static bool
ver_done(jose_io_t *io)
{
io_t *i = containerof(io, io_t, io);
const json_t *sig = NULL;
uint8_t *buf = NULL;
bool ret = false;
size_t len = 0;
sig = json_object_get(i->sig, "signature");
if (!sig)
return false;
len = jose_b64_dec(sig, NULL, 0);
if (len == SIZE_MAX)
return false;
buf = malloc(len);
if (!buf)
return false;
if (jose_b64_dec(sig, buf, len) != len) {
free(buf);
return false;
}
ret = EVP_DigestVerifyFinal(i->emc, buf, len) == 1;
free(buf);
return ret;
}
static const char *
alg_sign_sug(const jose_hook_alg_t *alg, jose_cfg_t *cfg, const json_t *jwk)
{
const char *name = NULL;
const char *type = NULL;
size_t len = 0;
if (json_unpack((json_t *) jwk, "{s?s,s?s}",
"alg", &name, "kty", &type) < 0)
return NULL;
if (name)
return str2enum(name, NAMES, NULL) != SIZE_MAX ? name : NULL;
if (!type || strcmp(type, "RSA") != 0)
return NULL;
len = jose_b64_dec(json_object_get(jwk, "n"), NULL, 0) * 8;
switch ((len < 4096 ? len : 4096) & (4096 | 3072 | 2048)) {
case 4096: return "RS512";
case 3072: return "RS384";
case 2048: return "RS256";
default: return NULL;
}
}
static const char *
alg_wrap_enc(const jose_hook_alg_t *alg, jose_cfg_t *cfg, const json_t *jwk)
{
size_t len = 0;
len = jose_b64_dec(json_object_get(jwk, "n"), NULL, 0) * 8;
if (len >= 15360)
return "A256CBC-HS512";
else if (len >= 7680)
return "A192CBC-HS384";
else
return "A128CBC-HS256";
}
static const char *
alg_wrap_alg(const jose_hook_alg_t *alg, jose_cfg_t *cfg, const json_t *jwk)
{
const char *name = NULL;
const char *type = NULL;
if (json_unpack((json_t *) jwk, "{s?s,s?s}",
"alg", &name, "kty", &type) < 0)
return NULL;
if (name)
return str2enum(name, NAMES, NULL) != SIZE_MAX ? name : NULL;
if (!type || strcmp(type, "oct") != 0)
return NULL;
switch (jose_b64_dec(json_object_get(jwk, "k"), NULL, 0)) {
case 16: return "A128KW";
case 24: return "A192KW";
case 32: return "A256KW";
default: return NULL;
}
}
static bool
alg_wrap_wrp(const jose_hook_alg_t *alg, jose_cfg_t *cfg, json_t *jwe,
json_t *rcp, const json_t *jwk, json_t *cek)
{
openssl_auto(EVP_PKEY_CTX) *epc = NULL;
openssl_auto(EVP_PKEY) *key = NULL;
const EVP_MD *md = NULL;
const RSA *rsa = NULL;
uint8_t *pt = NULL;
uint8_t *ct = NULL;
bool ret = false;
size_t ptl = 0;
size_t ctl = 0;
int tmp = 0;
int pad = 0;
if (!json_object_get(cek, "k") && !jose_jwk_gen(cfg, cek))
return false;
switch (str2enum(alg->name, NAMES, NULL)) {
case 0: pad = RSA_PKCS1_PADDING; tmp = 11; md = EVP_sha1(); break;
case 1: pad = RSA_PKCS1_OAEP_PADDING; tmp = 41; md = EVP_sha1(); break;
case 2: pad = RSA_PKCS1_OAEP_PADDING; tmp = 41; md = EVP_sha256(); break;
default: return false;
}
key = jose_openssl_jwk_to_EVP_PKEY(cfg, jwk);
if (!key || EVP_PKEY_base_id(key) != EVP_PKEY_RSA)
return false;
ptl = jose_b64_dec(json_object_get(cek, "k"), NULL, 0);
if (ptl == SIZE_MAX)
return false;
rsa = EVP_PKEY_get0_RSA(key);
if (!rsa)
return false;
if ((int) ptl >= RSA_size(rsa) - tmp)
return false;
epc = EVP_PKEY_CTX_new(key, NULL);
if (!epc)
return false;
if (EVP_PKEY_encrypt_init(epc) <= 0)
return false;
if (EVP_PKEY_CTX_set_rsa_padding(epc, pad) <= 0)
return false;
if (pad == RSA_PKCS1_OAEP_PADDING) {
if (EVP_PKEY_CTX_set_rsa_oaep_md(epc, md) <= 0)
return false;
if (EVP_PKEY_CTX_set_rsa_mgf1_md(epc, md) <= 0)
return false;
}
pt = malloc(ptl);
if (!pt)
return false;
if (jose_b64_dec(json_object_get(cek, "k"), pt, ptl) != ptl)
goto egress;
if (EVP_PKEY_encrypt(epc, NULL, &ctl, pt, ptl) <= 0)
goto egress;
ct = malloc(ctl);
if (!ct)
goto egress;
if (EVP_PKEY_encrypt(epc, ct, &ctl, pt, ptl) <= 0)
goto egress;
if (json_object_set_new(rcp, "encrypted_key", jose_b64_enc(ct, ctl)) < 0)
goto egress;
ret = add_entity(jwe, rcp, "recipients", "header", "encrypted_key", NULL);
egress:
if (pt) {
OPENSSL_cleanse(pt, ptl);
free(pt);
}
free(ct);
return ret;
}
static bool
alg_wrap_unw(const jose_hook_alg_t *alg, jose_cfg_t *cfg, const json_t *jwe,
const json_t *rcp, const json_t *jwk, json_t *cek)
{
openssl_auto(EVP_PKEY_CTX) *epc = NULL;
openssl_auto(EVP_PKEY) *key = NULL;
const uint8_t *tt = NULL;
const EVP_MD *md = NULL;
uint8_t *ct = NULL;
uint8_t *pt = NULL;
uint8_t *rt = NULL;
bool ret = false;
size_t ctl = 0;
size_t ptl = 0;
size_t rtl = 0;
size_t ttl = 0;
int pad = 0;
switch (str2enum(alg->name, NAMES, NULL)) {
case 0: pad = RSA_PKCS1_PADDING; md = EVP_sha1(); break;
case 1: pad = RSA_PKCS1_OAEP_PADDING; md = EVP_sha1(); break;
case 2: pad = RSA_PKCS1_OAEP_PADDING; md = EVP_sha256(); break;
default: return false;
}
key = jose_openssl_jwk_to_EVP_PKEY(cfg, jwk);
if (!key || EVP_PKEY_base_id(key) != EVP_PKEY_RSA)
goto egress;
ctl = jose_b64_dec(json_object_get(rcp, "encrypted_key"), NULL, 0);
if (ctl == SIZE_MAX)
goto egress;
ct = malloc(ctl);
if (!ct)
goto egress;
if (jose_b64_dec(json_object_get(rcp, "encrypted_key"), ct, ctl) != ctl)
goto egress;
ptl = ctl;
pt = malloc(ptl);
if (!pt)
goto egress;
epc = EVP_PKEY_CTX_new(key, NULL);
if (!epc)
goto egress;
if (EVP_PKEY_decrypt_init(epc) <= 0)
goto egress;
if (EVP_PKEY_CTX_set_rsa_padding(epc, pad) <= 0)
goto egress;
if (pad == RSA_PKCS1_OAEP_PADDING) {
if (EVP_PKEY_CTX_set_rsa_oaep_md(epc, md) <= 0)
return false;
if (EVP_PKEY_CTX_set_rsa_mgf1_md(epc, md) <= 0)
goto egress;
}
/* Handle MMA Attack as prescribed by RFC 3218, always generate a
* random buffer of appropriate length so that the same operations
* are performed whether decrypt succeeds or not, in an attempt to
* foil timing attacks */
rtl = ptl;
rt = malloc(rtl);
if (!rt)
goto egress;
if (RAND_bytes(rt, rtl) <= 0)
goto egress;
ret |= EVP_PKEY_decrypt(epc, pt, &ptl, ct, ctl) > 0;
ttl = ret ? ptl : rtl;
tt = ret ? pt : rt;
ret |= pad == RSA_PKCS1_PADDING;
if (json_object_set_new(cek, "k", jose_b64_enc(tt, ttl)) < 0)
ret = false;
egress:
if (pt) {
OPENSSL_cleanse(pt, ptl);
free(pt);
}
if (rt) {
OPENSSL_cleanse(rt, rtl);
free(rt);
}
free(ct);
return ret;
}
static bool
alg_wrap_unw(const jose_hook_alg_t *alg, jose_cfg_t *cfg, const json_t *jwe,
const json_t *rcp, const json_t *jwk, json_t *cek)
{
const EVP_CIPHER *cph = NULL;
EVP_CIPHER_CTX *ecc = NULL;
bool ret = false;
size_t ctl = 0;
size_t ptl = 0;
int len = 0;
switch (str2enum(alg->name, NAMES, NULL)) {
case 0: cph = EVP_aes_128_wrap(); break;
case 1: cph = EVP_aes_192_wrap(); break;
case 2: cph = EVP_aes_256_wrap(); break;
default: return NULL;
}
uint8_t ky[EVP_CIPHER_key_length(cph)];
uint8_t iv[EVP_CIPHER_iv_length(cph)];
uint8_t ct[KEYMAX + EVP_CIPHER_block_size(cph) * 2];
uint8_t pt[sizeof(ct)];
memset(iv, 0xA6, sizeof(iv));
if (jose_b64_dec(json_object_get(jwk, "k"), NULL, 0) != sizeof(ky))
goto egress;
if (jose_b64_dec(json_object_get(jwk, "k"), ky, sizeof(ky)) != sizeof(ky))
goto egress;
ctl = jose_b64_dec(json_object_get(rcp, "encrypted_key"), NULL, 0);
if (ctl > sizeof(ct))
goto egress;
if (jose_b64_dec(json_object_get(rcp, "encrypted_key"), ct, ctl) != ctl)
goto egress;
ecc = EVP_CIPHER_CTX_new();
if (!ecc)
goto egress;
EVP_CIPHER_CTX_set_flags(ecc, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
if (EVP_DecryptInit_ex(ecc, cph, NULL, ky, iv) <= 0)
goto egress;
if (EVP_DecryptUpdate(ecc, pt, &len, ct, ctl) <= 0)
goto egress;
ptl = len;
if (EVP_DecryptFinal(ecc, &pt[len], &len) <= 0)
goto egress;
ptl += len;
ret = json_object_set_new(cek, "k", jose_b64_enc(pt, ptl)) == 0;
egress:
OPENSSL_cleanse(ky, sizeof(ky));
OPENSSL_cleanse(pt, sizeof(pt));
EVP_CIPHER_CTX_free(ecc);
return ret;
}
