jose 0.1.0

data/lib/jose/jwe/alg_dir.rb

@@ -0,0 +1,40 @@
+class JOSE::JWE::ALG_dir
+
+  # JOSE::JWE callbacks
+
+  def self.from_map(fields)
+    case fields['alg']
+    when 'dir'
+      return new(), fields.delete('alg')
+    else
+      raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
+    end
+  end
+
+  def to_map(fields)
+    return fields.put('alg', 'dir')
+  end
+
+  # JOSE::JWE::ALG callbacks
+
+  def key_decrypt(key, enc, encrypted_key)
+    if key.is_a?(String)
+      return key
+    else
+      return key.kty.derive_key
+    end
+  end
+
+  def key_encrypt(key, enc, decrypted_key)
+    return '', self
+  end
+
+  def next_cek(key, enc)
+    if key.is_a?(String)
+      return key
+    else
+      return key.kty.derive_key
+    end
+  end
+
+end

data/lib/jose/jwe/alg_ecdh_es.rb

@@ -0,0 +1,123 @@
+class JOSE::JWE::ALG_ECDH_ES < Struct.new(:bits, :epk, :apu, :apv)
+
+  # JOSE::JWE callbacks
+
+  def self.from_map(fields)
+    bits = nil
+    case fields['alg']
+    when 'ECDH-ES'
+      bits = nil
+    when 'ECDH-ES+A128KW'
+      bits = 128
+    when 'ECDH-ES+A192KW'
+      bits = 192
+    when 'ECDH-ES+A256KW'
+      bits = 256
+    else
+      raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
+    end
+    epk = nil
+    if fields.has_key?('epk')
+      epk = JOSE::JWK.from_map(fields['epk'])
+    end
+    apu = nil
+    if fields.has_key?('apu')
+      apu = JOSE.urlsafe_decode64(fields['apu'])
+    end
+    apv = nil
+    if fields.has_key?('apv')
+      apv = JOSE.urlsafe_decode64(fields['apv'])
+    end
+    return new(bits, epk, apu, apv), fields.except('alg', 'apu', 'apv', 'epk')
+  end
+
+  def to_map(fields)
+    fields = fields.put('alg', algorithm)
+    if epk
+      fields = fields.put('epk', epk.to_map)
+    end
+    if apu
+      fields = fields.put('apu', JOSE.urlsafe_encode64(apu))
+    end
+    if apv
+      fields = fields.put('apv', JOSE.urlsafe_encode64(apv))
+    end
+    return fields
+  end
+
+  # JOSE::JWE::ALG callbacks
+
+  def key_decrypt(box_keys, enc, encrypted_key)
+    other_public_key, my_private_key = box_keys
+    if my_private_key and epk and epk.to_key != other_public_key.to_key
+      raise ArgumentError, "other and ephemeral public key mismatch"
+    elsif epk and my_private_key.nil?
+      my_private_key = other_public_key
+      other_public_key = epk
+    else
+      raise ArgumentError, "missing 'epk' or my_private_key"
+    end
+    z = other_public_key.derive_key(my_private_key)
+    if bits.nil?
+      algorithm_id = enc.algorithm
+      key_data_len = enc.bits
+      supp_pub_info = [key_data_len].pack('N')
+      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, apu, apv, supp_pub_info], key_data_len)
+      return derived_key
+    else
+      algorithm_id = algorithm
+      key_data_len = bits
+      supp_pub_info = [key_data_len].pack('N')
+      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, apu, apv, supp_pub_info], key_data_len)
+      decrypted_key = JOSE::JWA::AES_KW.unwrap(encrypted_key, derived_key)
+      return decrypted_key
+    end
+  end
+
+  def key_encrypt(box_keys, enc, decrypted_key)
+    if bits.nil?
+      return '', self
+    else
+      other_public_key, my_private_key = box_keys
+      z = other_public_key.derive_key(my_private_key)
+      algorithm_id = algorithm
+      key_data_len = bits
+      supp_pub_info = [key_data_len].pack('N')
+      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, apu, apv, supp_pub_info], key_data_len)
+      encrypted_key = JOSE::JWA::AES_KW.wrap(decrypted_key, derived_key)
+      return encrypted_key, self
+    end
+  end
+
+  def next_cek(box_keys, enc)
+    if bits.nil?
+      other_public_key, my_private_key = box_keys
+      z = other_public_key.derive_key(my_private_key)
+      algorithm_id = enc.algorithm
+      key_data_len = enc.bits
+      supp_pub_info = [key_data_len].pack('N')
+      derived_key = JOSE::JWA::ConcatKDF.kdf(OpenSSL::Digest::SHA256, z, [algorithm_id, apu, apv, supp_pub_info], key_data_len)
+      return derived_key
+    else
+      return enc.next_cek
+    end
+  end
+
+  # API functions
+
+  def algorithm
+    case bits
+    when nil
+      return 'ECDH-ES'
+    when 128
+      return 'ECDH-ES+A128KW'
+    when 192
+      return 'ECDH-ES+A192KW'
+    when 256
+      return 'ECDH-ES+A256KW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_ECDH_ES bits: #{bits.inspect}"
+    end
+  end
+
+end

data/lib/jose/jwe/alg_pbes2.rb

@@ -0,0 +1,90 @@
+class JOSE::JWE::ALG_PBES2 < Struct.new(:hmac, :bits, :salt, :iter)
+
+  # JOSE::JWE callbacks
+
+  def self.from_map(fields)
+    bits = nil
+    hmac = nil
+    case fields['alg']
+    when 'PBES2-HS256+A128KW'
+      bits = 128
+      hmac = OpenSSL::Digest::SHA256
+    when 'PBES2-HS384+A192KW'
+      bits = 192
+      hmac = OpenSSL::Digest::SHA384
+    when 'PBES2-HS512+A256KW'
+      bits = 256
+      hmac = OpenSSL::Digest::SHA512
+    else
+      raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
+    end
+    iter = nil
+    if fields['p2c'].is_a?(Integer) and fields['p2c'] >= 0
+      iter = fields['p2c']
+    else
+      raise ArgumentError, "invalid 'p2c' for JWE: #{fields['p2c'].inspect}"
+    end
+    salt = nil
+    if fields.has_key?('p2s') and fields['p2s'].is_a?(String)
+      salt = wrap_salt(fields['alg'], JOSE.urlsafe_decode64(fields['p2s']))
+    else
+      raise ArgumentError, "invalid 'p2s' for JWE: #{fields['p2s'].inspect}"
+    end
+    return new(hmac, bits, salt, iter), fields.except('alg', 'p2c', 'p2s')
+  end
+
+  def to_map(fields)
+    alg = if hmac == OpenSSL::Digest::SHA256
+      'PBES2-HS256+A128KW'
+    elsif hmac == OpenSSL::Digest::SHA384
+      'PBES2-HS384+A192KW'
+    elsif hmac == OpenSSL::Digest::SHA512
+      'PBES2-HS512+A256KW'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_PBES2 hmac: #{hmac.inspect}"
+    end
+    p2c = iter
+    p2s = JOSE.urlsafe_encode64(unwrap_salt(alg, salt))
+    return fields.put('alg', alg).put('p2c', p2c).put('p2s', p2s)
+  end
+
+  # JOSE::JWE::ALG callbacks
+
+  def key_decrypt(key, enc, encrypted_key)
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    derived_key = OpenSSL::PKCS5.pbkdf2_hmac(key, salt, iter, bits.div(8) + (bits % 8), hmac.new)
+    decrypted_key = JOSE::JWA::AES_KW.unwrap(encrypted_key, derived_key)
+    return decrypted_key
+  end
+
+  def key_encrypt(key, enc, decrypted_key)
+    if key.is_a?(JOSE::JWK)
+      key = key.kty.derive_key
+    end
+    derived_key = OpenSSL::PKCS5.pbkdf2_hmac(key, salt, iter, bits.div(8) + (bits % 8), hmac.new)
+    encrypted_key = JOSE::JWA::AES_KW.wrap(decrypted_key, derived_key)
+    return encrypted_key, self
+  end
+
+  def next_cek(key, enc)
+    return enc.next_cek
+  end
+
+private
+
+  def unwrap_salt(algorithm, salt)
+    salt_s = StringIO.new(salt)
+    if salt_s.read(algorithm.length) != algorithm or salt_s.getbyte != 0
+      raise ArgumentError, "unrecognized salt value"
+    else
+      return salt_s.read
+    end
+  end
+
+  def self.wrap_salt(algorithm, salt_input)
+    return [algorithm, 0x00, salt_input].pack('a*Ca*')
+  end
+
+end

data/lib/jose/jwe/alg_rsa.rb

@@ -0,0 +1,63 @@
+class JOSE::JWE::ALG_RSA < Struct.new(:rsa_padding, :rsa_oaep_md)
+
+  # JOSE::JWE callbacks
+
+  def self.from_map(fields)
+    rsa_padding = nil
+    rsa_oaep_md = nil
+    case fields['alg']
+    when 'RSA1_5'
+      rsa_padding = :rsa_pkcs1_padding
+    when 'RSA-OAEP'
+      rsa_padding = :rsa_pkcs1_oaep_padding
+      rsa_oaep_md = OpenSSL::Digest::SHA1
+    when 'RSA-OAEP-256'
+      rsa_padding = :rsa_pkcs1_oaep_padding
+      rsa_oaep_md = OpenSSL::Digest::SHA256
+    else
+      raise ArgumentError, "invalid 'alg' for JWE: #{fields['alg'].inspect}"
+    end
+    return new(rsa_padding, rsa_oaep_md), fields.except('alg')
+  end
+
+  def to_map(fields)
+    alg = nil
+    if rsa_padding == :rsa_pkcs1_padding
+      alg = 'RSA1_5'
+    elsif rsa_padding == :rsa_pkcs1_oaep_padding
+      if rsa_oaep_md == OpenSSL::Digest::SHA1
+        alg = 'RSA-OAEP'
+      elsif rsa_oaep_md == OpenSSL::Digest::SHA256
+        alg = 'RSA-OAEP-256'
+      else
+        raise ArgumentError, "unhandled JOSE::JWE::ALG_RSA rsa_oaep_md: #{rsa_oaep_md.inspect}"
+      end
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ALG_RSA rsa_padding: #{rsa_padding.inspect}"
+    end
+    return fields.put('alg', alg)
+  end
+
+  # JOSE::JWE::ALG callbacks
+
+  def key_decrypt(key, enc, encrypted_key)
+    if key.is_a?(JOSE::JWK)
+      return key.kty.decrypt_private(encrypted_key, rsa_padding: rsa_padding, rsa_oaep_md: rsa_oaep_md)
+    else
+      raise ArgumentError, "'key' must be a JOSE::JWK"
+    end
+  end
+
+  def key_encrypt(key, enc, decrypted_key)
+    if key.is_a?(JOSE::JWK)
+      return key.kty.encrypt_public(decrypted_key, rsa_padding: rsa_padding, rsa_oaep_md: rsa_oaep_md), self
+    else
+      raise ArgumentError, "'key' must be a JOSE::JWK"
+    end
+  end
+
+  def next_cek(key, enc)
+    return enc.next_cek
+  end
+
+end

data/lib/jose/jwe/enc.rb

@@ -0,0 +1,8 @@
+module JOSE::JWE::ENC
+
+  extend self
+
+end
+
+require 'jose/jwe/enc_aes_cbc_hmac'
+require 'jose/jwe/enc_aes_gcm'

data/lib/jose/jwe/enc_aes_cbc_hmac.rb

@@ -0,0 +1,80 @@
+class JOSE::JWE::ENC_AES_CBC_HMAC < Struct.new(:cipher_name, :bits, :cek_len, :iv_len, :enc_len, :mac_len, :tag_len, :hmac)
+
+  # JOSE::JWE callbacks
+
+  def self.from_map(fields)
+    case fields['enc']
+    when 'A128CBC-HS256'
+      return new('aes-128-cbc', 256, 32, 16, 16, 16, 16, OpenSSL::Digest::SHA256), fields.delete('enc')
+    when 'A192CBC-HS384'
+      return new('aes-192-cbc', 384, 48, 16, 24, 24, 24, OpenSSL::Digest::SHA384), fields.delete('enc')
+    when 'A256CBC-HS512'
+      return new('aes-256-cbc', 512, 64, 16, 32, 32, 32, OpenSSL::Digest::SHA512), fields.delete('enc')
+    else
+      raise ArgumentError, "invalid 'enc' for JWE: #{fields['enc'].inspect}"
+    end
+  end
+
+  def to_map(fields)
+    return fields.put('enc', algorithm)
+  end
+
+  # JOSE::JWE::ENC callbacks
+
+  def algorithm
+    case cipher_name
+    when 'aes-128-cbc'
+      return 'A128CBC-HS256'
+    when 'aes-192-cbc'
+      return 'A192CBC-HS384'
+    when 'aes-256-cbc'
+      return 'A256CBC-HS512'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ENC_AES_CBC_HMAC cipher name: #{cipher_name.inspect}"
+    end
+  end
+
+  def block_decrypt(aad_cipher_text_cipher_tag, cek, iv)
+    aad, cipher_text, cipher_tag = aad_cipher_text_cipher_tag
+    cek_s = StringIO.new(cek)
+    mac_key = cek_s.read(mac_len)
+    enc_key = cek_s.read(enc_len)
+    aad_len = [(aad.bytesize * 8)].pack('Q>')
+    mac_data = [aad, iv, cipher_text, aad_len].pack('a*a*a*a*')
+    if cipher_tag != OpenSSL::HMAC.digest(hmac.new, mac_key, mac_data)[0..tag_len]
+      raise ArgumentError, "decryption error"
+    else
+      cipher = OpenSSL::Cipher.new(cipher_name)
+      cipher.decrypt
+      cipher.key = cek
+      cipher.iv = iv
+      plain_text = JOSE::JWA::PKCS7.unpad(cipher.update(cipher_text) + cipher.final)
+      return plain_text
+    end
+  end
+
+  def block_encrypt(aad_plain_text, cek, iv)
+    aad, plain_text = aad_plain_text
+    cek_s = StringIO.new(cek)
+    mac_key = cek_s.read(mac_len)
+    enc_key = cek_s.read(enc_len)
+    cipher = OpenSSL::Cipher.new(cipher_name)
+    cipher.encrypt
+    cipher.key = cek
+    cipher.iv = iv
+    cipher_text = cipher.update(JOSE::JWA::PKCS7.pad(plain_text)) + cipher.final
+    aad_len = [(aad.bytesize * 8)].pack('Q>')
+    mac_data = [aad, iv, cipher_text, aad_len].pack('a*a*a*a*')
+    cipher_tag = OpenSSL::HMAC.digest(hmac.new, mac_key, mac_data)[0..tag_len]
+    return cipher_text, cipher_tag
+  end
+
+  def next_cek
+    return SecureRandom.random_bytes(cek_len)
+  end
+
+  def next_iv
+    return SecureRandom.random_bytes(iv_len)
+  end
+
+end

data/lib/jose/jwe/enc_aes_gcm.rb

@@ -0,0 +1,68 @@
+class JOSE::JWE::ENC_AES_GCM < Struct.new(:cipher_name, :bits, :cek_len, :iv_len)
+
+  # JOSE::JWE callbacks
+
+  def self.from_map(fields)
+    case fields['enc']
+    when 'A128GCM'
+      return new('aes-128-gcm', 128, 16, 12), fields.delete('enc')
+    when 'A192GCM'
+      return new('aes-192-gcm', 192, 24, 12), fields.delete('enc')
+    when 'A256GCM'
+      return new('aes-256-gcm', 256, 32, 12), fields.delete('enc')
+    else
+      raise ArgumentError, "invalid 'enc' for JWE: #{fields['enc'].inspect}"
+    end
+  end
+
+  def to_map(fields)
+    return fields.put('enc', algorithm)
+  end
+
+  # JOSE::JWE::ENC callbacks
+
+  def algorithm
+    case cipher_name
+    when 'aes-128-gcm'
+      return 'A128GCM'
+    when 'aes-192-gcm'
+      return 'A192GCM'
+    when 'aes-256-gcm'
+      return 'A256GCM'
+    else
+      raise ArgumentError, "unhandled JOSE::JWE::ENC_AES_GCM cipher name: #{cipher_name.inspect}"
+    end
+  end
+
+  def block_decrypt(aad_cipher_text_cipher_tag, cek, iv)
+    aad, cipher_text, cipher_tag = aad_cipher_text_cipher_tag
+    cipher = OpenSSL::Cipher.new(cipher_name)
+    cipher.decrypt
+    cipher.key = cek
+    cipher.iv = iv
+    cipher.auth_data = aad
+    cipher.auth_tag = cipher_tag
+    plain_text = cipher.update(cipher_text) + cipher.final
+    return plain_text
+  end
+
+  def block_encrypt(aad_plain_text, cek, iv)
+    aad, plain_text = aad_plain_text
+    cipher = OpenSSL::Cipher.new(cipher_name)
+    cipher.encrypt
+    cipher.key = cek
+    cipher.iv = iv
+    cipher.auth_data = aad
+    cipher_text = cipher.update(plain_text) + cipher.final
+    return cipher_text, cipher.auth_tag
+  end
+
+  def next_cek
+    return SecureRandom.random_bytes(cek_len)
+  end
+
+  def next_iv
+    return SecureRandom.random_bytes(iv_len)
+  end
+
+end