jwa 0.1.0

data/lib/jwa/algorithms/content_encryption/aes_gcm.rb

@@ -0,0 +1,64 @@
+require 'jwa/cipher'
+
+module JWA
+  module Algorithms
+    module ContentEncryption
+      # Abstract AES in Galois Counter mode for different key sizes.
+      module AesGcm
+        attr_reader :key, :iv
+
+        def initialize(key, iv = nil)
+          @key = key
+          @iv = iv || SecureRandom.random_bytes(12)
+
+          if @key.length != self.class.key_length
+            raise ArgumentError, "Invalid Key. Expected length: #{self.class.key_length}. Actual: #{@key.length}."
+          end
+
+          if @iv.length != 12
+            raise ArgumentError, "Invalid IV. Expected length: 12. Actual: #{@iv.length}."
+          end
+        end
+
+        def encrypt(plaintext, authenticated_data)
+          setup_cipher(:encrypt, authenticated_data)
+          ciphertext = cipher.update(plaintext) + cipher.final
+
+          [ciphertext, cipher.auth_tag]
+        end
+
+        def decrypt(ciphertext, authenticated_data, tag)
+          setup_cipher(:decrypt, authenticated_data, tag)
+          cipher.update(ciphertext) + cipher.final
+        rescue OpenSSL::Cipher::CipherError
+          raise JWA::BadDecrypt, 'Invalid ciphertext or authentication tag'
+        end
+
+        def setup_cipher(direction, auth_data, tag = nil)
+          cipher.send(direction)
+          cipher.key = @key
+          cipher.iv = @iv
+          cipher.auth_tag = tag if tag
+          cipher.auth_data = auth_data
+        end
+
+        def cipher
+          @cipher ||= Cipher.for(self.class.cipher_name)
+        end
+
+        def self.included(base)
+          base.extend(ClassMethods)
+        end
+
+        module ClassMethods
+          def available?
+            Cipher.for(cipher_name)
+            true
+          rescue NotImplementedError
+            false
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management.rb

@@ -0,0 +1,56 @@
+require 'jwa/algorithms/key_management/rsa15'
+require 'jwa/algorithms/key_management/rsa_oaep'
+
+require 'jwa/algorithms/key_management/a128_kw'
+require 'jwa/algorithms/key_management/a192_kw'
+require 'jwa/algorithms/key_management/a256_kw'
+
+require 'jwa/algorithms/key_management/ecdh_es'
+require 'jwa/algorithms/key_management/ecdh_es_a128_kw'
+require 'jwa/algorithms/key_management/ecdh_es_a192_kw'
+require 'jwa/algorithms/key_management/ecdh_es_a256_kw'
+
+require 'jwa/algorithms/key_management/a128_gcm_kw'
+require 'jwa/algorithms/key_management/a192_gcm_kw'
+require 'jwa/algorithms/key_management/a256_gcm_kw'
+
+require 'jwa/algorithms/key_management/pbes_hs256_a128_kw'
+require 'jwa/algorithms/key_management/pbes_hs384_a192_kw'
+require 'jwa/algorithms/key_management/pbes_hs512_a256_kw'
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      KNOWN_ALGS = {
+        'RSA1_5' => Rsa15,
+        'RSA-OAEP' => RsaOaep,
+        'RSA-OAEP-256' => nil,
+
+        'A128KW' => A128Kw,
+        'A192KW' => A192Kw,
+        'A256KW' => A256Kw,
+
+        'dir' => nil,
+
+        'ECDH-ES' => EcdhEs,
+        'ECDH-ES+A128KW' => EcdhEs,
+        'ECDH-ES+A192KW' => EcdhEs,
+        'ECDH-ES+A256KW' => EcdhEs,
+
+        'A128GCMKW' => A128GcmKw,
+        'A192GCMKW' => A192GcmKw,
+        'A256GCMKW' => A256GcmKw,
+
+        'PBES2-HS256+A128KW' => Pbes2Hs256A128Kw,
+        'PBES2-HS384+A192KW' => Pbes2Hs384A192Kw,
+        'PBES2-HS512+A256KW' => Pbes2Hs512A256Kw
+      }.freeze
+
+      class << self
+        def for(name)
+          KNOWN_ALGS[name]
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/a128_gcm_kw.rb

@@ -0,0 +1,21 @@
+require 'jwa/algorithms/key_management/aes_gcm_kw'
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      class A128GcmKw
+        include AesGcmKw
+
+        class << self
+          def key_length
+            16
+          end
+
+          def cipher
+            A128Gcm
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/a128_kw.rb

@@ -0,0 +1,21 @@
+require 'jwa/algorithms/key_management/aes_kw'
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      class A128Kw
+        include AesKw
+
+        class << self
+          def key_length
+            16
+          end
+
+          def cipher_name
+            'AES-128-ECB'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/a192_gcm_kw.rb

@@ -0,0 +1,21 @@
+require 'jwa/algorithms/key_management/aes_gcm_kw'
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      class A192GcmKw
+        include AesGcmKw
+
+        class << self
+          def key_length
+            24
+          end
+
+          def cipher
+            A192Gcm
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/a192_kw.rb

@@ -0,0 +1,21 @@
+require 'jwa/algorithms/key_management/aes_kw'
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      class A192Kw
+        include AesKw
+
+        class << self
+          def key_length
+            24
+          end
+
+          def cipher_name
+            'AES-192-ECB'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/a256_gcm_kw.rb

@@ -0,0 +1,21 @@
+require 'jwa/algorithms/key_management/aes_gcm_kw'
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      class A256GcmKw
+        include AesGcmKw
+
+        class << self
+          def key_length
+            32
+          end
+
+          def cipher
+            A256Gcm
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/a256_kw.rb

@@ -0,0 +1,21 @@
+require 'jwa/algorithms/key_management/aes_kw'
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      class A256Kw
+        include AesKw
+
+        class << self
+          def key_length
+            32
+          end
+
+          def cipher_name
+            'AES-256-ECB'
+          end
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/aes_gcm_kw.rb

@@ -0,0 +1,26 @@
+module JWA
+  module Algorithms
+    module KeyManagement
+      module AesGcmKw
+        def initialize(key, iv = nil)
+          @key = key
+          @iv = iv
+
+          if @key.length != self.class.key_length
+            raise ArgumentError, "Invalid Key. Expected length: #{self.class.key_length}. Actual: #{@key.length}."
+          end
+        end
+
+        def encrypt(plaintext)
+          cipher = self.class.cipher.new(@key, @iv)
+          cipher.encrypt(plaintext, '')
+        end
+
+        def decrypt(ciphertext, tag)
+          cipher = self.class.cipher.new(@key, @iv)
+          cipher.decrypt(ciphertext, '', tag)
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/aes_kw.rb

@@ -0,0 +1,100 @@
+require 'jwa/cipher'
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      # Generic AES Key Wrapping algorithm for any key size.
+      module AesKw
+        attr_reader :key, :iv
+
+        def initialize(key, iv = "\xA6\xA6\xA6\xA6\xA6\xA6\xA6\xA6")
+          @key = key.force_encoding('ASCII-8BIT')
+          @iv = iv.force_encoding('ASCII-8BIT')
+
+          if @key.length != self.class.key_length
+            raise ArgumentError, "Invalid Key. Expected length: #{self.class.key_length}. Actual: #{@key.length}."
+          end
+        end
+
+        def encrypt(plaintext)
+          a = @iv
+          r = plaintext.force_encoding('ASCII-8BIT').scan(/.{8}/m)
+
+          6.times do |j|
+            a, r = kw_encrypt_round(j, a, r)
+          end
+
+          ([a] + r).join
+        end
+
+        def kw_encrypt_round(j, a, r)
+          r.length.times do |i|
+            b = encrypt_round(a + r[i]).chars
+
+            a, r[i] = a_ri(b)
+
+            a = xor(a, (r.length * j) + i + 1)
+          end
+
+          [a, r]
+        end
+
+        def decrypt(ciphertext)
+          c = ciphertext.force_encoding('ASCII-8BIT').scan(/.{8}/m)
+          a, *r = c
+
+          5.downto(0) do |j|
+            a, r = kw_decrypt_round(j, a, r)
+          end
+
+          if a != @iv
+            raise StandardError, 'The encrypted key has been tampered. Do not use this key.'
+          end
+
+          r.join
+        end
+
+        def kw_decrypt_round(j, a, r)
+          r.length.downto(1) do |i|
+            a = xor(a, (r.length * j) + i)
+
+            b = decrypt_round(a + r[i - 1]).chars
+
+            a, r[i - 1] = a_ri(b)
+          end
+
+          [a, r]
+        end
+
+        def a_ri(b)
+          [b.first(8).join, b.to_a.last(8).join]
+        end
+
+        def cipher
+          @cipher ||= Cipher.for(self.class.cipher_name)
+        end
+
+        def encrypt_round(data)
+          cipher.encrypt
+          cipher.key = @key
+          cipher.padding = 0
+          cipher.update(data) + cipher.final
+        end
+
+        def decrypt_round(data)
+          cipher.decrypt
+          cipher.key = @key
+          cipher.padding = 0
+          cipher.update(data) + cipher.final
+        end
+
+        def xor(data, t)
+          t = ([0] * (data.length - 1)) + [t]
+          data = data.chars.map(&:ord)
+
+          data.zip(t).map { |a, b| (a ^ b).chr }.join
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/ecdh_es.rb

@@ -0,0 +1,45 @@
+# This implementation is protected by the attack described at:
+#   http://blogs.adobe.com/security/2017/03/critical-vulnerability-uncovered-in-json-encryption.html
+#
+# The Ruby wrapper around OpenSSL raises an OpenSSL::PKey::EC::Point error if an attempt is made to
+# initialize a public key with coordinates that do not reside on the wanted curve.
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      class EcdhEs
+        def initialize(ephemeral_key, enc_algorithm, apu, apv)
+          @ephemeral_key = ephemeral_key
+          @key_length = enc_algorithm.key_length * 8
+
+          algorithm_id = length_encode(enc_algorithm.enc_name)
+          apu = length_encode(apu)
+          apv = length_encode(apv)
+          supp_pub_info = [@key_length].pack('N')
+          supp_priv_info = ''
+
+          @info = algorithm_id + apu + apv + supp_pub_info + supp_priv_info
+        end
+
+        # This is technically not an encryption, but to keep the same interface
+        # with other classes, let's name it this way.
+        def encrypt(public_key)
+          z = @ephemeral_key.dh_compute_key(public_key)
+
+          concat_kdf = Support::ConcatKDF.new(Digest::SHA256.new)
+          concat_kdf.run(z, @info, @key_length)
+        end
+
+        def decrypt(public_key)
+          encrypt(public_key)
+        end
+
+        private
+
+        def length_encode(s)
+          [s.length].pack('N') + s
+        end
+      end
+    end
+  end
+end

data/lib/jwa/algorithms/key_management/ecdh_es_a128_kw.rb

@@ -0,0 +1,25 @@
+require 'jwa/algorithms/key_management/ecdh_es_kw'
+
+module JWA
+  module Algorithms
+    module KeyManagement
+      class EcdhEsA128Kw
+        include EcdhEsKw
+
+        class << self
+          def alg_name
+            'ECDH-ES+A128KW'
+          end
+
+          def shared_key_length
+            16
+          end
+
+          def kw_class
+            A128Kw
+          end
+        end
+      end
+    end
+  end
+end