/*
* oxAuth is available under the MIT License (2008). See http://opensource.org/licenses/MIT for full text.
*
* Copyright (c) 2014, Gluu
*/
package org.xdi.oxauth.model.jwe;
import org.bouncycastle.crypto.BlockCipher;
import org.bouncycastle.crypto.CipherParameters;
import org.bouncycastle.crypto.InvalidCipherTextException;
import org.bouncycastle.crypto.engines.AESEngine;
import org.bouncycastle.crypto.engines.AESWrapEngine;
import org.bouncycastle.crypto.modes.GCMBlockCipher;
import org.bouncycastle.crypto.params.AEADParameters;
import org.bouncycastle.crypto.params.KeyParameter;
import org.xdi.oxauth.model.crypto.encryption.BlockEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.encryption.KeyEncryptionAlgorithm;
import org.xdi.oxauth.model.crypto.signature.RSAPrivateKey;
import org.xdi.oxauth.model.exception.InvalidJweException;
import org.xdi.oxauth.model.exception.InvalidParameterException;
import org.xdi.oxauth.model.util.Base64Util;
import org.xdi.oxauth.model.util.Util;
import javax.crypto.*;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.io.UnsupportedEncodingException;
import java.nio.charset.Charset;
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.RSAPrivateKeySpec;
import java.util.Arrays;
/**
* @author Javier Rojas Blum
* @version July 31, 2016
*/
public class JweDecrypterImpl extends AbstractJweDecrypter {
private PrivateKey privateKey;
private RSAPrivateKey rsaPrivateKey;
private byte[] sharedSymmetricKey;
public JweDecrypterImpl(byte[] sharedSymmetricKey) {
if (sharedSymmetricKey != null) {
this.sharedSymmetricKey = sharedSymmetricKey.clone();
}
}
public JweDecrypterImpl(RSAPrivateKey rsaPrivateKey) {
this.rsaPrivateKey = rsaPrivateKey;
}
public JweDecrypterImpl(PrivateKey privateKey) {
this.privateKey = privateKey;
}
@Override
public byte[] decryptEncryptionKey(String encodedEncryptedKey) throws InvalidJweException {
if (getKeyEncryptionAlgorithm() == null) {
throw new InvalidJweException("The key encryption algorithm is null");
}
if (encodedEncryptedKey == null) {
throw new InvalidJweException("The encoded encryption key is null");
}
try {
if (getKeyEncryptionAlgorithm() == KeyEncryptionAlgorithm.RSA_OAEP
|| getKeyEncryptionAlgorithm() == KeyEncryptionAlgorithm.RSA1_5) {
if (rsaPrivateKey == null && privateKey == null) {
throw new InvalidJweException("The RSA private key is null");
}
//Cipher cipher = Cipher.getInstance(getKeyEncryptionAlgorithm().getAlgorithm(), "BC");
Cipher cipher = Cipher.getInstance(getKeyEncryptionAlgorithm().getAlgorithm());
if (rsaPrivateKey != null) {
KeyFactory keyFactory = KeyFactory.getInstance(getKeyEncryptionAlgorithm().getFamily(), "BC");
RSAPrivateKeySpec privKeySpec = new RSAPrivateKeySpec(rsaPrivateKey.getModulus(), rsaPrivateKey.getPrivateExponent());
java.security.interfaces.RSAPrivateKey privKey = (java.security.interfaces.RSAPrivateKey) keyFactory.generatePrivate(privKeySpec);
cipher.init(Cipher.DECRYPT_MODE, privKey);
} else {
cipher.init(Cipher.DECRYPT_MODE, privateKey);
}
byte[] decryptedKey = cipher.doFinal(Base64Util.base64urldecode(encodedEncryptedKey));
return decryptedKey;
} else if (getKeyEncryptionAlgorithm() == KeyEncryptionAlgorithm.A128KW
|| getKeyEncryptionAlgorithm() == KeyEncryptionAlgorithm.A256KW) {
if (sharedSymmetricKey == null) {
throw new InvalidJweException("The shared symmetric key is null");
}
if (sharedSymmetricKey.length != 16) { // 128 bit
MessageDigest sha = MessageDigest.getInstance("SHA-1");
sharedSymmetricKey = sha.digest(sharedSymmetricKey);
sharedSymmetricKey = Arrays.copyOf(sharedSymmetricKey, 16);
}
byte[] encryptedKey = Base64Util.base64urldecode(encodedEncryptedKey);
SecretKeySpec keyEncryptionKey = new SecretKeySpec(sharedSymmetricKey, "AES");
AESWrapEngine aesWrapEngine = new AESWrapEngine();
CipherParameters params = new KeyParameter(keyEncryptionKey.getEncoded());
aesWrapEngine.init(false, params);
byte[] decryptedKey = aesWrapEngine.unwrap(encryptedKey, 0, encryptedKey.length);
return decryptedKey;
} else {
throw new InvalidJweException("The key encryption algorithm is not supported");
}
} catch (NoSuchPaddingException e) {
throw new InvalidJweException(e);
} catch (NoSuchAlgorithmException e) {
throw new InvalidJweException(e);
} catch (IllegalBlockSizeException e) {
throw new InvalidJweException(e);
} catch (BadPaddingException e) {
throw new InvalidJweException(e);
} catch (NoSuchProviderException e) {
throw new InvalidJweException(e);
} catch (InvalidKeyException e) {
throw new InvalidJweException(e);
} catch (InvalidKeySpecException e) {
throw new InvalidJweException(e);
} catch (InvalidCipherTextException e) {
throw new InvalidJweException(e);
}
}
@Override
public String decryptCipherText(String encodedCipherText, byte[] contentMasterKey, byte[] initializationVector,
byte[] authenticationTag, byte[] additionalAuthenticatedData) throws InvalidJweException {
if (getBlockEncryptionAlgorithm() == null) {
throw new InvalidJweException("The block encryption algorithm is null");
}
if (contentMasterKey == null) {
throw new InvalidJweException("The content master key (CMK) is null");
}
if (initializationVector == null) {
throw new InvalidJweException("The initialization vector is null");
}
if (authenticationTag == null) {
throw new InvalidJweException("The authentication tag is null");
}
if (additionalAuthenticatedData == null) {
throw new InvalidJweException("The additional authentication data is null");
}
try {
if (getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A128GCM
|| getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A256GCM) {
final int MAC_SIZE_BITS = 128;
byte[] cipherText = Base64Util.base64urldecode(encodedCipherText);
KeyParameter key = new KeyParameter(contentMasterKey);
AEADParameters aeadParameters = new AEADParameters(key, MAC_SIZE_BITS, initializationVector, additionalAuthenticatedData);
SecretKeySpec sks = new SecretKeySpec(contentMasterKey, "AES");
BlockCipher blockCipher = new AESEngine();
CipherParameters params = new KeyParameter(sks.getEncoded());
blockCipher.init(false, params);
GCMBlockCipher aGCMBlockCipher = new GCMBlockCipher(blockCipher);
aGCMBlockCipher.init(false, aeadParameters);
byte[] input = new byte[cipherText.length + authenticationTag.length];
System.arraycopy(cipherText, 0, input, 0, cipherText.length);
System.arraycopy(authenticationTag, 0, input, cipherText.length, authenticationTag.length);
int len = aGCMBlockCipher.getOutputSize(input.length);
byte[] out = new byte[len];
int outOff = aGCMBlockCipher.processBytes(input, 0, input.length, out, 0);
aGCMBlockCipher.doFinal(out, outOff);
String plaintext = new String(out, Charset.forName(Util.UTF8_STRING_ENCODING));
return plaintext;
} else if (getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A128CBC_PLUS_HS256
|| getBlockEncryptionAlgorithm() == BlockEncryptionAlgorithm.A256CBC_PLUS_HS512) {
byte[] cipherText = Base64Util.base64urldecode(encodedCipherText);
byte[] cek = KeyDerivationFunction.generateCek(contentMasterKey, getBlockEncryptionAlgorithm());
Cipher cipher = Cipher.getInstance(getBlockEncryptionAlgorithm().getAlgorithm());
IvParameterSpec ivParameter = new IvParameterSpec(initializationVector);
cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(cek, "AES"), ivParameter);
byte[] decodedPlainTextBytes = cipher.doFinal(cipherText);
String decodedPlainText = new String(decodedPlainTextBytes, Charset.forName(Util.UTF8_STRING_ENCODING));
// Integrity check
String securedInputValue = new String(additionalAuthenticatedData, Charset.forName(Util.UTF8_STRING_ENCODING))
+ "." + encodedCipherText;
byte[] cik = KeyDerivationFunction.generateCik(contentMasterKey, getBlockEncryptionAlgorithm());
SecretKey secretKey = new SecretKeySpec(cik, getBlockEncryptionAlgorithm().getIntegrityValueAlgorithm());
Mac mac = Mac.getInstance(getBlockEncryptionAlgorithm().getIntegrityValueAlgorithm());
mac.init(secretKey);
byte[] integrityValue = mac.doFinal(securedInputValue.getBytes(Util.UTF8_STRING_ENCODING));
if (!Arrays.equals(integrityValue, authenticationTag)) {
throw new InvalidJweException("The authentication tag is not valid");
}
return decodedPlainText;
} else {
throw new InvalidJweException("The block encryption algorithm is not supported");
}
} catch (InvalidCipherTextException e) {
throw new InvalidJweException(e);
} catch (NoSuchPaddingException e) {
throw new InvalidJweException(e);
} catch (BadPaddingException e) {
throw new InvalidJweException(e);
} catch (InvalidAlgorithmParameterException e) {
throw new InvalidJweException(e);
} catch (NoSuchAlgorithmException e) {
throw new InvalidJweException(e);
} catch (IllegalBlockSizeException e) {
throw new InvalidJweException(e);
} catch (UnsupportedEncodingException e) {
throw new InvalidJweException(e);
} catch (NoSuchProviderException e) {
throw new InvalidJweException(e);
} catch (InvalidKeyException e) {
throw new InvalidJweException(e);
} catch (InvalidParameterException e) {
throw new InvalidJweException(e);
}
}
}