2.9 KiB
lws minimal example for JWE
Demonstrates how to encrypt and decrypt using JWE and JWK, providing a commandline tool for creating encrypted JWE and decoding them.
build
$ cmake . && make
usage
Stdin is either the plaintext (if encrypting) or JWE (if decrypting).
Stdout is either the JWE (if encrypting) or plaintext (if decrypting).
You must pass a private or public key JWK file in the -k option if encrypting, and must pass a private key JWK file in the -k option if decrypting. To be clear, for asymmetric keys the public part of the key is required to encrypt, and the private part required to decrypt.
For convenience, a pair of public and private keys are provided,
key-rsa-4096.private
and key-rsa-4096.pub
, these were produced with just
$ lws-crypto-jwk -t RSA -b 4096 --public key-rsa-4096.pub >key-rsa-4096.private
Similar keys for EC modes may be produced with
$ lws-crypto-jwk -t EC -v P-256 --public key-ecdh-p-256.pub >key-ecdh-p-256.private
and for AES ("octet") symmetric keys
$ lws-crypto-jwk -t OCT -b 128 >key-aes-128.private
JWEs produced with openssl and mbedtls backends are completely interchangeable.
Commandline option | Meaning |
---|---|
-d | Debug verbosity in decimal, eg, -d15 |
-e " " | Encrypt (default is decrypt), eg, -e "RSA1_5 A128CBC-HS256". For decrypt, the cipher information comes from the input JWE. |
-k | JWK file to encrypt or decrypt with |
-c | Format the JWE as a linebroken C string |
-f | Output flattened representation (instead of compact by default) |
$ echo -n "plaintext0123456" | ./lws-crypto-jwe -k key-rsa-4096.private -e "RSA1_5 A128CBC-HS256"
[2018/12/19 16:20:25:6519] USER: LWS JWE example tool
[2018/12/19 16:20:25:6749] NOTICE: Creating Vhost 'default' (serving disabled), 1 protocols, IPv6 off
eyJhbGciOiJSU0ExXzUiLCAiZW5jIjoiQTEyOENCQy1IUzI1NiJ9.ivFr7qzx-pQ4V_edbjpdvR9OwWL9KmojPE2rXQM52oLtW0BtnxZu2_ezqhsAelyIcaworgfobs3u4bslXHMFbeJJjPb5xD0fBDe64OYXZH1NpUGTMJh9Ka4CrJ2B3xhxe7EByGAuGqmluqE0Yezj7rhSw7vlr5JAwuOJ8FaGa8aZ8ldki5G5h_S2Furlbjdcw3Rrxk7mCoMHcLoqzfZtggMPwGAMFogCqcwUo7oSLbBeGaa6hpMbfSysugseWdr8TzObQKPM52k6iVAlGwRaOg_qdLMgZiYRhHA6nFKTQd7XBbNY6qAS8sPuj7Zz344tF3RSfJ0zX_telG71sOtVv5fMpeDU-eCdpOWlCBfu6J6FQfAFu6SJryM4ajGOif09CwFI5qUQ33SOfQfS_M3nqSyd6Vu5M4lsDrb5wK7_XX5gqUwvI9wicf_8WWR-CQomRF-JvEASnA2SIf8QqYfa8R2rP9q6Md4vwO4EZrtxIsMDPsH-4ZEFu7vDjyy09QfIWWsnEb8-UgpVXensgt2m_2bZ76r1VB8-0nZLMwMyEhaH2wra9vX2FWao5UkmNJ7ht300f4_V6QzMFoePpwCvsufWBW6jcQLB-frCWe6uitWaZHEB4LxmNPKzQSz4QwwTKhpF1jNn8Xh1-w1m-2h0gj-oe-S8QBwPveqhPI1p2fI.snuhUTXHNu5mJ6dEPQqg6g.yl36qC4o0GE4nrquQ2YyCg.Vf0MoT7_kUrZdCNWXhq1DQ
Notice the logging is on stderr, and the output alone on stdout.
You can also pipe the output of the encrypt action directly into the decrypt action, eg
$ echo -n "plaintext0123456" | \
./lws-crypto-jwe -k key-rsa-4096.pub -e "RSA1_5 A128CBC-HS256" | \
./lws-crypto-jwe -k key-rsa-4096.private
prints the plaintext on stdout.