module JWE

Public Class Methods

__rodauth_oauth_decrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM") click to toggle source

this is a monkey-patch! it’s necessary, as the original jwe does not support jwks. if this works long term, it may be merged upstreamm.

# File lib/rodauth/oauth/jwe_extensions.rb, line 9
def self.__rodauth_oauth_decrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM")
  header, enc_key, iv, ciphertext, tag = Serialization::Compact.decode(payload)
  header = JSON.parse(header)

  key = find_key_by_kid(jwks, header["kid"], alg, enc)

  check_params(header, key)

  cek = Alg.decrypt_cek(header["alg"], key, enc_key)
  cipher = Enc.for(header["enc"], cek, iv, tag)

  plaintext = cipher.decrypt(ciphertext, payload.split(".").first)

  apply_zip(header, plaintext, :decompress)
end
__rodauth_oauth_encrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM", **more_headers) click to toggle source
# File lib/rodauth/oauth/jwe_extensions.rb, line 25
def self.__rodauth_oauth_encrypt_from_jwks(payload, jwks, alg: "RSA-OAEP", enc: "A128GCM", **more_headers)
  header = generate_header(alg, enc, more_headers)

  key = find_key_by_alg_enc(jwks, alg, enc)

  check_params(header, key)
  payload = apply_zip(header, payload, :compress)

  cipher = Enc.for(enc)
  cipher.cek = key if alg == "dir"

  json_hdr = header.to_json
  ciphertext = cipher.encrypt(payload, Base64.jwe_encode(json_hdr))

  generate_serialization(json_hdr, Alg.encrypt_cek(alg, key, cipher.cek), ciphertext, cipher)
end
find_key_by_alg_enc(jwks, alg, enc) click to toggle source
# File lib/rodauth/oauth/jwe_extensions.rb, line 54
def self.find_key_by_alg_enc(jwks, alg, enc)
  jwk = jwks.find do |key, _|
    (key[:alg] || key["alg"]) == alg &&
      (key[:enc] || key["enc"]) == enc
  end

  raise DecodeError, "No key found" unless jwk

  ::JWT::JWK.import(jwk).keypair
end
find_key_by_kid(jwks, kid, alg, enc) click to toggle source
# File lib/rodauth/oauth/jwe_extensions.rb, line 42
def self.find_key_by_kid(jwks, kid, alg, enc)
  raise DecodeError, "No key id (kid) found from token headers" unless kid

  jwk = jwks.find { |key, _| (key[:kid] || key["kid"]) == kid }

  raise DecodeError, "Could not find public key for kid #{kid}" unless jwk
  raise DecodeError, "Expected a different encryption algorithm" unless alg == (jwk[:alg] || jwk["alg"])
  raise DecodeError, "Expected a different encryption method" unless enc == (jwk[:enc] || jwk["enc"])

  ::JWT::JWK.import(jwk).keypair
end