diff --git a/CMakeLists.txt b/CMakeLists.txt index a5680fdf..a9497b0d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -126,6 +126,8 @@ option(LWS_AVOID_SIGPIPE_IGN "Android 7+ seems to need this" OFF) option(LWS_WITH_STATS "Keep statistics of lws internal operations" OFF) option(LWS_WITH_SOCKS5 "Allow use of SOCKS5 proxy on client connections" OFF) option(LWS_WITH_PEER_LIMITS "Track peers and restrict resources a single peer can allocate" OFF) +option(LWS_WITH_JWS "JSON Web Signature (RFC7515) API" OFF) +option(LWS_WITH_SELFTESTS "Selftests run at context creation" OFF) macro(confirm_command CMD NOCMD) find_program (HAVE_CMD_${CMD} ${CMD} ) @@ -146,6 +148,10 @@ if (LWS_WITH_LWSWS) set(LWS_WITH_PEER_LIMITS 1) endif() +if (LWS_WITH_JWS) + set(LWS_WITH_LEJP 1) +endif() + if (LWS_WITH_PLUGINS AND NOT LWS_WITH_LIBUV) message(STATUS "LWS_WITH_PLUGINS --> Enabling LWS_WITH_LIBUV") set(LWS_WITH_LIBUV 1) @@ -837,6 +843,12 @@ if (LWS_WITH_ZIP_FOPS) endif() endif() +if (LWS_WITH_JWS) + list(APPEND SOURCES + lib/jws/jwk.c + lib/jws/jws.c) +endif() + # Add helper files for Windows. if (WIN32) set(WIN32_HELPERS_PATH win32port/win32helpers) diff --git a/cmake/lws_config.h.in b/cmake/lws_config.h.in index 2c429e0b..ed17dfd2 100644 --- a/cmake/lws_config.h.in +++ b/cmake/lws_config.h.in @@ -145,6 +145,9 @@ #cmakedefine LWS_HAVE__ATOI64 #cmakedefine LWS_HAVE__STAT32I64 +#cmakedefine LWS_WITH_JWS +#cmakedefine LWS_WITH_SELFTESTS + /* OpenSSL various APIs */ #cmakedefine LWS_HAVE_TLS_CLIENT_METHOD diff --git a/lib/context.c b/lib/context.c index f67476b1..d68f3f42 100644 --- a/lib/context.c +++ b/lib/context.c @@ -1177,6 +1177,10 @@ lws_create_context(struct lws_context_creation_info *info) LWS_EXT_CB_CLIENT_CONTEXT_CONSTRUCT, NULL, 0) < 0) goto bail; +#if defined(LWS_WITH_SELFTESTS) + lws_jws_selftest(); +#endif + return context; bail: diff --git a/lib/jws/jwk.c b/lib/jws/jwk.c new file mode 100644 index 00000000..fe27079f --- /dev/null +++ b/lib/jws/jwk.c @@ -0,0 +1,288 @@ +/* + * libwebsockets - JSON Web Key support + * + * Copyright (C) 2017 Andy Green + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation: + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02110-1301 USA + */ + +#include "private-libwebsockets.h" + +#include +#include + +static const char * const jwk_tok[] = { + "e", "n", "d", "p", "q", "dp", "dq", "qi", "kty", "k", +}; + +static int +_lws_jwk_set_element(struct lws_genrsa_element *e, char *in, int len) +{ + int dec_size = ((len * 3) / 4) + 4, n; + + e->buf = lws_malloc(dec_size, "jwk"); + if (!e->buf) + return -1; + + n = lws_b64_decode_string_len(in, len, (char *)e->buf, dec_size - 1); + if (n < 0) + return -1; + e->len = n; + + return 0; +} + +struct cb_lws_jwk { + struct lws_jwk *s; + char *b64; + int b64max; + int pos; +}; + +static signed char +cb_jwk(struct lejp_ctx *ctx, char reason) +{ + struct cb_lws_jwk *cbs = (struct cb_lws_jwk *)ctx->user; + struct lws_jwk *s = cbs->s; + int idx; + + if (reason == LEJPCB_VAL_STR_START) + cbs->pos = 0; + + if (!(reason & LEJP_FLAG_CB_IS_VALUE) || !ctx->path_match) + return 0; + + switch (ctx->path_match - 1) { + case JWK_KTY: + strncpy(s->keytype, ctx->buf, sizeof(s->keytype) - 1); + s->keytype[sizeof(s->keytype) - 1] = '\0'; + if (!strcmp(ctx->buf, "oct")) { + break; + } + if (!strcmp(ctx->buf, "RSA")) { + break; + } + return -1; + + case JWK_KEY: + if (strcmp(s->keytype, "oct")) + return -1; + idx = JWK_KEY_E; + goto read_element1; + + case JWK_KEY_N: + case JWK_KEY_E: + case JWK_KEY_D: + case JWK_KEY_P: + case JWK_KEY_Q: + case JWK_KEY_DP: + case JWK_KEY_DQ: + case JWK_KEY_QI: + idx = ctx->path_match - 1; + goto read_element; + } + + return 0; + +read_element: + if (strcmp(s->keytype, "RSA")) + return -1; + +read_element1: + + if (cbs->pos + ctx->npos >= cbs->b64max) + return -1; + + memcpy(cbs->b64 + cbs->pos, ctx->buf, ctx->npos); + cbs->pos += ctx->npos; + + if (reason == LEJPCB_VAL_STR_CHUNK) + return 0; + + if (_lws_jwk_set_element(&s->el.e[idx], cbs->b64, cbs->pos) < 0) { + lws_jwk_destroy_genrsa_elements(&s->el); + + return -1; + } + + return 0; +} + +LWS_VISIBLE int +lws_jwk_import(struct lws_jwk *s, const char *in, size_t len) +{ + struct lejp_ctx jctx; + struct cb_lws_jwk cbs; + const int b64max = (((8192 / 8) * 4) / 3) + 1; /* enough for 8K key */ + char b64[b64max]; + int m; + + memset(s, 0, sizeof(*s)); + cbs.s = s; + cbs.b64 = b64; + cbs.b64max = b64max; + cbs.pos = 0; + lejp_construct(&jctx, cb_jwk, &cbs, jwk_tok, ARRAY_SIZE(jwk_tok)); + m = (int)(signed char)lejp_parse(&jctx, (uint8_t *)in, len); + lejp_destruct(&jctx); + + if (m < 0) { + lwsl_notice("%s: parse got %d\n", __func__, m); + + return -1; + } + + return 0; +} + +LWS_VISIBLE void +lws_jwk_destroy(struct lws_jwk *s) +{ + lws_jwk_destroy_genrsa_elements(&s->el); +} + +LWS_VISIBLE int +lws_jwk_export(struct lws_jwk *s, int private, char *p, size_t len) +{ + char *start = p, *end = &p[len - 1]; + int n, m, limit = LWS_COUNT_RSA_ELEMENTS; + + p += lws_snprintf(p, end - p, "{\"kty\":\"%s\",", s->keytype); + + if (!strcmp(s->keytype, "oct")) { + if (!s->el.e[JWK_KEY_E].buf) + return -1; + + p += lws_snprintf(p, end - p, "\"k\":\""); + n = lws_jws_base64_enc((const char *)s->el.e[JWK_KEY_E].buf, + s->el.e[JWK_KEY_E].len, p, + end - p - 4); + if (n < 0) { + lwsl_notice("%s: enc failed\n", __func__); + return -1; + } + p += n; + + p += lws_snprintf(p, end - p, "\"}"); + + return p - start; + } + + if (!strcmp(s->keytype, "RSA")) { + if (!s->el.e[JWK_KEY_E].buf || + !s->el.e[JWK_KEY_N].buf || + (private && (!s->el.e[JWK_KEY_D].buf || + !s->el.e[JWK_KEY_P].buf || + !s->el.e[JWK_KEY_Q].buf)) + ) { + lwsl_notice("%s: not enough elements filled\n", __func__); + return -1; + } + + if (!private) + limit = JWK_KEY_N + 1; + + for (n = 0; n < limit; n++) { + if (!s->el.e[n].buf) + continue; + lwsl_info("%d: len %d\n", n, s->el.e[n].len); + + if (n) + p += lws_snprintf(p, end - p, ","); + p += lws_snprintf(p, end - p, "\"%s\":\"", jwk_tok[n]); + m = lws_jws_base64_enc((const char *)s->el.e[n].buf, + s->el.e[n].len, p, + end - p - 4); + if (m < 0) { + lwsl_notice("%s: enc2 failed inlen %d outlen %d\n", __func__, (int)s->el.e[n].len, (int)(end-p-4)); + return -1; + } + p += m; + *p++ = '\"'; + } + + p += lws_snprintf(p, end - p, "}"); + + return p - start; + } + + lwsl_err("%s: unknown key type %s\n", __func__, s->keytype); + + return -1; +} + +LWS_VISIBLE int +lws_jwk_load(struct lws_jwk *s, const char *filename) +{ + int buflen = 4096; + char *buf = lws_malloc(buflen, "jwk-load"); + int fd, n; + + if (!buf) + return -1; + + fd = open(filename, O_RDONLY); + if (fd == -1) + goto bail; + + n = read(fd, buf, buflen); + close(fd); + if (n < 0) + goto bail; + + n = lws_jwk_import(s, buf, n); + lws_free(buf); + + return n; +bail: + lws_free(buf); + + return -1; +} + +LWS_VISIBLE int +lws_jwk_save(struct lws_jwk *s, const char *filename) +{ + int buflen = 4096; + char *buf = lws_malloc(buflen, "jwk-save"); + int fd, n, m; + + if (!buf) + return -1; + + fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600); + if (fd == -1) + goto bail; + + n = lws_jwk_export(s, 1, buf, buflen); + if (n < 0) { + close(fd); + goto bail; + } + + m = write(fd, buf, n); + close(fd); + lws_free(buf); + if (m < 0 || m != n) + return -1; + + return 0; + +bail: + lws_free(buf); + + return -1; +} diff --git a/lib/jws/jws.c b/lib/jws/jws.c new file mode 100644 index 00000000..b14cf671 --- /dev/null +++ b/lib/jws/jws.c @@ -0,0 +1,643 @@ +/* + * libwebsockets - JSON Web Signature support + * + * Copyright (C) 2017 Andy Green + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation: + * version 2.1 of the License. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, + * MA 02110-1301 USA + */ + +#include "private-libwebsockets.h" + +/* + * JSON Web Signature is defined in RFC7515 + * + * https://tools.ietf.org/html/rfc7515 + * + * It's basically a way to wrap some JSON with a JSON "header" describing the + * crypto, and a signature, all in a BASE64 wrapper with elided terminating '='. + * + * The signature stays with the content, it serves a different purpose than eg + * a TLS tunnel to transfer it. + * + * RFC7518 (JSON Web Algorithms) says for the "alg" names + * + * | HS256 | HMAC using SHA-256 | Required | + * | HS384 | HMAC using SHA-384 | Optional | + * | HS512 | HMAC using SHA-512 | Optional | + * | RS256 | RSASSA-PKCS1-v1_5 using | Recommended | + * | RS384 | RSASSA-PKCS1-v1_5 using | Optional | + * | | SHA-384 | | + * | RS512 | RSASSA-PKCS1-v1_5 using | Optional | + * | | SHA-512 | | + * | ES256 | ECDSA using P-256 and SHA-256 | Recommended+ | + * | ES384 | ECDSA using P-384 and SHA-384 | Optional | + * | ES512 | ECDSA using P-521 and SHA-512 | Optional | + * + * Boulder (FOSS ACME provider) supports RS256, ES256, ES384 and ES512 + * currently. The "Recommended+" just means it is recommended but will likely + * be "very recommended" soon. + * + * We support HS256/384/512 for symmetric crypto, but the choice for the + * asymmetric crypto isn't as easy to make. + * + * Normally you'd choose the EC option but these are defined to use the + * "NIST curves" (RFC7518 3.4) which are believed to be insecure. + * + * https://safecurves.cr.yp.to/ + * + * For that reason we implement RS256/384/512 for asymmetric. + */ + +#if defined(LWS_WITH_SELFTESTS) +static const char + *test1 = "{\"typ\":\"JWT\",\r\n \"alg\":\"HS256\"}", + *test1_enc = "eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9", + *test2 = "{\"iss\":\"joe\",\r\n \"exp\":1300819380,\r\n" + " \"http://example.com/is_root\":true}", + *test2_enc = "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQ" + "ogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ", + *key_jwk = "{\"kty\":\"oct\",\r\n" + " \"k\":\"AyM1SysPpbyDfgZld3umj1qzKObwVMkoqQ-EstJQ" + "Lr_T-1qS0gZH75aKtMN3Yj0iPS4hcgUuTwjAzZr1Z9CAow\"}", + *hash_enc = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk", + /* the key from worked example in RFC7515 A-1, as a JWK */ + *rfc7515_rsa_key = + "{\"kty\":\"RSA\"," + " \"n\":\"ofgWCuLjybRlzo0tZWJjNiuSfb4p4fAkd_wWJcyQoTbji9k0l8W26mPddx" + "HmfHQp-Vaw-4qPCJrcS2mJPMEzP1Pt0Bm4d4QlL-yRT-SFd2lZS-pCgNMs" + "D1W_YpRPEwOWvG6b32690r2jZ47soMZo9wGzjb_7OMg0LOL-bSf63kpaSH" + "SXndS5z5rexMdbBYUsLA9e-KXBdQOS-UTo7WTBEMa2R2CapHg665xsmtdV" + "MTBQY4uDZlxvb3qCo5ZwKh9kG4LT6_I5IhlJH7aGhyxXFvUK-DWNmoudF8" + "NAco9_h9iaGNj8q2ethFkMLs91kzk2PAcDTW9gb54h4FRWyuXpoQ\"," + "\"e\":\"AQAB\"," + "\"d\":\"Eq5xpGnNCivDflJsRQBXHx1hdR1k6Ulwe2JZD50LpXyWPEAeP88vLNO97I" + "jlA7_GQ5sLKMgvfTeXZx9SE-7YwVol2NXOoAJe46sui395IW_GO-pWJ1O0" + "BkTGoVEn2bKVRUCgu-GjBVaYLU6f3l9kJfFNS3E0QbVdxzubSu3Mkqzjkn" + "439X0M_V51gfpRLI9JYanrC4D4qAdGcopV_0ZHHzQlBjudU2QvXt4ehNYT" + "CBr6XCLQUShb1juUO1ZdiYoFaFQT5Tw8bGUl_x_jTj3ccPDVZFD9pIuhLh" + "BOneufuBiB4cS98l2SR_RQyGWSeWjnczT0QU91p1DhOVRuOopznQ\"," + "\"p\":\"4BzEEOtIpmVdVEZNCqS7baC4crd0pqnRH_5IB3jw3bcxGn6QLvnEtfdUdi" + "YrqBdss1l58BQ3KhooKeQTa9AB0Hw_Py5PJdTJNPY8cQn7ouZ2KKDcmnPG" + "BY5t7yLc1QlQ5xHdwW1VhvKn-nXqhJTBgIPgtldC-KDV5z-y2XDwGUc\"," + "\"q\":\"uQPEfgmVtjL0Uyyx88GZFF1fOunH3-7cepKmtH4pxhtCoHqpWmT8YAmZxa" + "ewHgHAjLYsp1ZSe7zFYHj7C6ul7TjeLQeZD_YwD66t62wDmpe_HlB-TnBA" + "-njbglfIsRLtXlnDzQkv5dTltRJ11BKBBypeeF6689rjcJIDEz9RWdc\"," + "\"dp\":\"BwKfV3Akq5_MFZDFZCnW-wzl-CCo83WoZvnLQwCTeDv8uzluRSnm71I3Q" + "CLdhrqE2e9YkxvuxdBfpT_PI7Yz-FOKnu1R6HsJeDCjn12Sk3vmAktV2zb" + "34MCdy7cpdTh_YVr7tss2u6vneTwrA86rZtu5Mbr1C1XsmvkxHQAdYo0\"," + "\"dq\":\"h_96-mK1R_7glhsum81dZxjTnYynPbZpHziZjeeHcXYsXaaMwkOlODsWa" + "7I9xXDoRwbKgB719rrmI2oKr6N3Do9U0ajaHF-NKJnwgjMd2w9cjz3_-ky" + "NlxAr2v4IKhGNpmM5iIgOS1VZnOZ68m6_pbLBSp3nssTdlqvd0tIiTHU\"," + "\"qi\":\"IYd7DHOhrWvxkwPQsRM2tOgrjbcrfvtQJipd-DlcxyVuuM9sQLdgjVk2o" + "y26F0EmpScGLq2MowX7fhd_QJQ3ydy5cY7YIBi87w93IKLEdfnbJtoOPLU" + "W0ITrJReOgo1cq9SbsxYawBgfp_gh6A5603k2-ZQwVK0JKSHuLFkuQ3U\"" + "}", + *rfc7515_rsa_a1 = /* the signed worked example in RFC7515 A-1 */ + "eyJhbGciOiJSUzI1NiJ9" + ".eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFt" + "cGxlLmNvbS9pc19yb290Ijp0cnVlfQ" + ".cC4hiUPoj9Eetdgtv3hF80EGrhuB__dzERat0XF9g2VtQgr9PJbu3XOiZj5RZmh7" + "AAuHIm4Bh-0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4" + "BAynRFdiuB--f_nZLgrnbyTyWzO75vRK5h6xBArLIARNPvkSjtQBMHlb1L07Qe7K" + "0GarZRmB_eSN9383LcOLn6_dO--xi12jzDwusC-eOkHWEsqtFZESc6BfI7noOPqv" + "hJ1phCnvWh6IeYI2w9QOYEUipUTI8np6LbgGY9Fs98rqVt5AXLIhWkWywlVmtVrB" + "p0igcN_IoypGlUPQGe77Rw"; +#endif + +LWS_VISIBLE int +lws_jws_base64_enc(const char *in, size_t in_len, char *out, size_t out_max) +{ + int n; + + n = lws_b64_encode_string_url(in, in_len, out, out_max - 1); + if (n < 0) + return n; /* too large for output buffer */ + + /* trim the terminal = */ + while (n && out[n - 1] == '=') + n--; + + out[n] = '\0'; + + return n; +} + +LWS_VISIBLE int +lws_jws_encode_section(const char *in, size_t in_len, int first, char **p, + char *end) +{ + int n, len = (end - *p) - 1; + char *p_entry = *p; + + if (len < 3) + return -1; + + if (!first) + *(*p)++ = '.'; + + n = lws_jws_base64_enc(in, in_len, *p, len - 1); + if (n < 0) + return -1; + + *p += n; + + return (*p) - p_entry; +} + +static int +lws_jws_find_sig(const char *in, size_t len) +{ + const char *p = in + len - 1; + + while (len--) + if (*p == '.') + return (p + 1) - in; + else + p--; + + lwsl_notice("%s failed\n", __func__); + return -1; +} + + +static const char * const jhdr_tok[] = { + "typ", + "alg", +}; +enum enum_jhdr_tok { + JHP_TYP, + JHP_ALG +}; +struct cb_hdr_s { + enum lws_genhash_types hash_type; + enum lws_genhmac_types hmac_type; + char alg[10]; + int is_rsa:1; +}; + +static signed char +cb_hdr(struct lejp_ctx *ctx, char reason) +{ + struct cb_hdr_s *s = (struct cb_hdr_s *)ctx->user; + + if (!(reason & LEJP_FLAG_CB_IS_VALUE) || !ctx->path_match) + return 0; + + switch (ctx->path_match - 1) { + case JHP_TYP: /* it is optional */ + if (strcmp(ctx->buf, "JWT")) + return -1; + break; + case JHP_ALG: + strncpy(s->alg, ctx->buf, sizeof(s->alg) - 1); + s->alg[sizeof(s->alg) - 1] = '\0'; + if (!strcmp(ctx->buf, "HS256")) { + s->hmac_type = LWS_GENHMAC_TYPE_SHA256; + break; + } + if (!strcmp(ctx->buf, "HS384")) { + s->hmac_type = LWS_GENHMAC_TYPE_SHA384; + break; + } + if (!strcmp(ctx->buf, "HS512")) { + s->hmac_type = LWS_GENHMAC_TYPE_SHA512; + break; + } + if (!strcmp(ctx->buf, "RS256")) { + s->hash_type = LWS_GENHASH_TYPE_SHA256; + s->is_rsa = 1; + break; + } + if (!strcmp(ctx->buf, "RS384")) { + s->hash_type = LWS_GENHASH_TYPE_SHA384; + s->is_rsa = 1; + break; + } + if (!strcmp(ctx->buf, "RS512")) { + s->hash_type = LWS_GENHASH_TYPE_SHA512; + s->is_rsa = 1; + break; + } + return -1; + } + + return 0; +} + +LWS_VISIBLE int +lws_jws_confirm_sig(const char *in, size_t len, struct lws_jwk *jwk) +{ + int sig_pos = lws_jws_find_sig(in, len), pos = 0, n, m, h_len; + uint8_t digest[LWS_GENHASH_LARGEST]; + struct lws_genhash_ctx hash_ctx; + struct lws_genrsa_ctx rsactx; + struct lws_genhmac_ctx ctx; + struct cb_hdr_s args; + struct lejp_ctx jctx; + char buf[2048]; + + /* 1) there has to be a signature */ + + if (sig_pos < 0) + return -1; + + /* 2) find length of first, hdr, block */ + + while (in[pos] != '.' && pos < (int)len) + pos++; + if (pos == (int)len) + return -1; + + /* 3) Decode the header block */ + + n = lws_b64_decode_string_len(in, pos, buf, sizeof(buf) - 1); + if (n < 0) + return -1; + + /* 4) Require either: + * typ: JWT (if present) and alg: HS256/384/512 + * typ: JWT (if present) and alg: RS256/384/512 + */ + + args.alg[0] = '\0'; + args.is_rsa = 0; + lejp_construct(&jctx, cb_hdr, &args, jhdr_tok, ARRAY_SIZE(jhdr_tok)); + m = (int)(signed char)lejp_parse(&jctx, (uint8_t *)buf, n); + lejp_destruct(&jctx); + if (m < 0) { + lwsl_notice("parse got %d: alg %s\n", m, args.alg); + return -1; + } + + /* 5) decode the B64URL signature part into buf / m */ + + m = lws_b64_decode_string_len(in + sig_pos, len - sig_pos, + buf, sizeof(buf) - 1); + + if (args.is_rsa) { + + /* RSASSA-PKCS1-v1_5 using SHA-256/384/512 */ + + /* 6(RSA): compute the hash of the payload into "digest" */ + + if (lws_genhash_init(&hash_ctx, args.hash_type)) + return -1; + + if (lws_genhash_update(&hash_ctx, (uint8_t *)in, sig_pos - 1)) { + lws_genhash_destroy(&hash_ctx, NULL); + + return -1; + } + if (lws_genhash_destroy(&hash_ctx, digest)) + return -1; + + h_len = lws_genhash_size(args.hash_type); + + if (lws_genrsa_create(&rsactx, &jwk->el)) { + lwsl_notice("%s: lws_genrsa_public_decrypt_create\n", + __func__); + return -1; + } + + n = lws_genrsa_public_verify(&rsactx, digest, args.hash_type, + (uint8_t *)buf, m); + + lws_genrsa_destroy(&rsactx); + if (n < 0) { + lwsl_notice("decrypt fail\n"); + return -1; + } + + return 0; + } + + /* SHA256/384/512 HMAC */ + + h_len = lws_genhmac_size(args.hmac_type); + if (m < 0 || m != h_len) + return -1; + + /* 6) compute HMAC over payload */ + + if (lws_genhmac_init(&ctx, args.hmac_type, jwk->el.e[JWK_KEY_E].buf, + jwk->el.e[JWK_KEY_E].len)) + return -1; + + if (lws_genhmac_update(&ctx, (uint8_t *)in, sig_pos - 1)) { + lws_genhmac_destroy(&ctx, NULL); + + return -1; + } + if (lws_genhmac_destroy(&ctx, digest)) + return -1; + + /* 7) Compare the computed and decoded hashes */ + + if (memcmp(digest, buf, h_len)) { + lwsl_notice("digest mismatch\n"); + + return -1; + } + + return 0; +} + +LWS_VISIBLE int +lws_jws_sign_from_b64(const char *b64_hdr, size_t hdr_len, const char *b64_pay, + size_t pay_len, char *b64_sig, size_t sig_len, + enum lws_genhash_types hash_type, struct lws_jwk *jwk) +{ + uint8_t digest[LWS_GENHASH_LARGEST]; + struct lws_genhash_ctx hash_ctx; + struct lws_genrsa_ctx rsactx; + uint8_t *buf; + int n; + + if (lws_genhash_init(&hash_ctx, hash_type)) + return -1; + + if (b64_hdr) { + if (lws_genhash_update(&hash_ctx, (uint8_t *)b64_hdr, hdr_len)) + goto hash_fail; + if (lws_genhash_update(&hash_ctx, (uint8_t *)".", 1)) + goto hash_fail; + } + if (lws_genhash_update(&hash_ctx, (uint8_t *)b64_pay, pay_len)) + goto hash_fail; + + if (lws_genhash_destroy(&hash_ctx, digest)) + return -1; + + if (!strcmp(jwk->keytype, "RSA")) { + if (lws_genrsa_create(&rsactx, &jwk->el)) { + lwsl_notice("%s: lws_genrsa_public_decrypt_create\n", + __func__); + return -1; + } + + n = jwk->el.e[JWK_KEY_N].len; + buf = lws_malloc(n, "jws sign"); + if (!buf) + return -1; + + n = lws_genrsa_public_sign(&rsactx, digest, hash_type, buf, n); + lws_genrsa_destroy(&rsactx); + if (n < 0) { + lws_free(buf); + + return -1; + } + + n = lws_jws_base64_enc((char *)buf, n, b64_sig, sig_len); + lws_free(buf); + + return n; + } + + if (!strcmp(jwk->keytype, "oct")) + return lws_jws_base64_enc((char *)digest, + lws_genhash_size(hash_type), + b64_sig, sig_len); + + /* unknown key type */ + + return -1; + +hash_fail: + lws_genhash_destroy(&hash_ctx, NULL); + return -1; +} + +LWS_VISIBLE int +lws_jws_create_packet(struct lws_jwk *jwk, const char *payload, size_t len, + const char *nonce, char *out, size_t out_len) +{ + char *buf, *start, *p, *end, *p1, *end1, *b64_hdr, *b64_pay; + int n, b64_hdr_len, b64_pay_len; + + /* + * This buffer is local to the function, the actual output + * is prepared into vhd->buf. Only the plaintext protected header + * (which contains the public key, 512 bytes for 4096b) goes in + * here temporarily. + */ + n = LWS_PRE + 2048; + buf = malloc(n); + if (!buf) { + lwsl_notice("%s: malloc %d failed\n", __func__, n); + return -1; + } + + p = start = buf + LWS_PRE; + end = buf + n - LWS_PRE - 1; + + /* + * temporary JWS protected header plaintext + */ + + p += lws_snprintf(p, end - p, "{\"alg\":\"RS256\",\"jwk\":"); + n = lws_jwk_export(jwk, 0, p, end - p); + if (n < 0) { + lwsl_notice("failed to export jwk\n"); + + goto bail; + } + p += n; + p += lws_snprintf(p, end - p, ",\"nonce\":\"%s\"}", nonce); + + /* + * prepare the signed outer JSON with all the parts in + */ + + p1 = out; + end1 = out + out_len - 1; + + p1 += lws_snprintf(p1, end1 - p1, "{\"protected\":\""); + b64_hdr = p1; + n = lws_jws_base64_enc(start, p - start, p1, end1 - p1); + if (n < 0) { + lwsl_notice("%s: failed to encode protected\n", __func__); + goto bail; + } + b64_hdr_len = n; + p1 += n; + + p1 += lws_snprintf(p1, end1 - p1, "\",\"payload\":\""); + b64_pay = p1; + n = lws_jws_base64_enc(payload, len, p1, end1 - p1); + if (n < 0) { + lwsl_notice("%s: failed to encode payload\n", __func__); + goto bail; + } + b64_pay_len = n; + + p1 += n; + p1 += lws_snprintf(p1, end1 - p1, "\",\"signature\":\""); + + /* + * taking the b64 protected header and the b64 payload, sign them + * and place the signature into the packet + */ + n = lws_jws_sign_from_b64(b64_hdr, b64_hdr_len, b64_pay, b64_pay_len, + p1, end1 - p1, LWS_GENHASH_TYPE_SHA256, jwk); + if (n < 0) { + lwsl_notice("sig gen failed\n"); + + goto bail; + } + p1 += n; + p1 += lws_snprintf(p1, end1 - p1, "\"}"); + + free(buf); + + return p1 - out; + +bail: + free(buf); + + return -1; +} + + +#if defined(LWS_WITH_SELFTESTS) +/* + * These are the inputs and outputs from the worked example in RFC7515 + * Appendix A.1. + * + * 1) has a fixed header + payload, and a fixed SHA256 HMAC key, and must give + * a fixed BASE64URL result. + * + * 2) has a fixed header + payload and is signed with a key given in JWK format + */ +int +lws_jws_selftest(void) +{ + struct lws_genhmac_ctx ctx; + struct lws_jwk jwk; + char buf[2048], *p = buf, *end = buf + sizeof(buf) - 1, *enc_ptr, *p1; + uint8_t digest[LWS_GENHASH_LARGEST]; + int n; + + /* Test 1: SHA256 on RFC7515 worked example */ + + /* 1.1: decode the JWK oct key */ + + if (lws_jwk_import(&jwk, key_jwk, strlen(key_jwk)) < 0) { + lwsl_notice("Failed to decode JWK test key\n"); + return -1; + } + + /* 1.2: create JWS known hdr + known payload */ + + n = lws_jws_encode_section(test1, strlen(test1), 1, &p, end); + if (n < 0) + goto bail; + if (strcmp(buf, test1_enc)) + goto bail; + + enc_ptr = p + 1; /* + 1 skips the . */ + n = lws_jws_encode_section(test2, strlen(test2), 0, &p, end); + if (n < 0) + goto bail; + if (strcmp(enc_ptr, test2_enc)) + goto bail; + + /* 1.3: use HMAC SHA-256 with known key on the hdr . payload */ + + if (lws_genhmac_init(&ctx, LWS_GENHMAC_TYPE_SHA256, + jwk.el.e[JWK_KEY_E].buf, jwk.el.e[JWK_KEY_E].len)) + goto bail; + if (lws_genhmac_update(&ctx, (uint8_t *)buf, p - buf)) + goto bail_destroy_hmac; + lws_genhmac_destroy(&ctx, digest); + + /* 1.4: append a base64 encode of the computed HMAC digest */ + + enc_ptr = p + 1; /* + 1 skips the . */ + n = lws_jws_encode_section((const char *)digest, 32, 0, &p, end); + if (n < 0) + goto bail; + if (strcmp(enc_ptr, hash_enc)) /* check against known B64URL hash */ + goto bail; + + /* 1.5: Check we can agree the signature matches the payload */ + + if (lws_jws_confirm_sig(buf, p - buf, &jwk) < 0) { + lwsl_notice("confirm sig failed\n"); + goto bail; + } + + lws_jwk_destroy(&jwk); /* finished with the key from the first test */ + + /* Test 2: RSA256 on RFC7515 worked example */ + + /* 2.1: turn the known JWK key for the RSA test into a lws_jwk */ + + if (lws_jwk_import(&jwk, rfc7515_rsa_key, strlen(rfc7515_rsa_key))) { + lwsl_notice("Failed to read JWK key\n"); + goto bail2; + } + + /* 2.2: check the signature on the test packet from RFC7515 A-1 */ + + if (lws_jws_confirm_sig(rfc7515_rsa_a1, strlen(rfc7515_rsa_a1), + &jwk) < 0) { + lwsl_notice("confirm rsa sig failed\n"); + goto bail; + } + + /* 2.3: generate our own signature for a copy of the test packet */ + + memcpy(buf, rfc7515_rsa_a1, strlen(rfc7515_rsa_a1)); + + /* set p to second . */ + p = strchr(buf + 1, '.'); + p1 = strchr(p + 1, '.'); + + n = lws_jws_sign_from_b64(buf, p - buf, p + 1, p1 - (p + 1), + p1 + 1, sizeof(buf) - (p1 - buf) - 1, + LWS_GENHASH_TYPE_SHA256, &jwk); + if (n < 0) + goto bail; + + puts(buf); + + /* 2.4: confirm our signature can be verified */ + + if (lws_jws_confirm_sig(buf, (p1 + 1 + n) - buf, &jwk) < 0) { + lwsl_notice("confirm rsa sig 2 failed\n"); + goto bail; + } + + lws_jwk_destroy(&jwk); + + /* end */ + + lwsl_notice("%s: selftest OK\n", __func__); + + return 0; + +bail_destroy_hmac: + lws_genhmac_destroy(&ctx, NULL); + +bail: + lws_jwk_destroy(&jwk); +bail2: + lwsl_err("%s: selftest failed ++++++++++++++++++++\n", __func__); + + return 1; +} +#endif diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h index 2cc48246..3005d44b 100644 --- a/lib/libwebsockets.h +++ b/lib/libwebsockets.h @@ -1774,8 +1774,164 @@ LWS_VISIBLE LWS_EXTERN int lws_genrsa_render_pkey_asn1(struct lws_genrsa_ctx *ctx, int _private, uint8_t *pkey_asn1, size_t pkey_asn1_len); ///@} -#endif +/*! \defgroup jwk JSON Web Keys + * ## JSON Web Keys API + * + * Lws provides an API to parse JSON Web Keys into a struct lws_genrsa_elements. + * + * "oct" and "RSA" type keys are supported. For "oct" keys, they are held in + * the "e" member of the struct lws_genrsa_elements. + * + * Keys elements are allocated on the heap. You must destroy the allocations + * in the struct lws_genrsa_elements by calling + * lws_jwk_destroy_genrsa_elements() when you are finished with it. + */ +///@{ + +struct lws_jwk { + char keytype[5]; /**< "oct" or "RSA" */ + struct lws_genrsa_elements el; /**< OCTet key is in el.e */ +}; + +/** lws_jwk_import() - Create a JSON Web key from the textual representation + * + * \param s: the JWK object to create + * \param in: a single JWK JSON stanza in utf-8 + * \param len: the length of the JWK JSON stanza in bytes + * + * Creates an lws_jwk struct filled with data from the JSON representation. + * "oct" and "rsa" key types are supported. + * + * For "oct" type keys, it is loaded into el.e. + */ +LWS_VISIBLE LWS_EXTERN int +lws_jwk_import(struct lws_jwk *s, const char *in, size_t len); + +/** lws_jwk_destroy() - Destroy a JSON Web key + * + * \param s: the JWK object to destroy + * + * All allocations in the lws_jwk are destroyed + */ +LWS_VISIBLE LWS_EXTERN void +lws_jwk_destroy(struct lws_jwk *s); + +/** lws_jwk_export() - Export a JSON Web key to a textual representation + * + * \param s: the JWK object to export + * \param _private: 0 = just export public parts, 1 = export everything + * \param p: the buffer to write the exported JWK to + * \param len: the length of the buffer \p p in bytes + * + * Returns length of the used part of the buffer if OK, or -1 for error. + * + * Serializes the content of the JWK into a char buffer. + */ +LWS_VISIBLE LWS_EXTERN int +lws_jwk_export(struct lws_jwk *s, int _private, char *p, size_t len); + +/** lws_jwk_load() - Import a JSON Web key from a file + * + * \param s: the JWK object to load into + * \param filename: filename to load from + * + * Returns 0 for OK or -1 for failure + */ +LWS_VISIBLE int +lws_jwk_load(struct lws_jwk *s, const char *filename); + +/** lws_jwk_save() - Export a JSON Web key to a file + * + * \param s: the JWK object to save from + * \param filename: filename to save to + * + * Returns 0 for OK or -1 for failure + */ +LWS_VISIBLE int +lws_jwk_save(struct lws_jwk *s, const char *filename); +///@} + + +/*! \defgroup jws JSON Web Signature + * ## JSON Web Signature API + * + * Lws provides an API to check and create RFC7515 JSON Web Signatures + * + * SHA256/384/512 HMAC, and RSA 256/384/512 are supported. + * + * The API uses your TLS library crypto, but works exactly the same no matter + * what you TLS backend is. + */ +///@{ + +LWS_VISIBLE LWS_EXTERN int +lws_jws_confirm_sig(const char *in, size_t len, struct lws_jwk *jwk); + +/** + * lws_jws_sign_from_b64() - add b64 sig to b64 hdr + payload + * + * \param b64_hdr: protected header encoded in b64, may be NULL + * \param hdr_len: bytes in b64 coding of protected header + * \param b64_pay: payload encoded in b64 + * \param pay_len: bytes in b64 coding of payload + * \param b64_sig: buffer to write the b64 encoded signature into + * \param sig_len: max bytes we can write at b64_sig + * \param hash_type: one of LWS_GENHASH_TYPE_SHA[256|384|512] + * \param jwk: the struct lws_jwk containing the signing key + * + * This adds a b64-coded JWS signature of the b64-encoded protected header + * and b64-encoded payload, at \p b64_sig. The signature will be as large + * as the N element of the RSA key when the RSA key is used, eg, 512 bytes for + * a 4096-bit key, and then b64-encoding on top. + * + * In some special cases, there is only payload to sign and no header, in that + * case \p b64_hdr may be NULL, and only the payload will be hashed before + * signing. + * + * Returns the length of the encoded signature written to \p b64_sig, or -1. + */ +LWS_VISIBLE LWS_EXTERN int +lws_jws_sign_from_b64(const char *b64_hdr, size_t hdr_len, const char *b64_pay, + size_t pay_len, char *b64_sig, size_t sig_len, + enum lws_genhash_types hash_type, struct lws_jwk *jwk); + +/** + * lws_jws_create_packet() - add b64 sig to b64 hdr + payload + * + * \param jwk: the struct lws_jwk containing the signing key + * \param payload: unencoded payload JSON + * \param len: length of unencoded payload JSON + * \param nonce: Nonse string to include in protected header + * \param out: buffer to take signed packet + * \param out_len: size of \p out buffer + * + * This creates a "flattened" JWS packet from the jwk and the plaintext + * payload, and signs it. The packet is written into \p out. + * + * This does the whole packet assembly and signing, calling through to + * lws_jws_sign_from_b64() as part of the process. + * + * Returns the length written to \p out, or -1. + */ +LWS_VISIBLE LWS_EXTERN int +lws_jws_create_packet(struct lws_jwk *jwk, const char *payload, size_t len, + const char *nonce, char *out, size_t out_len); + +/** + * lws_jws_base64_enc() - encode input data into b64url data + * + * \param in: the incoming plaintext + * \param in_len: the length of the incoming plaintext in bytes + * \param out: the buffer to store the b64url encoded data to + * \param out_max: the length of \p out in bytes + * + * Returns either -1 if problems, or the number of bytes written to \p out. + */ +LWS_VISIBLE LWS_EXTERN int +lws_jws_base64_enc(const char *in, size_t in_len, char *out, size_t out_max); +///@} +#endif /*! \defgroup extensions Extension related functions * ##Extension releated functions diff --git a/lib/private-libwebsockets.h b/lib/private-libwebsockets.h index 4911de70..144258a9 100644 --- a/lib/private-libwebsockets.h +++ b/lib/private-libwebsockets.h @@ -1221,6 +1221,9 @@ lws_restart_ws_ping_pong_timer(struct lws *wsi); struct lws * lws_adopt_socket_vhost(struct lws_vhost *vh, lws_sockfd_type accept_fd); +int +lws_jws_base64_enc(const char *in, size_t in_len, char *out, size_t out_max); + enum { LWS_EV_READ = (1 << 0), @@ -2500,6 +2503,8 @@ lws_ssl_capable_write_no_ssl(struct lws *wsi, unsigned char *buf, int len); LWS_EXTERN int LWS_WARN_UNUSED_RESULT lws_ssl_pending_no_ssl(struct lws *wsi); +int lws_jws_selftest(void); + #ifdef LWS_WITH_HTTP_PROXY struct lws_rewrite { hubbub_parser *parser;