
86 lws_jwe_json_parse(struct lws_jwe *jwe, const uint8_t *buf, int len,
87 		   char *temp, int *temp_len);
88 
89 /**
90  * lws_jwe_auth_and_decrypt() - confirm and decrypt JWE
91  *
92  * \param jose: jose context
93  * \param jws: jws / jwe context... .map and .map_b64 must be filled already
94  *
95  * This is a high level JWE decrypt api that takes a jws with the maps
96  * already processed, and if the authentication passes, returns the decrypted
97  * plaintext in jws.map.buf[LJWE_CTXT] and its length in jws.map.len[LJWE_CTXT].
98  *
99  * In the jws, the following fields must have been set by the caller
100  *
101  * .context
102  * .jwk (the key encryption key)
103  * .map
104  * .map_b64
105  *
106  * Having the b64 and decoded maps filled externally makes it flexible where
107  * the data was picked from, eg, from a Complete JWE JSON serialization, a
108  * flattened one, or a Compact Serialization.
109  *
110  * Returns decrypt length, or -1 for failure.
111  */
112 LWS_VISIBLE LWS_EXTERN int
113 lws_jwe_auth_and_decrypt(struct lws_jwe *jwe, char *temp, int *temp_len);
114 
115 /**
116  * lws_jwe_encrypt() - perform JWE encryption
117  *
118  * \param jose: the JOSE header information (encryption types, etc)
119  * \param jws: the JWE elements, pointer to jwk etc
120  * \param temp: parent-owned buffer to "allocate" elements into
121  * \param temp_len: amount of space available in temp
122  *
123  * May be called up to LWS_JWS_MAX_RECIPIENTS times to encrypt the same CEK
124  * multiple ways on the same JWE payload.
125  *
126  * returns the amount of temp used, or -1 for error.
127  */
128 LWS_VISIBLE LWS_EXTERN int
129 lws_jwe_encrypt(struct lws_jwe *jwe, char *temp, int *temp_len);
130 
131 /**
132  * lws_jwe_create_packet() - add b64 sig to b64 hdr + payload
133  *
134  * \param jwe: the struct lws_jwe we are trying to render
135  * \param payload: unencoded payload JSON
136  * \param len: length of unencoded payload JSON
137  * \param nonce: Nonse string to include in protected header
138  * \param out: buffer to take signed packet
139  * \param out_len: size of \p out buffer
140  * \param conext: lws_context to get random from
141  *
142  * This creates a "flattened" JWS packet from the jwk and the plaintext
143  * payload, and signs it.  The packet is written into \p out.
144  *
145  * This does the whole packet assembly and signing, calling through to
146  * lws_jws_sign_from_b64() as part of the process.
147  *
148  * Returns the length written to \p out, or -1.
149  */
150 LWS_VISIBLE LWS_EXTERN int
151 lws_jwe_create_packet(struct lws_jwe *jwe,
152 		      const char *payload, size_t len, const char *nonce,
153 		      char *out, size_t out_len, struct lws_context *context);
154 
155 
156 /* only exposed because we have test vectors that need it */
157 LWS_VISIBLE LWS_EXTERN int
158 lws_jwe_auth_and_decrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *enc_cek,
159 					uint8_t *aad, int aad_len);
160 
161 /* only exposed because we have test vectors that need it */
162 LWS_VISIBLE LWS_EXTERN int
163 lws_jwa_concat_kdf(struct lws_jwe *jwe, int direct,
164 		   uint8_t *out, const uint8_t *shared_secret, int sslen);
165