| /* |
| * libwebsockets - small server side websockets and web server implementation |
| * |
| * Copyright (C) 2010 - 2019 Andy Green <[email protected]> |
| * |
| * Permission is hereby granted, free of charge, to any person obtaining a copy |
| * of this software and associated documentation files (the "Software"), to |
| * deal in the Software without restriction, including without limitation the |
| * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or |
| * sell copies of the Software, and to permit persons to whom the Software is |
| * furnished to do so, subject to the following conditions: |
| * |
| * The above copyright notice and this permission notice shall be included in |
| * all copies or substantial portions of the Software. |
| * |
| * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
| * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
| * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE |
| * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
| * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING |
| * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS |
| * IN THE SOFTWARE. |
| */ |
| |
| #include "private-lib-core.h" |
| |
| /* |
| * These came from RFC7518 (JSON Web Algorithms) Section 3 |
| * |
| * Cryptographic Algorithms for Digital Signatures and MACs |
| */ |
| |
| static const struct lws_jose_jwe_alg lws_gencrypto_jws_alg_map[] = { |
| |
| /* |
| * JWSs MAY also be created that do not provide integrity protection. |
| * Such a JWS is called an Unsecured JWS. An Unsecured JWS uses the |
| * "alg" value "none" and is formatted identically to other JWSs, but |
| * MUST use the empty octet sequence as its JWS Signature value. |
| * Recipients MUST verify that the JWS Signature value is the empty |
| * octet sequence. |
| * |
| * Implementations that support Unsecured JWSs MUST NOT accept such |
| * objects as valid unless the application specifies that it is |
| * acceptable for a specific object to not be integrity protected. |
| * Implementations MUST NOT accept Unsecured JWSs by default. In order |
| * to mitigate downgrade attacks, applications MUST NOT signal |
| * acceptance of Unsecured JWSs at a global level, and SHOULD signal |
| * acceptance on a per-object basis. See Section 8.5 for security |
| * considerations associated with using this algorithm. |
| */ |
| { /* optional */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_NONE, |
| "none", NULL, 0, 0, 0 |
| }, |
| |
| /* |
| * HMAC with SHA-2 Functions |
| * |
| * The HMAC SHA-256 MAC for a JWS is validated by computing an HMAC |
| * value per RFC 2104, using SHA-256 as the hash algorithm "H", using |
| * the received JWS Signing Input as the "text" value, and using the |
| * shared key. This computed HMAC value is then compared to the result |
| * of base64url decoding the received encoded JWS Signature value. The |
| * comparison of the computed HMAC value to the JWS Signature value MUST |
| * be done in a constant-time manner to thwart timing attacks. |
| * |
| * Alternatively, the computed HMAC value can be base64url encoded and |
| * compared to the received encoded JWS Signature value (also in a |
| * constant-time manner), as this comparison produces the same result as |
| * comparing the unencoded values. In either case, if the values match, |
| * the HMAC has been validated. |
| */ |
| |
| { /* required: HMAC using SHA-256 */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_SHA256, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_NONE, |
| "HS256", NULL, 0, 0, 0 |
| }, |
| { /* optional: HMAC using SHA-384 */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_SHA384, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_NONE, |
| "HS384", NULL, 0, 0, 0 |
| }, |
| { /* optional: HMAC using SHA-512 */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_SHA512, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_NONE, |
| "HS512", NULL, 0, 0, 0 |
| }, |
| |
| /* |
| * Digital Signature with RSASSA-PKCS1-v1_5 |
| * |
| * This section defines the use of the RSASSA-PKCS1-v1_5 digital |
| * signature algorithm as defined in Section 8.2 of RFC 3447 [RFC3447] |
| * (commonly known as PKCS #1), using SHA-2 [SHS] hash functions. |
| * |
| * A key of size 2048 bits or larger MUST be used with these algorithms. |
| * |
| * The RSASSA-PKCS1-v1_5 SHA-256 digital signature is generated as |
| * follows: generate a digital signature of the JWS Signing Input using |
| * RSASSA-PKCS1-v1_5-SIGN and the SHA-256 hash function with the desired |
| * private key. This is the JWS Signature value. |
| * |
| * The RSASSA-PKCS1-v1_5 SHA-256 digital signature for a JWS is |
| * validated as follows: submit the JWS Signing Input, the JWS |
| * Signature, and the public key corresponding to the private key used |
| * by the signer to the RSASSA-PKCS1-v1_5-VERIFY algorithm using SHA-256 |
| * as the hash function. |
| */ |
| |
| { /* recommended: RSASSA-PKCS1-v1_5 using SHA-256 */ |
| LWS_GENHASH_TYPE_SHA256, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, |
| LWS_JOSE_ENCTYPE_NONE, |
| "RS256", NULL, 2048, 4096, 0 |
| }, |
| { /* optional: RSASSA-PKCS1-v1_5 using SHA-384 */ |
| LWS_GENHASH_TYPE_SHA384, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, |
| LWS_JOSE_ENCTYPE_NONE, |
| "RS384", NULL, 2048, 4096, 0 |
| }, |
| { /* optional: RSASSA-PKCS1-v1_5 using SHA-512 */ |
| LWS_GENHASH_TYPE_SHA512, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, |
| LWS_JOSE_ENCTYPE_NONE, |
| "RS512", NULL, 2048, 4096, 0 |
| }, |
| |
| /* |
| * Digital Signature with ECDSA |
| * |
| * The ECDSA P-256 SHA-256 digital signature is generated as follows: |
| * |
| * 1. Generate a digital signature of the JWS Signing Input using ECDSA |
| * P-256 SHA-256 with the desired private key. The output will be |
| * the pair (R, S), where R and S are 256-bit unsigned integers. |
| * 2. Turn R and S into octet sequences in big-endian order, with each |
| * array being be 32 octets long. The octet sequence |
| * representations MUST NOT be shortened to omit any leading zero |
| * octets contained in the values. |
| * |
| * 3. Concatenate the two octet sequences in the order R and then S. |
| * (Note that many ECDSA implementations will directly produce this |
| * concatenation as their output.) |
| * |
| * 4. The resulting 64-octet sequence is the JWS Signature value. |
| * |
| * The ECDSA P-256 SHA-256 digital signature for a JWS is validated as |
| * follows: |
| * |
| * 1. The JWS Signature value MUST be a 64-octet sequence. If it is |
| * not a 64-octet sequence, the validation has failed. |
| * |
| * 2. Split the 64-octet sequence into two 32-octet sequences. The |
| * first octet sequence represents R and the second S. The values R |
| * and S are represented as octet sequences using the Integer-to- |
| * OctetString Conversion defined in Section 2.3.7 of SEC1 [SEC1] |
| * (in big-endian octet order). |
| * 3. Submit the JWS Signing Input, R, S, and the public key (x, y) to |
| * the ECDSA P-256 SHA-256 validator. |
| */ |
| |
| { /* Recommended+: ECDSA using P-256 and SHA-256 */ |
| LWS_GENHASH_TYPE_SHA256, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_ECDSA, |
| LWS_JOSE_ENCTYPE_NONE, |
| "ES256", "P-256", 256, 256, 0 |
| }, |
| { /* optional: ECDSA using P-384 and SHA-384 */ |
| LWS_GENHASH_TYPE_SHA384, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_ECDSA, |
| LWS_JOSE_ENCTYPE_NONE, |
| "ES384", "P-384", 384, 384, 0 |
| }, |
| { /* optional: ECDSA using P-521 and SHA-512 */ |
| LWS_GENHASH_TYPE_SHA512, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_ECDSA, |
| LWS_JOSE_ENCTYPE_NONE, |
| "ES512", "P-521", 521, 521, 0 |
| }, |
| #if 0 |
| Not yet supported |
| |
| /* |
| * Digital Signature with RSASSA-PSS |
| * |
| * A key of size 2048 bits or larger MUST be used with this algorithm. |
| * |
| * The RSASSA-PSS SHA-256 digital signature is generated as follows: |
| * generate a digital signature of the JWS Signing Input using RSASSA- |
| * PSS-SIGN, the SHA-256 hash function, and the MGF1 mask generation |
| * function with SHA-256 with the desired private key. This is the JWS |
| * Signature value. |
| * |
| * The RSASSA-PSS SHA-256 digital signature for a JWS is validated as |
| * follows: submit the JWS Signing Input, the JWS Signature, and the |
| * public key corresponding to the private key used by the signer to the |
| * RSASSA-PSS-VERIFY algorithm using SHA-256 as the hash function and |
| * using MGF1 as the mask generation function with SHA-256. |
| * |
| */ |
| { /* optional: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 */ |
| LWS_GENHASH_TYPE_SHA256, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS, |
| LWS_JOSE_ENCTYPE_NONE, |
| "PS256", NULL, 2048, 4096, 0 |
| }, |
| { /* optional: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 */ |
| LWS_GENHASH_TYPE_SHA384, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS, |
| LWS_JOSE_ENCTYPE_NONE, |
| "PS384", NULL, 2048, 4096, 0 |
| }, |
| { /* optional: RSASSA-PSS using SHA-512 and MGF1 with SHA-512*/ |
| LWS_GENHASH_TYPE_SHA512, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_RSASSA_PKCS1_PSS, |
| LWS_JOSE_ENCTYPE_NONE, |
| "PS512", NULL, 2048, 4096, 0 |
| }, |
| #endif |
| /* list terminator */ |
| { 0, 0, 0, 0, NULL, NULL, 0, 0, 0} |
| }; |
| |
| /* |
| * These came from RFC7518 (JSON Web Algorithms) Section 4 |
| * |
| * Cryptographic Algorithms for Key Management |
| * |
| * JWE uses cryptographic algorithms to encrypt or determine the Content |
| * Encryption Key (CEK). |
| */ |
| |
| static const struct lws_jose_jwe_alg lws_gencrypto_jwe_alg_map[] = { |
| |
| /* |
| * This section defines the specifics of encrypting a JWE CEK with |
| * RSAES-PKCS1-v1_5 [RFC3447]. The "alg" (algorithm) Header Parameter |
| * value "RSA1_5" is used for this algorithm. |
| * |
| * A key of size 2048 bits or larger MUST be used with this algorithm. |
| */ |
| |
| { /* recommended-: RSAES-PKCS1-v1_5 */ |
| LWS_GENHASH_TYPE_SHA256, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_RSASSA_PKCS1_1_5, |
| LWS_JOSE_ENCTYPE_NONE, |
| "RSA1_5", NULL, 2048, 4096, 0 |
| }, |
| { /* recommended+: RSAES OAEP using default parameters */ |
| LWS_GENHASH_TYPE_SHA1, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_RSASSA_PKCS1_OAEP, |
| LWS_JOSE_ENCTYPE_NONE, |
| "RSA-OAEP", NULL, 2048, 4096, 0 |
| }, |
| { /* recommended+: RSAES OAEP using SHA-256 and MGF1 SHA-256 */ |
| LWS_GENHASH_TYPE_SHA256, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_RSASSA_PKCS1_OAEP, |
| LWS_JOSE_ENCTYPE_NONE, |
| "RSA-OAEP-256", NULL, 2048, 4096, 0 |
| }, |
| |
| /* |
| * Key Wrapping with AES Key Wrap |
| * |
| * This section defines the specifics of encrypting a JWE CEK with the |
| * Advanced Encryption Standard (AES) Key Wrap Algorithm [RFC3394] using |
| * the default initial value specified in Section 2.2.3.1 of that |
| * document. |
| * |
| * |
| */ |
| { /* recommended: AES Key Wrap with AES Key Wrap with defaults |
| using 128-bit key */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_AES_ECB, |
| LWS_JOSE_ENCTYPE_NONE, |
| "A128KW", NULL, 128, 128, 64 |
| }, |
| |
| { /* optional: AES Key Wrap with AES Key Wrap with defaults |
| using 192-bit key */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_AES_ECB, |
| LWS_JOSE_ENCTYPE_NONE, |
| "A192KW", NULL, 192, 192, 64 |
| }, |
| |
| { /* recommended: AES Key Wrap with AES Key Wrap with defaults |
| using 256-bit key */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_AES_ECB, |
| LWS_JOSE_ENCTYPE_NONE, |
| "A256KW", NULL, 256, 256, 64 |
| }, |
| |
| /* |
| * This section defines the specifics of directly performing symmetric |
| * key encryption without performing a key wrapping step. In this case, |
| * the shared symmetric key is used directly as the Content Encryption |
| * Key (CEK) value for the "enc" algorithm. An empty octet sequence is |
| * used as the JWE Encrypted Key value. The "alg" (algorithm) Header |
| * Parameter value "dir" is used in this case. |
| */ |
| { /* recommended */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_NONE, |
| "dir", NULL, 0, 0, 0 |
| }, |
| |
| /* |
| * Key Agreement with Elliptic Curve Diffie-Hellman Ephemeral Static |
| * (ECDH-ES) |
| * |
| * This section defines the specifics of key agreement with Elliptic |
| * Curve Diffie-Hellman Ephemeral Static [RFC6090], in combination with |
| * the Concat KDF, as defined in Section 5.8.1 of [NIST.800-56A]. The |
| * key agreement result can be used in one of two ways: |
| * |
| * 1. directly as the Content Encryption Key (CEK) for the "enc" |
| * algorithm, in the Direct Key Agreement mode, or |
| * |
| * 2. as a symmetric key used to wrap the CEK with the "A128KW", |
| * "A192KW", or "A256KW" algorithms, in the Key Agreement with Key |
| * Wrapping mode. |
| * |
| * A new ephemeral public key value MUST be generated for each key |
| * agreement operation. |
| * |
| * In Direct Key Agreement mode, the output of the Concat KDF MUST be a |
| * key of the same length as that used by the "enc" algorithm. In this |
| * case, the empty octet sequence is used as the JWE Encrypted Key |
| * value. The "alg" (algorithm) Header Parameter value "ECDH-ES" is |
| * used in the Direct Key Agreement mode. |
| * |
| * In Key Agreement with Key Wrapping mode, the output of the Concat KDF |
| * MUST be a key of the length needed for the specified key wrapping |
| * algorithm. In this case, the JWE Encrypted Key is the CEK wrapped |
| * with the agreed-upon key. |
| */ |
| |
| { /* recommended+: ECDH Ephemeral Static Key agreement Concat KDF */ |
| LWS_GENHASH_TYPE_SHA256, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_ECDHES, |
| LWS_JOSE_ENCTYPE_NONE, |
| "ECDH-ES", NULL, 128, 128, 0 |
| }, |
| { /* recommended: ECDH-ES + Concat KDF + wrapped by AES128KW */ |
| LWS_GENHASH_TYPE_SHA256, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_ECDHES, |
| LWS_JOSE_ENCTYPE_AES_ECB, |
| "ECDH-ES+A128KW", NULL, 128, 128, 0 |
| }, |
| { /* optional: ECDH-ES + Concat KDF + wrapped by AES192KW */ |
| LWS_GENHASH_TYPE_SHA256, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_ECDHES, |
| LWS_JOSE_ENCTYPE_AES_ECB, |
| "ECDH-ES+A192KW", NULL, 192, 192, 0 |
| }, |
| { /* recommended: ECDH-ES + Concat KDF + wrapped by AES256KW */ |
| LWS_GENHASH_TYPE_SHA256, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_ECDHES, |
| LWS_JOSE_ENCTYPE_AES_ECB, |
| "ECDH-ES+A256KW", NULL, 256, 256, 0 |
| }, |
| |
| /* |
| * Key Encryption with AES GCM |
| * |
| * This section defines the specifics of encrypting a JWE Content |
| * Encryption Key (CEK) with Advanced Encryption Standard (AES) in |
| * Galois/Counter Mode (GCM) ([AES] and [NIST.800-38D]). |
| * |
| * Use of an Initialization Vector (IV) of size 96 bits is REQUIRED with |
| * this algorithm. The IV is represented in base64url-encoded form as |
| * the "iv" (initialization vector) Header Parameter value. |
| * |
| * The Additional Authenticated Data value used is the empty octet |
| * string. |
| * |
| * The requested size of the Authentication Tag output MUST be 128 bits, |
| * regardless of the key size. |
| * |
| * The JWE Encrypted Key value is the ciphertext output. |
| * |
| * The Authentication Tag output is represented in base64url-encoded |
| * form as the "tag" (authentication tag) Header Parameter value. |
| * |
| * |
| * "iv" (Initialization Vector) Header Parameter |
| * |
| * The "iv" (initialization vector) Header Parameter value is the |
| * base64url-encoded representation of the 96-bit IV value used for the |
| * key encryption operation. This Header Parameter MUST be present and |
| * MUST be understood and processed by implementations when these |
| * algorithms are used. |
| * |
| * "tag" (Authentication Tag) Header Parameter |
| * |
| * The "tag" (authentication tag) Header Parameter value is the |
| * base64url-encoded representation of the 128-bit Authentication Tag |
| * value resulting from the key encryption operation. This Header |
| * Parameter MUST be present and MUST be understood and processed by |
| * implementations when these algorithms are used. |
| */ |
| { /* optional: Key wrapping with AES GCM using 128-bit key */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_AES_ECB, |
| LWS_JOSE_ENCTYPE_NONE, |
| "A128GCMKW", NULL, 128, 128, 96 |
| }, |
| |
| { /* optional: Key wrapping with AES GCM using 192-bit key */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_AES_ECB, |
| LWS_JOSE_ENCTYPE_NONE, |
| "A192GCMKW", NULL, 192, 192, 96 |
| }, |
| |
| { /* optional: Key wrapping with AES GCM using 256-bit key */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_AES_ECB, |
| LWS_JOSE_ENCTYPE_NONE, |
| "A256GCMKW", NULL, 256, 256, 96 |
| }, |
| |
| /* list terminator */ |
| { 0, 0, 0, 0, NULL, NULL, 0, 0, 0 } |
| }; |
| |
| /* |
| * The "enc" (encryption algorithm) Header Parameter identifies the |
| * content encryption algorithm used to perform authenticated encryption |
| * on the plaintext to produce the ciphertext and the Authentication |
| * Tag. This algorithm MUST be an AEAD algorithm with a specified key |
| * length. The encrypted content is not usable if the "enc" value does |
| * not represent a supported algorithm. "enc" values should either be |
| * registered in the IANA "JSON Web Signature and Encryption Algorithms" |
| * registry established by [JWA] or be a value that contains a |
| * Collision-Resistant Name. The "enc" value is a case-sensitive ASCII |
| * string containing a StringOrURI value. This Header Parameter MUST be |
| * present and MUST be understood and processed by implementations. |
| */ |
| |
| static const struct lws_jose_jwe_alg lws_gencrypto_jwe_enc_map[] = { |
| /* |
| * AES_128_CBC_HMAC_SHA_256 / 512 |
| * |
| * It uses the HMAC message authentication code [RFC2104] with the |
| * SHA-256 hash function [SHS] to provide message authentication, with |
| * the HMAC output truncated to 128 bits, corresponding to the |
| * HMAC-SHA-256-128 algorithm defined in [RFC4868]. For encryption, it |
| * uses AES in the CBC mode of operation as defined in Section 6.2 of |
| * [NIST.800-38A], with PKCS #7 padding and a 128-bit IV value. |
| * |
| * The AES_CBC_HMAC_SHA2 parameters specific to AES_128_CBC_HMAC_SHA_256 |
| * are: |
| * |
| * The input key K is 32 octets long. |
| * ENC_KEY_LEN is 16 octets. |
| * MAC_KEY_LEN is 16 octets. |
| * The SHA-256 hash algorithm is used for the HMAC. |
| * The HMAC-SHA-256 output is truncated to T_LEN=16 octets, by |
| * stripping off the final 16 octets. |
| */ |
| { /* required */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_SHA256, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_AES_CBC, |
| "A128CBC-HS256", NULL, 256, 256, 128 |
| }, |
| /* |
| * AES_192_CBC_HMAC_SHA_384 is based on AES_128_CBC_HMAC_SHA_256, but |
| * with the following differences: |
| * |
| * The input key K is 48 octets long instead of 32. |
| * ENC_KEY_LEN is 24 octets instead of 16. |
| * MAC_KEY_LEN is 24 octets instead of 16. |
| * SHA-384 is used for the HMAC instead of SHA-256. |
| * The HMAC SHA-384 value is truncated to T_LEN=24 octets instead of 16. |
| */ |
| { /* required */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_SHA384, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_AES_CBC, |
| "A192CBC-HS384", NULL, 384, 384, 192 |
| }, |
| /* |
| * AES_256_CBC_HMAC_SHA_512 is based on AES_128_CBC_HMAC_SHA_256, but |
| * with the following differences: |
| * |
| * The input key K is 64 octets long instead of 32. |
| * ENC_KEY_LEN is 32 octets instead of 16. |
| * MAC_KEY_LEN is 32 octets instead of 16. |
| * SHA-512 is used for the HMAC instead of SHA-256. |
| * The HMAC SHA-512 value is truncated to T_LEN=32 octets instead of 16. |
| */ |
| { /* required */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_SHA512, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_AES_CBC, |
| "A256CBC-HS512", NULL, 512, 512, 256 |
| }, |
| |
| /* |
| * The CEK is used as the encryption key. |
| * |
| * Use of an IV of size 96 bits is REQUIRED with this algorithm. |
| * |
| * The requested size of the Authentication Tag output MUST be 128 bits, |
| * regardless of the key size. |
| */ |
| { /* recommended: AES GCM using 128-bit key */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_AES_GCM, |
| "A128GCM", NULL, 128, 128, 96 |
| }, |
| { /* optional: AES GCM using 192-bit key */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_AES_GCM, |
| "A192GCM", NULL, 192, 192, 96 |
| }, |
| { /* recommended: AES GCM using 256-bit key */ |
| LWS_GENHASH_TYPE_UNKNOWN, |
| LWS_GENHMAC_TYPE_UNKNOWN, |
| LWS_JOSE_ENCTYPE_NONE, |
| LWS_JOSE_ENCTYPE_AES_GCM, |
| "A256GCM", NULL, 256, 256, 96 |
| }, |
| { 0, 0, 0, 0, NULL, NULL, 0, 0, 0 } /* sentinel */ |
| }; |
| |
| int |
| lws_gencrypto_jws_alg_to_definition(const char *alg, |
| const struct lws_jose_jwe_alg **jose) |
| { |
| const struct lws_jose_jwe_alg *a = lws_gencrypto_jws_alg_map; |
| |
| while (a->alg) { |
| if (!strcmp(alg, a->alg)) { |
| *jose = a; |
| |
| return 0; |
| } |
| a++; |
| } |
| |
| return 1; |
| } |
| |
| int |
| lws_gencrypto_jwe_alg_to_definition(const char *alg, |
| const struct lws_jose_jwe_alg **jose) |
| { |
| const struct lws_jose_jwe_alg *a = lws_gencrypto_jwe_alg_map; |
| |
| while (a->alg) { |
| if (!strcmp(alg, a->alg)) { |
| *jose = a; |
| |
| return 0; |
| } |
| a++; |
| } |
| |
| return 1; |
| } |
| |
| int |
| lws_gencrypto_jwe_enc_to_definition(const char *enc, |
| const struct lws_jose_jwe_alg **jose) |
| { |
| const struct lws_jose_jwe_alg *e = lws_gencrypto_jwe_enc_map; |
| |
| while (e->alg) { |
| if (!strcmp(enc, e->alg)) { |
| *jose = e; |
| |
| return 0; |
| } |
| e++; |
| } |
| |
| return 1; |
| } |
| |
| size_t |
| lws_genhash_size(enum lws_genhash_types type) |
| { |
| switch(type) { |
| case LWS_GENHASH_TYPE_UNKNOWN: |
| return 0; |
| case LWS_GENHASH_TYPE_MD5: |
| return 16; |
| case LWS_GENHASH_TYPE_SHA1: |
| return 20; |
| case LWS_GENHASH_TYPE_SHA256: |
| return 32; |
| case LWS_GENHASH_TYPE_SHA384: |
| return 48; |
| case LWS_GENHASH_TYPE_SHA512: |
| return 64; |
| } |
| |
| return 0; |
| } |
| |
| size_t |
| lws_genhmac_size(enum lws_genhmac_types type) |
| { |
| switch(type) { |
| case LWS_GENHMAC_TYPE_UNKNOWN: |
| return 0; |
| case LWS_GENHMAC_TYPE_SHA256: |
| return 32; |
| case LWS_GENHMAC_TYPE_SHA384: |
| return 48; |
| case LWS_GENHMAC_TYPE_SHA512: |
| return 64; |
| } |
| |
| return 0; |
| } |
| |
| int |
| lws_gencrypto_bits_to_bytes(int bits) |
| { |
| if (bits & 7) |
| return (bits / 8) + 1; |
| |
| return bits / 8; |
| } |
| |
| int |
| lws_base64_size(int bytes) |
| { |
| return ((bytes * 4) / 3) + 6; |
| } |
| |
| void |
| lws_gencrypto_destroy_elements(struct lws_gencrypto_keyelem *el, int m) |
| { |
| int n; |
| |
| for (n = 0; n < m; n++) |
| if (el[n].buf) |
| lws_free_set_NULL(el[n].buf); |
| } |
| |
| size_t lws_gencrypto_padded_length(size_t pad_block_size, size_t len) |
| { |
| return (len / pad_block_size + 1) * pad_block_size; |
| } |
