Onek8/LNXCORE
1
0
Fork 0
Code Pull Requests Activity

Update Files

Browse Source
This commit is contained in:
Onek8
2025-01-22 17:22:38 +01:00
parent 89b9349629
commit 4c5e729485
5132 changed files with 1195369 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

271
Kinc/Sources/kinc/libs/jose/jwe/enc/aescbc.c Executable file
View File

@ -0,0 +1,271 @@
/*
* libwebsockets - small server side websockets and web server implementation
*
* Copyright (C) 2010 - 2020 Andy Green <andy@warmcat.com>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to
* deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
* sell copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
* IN THE SOFTWARE.
*/
#include "private-lib-core.h"
#include "private-lib-jose-jwe.h"
int
lws_jwe_encrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *cek,
uint8_t *aad, int aad_len)
{
int n, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
uint8_t digest[LWS_GENHASH_LARGEST];
struct lws_gencrypto_keyelem el;
struct lws_genhmac_ctx hmacctx;
struct lws_genaes_ctx aesctx;
size_t paddedlen;
uint8_t al[8];
/* Caller must have prepared space for the results */
if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
hlen / 2, (int)jwe->jws.map.len[LJWE_ATAG]);
return -1;
}
if (jwe->jws.map.len[LJWE_IV] != 16) {
lwsl_notice("expected iv len %d, got %d\n", 16,
(int)jwe->jws.map.len[LJWE_IV]);
return -1;
}
/* first create the authentication hmac */
/* JWA Section 5.2.2.1
*
* 1. The secondary keys MAC_KEY and ENC_KEY are generated from the
* input key K as follows. Each of these two keys is an octet
* string.
*
* MAC_KEY consists of the initial MAC_KEY_LEN octets of K, in
* order.
* ENC_KEY consists of the final ENC_KEY_LEN octets of K, in
* order.
*/
/*
* 2. The IV used is a 128-bit value generated randomly or
* pseudorandomly for use in the cipher.
*/
lws_get_random(jwe->jws.context, (void *)jwe->jws.map.buf[LJWE_IV], 16);
/*
* 3. The plaintext is CBC encrypted using PKCS #7 padding using
* ENC_KEY as the key and the IV. We denote the ciphertext output
* from this step as E.
*/
/* second half is the AES ENC_KEY */
el.buf = cek + (hlen / 2);
el.len = (uint32_t)(hlen / 2);
if (lws_genaes_create(&aesctx, LWS_GAESO_ENC, LWS_GAESM_CBC, &el,
LWS_GAESP_WITH_PADDING, NULL)) {
lwsl_err("%s: lws_genaes_create failed\n", __func__);
return -1;
}
/*
* the plaintext gets delivered to us in LJWE_CTXT, this replaces the
* plaintext there with the ciphertext, which will be larger by some
* padding bytes
*/
n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_IV],
NULL, NULL, LWS_AES_CBC_BLOCKLEN);
paddedlen = lws_gencrypto_padded_length(LWS_AES_CBC_BLOCKLEN,
jwe->jws.map.len[LJWE_CTXT]);
jwe->jws.map.len[LJWE_CTXT] = (uint32_t)paddedlen;
lws_genaes_destroy(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT] +
paddedlen - LWS_AES_CBC_BLOCKLEN, LWS_AES_CBC_BLOCKLEN);
if (n) {
lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
return -1;
}
/*
* 4. The octet string AL is equal to the number of bits in the
* Additional Authenticated Data A expressed as a 64-bit unsigned
* big-endian integer.
*/
lws_jwe_be64((unsigned int)aad_len * 8, al);
/* first half of the CEK is the MAC key */
if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type,
cek, (unsigned int)hlen / 2))
return -1;
/*
* 5. A message Authentication Tag T is computed by applying HMAC
* [RFC2104] to the following data, in order:
*
* - the Additional Authenticated Data A,
* - the Initialization Vector IV,
* - the ciphertext E computed in the previous step, and
* - the octet string AL defined above.
*
* The string MAC_KEY is used as the MAC key. We denote the output
* of the MAC computed in this step as M. The first T_LEN octets of
* M are used as T.
*/
if (lws_genhmac_update(&hmacctx, aad, (unsigned int)aad_len) ||
lws_genhmac_update(&hmacctx, jwe->jws.map.buf[LJWE_IV],
LWS_JWE_AES_IV_BYTES) ||
/* since we encrypted it, this is the ciphertext */
lws_genhmac_update(&hmacctx,
(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT]) ||
lws_genhmac_update(&hmacctx, al, 8)) {
lwsl_err("%s: hmac computation failed\n", __func__);
lws_genhmac_destroy(&hmacctx, NULL);
return -1;
}
if (lws_genhmac_destroy(&hmacctx, digest)) {
lwsl_err("%s: problem destroying hmac\n", __func__);
return -1;
}
/* create tag */
memcpy((void *)jwe->jws.map.buf[LJWE_ATAG], digest, (unsigned int)hlen / 2);
return (int)jwe->jws.map.len[LJWE_CTXT];
}
int
lws_jwe_auth_and_decrypt_cbc_hs(struct lws_jwe *jwe, uint8_t *enc_cek,
uint8_t *aad, int aad_len)
{
int n, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type);
uint8_t digest[LWS_GENHASH_LARGEST];
struct lws_gencrypto_keyelem el;
struct lws_genhmac_ctx hmacctx;
struct lws_genaes_ctx aesctx;
uint8_t al[8];
/* Some sanity checks on what came in */
if (jwe->jws.map.len[LJWE_ATAG] != (unsigned int)hlen / 2) {
lwsl_notice("%s: expected tag len %d, got %d\n", __func__,
hlen / 2, (int)jwe->jws.map.len[LJWE_ATAG]);
return -1;
}
if (jwe->jws.map.len[LJWE_IV] != 16) {
lwsl_notice("expected iv len %d, got %d\n", 16,
(int)jwe->jws.map.len[LJWE_IV]);
return -1;
}
/* Prepare to check authentication
*
* AAD is the b64 JOSE header.
*
* The octet string AL, which is the number of bits in AAD expressed as
* a big-endian 64-bit unsigned integer is:
*
* [0, 0, 0, 0, 0, 0, 1, 152]
*
* Concatenate the AAD, the Initialization Vector, the ciphertext, and
* the AL value.
*
*/
lws_jwe_be64((unsigned int)aad_len * 8, al);
/* first half of enc_cek is the MAC key */
if (lws_genhmac_init(&hmacctx, jwe->jose.enc_alg->hmac_type, enc_cek,
(unsigned int)hlen / 2)) {
lwsl_err("%s: lws_genhmac_init fail\n", __func__);
return -1;
}
if (lws_genhmac_update(&hmacctx, aad, (unsigned int)aad_len) ||
lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_IV],
jwe->jws.map.len[LJWE_IV]) ||
lws_genhmac_update(&hmacctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT]) ||
lws_genhmac_update(&hmacctx, al, 8)) {
lwsl_err("%s: hmac computation failed\n", __func__);
lws_genhmac_destroy(&hmacctx, NULL);
return -1;
}
if (lws_genhmac_destroy(&hmacctx, digest)) {
lwsl_err("%s: problem destroying hmac\n", __func__);
return -1;
}
/* first half of digest is the auth tag */
if (lws_timingsafe_bcmp(digest, jwe->jws.map.buf[LJWE_ATAG], (unsigned int)hlen / 2)) {
lwsl_err("%s: auth failed: hmac tag (%d) != ATAG (%d)\n",
__func__, hlen / 2, (int)jwe->jws.map.len[LJWE_ATAG]);
lwsl_hexdump_notice(jwe->jws.map.buf[LJWE_ATAG], (unsigned int)hlen / 2);
lwsl_hexdump_notice(digest, (unsigned int)hlen / 2);
return -1;
}
/* second half of enc cek is the CEK KEY */
el.buf = enc_cek + (hlen / 2);
el.len = (unsigned int)hlen / 2;
if (lws_genaes_create(&aesctx, LWS_GAESO_DEC, LWS_GAESM_CBC,
&el, LWS_GAESP_NO_PADDING, NULL)) {
lwsl_err("%s: lws_genaes_create failed\n", __func__);
return -1;
}
n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_IV], NULL, NULL, 16);
/* Strip the PKCS #7 padding */
if (jwe->jws.map.len[LJWE_CTXT] < LWS_AES_CBC_BLOCKLEN ||
jwe->jws.map.len[LJWE_CTXT] <= (unsigned char)jwe->jws.map.buf[LJWE_CTXT]
[jwe->jws.map.len[LJWE_CTXT] - 1]) {
lwsl_err("%s: invalid padded ciphertext length: %d. Corrupt data?\n",
__func__, (int)jwe->jws.map.len[LJWE_CTXT]);
return -1;
}
jwe->jws.map.len[LJWE_CTXT] = (uint32_t)((int)jwe->jws.map.len[LJWE_CTXT] -
jwe->jws.map.buf[LJWE_CTXT][jwe->jws.map.len[LJWE_CTXT] - 1]);
n |= lws_genaes_destroy(&aesctx, NULL, 0);
if (n) {
lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
return -1;
}
return (int)jwe->jws.map.len[LJWE_CTXT];
}

173
Kinc/Sources/kinc/libs/jose/jwe/enc/aesgcm.c Normal file
View File

@ -0,0 +1,173 @@
/*
* libwebsockets - small server side websockets and web server implementation
*
* Copyright (C) 2010 - 2020 Andy Green <andy@warmcat.com>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to
* deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
* sell copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
* IN THE SOFTWARE.
*/
#include "private-lib-core.h"
#include "private-lib-jose-jwe.h"
/*
* NOTICE this is AESGCM content encryption, it's not AES GCM key wrapping
*
*
* This section defines the specifics of performing authenticated
* encryption with AES in Galois/Counter Mode (GCM) ([AES] and
* [NIST.800-38D]).
*
* The CEK is used as the encryption key.
*
* Use of an IV of size 96 bits is REQUIRED with this algorithm.
*
* The requested size of the Authentication Tag output MUST be 128 bits,
* regardless of the key size.
*
* For decrypt: decrypt the KEK, then decrypt the payload
*
* For encrypt: encrypt the payload, then encrypt the KEK
*/
/*
* encrypting... enc_cek is unencrypted
*/
int
lws_jwe_encrypt_gcm(struct lws_jwe *jwe,
uint8_t *enc_cek, uint8_t *aad, int aad_len)
{
struct lws_gencrypto_keyelem el;
struct lws_genaes_ctx aesctx;
size_t ivs = LWS_AESGCM_IV;
int n;
/* Some sanity checks on what came in */
/* MUST be 128-bit for all sizes */
if (jwe->jws.map.len[LJWE_ATAG] != LWS_AESGCM_TAG) {
lwsl_notice("%s: AESGCM tag size must be 128b, got %d\n",
__func__, (int)jwe->jws.map.len[LJWE_ATAG]);
return -1;
}
if (jwe->jws.map.len[LJWE_IV] != LWS_AESGCM_IV) { /* MUST be 96-bit */
lwsl_notice("%s: AESGCM IV must be 128b, got %d\n", __func__,
(int)jwe->jws.map.len[LJWE_IV]);
return -1;
}
/* EKEY is directly the CEK KEY */
el.buf = enc_cek;
el.len = jwe->jose.enc_alg->keybits_fixed / 8;
if (lws_genaes_create(&aesctx, LWS_GAESO_ENC, LWS_GAESM_GCM,
&el, LWS_GAESP_NO_PADDING, NULL)) {
lwsl_err("%s: lws_genaes_create failed\n", __func__);
return -1;
}
/* aad */
n = lws_genaes_crypt(&aesctx, aad, (unsigned int)aad_len, NULL,
(uint8_t *)jwe->jws.map.buf[LJWE_IV],
(uint8_t *)jwe->jws.map.buf[LJWE_ATAG], &ivs,
LWS_AESGCM_TAG);
if (n) {
lwsl_err("%s: lws_genaes_crypt aad failed\n", __func__);
return -1;
}
/* payload */
n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_IV],
NULL, &ivs,
LWS_AESGCM_TAG);
n |= lws_genaes_destroy(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_ATAG],
LWS_AESGCM_TAG);
if (n) {
lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
return -1;
}
return (int)jwe->jws.map.len[LJWE_CTXT];
}
int
lws_jwe_auth_and_decrypt_gcm(struct lws_jwe *jwe,
uint8_t *enc_cek, uint8_t *aad, int aad_len)
{
struct lws_gencrypto_keyelem el;
struct lws_genaes_ctx aesctx;
size_t ivs = LWS_AESGCM_IV;
uint8_t tag[LWS_AESGCM_TAG];
int n;
/* Some sanity checks on what came in */
/* Tag MUST be 128-bit for all sizes */
if (jwe->jws.map.len[LJWE_ATAG] != LWS_AESGCM_TAG) {
lwsl_notice("%s: AESGCM tag size must be 128b, got %d\n",
__func__, (int)jwe->jws.map.len[LJWE_ATAG]);
return -1;
}
if (jwe->jws.map.len[LJWE_IV] != LWS_AESGCM_IV) { /* MUST be 96-bit */
lwsl_notice("%s: AESGCM IV must be 128b, got %d\n", __func__,
(int)jwe->jws.map.len[LJWE_IV]);
return -1;
}
/* EKEY is directly the CEK KEY */
el.buf = enc_cek;
el.len = jwe->jose.enc_alg->keybits_fixed / 8;
if (lws_genaes_create(&aesctx, LWS_GAESO_DEC, LWS_GAESM_GCM,
&el, LWS_GAESP_NO_PADDING, NULL)) {
lwsl_err("%s: lws_genaes_create failed\n", __func__);
return -1;
}
n = lws_genaes_crypt(&aesctx, aad, (unsigned int)aad_len,
NULL,
(uint8_t *)jwe->jws.map.buf[LJWE_IV],
(uint8_t *)jwe->jws.map.buf[LJWE_ATAG], &ivs, 16);
if (n) {
lwsl_err("%s: lws_genaes_crypt aad failed\n", __func__);
return -1;
}
n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
jwe->jws.map.len[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_CTXT],
(uint8_t *)jwe->jws.map.buf[LJWE_IV],
(uint8_t *)jwe->jws.map.buf[LJWE_ATAG], &ivs, 16);
n |= lws_genaes_destroy(&aesctx, tag, sizeof(tag));
if (n) {
lwsl_err("%s: lws_genaes_crypt failed\n", __func__);
return -1;
}
return (int)jwe->jws.map.len[LJWE_CTXT];
}

177
Kinc/Sources/kinc/libs/jose/jwe/enc/aeskw.c Normal file
View File

@ -0,0 +1,177 @@
/*
* libwebsockets - small server side websockets and web server implementation
*
* Copyright (C) 2010 - 2020 Andy Green <andy@warmcat.com>
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to
* deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
* sell copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in
* all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
* IN THE SOFTWARE.
*/
#include "private-lib-core.h"
#include "private-lib-jose-jwe.h"
/*
* RFC3394 Key Wrap uses a 128-bit key, and bloats what it is wrapping by
* one 8-byte block. So, if you had a 32 byte plaintext CEK to wrap, after
* wrapping it becomes a 40 byte wrapped, enciphered, key.
*
* The CEK comes in from and goes out in LJWE_EKEY. So LJWE_EKEY length
* increases by 8 from calling this.
*/
int
lws_jwe_encrypt_aeskw_cbc_hs(struct lws_jwe *jwe, char *temp, int *temp_len)
{
struct lws_genaes_ctx aesctx;
/* we are wrapping a key, so size for the worst case after wrap */
uint8_t enc_cek[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES +
LWS_JWE_RFC3394_OVERHEAD_BYTES];
int n, m, hlen = (int)lws_genhmac_size(jwe->jose.enc_alg->hmac_type),
ot = *temp_len;
if (jwe->jws.jwk->kty != LWS_GENCRYPTO_KTY_OCT) {
lwsl_err("%s: unexpected kty %d\n", __func__, jwe->jws.jwk->kty);
return -1;
}
/* create a b64 version of the JOSE header, needed for hashing */
if (lws_jws_encode_b64_element(&jwe->jws.map_b64, LJWE_JOSE,
temp, temp_len,
jwe->jws.map.buf[LJWE_JOSE],
jwe->jws.map.len[LJWE_JOSE]))
return -1;
/* Allocate temp space for ATAG and IV */
if (lws_jws_alloc_element(&jwe->jws.map, LJWE_ATAG, temp + (ot - *temp_len),
temp_len, (unsigned int)hlen / 2, 0))
return -1;
if (lws_jws_alloc_element(&jwe->jws.map, LJWE_IV, temp + (ot - *temp_len),
temp_len, LWS_JWE_AES_IV_BYTES, 0))
return -1;
/* 1) Encrypt the payload... */
/* the CEK is 256-bit in the example encrypted with a 128-bit key */
n = lws_jwe_encrypt_cbc_hs(jwe, (uint8_t *)jwe->jws.map.buf[LJWE_EKEY],
(uint8_t *)jwe->jws.map_b64.buf[LJWE_JOSE],
(int)jwe->jws.map_b64.len[LJWE_JOSE]);
if (n < 0) {
lwsl_err("%s: lws_jwe_encrypt_cbc_hs failed\n", __func__);
return -1;
}
/* 2) Encrypt the JWE Encrypted Key: RFC3394 Key Wrap uses 64 bit blocks
* and 128-bit input key*/
if (lws_genaes_create(&aesctx, LWS_GAESO_ENC, LWS_GAESM_KW,
jwe->jws.jwk->e, 1, NULL)) {
lwsl_notice("%s: lws_genaes_create\n", __func__);
return -1;
}
/* tag size is determined by enc cipher key length */
n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_EKEY],
jwe->jws.map.len[LJWE_EKEY], enc_cek, NULL, NULL, NULL,
lws_gencrypto_bits_to_bytes(
jwe->jose.enc_alg->keybits_fixed));
m = lws_genaes_destroy(&aesctx, NULL, 0);
if (n < 0) {
lwsl_err("%s: encrypt cek fail\n", __func__);
return -1;
}
if (m < 0) {
lwsl_err("%s: lws_genaes_destroy fail\n", __func__);
return -1;
}
jwe->jws.map.len[LJWE_EKEY] += LWS_JWE_RFC3394_OVERHEAD_BYTES;
memcpy((uint8_t *)jwe->jws.map.buf[LJWE_EKEY], enc_cek,
jwe->jws.map.len[LJWE_EKEY]);
return (int)jwe->jws.map.len[LJWE_CTXT];
}
int
lws_jwe_auth_and_decrypt_aeskw_cbc_hs(struct lws_jwe *jwe)
{
struct lws_genaes_ctx aesctx;
uint8_t enc_cek[LWS_JWE_LIMIT_KEY_ELEMENT_BYTES +
LWS_JWE_RFC3394_OVERHEAD_BYTES];
int n, m;
if (jwe->jws.jwk->kty != LWS_GENCRYPTO_KTY_OCT) {
lwsl_err("%s: unexpected kty %d\n", __func__, jwe->jws.jwk->kty);
return -1;
}
/* the CEK is 256-bit in the example encrypted with a 128-bit key */
if (jwe->jws.map.len[LJWE_EKEY] > sizeof(enc_cek))
return -1;
/* 1) Decrypt the JWE Encrypted Key to get the raw MAC / CEK */
if (lws_genaes_create(&aesctx, LWS_GAESO_DEC, LWS_GAESM_KW,
jwe->jws.jwk->e, 1, NULL)) {
lwsl_notice("%s: lws_genaes_create\n", __func__);
return -1;
}
/*
* Decrypt the CEK into enc_cek
* tag size is determined by enc cipher key length */
n = lws_genaes_crypt(&aesctx, (uint8_t *)jwe->jws.map.buf[LJWE_EKEY],
jwe->jws.map.len[LJWE_EKEY], enc_cek, NULL, NULL, NULL,
lws_gencrypto_bits_to_bytes(
jwe->jose.enc_alg->keybits_fixed));
m = lws_genaes_destroy(&aesctx, NULL, 0);
if (n < 0) {
lwsl_err("%s: decrypt CEK fail\n", __func__);
return -1;
}
if (m < 0) {
lwsl_err("%s: lws_genaes_destroy fail\n", __func__);
return -1;
}
/* 2) Decrypt the payload */
n = lws_jwe_auth_and_decrypt_cbc_hs(jwe, enc_cek,
(uint8_t *)jwe->jws.map_b64.buf[LJWE_JOSE],
(int)jwe->jws.map_b64.len[LJWE_JOSE]);
if (n < 0) {
lwsl_err("%s: lws_jwe_auth_and_decrypt_cbc_hs failed\n",
__func__);
return -1;
}
return (int)jwe->jws.map.len[LJWE_CTXT];
}