1/*- 2 * Copyright 2014 Square Inc. 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17package jose 18 19import ( 20 "crypto/elliptic" 21 "crypto/x509" 22 "encoding/base64" 23 "errors" 24 "fmt" 25 26 "gopkg.in/square/go-jose.v2/json" 27) 28 29// KeyAlgorithm represents a key management algorithm. 30type KeyAlgorithm string 31 32// SignatureAlgorithm represents a signature (or MAC) algorithm. 33type SignatureAlgorithm string 34 35// ContentEncryption represents a content encryption algorithm. 36type ContentEncryption string 37 38// CompressionAlgorithm represents an algorithm used for plaintext compression. 39type CompressionAlgorithm string 40 41// ContentType represents type of the contained data. 42type ContentType string 43 44var ( 45 // ErrCryptoFailure represents an error in cryptographic primitive. This 46 // occurs when, for example, a message had an invalid authentication tag or 47 // could not be decrypted. 48 ErrCryptoFailure = errors.New("square/go-jose: error in cryptographic primitive") 49 50 // ErrUnsupportedAlgorithm indicates that a selected algorithm is not 51 // supported. This occurs when trying to instantiate an encrypter for an 52 // algorithm that is not yet implemented. 53 ErrUnsupportedAlgorithm = errors.New("square/go-jose: unknown/unsupported algorithm") 54 55 // ErrUnsupportedKeyType indicates that the given key type/format is not 56 // supported. This occurs when trying to instantiate an encrypter and passing 57 // it a key of an unrecognized type or with unsupported parameters, such as 58 // an RSA private key with more than two primes. 59 ErrUnsupportedKeyType = errors.New("square/go-jose: unsupported key type/format") 60 61 // ErrInvalidKeySize indicates that the given key is not the correct size 62 // for the selected algorithm. This can occur, for example, when trying to 63 // encrypt with AES-256 but passing only a 128-bit key as input. 64 ErrInvalidKeySize = errors.New("square/go-jose: invalid key size for algorithm") 65 66 // ErrNotSupported serialization of object is not supported. This occurs when 67 // trying to compact-serialize an object which can't be represented in 68 // compact form. 69 ErrNotSupported = errors.New("square/go-jose: compact serialization not supported for object") 70 71 // ErrUnprotectedNonce indicates that while parsing a JWS or JWE object, a 72 // nonce header parameter was included in an unprotected header object. 73 ErrUnprotectedNonce = errors.New("square/go-jose: Nonce parameter included in unprotected header") 74) 75 76// Key management algorithms 77const ( 78 ED25519 = KeyAlgorithm("ED25519") 79 RSA1_5 = KeyAlgorithm("RSA1_5") // RSA-PKCS1v1.5 80 RSA_OAEP = KeyAlgorithm("RSA-OAEP") // RSA-OAEP-SHA1 81 RSA_OAEP_256 = KeyAlgorithm("RSA-OAEP-256") // RSA-OAEP-SHA256 82 A128KW = KeyAlgorithm("A128KW") // AES key wrap (128) 83 A192KW = KeyAlgorithm("A192KW") // AES key wrap (192) 84 A256KW = KeyAlgorithm("A256KW") // AES key wrap (256) 85 DIRECT = KeyAlgorithm("dir") // Direct encryption 86 ECDH_ES = KeyAlgorithm("ECDH-ES") // ECDH-ES 87 ECDH_ES_A128KW = KeyAlgorithm("ECDH-ES+A128KW") // ECDH-ES + AES key wrap (128) 88 ECDH_ES_A192KW = KeyAlgorithm("ECDH-ES+A192KW") // ECDH-ES + AES key wrap (192) 89 ECDH_ES_A256KW = KeyAlgorithm("ECDH-ES+A256KW") // ECDH-ES + AES key wrap (256) 90 A128GCMKW = KeyAlgorithm("A128GCMKW") // AES-GCM key wrap (128) 91 A192GCMKW = KeyAlgorithm("A192GCMKW") // AES-GCM key wrap (192) 92 A256GCMKW = KeyAlgorithm("A256GCMKW") // AES-GCM key wrap (256) 93 PBES2_HS256_A128KW = KeyAlgorithm("PBES2-HS256+A128KW") // PBES2 + HMAC-SHA256 + AES key wrap (128) 94 PBES2_HS384_A192KW = KeyAlgorithm("PBES2-HS384+A192KW") // PBES2 + HMAC-SHA384 + AES key wrap (192) 95 PBES2_HS512_A256KW = KeyAlgorithm("PBES2-HS512+A256KW") // PBES2 + HMAC-SHA512 + AES key wrap (256) 96) 97 98// Signature algorithms 99const ( 100 EdDSA = SignatureAlgorithm("EdDSA") 101 HS256 = SignatureAlgorithm("HS256") // HMAC using SHA-256 102 HS384 = SignatureAlgorithm("HS384") // HMAC using SHA-384 103 HS512 = SignatureAlgorithm("HS512") // HMAC using SHA-512 104 RS256 = SignatureAlgorithm("RS256") // RSASSA-PKCS-v1.5 using SHA-256 105 RS384 = SignatureAlgorithm("RS384") // RSASSA-PKCS-v1.5 using SHA-384 106 RS512 = SignatureAlgorithm("RS512") // RSASSA-PKCS-v1.5 using SHA-512 107 ES256 = SignatureAlgorithm("ES256") // ECDSA using P-256 and SHA-256 108 ES384 = SignatureAlgorithm("ES384") // ECDSA using P-384 and SHA-384 109 ES512 = SignatureAlgorithm("ES512") // ECDSA using P-521 and SHA-512 110 PS256 = SignatureAlgorithm("PS256") // RSASSA-PSS using SHA256 and MGF1-SHA256 111 PS384 = SignatureAlgorithm("PS384") // RSASSA-PSS using SHA384 and MGF1-SHA384 112 PS512 = SignatureAlgorithm("PS512") // RSASSA-PSS using SHA512 and MGF1-SHA512 113) 114 115// Content encryption algorithms 116const ( 117 A128CBC_HS256 = ContentEncryption("A128CBC-HS256") // AES-CBC + HMAC-SHA256 (128) 118 A192CBC_HS384 = ContentEncryption("A192CBC-HS384") // AES-CBC + HMAC-SHA384 (192) 119 A256CBC_HS512 = ContentEncryption("A256CBC-HS512") // AES-CBC + HMAC-SHA512 (256) 120 A128GCM = ContentEncryption("A128GCM") // AES-GCM (128) 121 A192GCM = ContentEncryption("A192GCM") // AES-GCM (192) 122 A256GCM = ContentEncryption("A256GCM") // AES-GCM (256) 123) 124 125// Compression algorithms 126const ( 127 NONE = CompressionAlgorithm("") // No compression 128 DEFLATE = CompressionAlgorithm("DEF") // DEFLATE (RFC 1951) 129) 130 131// A key in the protected header of a JWS object. Use of the Header... 132// constants is preferred to enhance type safety. 133type HeaderKey string 134 135const ( 136 HeaderType HeaderKey = "typ" // string 137 HeaderContentType = "cty" // string 138 139 // These are set by go-jose and shouldn't need to be set by consumers of the 140 // library. 141 headerAlgorithm = "alg" // string 142 headerEncryption = "enc" // ContentEncryption 143 headerCompression = "zip" // CompressionAlgorithm 144 headerCritical = "crit" // []string 145 146 headerAPU = "apu" // *byteBuffer 147 headerAPV = "apv" // *byteBuffer 148 headerEPK = "epk" // *JSONWebKey 149 headerIV = "iv" // *byteBuffer 150 headerTag = "tag" // *byteBuffer 151 headerX5c = "x5c" // []*x509.Certificate 152 153 headerJWK = "jwk" // *JSONWebKey 154 headerKeyID = "kid" // string 155 headerNonce = "nonce" // string 156 headerB64 = "b64" // bool 157 158 headerP2C = "p2c" // *byteBuffer (int) 159 headerP2S = "p2s" // *byteBuffer ([]byte) 160 161) 162 163// supportedCritical is the set of supported extensions that are understood and processed. 164var supportedCritical = map[string]bool{ 165 headerB64: true, 166} 167 168// rawHeader represents the JOSE header for JWE/JWS objects (used for parsing). 169// 170// The decoding of the constituent items is deferred because we want to marshal 171// some members into particular structs rather than generic maps, but at the 172// same time we need to receive any extra fields unhandled by this library to 173// pass through to consuming code in case it wants to examine them. 174type rawHeader map[HeaderKey]*json.RawMessage 175 176// Header represents the read-only JOSE header for JWE/JWS objects. 177type Header struct { 178 KeyID string 179 JSONWebKey *JSONWebKey 180 Algorithm string 181 Nonce string 182 183 // Unverified certificate chain parsed from x5c header. 184 certificates []*x509.Certificate 185 186 // Any headers not recognised above get unmarshalled 187 // from JSON in a generic manner and placed in this map. 188 ExtraHeaders map[HeaderKey]interface{} 189} 190 191// Certificates verifies & returns the certificate chain present 192// in the x5c header field of a message, if one was present. Returns 193// an error if there was no x5c header present or the chain could 194// not be validated with the given verify options. 195func (h Header) Certificates(opts x509.VerifyOptions) ([][]*x509.Certificate, error) { 196 if len(h.certificates) == 0 { 197 return nil, errors.New("square/go-jose: no x5c header present in message") 198 } 199 200 leaf := h.certificates[0] 201 if opts.Intermediates == nil { 202 opts.Intermediates = x509.NewCertPool() 203 for _, intermediate := range h.certificates[1:] { 204 opts.Intermediates.AddCert(intermediate) 205 } 206 } 207 208 return leaf.Verify(opts) 209} 210 211func (parsed rawHeader) set(k HeaderKey, v interface{}) error { 212 b, err := json.Marshal(v) 213 if err != nil { 214 return err 215 } 216 217 parsed[k] = makeRawMessage(b) 218 return nil 219} 220 221// getString gets a string from the raw JSON, defaulting to "". 222func (parsed rawHeader) getString(k HeaderKey) string { 223 v, ok := parsed[k] 224 if !ok || v == nil { 225 return "" 226 } 227 var s string 228 err := json.Unmarshal(*v, &s) 229 if err != nil { 230 return "" 231 } 232 return s 233} 234 235// getByteBuffer gets a byte buffer from the raw JSON. Returns (nil, nil) if 236// not specified. 237func (parsed rawHeader) getByteBuffer(k HeaderKey) (*byteBuffer, error) { 238 v := parsed[k] 239 if v == nil { 240 return nil, nil 241 } 242 var bb *byteBuffer 243 err := json.Unmarshal(*v, &bb) 244 if err != nil { 245 return nil, err 246 } 247 return bb, nil 248} 249 250// getAlgorithm extracts parsed "alg" from the raw JSON as a KeyAlgorithm. 251func (parsed rawHeader) getAlgorithm() KeyAlgorithm { 252 return KeyAlgorithm(parsed.getString(headerAlgorithm)) 253} 254 255// getSignatureAlgorithm extracts parsed "alg" from the raw JSON as a SignatureAlgorithm. 256func (parsed rawHeader) getSignatureAlgorithm() SignatureAlgorithm { 257 return SignatureAlgorithm(parsed.getString(headerAlgorithm)) 258} 259 260// getEncryption extracts parsed "enc" from the raw JSON. 261func (parsed rawHeader) getEncryption() ContentEncryption { 262 return ContentEncryption(parsed.getString(headerEncryption)) 263} 264 265// getCompression extracts parsed "zip" from the raw JSON. 266func (parsed rawHeader) getCompression() CompressionAlgorithm { 267 return CompressionAlgorithm(parsed.getString(headerCompression)) 268} 269 270func (parsed rawHeader) getNonce() string { 271 return parsed.getString(headerNonce) 272} 273 274// getEPK extracts parsed "epk" from the raw JSON. 275func (parsed rawHeader) getEPK() (*JSONWebKey, error) { 276 v := parsed[headerEPK] 277 if v == nil { 278 return nil, nil 279 } 280 var epk *JSONWebKey 281 err := json.Unmarshal(*v, &epk) 282 if err != nil { 283 return nil, err 284 } 285 return epk, nil 286} 287 288// getAPU extracts parsed "apu" from the raw JSON. 289func (parsed rawHeader) getAPU() (*byteBuffer, error) { 290 return parsed.getByteBuffer(headerAPU) 291} 292 293// getAPV extracts parsed "apv" from the raw JSON. 294func (parsed rawHeader) getAPV() (*byteBuffer, error) { 295 return parsed.getByteBuffer(headerAPV) 296} 297 298// getIV extracts parsed "iv" from the raw JSON. 299func (parsed rawHeader) getIV() (*byteBuffer, error) { 300 return parsed.getByteBuffer(headerIV) 301} 302 303// getTag extracts parsed "tag" from the raw JSON. 304func (parsed rawHeader) getTag() (*byteBuffer, error) { 305 return parsed.getByteBuffer(headerTag) 306} 307 308// getJWK extracts parsed "jwk" from the raw JSON. 309func (parsed rawHeader) getJWK() (*JSONWebKey, error) { 310 v := parsed[headerJWK] 311 if v == nil { 312 return nil, nil 313 } 314 var jwk *JSONWebKey 315 err := json.Unmarshal(*v, &jwk) 316 if err != nil { 317 return nil, err 318 } 319 return jwk, nil 320} 321 322// getCritical extracts parsed "crit" from the raw JSON. If omitted, it 323// returns an empty slice. 324func (parsed rawHeader) getCritical() ([]string, error) { 325 v := parsed[headerCritical] 326 if v == nil { 327 return nil, nil 328 } 329 330 var q []string 331 err := json.Unmarshal(*v, &q) 332 if err != nil { 333 return nil, err 334 } 335 return q, nil 336} 337 338// getS2C extracts parsed "p2c" from the raw JSON. 339func (parsed rawHeader) getP2C() (int, error) { 340 v := parsed[headerP2C] 341 if v == nil { 342 return 0, nil 343 } 344 345 var p2c int 346 err := json.Unmarshal(*v, &p2c) 347 if err != nil { 348 return 0, err 349 } 350 return p2c, nil 351} 352 353// getS2S extracts parsed "p2s" from the raw JSON. 354func (parsed rawHeader) getP2S() (*byteBuffer, error) { 355 return parsed.getByteBuffer(headerP2S) 356} 357 358// getB64 extracts parsed "b64" from the raw JSON, defaulting to true. 359func (parsed rawHeader) getB64() (bool, error) { 360 v := parsed[headerB64] 361 if v == nil { 362 return true, nil 363 } 364 365 var b64 bool 366 err := json.Unmarshal(*v, &b64) 367 if err != nil { 368 return true, err 369 } 370 return b64, nil 371} 372 373// sanitized produces a cleaned-up header object from the raw JSON. 374func (parsed rawHeader) sanitized() (h Header, err error) { 375 for k, v := range parsed { 376 if v == nil { 377 continue 378 } 379 switch k { 380 case headerJWK: 381 var jwk *JSONWebKey 382 err = json.Unmarshal(*v, &jwk) 383 if err != nil { 384 err = fmt.Errorf("failed to unmarshal JWK: %v: %#v", err, string(*v)) 385 return 386 } 387 h.JSONWebKey = jwk 388 case headerKeyID: 389 var s string 390 err = json.Unmarshal(*v, &s) 391 if err != nil { 392 err = fmt.Errorf("failed to unmarshal key ID: %v: %#v", err, string(*v)) 393 return 394 } 395 h.KeyID = s 396 case headerAlgorithm: 397 var s string 398 err = json.Unmarshal(*v, &s) 399 if err != nil { 400 err = fmt.Errorf("failed to unmarshal algorithm: %v: %#v", err, string(*v)) 401 return 402 } 403 h.Algorithm = s 404 case headerNonce: 405 var s string 406 err = json.Unmarshal(*v, &s) 407 if err != nil { 408 err = fmt.Errorf("failed to unmarshal nonce: %v: %#v", err, string(*v)) 409 return 410 } 411 h.Nonce = s 412 case headerX5c: 413 c := []string{} 414 err = json.Unmarshal(*v, &c) 415 if err != nil { 416 err = fmt.Errorf("failed to unmarshal x5c header: %v: %#v", err, string(*v)) 417 return 418 } 419 h.certificates, err = parseCertificateChain(c) 420 if err != nil { 421 err = fmt.Errorf("failed to unmarshal x5c header: %v: %#v", err, string(*v)) 422 return 423 } 424 default: 425 if h.ExtraHeaders == nil { 426 h.ExtraHeaders = map[HeaderKey]interface{}{} 427 } 428 var v2 interface{} 429 err = json.Unmarshal(*v, &v2) 430 if err != nil { 431 err = fmt.Errorf("failed to unmarshal value: %v: %#v", err, string(*v)) 432 return 433 } 434 h.ExtraHeaders[k] = v2 435 } 436 } 437 return 438} 439 440func parseCertificateChain(chain []string) ([]*x509.Certificate, error) { 441 out := make([]*x509.Certificate, len(chain)) 442 for i, cert := range chain { 443 raw, err := base64.StdEncoding.DecodeString(cert) 444 if err != nil { 445 return nil, err 446 } 447 out[i], err = x509.ParseCertificate(raw) 448 if err != nil { 449 return nil, err 450 } 451 } 452 return out, nil 453} 454 455func (dst rawHeader) isSet(k HeaderKey) bool { 456 dvr := dst[k] 457 if dvr == nil { 458 return false 459 } 460 461 var dv interface{} 462 err := json.Unmarshal(*dvr, &dv) 463 if err != nil { 464 return true 465 } 466 467 if dvStr, ok := dv.(string); ok { 468 return dvStr != "" 469 } 470 471 return true 472} 473 474// Merge headers from src into dst, giving precedence to headers from l. 475func (dst rawHeader) merge(src *rawHeader) { 476 if src == nil { 477 return 478 } 479 480 for k, v := range *src { 481 if dst.isSet(k) { 482 continue 483 } 484 485 dst[k] = v 486 } 487} 488 489// Get JOSE name of curve 490func curveName(crv elliptic.Curve) (string, error) { 491 switch crv { 492 case elliptic.P256(): 493 return "P-256", nil 494 case elliptic.P384(): 495 return "P-384", nil 496 case elliptic.P521(): 497 return "P-521", nil 498 default: 499 return "", fmt.Errorf("square/go-jose: unsupported/unknown elliptic curve") 500 } 501} 502 503// Get size of curve in bytes 504func curveSize(crv elliptic.Curve) int { 505 bits := crv.Params().BitSize 506 507 div := bits / 8 508 mod := bits % 8 509 510 if mod == 0 { 511 return div 512 } 513 514 return div + 1 515} 516 517func makeRawMessage(b []byte) *json.RawMessage { 518 rm := json.RawMessage(b) 519 return &rm 520} 521