* Adding JWE support

Author: danny-gallagher

lib/mcapi/encryption/crypto/jwe-crypto.rb

@@ -0,0 +1,117 @@
+# frozen_string_literal: true
+
+require 'json'
+require 'openssl'
+require 'base64'
+require 'securerandom'
+require_relative '../utils/utils'
+require_relative '../utils/openssl_rsa_oaep'
+
+module McAPI
+  module Encryption
+    #
+    # JWE Crypto class provide RSA/AES encrypt/decrypt methods
+    #
+    class JweCrypto
+      def initialize(config)
+        @encoding = config['dataEncoding']
+        @cert = OpenSSL::X509::Certificate.new(IO.binread(config['encryptionCertificate']))
+        if config['privateKey']
+          @private_key = OpenSSL::PKey.read(IO.binread(config['privateKey']))
+        elsif config['keyStore']
+          @private_key = OpenSSL::PKCS12.new(IO.binread(config['keyStore']), config['keyStorePassword']).key
+        end
+        @encrypted_value_field_name = config['encryptedValueFieldName'] || 'encryptedData'
+        @public_key_fingerprint = compute_public_fingerprint
+      end
+
+      def encrypt_data(data:)
+        cek = SecureRandom.random_bytes(32)
+        iv = SecureRandom.random_bytes(12)
+
+        md = OpenSSL::Digest::SHA256
+        encrypted_key = @cert.public_key.public_encrypt_oaep(cek, '', md, md)
+
+        header = generate_header('RSA-OAEP-256', 'A256GCM')
+        json_hdr = header.to_json
+        auth_data = jwe_encode(json_hdr)
+
+        cipher = OpenSSL::Cipher.new('aes-256-gcm')
+        cipher.encrypt
+        cipher.key = cek
+        cipher.iv = iv
+        cipher.padding = 0
+        cipher.auth_data = auth_data
+        cipher_text = cipher.update(data) + cipher.final
+
+        payload = generate_serialization(json_hdr, encrypted_key, cipher_text, iv, cipher.auth_tag)
+        {
+          @encrypted_value_field_name => payload
+        }
+      end
+
+      def decrypt_data(encrypted_data:)
+        parts = encrypted_data.split('.')
+        encrypted_header, encrypted_key, initialization_vector, cipher_text, authentication_tag = parts
+
+        jwe_header = jwe_decode(encrypted_header)
+        encrypted_key = jwe_decode(encrypted_key)
+        iv = jwe_decode(initialization_vector)
+        cipher_text = jwe_decode(cipher_text)
+        cipher_tag = jwe_decode(authentication_tag)
+
+        md = OpenSSL::Digest::SHA256
+        cek = @private_key.private_decrypt_oaep(encrypted_key, '', md, md)
+
+        enc_method = JSON.parse(jwe_header)['enc']
+
+        if enc_method == "A256GCM"
+          enc_string = "aes-256-gcm"
+        elsif enc_method == "A128CBC-HS256"
+          enc_string = "aes-128-cbc"
+        else
+          raise Exception, "Encryption method '#{enc_method}' not supported."
+        end
+
+        cipher = OpenSSL::Cipher.new(enc_string)
+        cipher.decrypt
+        cipher.key = cek
+        cipher.iv = iv
+        cipher.padding = 0
+        cipher.auth_data = encrypted_header
+        cipher.auth_tag = cipher_tag
+
+        plain_text = cipher.update(cipher_text) + cipher.final
+        plain_text
+      end
+
+      private
+
+      def compute_public_fingerprint
+        OpenSSL::Digest::SHA256.new(@cert.public_key.to_der).to_s
+      end
+
+      def generate_header(alg, enc)
+        header = { alg: alg, enc: enc, kid: @public_key_fingerprint, cty: 'application/json' }
+        header
+      end
+
+      def jwe_encode(payload)
+        ::Base64.urlsafe_encode64(payload).delete('=')
+      end
+
+      def jwe_decode(payload)
+        padlen = 4 - (payload.length % 4)
+        if padlen < 4
+          pad = '=' * padlen
+          payload += pad
+        end
+        ::Base64.urlsafe_decode64(payload)
+      end
+
+      def generate_serialization(hdr, cek, content, iv, tag)
+        [hdr, cek, iv, content, tag].map { |piece| jwe_encode(piece) }.join '.'
+      end
+    end
+  end
+end

lib/mcapi/encryption/field_level_encryption.rb

@@ -2,6 +2,7 @@
 
 require_relative 'crypto/crypto'
 require_relative 'utils/hash.ext'
+require_relative 'utils/utils'
 require 'json'
 
 module McAPI
@@ -36,7 +37,7 @@ def initialize(config)
       #
       def encrypt(endpoint, header, body)
         body = JSON.parse(body) if body.is_a?(String)
-        config = config?(endpoint)
+        config = McAPI::Utils.config?(endpoint, @config)
         body_map = body
         if config
           if !@is_with_header
@@ -50,7 +51,7 @@ def encrypt(endpoint, header, body)
             end
           end
         end
-        { header: header, body: config ? compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
+        { header: header, body: config ? McAPI::Utils.compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
       end
 
       #
@@ -62,7 +63,7 @@ def encrypt(endpoint, header, body)
       #
       def decrypt(response)
         response = JSON.parse(response)
-        config = config?(response['request']['url'])
+        config = McAPI::Utils.config?(response['request']['url'], @config)
         body_map = response
         if config
           if !@is_with_header
@@ -71,31 +72,31 @@ def decrypt(response)
             end
           else
             config['toDecrypt'].each do |v|
-              elem = elem_from_path(v['obj'], response['body'])
+              elem = McAPI::Utils.elem_from_path(v['obj'], response['body'])
               decrypt_with_header(v, elem, response) if elem[:node][v['element']]
             end
           end
         end
-        response['body'] = compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
+        response['body'] = McAPI::Utils.compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
         JSON.generate(response)
       end
 
       private
 
       def encrypt_with_body(path, body)
-        elem = elem_from_path(path['element'], body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
         return unless elem && elem[:node]
 
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]))
         body = McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
-        unless json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+        unless McAPI::Utils.json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
           McAPI::Utils.delete_node(path['element'], body)
         end
         body
       end
 
       def encrypt_with_header(path, enc_params, header, body)
-        elem = elem_from_path(path['element'], body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
         return unless elem && elem[:node]
 
         encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]), encryption_params: enc_params)
@@ -105,7 +106,7 @@ def encrypt_with_header(path, enc_params, header, body)
       end
 
       def decrypt_with_body(path, body)
-        elem = elem_from_path(path['element'], body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
         return unless elem && elem[:node]
 
         decrypted = @crypto.decrypt_data(elem[:node][@config['encryptedValueFieldName']],
@@ -130,46 +131,12 @@ def decrypt_with_header(path, elem, response)
                                                            response['headers'][@config['oaepHashingAlgorithmHeaderName']][0]))
       end
 
-      def elem_from_path(path, obj)
-        parent = nil
-        paths = path.split('.')
-        if path && !paths.empty?
-          paths.each do |e|
-            parent = obj
-            obj = json_root?(e) ? obj : obj[e]
-          end
-        end
-        { node: obj, parent: parent }
-      rescue StandardError
-        nil
-      end
-
-      def config?(endpoint)
-        return unless endpoint
-
-        endpoint = endpoint.split('?').shift
-        conf = @config['paths'].select { |e| endpoint.match(e['path']) }
-        conf.empty? ? nil : conf[0]
-      end
-
       def set_header(header, params)
         header[@config['encryptedKeyHeaderName']] = params[:encoded][:encryptedKey]
         header[@config['ivHeaderName']] = params[:encoded][:iv]
         header[@config['oaepHashingAlgorithmHeaderName']] = params[:oaepHashingAlgorithm].sub('-', '')
         header[@config['publicKeyFingerprintHeaderName']] = params[:publicKeyFingerprint]
       end
-
-      def json_root?(elem)
-        elem == '$'
-      end
-
-      def compute_body(config_param, body_map)
-        encryption_param?(config_param, body_map) ? body_map[0] : yield
-      end
-
-      def encryption_param?(enc_param, body_map)
-        enc_param.length == 1 && body_map.length == 1
-      end
     end
   end
 end

lib/mcapi/encryption/jwe_encryption.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require_relative 'crypto/jwe-crypto'
+require_relative 'utils/hash.ext'
+require 'json'
+
+module McAPI
+  module Encryption
+    #
+    # Performs JWE encryption on HTTP payloads.
+    #
+    class JweEncryption
+      #
+      # Create a new instance with the provided configuration
+      #
+      # @param [Hash] config Configuration object
+      #
+      def initialize(config)
+        @config = config
+        @crypto = McAPI::Encryption::JweCrypto.new(config)
+      end
+
+      #
+      # Encrypt parts of a HTTP request using the given config
+      #
+      # @param [String] endpoint HTTP URL for the current call
+      # @param [Object|nil] header HTTP header
+      # @param [String,Hash] body HTTP body
+      #
+      # @return [Hash] Hash with two keys:
+      # * :header header with encrypted value (if configured with header)
+      # * :body encrypted body
+      #
+      def encrypt(endpoint, body)
+        body = JSON.parse(body) if body.is_a?(String)
+        config = McAPI::Utils.config?(endpoint, @config)
+        body_map = body
+        if config
+          body_map = config['toEncrypt'].map do |v|
+            encrypt_with_body(v, body)
+          end
+        end
+        { body: config ? McAPI::Utils.compute_body(config['toEncrypt'], body_map) { body.json } : body.json }
+      end
+
+      #
+      # Decrypt part of the HTTP response using the given config
+      #
+      # @param [Object] response object as obtained from the http client
+      #
+      # @return [Object] response object with decrypted fields
+      #
+      def decrypt(response)
+        response = JSON.parse(response)
+        config = McAPI::Utils.config?(response['request']['url'], @config)
+        body_map = response
+        if config
+          body_map = config['toDecrypt'].map do |v|
+            decrypt_with_body(v, response['body'])
+          end
+        end
+        response['body'] = McAPI::Utils.compute_body(config['toDecrypt'], body_map) { response['body'] } unless config.nil?
+        JSON.generate(response)
+      end
+
+      private
+
+      def encrypt_with_body(path, body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
+        return unless elem && elem[:node]
+
+        encrypted_data = @crypto.encrypt_data(data: JSON.generate(elem[:node]))
+        body = McAPI::Utils.mutate_obj_prop(path['obj'], encrypted_data, body)
+        unless McAPI::Utils.json_root?(path['obj']) || path['element'] == "#{path['obj']}.#{@config['encryptedValueFieldName']}"
+          McAPI::Utils.delete_node(path['element'], body)
+        end
+        body
+      end
+
+      def decrypt_with_body(path, body)
+        elem = McAPI::Utils.elem_from_path(path['element'], body)
+        return unless elem && elem[:node]
+
+        decrypted = @crypto.decrypt_data(encrypted_data: elem[:node][@config['encryptedValueFieldName']])
+        begin
+          decrypted = JSON.parse(decrypted)
+        rescue JSON::ParserError
+          # ignored
+        end
+
+        McAPI::Utils.mutate_obj_prop(path['obj'], decrypted, body, path['element'], @encryption_response_properties)
+      end
+    end
+  end
+end