static bool sig_done(jose_io_t *io) { io_t *i = containerof(io, io_t, io); size_t len = 0; if (EVP_DigestSignFinal(i->emc, NULL, &len) <= 0) return false; uint8_t buf[len]; if (EVP_DigestSignFinal(i->emc, buf, &len) <= 0) return false; if (json_object_set_new(i->sig, "signature", jose_b64_enc(buf, len)) < 0) return false; return add_entity(i->obj, i->sig, "signatures", "signature", "protected", "header", NULL); }
static bool alg_wrap_wrp(const jose_hook_alg_t *alg, jose_cfg_t *cfg, json_t *jwe, json_t *rcp, const json_t *jwk, json_t *cek) { openssl_auto(EVP_PKEY_CTX) *epc = NULL; openssl_auto(EVP_PKEY) *key = NULL; const EVP_MD *md = NULL; const RSA *rsa = NULL; uint8_t *pt = NULL; uint8_t *ct = NULL; bool ret = false; size_t ptl = 0; size_t ctl = 0; int tmp = 0; int pad = 0; if (!json_object_get(cek, "k") && !jose_jwk_gen(cfg, cek)) return false; switch (str2enum(alg->name, NAMES, NULL)) { case 0: pad = RSA_PKCS1_PADDING; tmp = 11; md = EVP_sha1(); break; case 1: pad = RSA_PKCS1_OAEP_PADDING; tmp = 41; md = EVP_sha1(); break; case 2: pad = RSA_PKCS1_OAEP_PADDING; tmp = 41; md = EVP_sha256(); break; default: return false; } key = jose_openssl_jwk_to_EVP_PKEY(cfg, jwk); if (!key || EVP_PKEY_base_id(key) != EVP_PKEY_RSA) return false; ptl = jose_b64_dec(json_object_get(cek, "k"), NULL, 0); if (ptl == SIZE_MAX) return false; rsa = EVP_PKEY_get0_RSA(key); if (!rsa) return false; if ((int) ptl >= RSA_size(rsa) - tmp) return false; epc = EVP_PKEY_CTX_new(key, NULL); if (!epc) return false; if (EVP_PKEY_encrypt_init(epc) <= 0) return false; if (EVP_PKEY_CTX_set_rsa_padding(epc, pad) <= 0) return false; if (pad == RSA_PKCS1_OAEP_PADDING) { if (EVP_PKEY_CTX_set_rsa_oaep_md(epc, md) <= 0) return false; if (EVP_PKEY_CTX_set_rsa_mgf1_md(epc, md) <= 0) return false; } pt = malloc(ptl); if (!pt) return false; if (jose_b64_dec(json_object_get(cek, "k"), pt, ptl) != ptl) goto egress; if (EVP_PKEY_encrypt(epc, NULL, &ctl, pt, ptl) <= 0) goto egress; ct = malloc(ctl); if (!ct) goto egress; if (EVP_PKEY_encrypt(epc, ct, &ctl, pt, ptl) <= 0) goto egress; if (json_object_set_new(rcp, "encrypted_key", jose_b64_enc(ct, ctl)) < 0) goto egress; ret = add_entity(jwe, rcp, "recipients", "header", "encrypted_key", NULL); egress: if (pt) { OPENSSL_cleanse(pt, ptl); free(pt); } free(ct); return ret; }
static bool alg_wrap_unw(const jose_hook_alg_t *alg, jose_cfg_t *cfg, const json_t *jwe, const json_t *rcp, const json_t *jwk, json_t *cek) { openssl_auto(EVP_PKEY_CTX) *epc = NULL; openssl_auto(EVP_PKEY) *key = NULL; const uint8_t *tt = NULL; const EVP_MD *md = NULL; uint8_t *ct = NULL; uint8_t *pt = NULL; uint8_t *rt = NULL; bool ret = false; size_t ctl = 0; size_t ptl = 0; size_t rtl = 0; size_t ttl = 0; int pad = 0; switch (str2enum(alg->name, NAMES, NULL)) { case 0: pad = RSA_PKCS1_PADDING; md = EVP_sha1(); break; case 1: pad = RSA_PKCS1_OAEP_PADDING; md = EVP_sha1(); break; case 2: pad = RSA_PKCS1_OAEP_PADDING; md = EVP_sha256(); break; default: return false; } key = jose_openssl_jwk_to_EVP_PKEY(cfg, jwk); if (!key || EVP_PKEY_base_id(key) != EVP_PKEY_RSA) goto egress; ctl = jose_b64_dec(json_object_get(rcp, "encrypted_key"), NULL, 0); if (ctl == SIZE_MAX) goto egress; ct = malloc(ctl); if (!ct) goto egress; if (jose_b64_dec(json_object_get(rcp, "encrypted_key"), ct, ctl) != ctl) goto egress; ptl = ctl; pt = malloc(ptl); if (!pt) goto egress; epc = EVP_PKEY_CTX_new(key, NULL); if (!epc) goto egress; if (EVP_PKEY_decrypt_init(epc) <= 0) goto egress; if (EVP_PKEY_CTX_set_rsa_padding(epc, pad) <= 0) goto egress; if (pad == RSA_PKCS1_OAEP_PADDING) { if (EVP_PKEY_CTX_set_rsa_oaep_md(epc, md) <= 0) return false; if (EVP_PKEY_CTX_set_rsa_mgf1_md(epc, md) <= 0) goto egress; } /* Handle MMA Attack as prescribed by RFC 3218, always generate a * random buffer of appropriate length so that the same operations * are performed whether decrypt succeeds or not, in an attempt to * foil timing attacks */ rtl = ptl; rt = malloc(rtl); if (!rt) goto egress; if (RAND_bytes(rt, rtl) <= 0) goto egress; ret |= EVP_PKEY_decrypt(epc, pt, &ptl, ct, ctl) > 0; ttl = ret ? ptl : rtl; tt = ret ? pt : rt; ret |= pad == RSA_PKCS1_PADDING; if (json_object_set_new(cek, "k", jose_b64_enc(tt, ttl)) < 0) ret = false; egress: if (pt) { OPENSSL_cleanse(pt, ptl); free(pt); } if (rt) { OPENSSL_cleanse(rt, rtl); free(rt); } free(ct); return ret; }
static json_t * derive(const jose_hook_alg_t *alg, jose_cfg_t *cfg, json_t *hdr, json_t *cek, const json_t *key) { const jose_hook_alg_t *halg = NULL; const char *name = alg->name; uint8_t pu[KEYMAX] = {}; uint8_t pv[KEYMAX] = {}; uint8_t dk[KEYMAX] = {}; uint8_t ky[KEYMAX] = {}; const char *enc = NULL; json_t *out = NULL; size_t dkl = 0; size_t pul = 0; size_t pvl = 0; size_t kyl = 0; halg = jose_hook_alg_find(JOSE_HOOK_ALG_KIND_HASH, "S256"); if (!halg) goto egress; if (json_unpack(hdr, "{s?s}", "enc", &enc) < 0) goto egress; if (!enc && json_unpack(cek, "{s:s}", "alg", &enc) < 0) goto egress; switch (str2enum(alg->name, NAMES, NULL)) { case 0: dkl = encr_alg_keylen(cfg, enc); name = enc; break; case 1: dkl = 16; break; case 2: dkl = 24; break; case 3: dkl = 32; break; default: goto egress; } if (dkl < 16 || dkl > sizeof(dk)) goto egress; pul = decode(hdr, "apu", pu, sizeof(pu)); if (pul > sizeof(pu)) goto egress; pvl = decode(hdr, "apv", pv, sizeof(pv)); if (pvl > sizeof(pv)) goto egress; kyl = decode(key, "x", ky, sizeof(ky)); if (kyl > sizeof(ky)) goto egress; if (!concatkdf(halg, cfg, dk, dkl, ky, kyl, name, strlen(name), pu, pul, pv, pvl, NULL)) goto egress; out = json_pack("{s:s,s:s,s:o}", "kty", "oct", "alg", enc, "k", jose_b64_enc(dk, dkl)); egress: OPENSSL_cleanse(ky, sizeof(ky)); OPENSSL_cleanse(pu, sizeof(pu)); OPENSSL_cleanse(pv, sizeof(pv)); OPENSSL_cleanse(dk, sizeof(dk)); return out; }
static bool alg_wrap_unw(const jose_hook_alg_t *alg, jose_cfg_t *cfg, const json_t *jwe, const json_t *rcp, const json_t *jwk, json_t *cek) { const EVP_CIPHER *cph = NULL; EVP_CIPHER_CTX *ecc = NULL; bool ret = false; size_t ctl = 0; size_t ptl = 0; int len = 0; switch (str2enum(alg->name, NAMES, NULL)) { case 0: cph = EVP_aes_128_wrap(); break; case 1: cph = EVP_aes_192_wrap(); break; case 2: cph = EVP_aes_256_wrap(); break; default: return NULL; } uint8_t ky[EVP_CIPHER_key_length(cph)]; uint8_t iv[EVP_CIPHER_iv_length(cph)]; uint8_t ct[KEYMAX + EVP_CIPHER_block_size(cph) * 2]; uint8_t pt[sizeof(ct)]; memset(iv, 0xA6, sizeof(iv)); if (jose_b64_dec(json_object_get(jwk, "k"), NULL, 0) != sizeof(ky)) goto egress; if (jose_b64_dec(json_object_get(jwk, "k"), ky, sizeof(ky)) != sizeof(ky)) goto egress; ctl = jose_b64_dec(json_object_get(rcp, "encrypted_key"), NULL, 0); if (ctl > sizeof(ct)) goto egress; if (jose_b64_dec(json_object_get(rcp, "encrypted_key"), ct, ctl) != ctl) goto egress; ecc = EVP_CIPHER_CTX_new(); if (!ecc) goto egress; EVP_CIPHER_CTX_set_flags(ecc, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); if (EVP_DecryptInit_ex(ecc, cph, NULL, ky, iv) <= 0) goto egress; if (EVP_DecryptUpdate(ecc, pt, &len, ct, ctl) <= 0) goto egress; ptl = len; if (EVP_DecryptFinal(ecc, &pt[len], &len) <= 0) goto egress; ptl += len; ret = json_object_set_new(cek, "k", jose_b64_enc(pt, ptl)) == 0; egress: OPENSSL_cleanse(ky, sizeof(ky)); OPENSSL_cleanse(pt, sizeof(pt)); EVP_CIPHER_CTX_free(ecc); return ret; }