libwebsockets/minimal-examples-lowlevel/crypto/minimal-crypto-jwe/README.md

2.9 KiB

lws minimal example for JWE

Demonstrates how to encrypt and decrypt using JWE and JWK, providing a commandline tool for creating encrypted JWE and decoding them.

build

 $ cmake . && make

usage

Stdin is either the plaintext (if encrypting) or JWE (if decrypting).

Stdout is either the JWE (if encrypting) or plaintext (if decrypting).

You must pass a private or public key JWK file in the -k option if encrypting, and must pass a private key JWK file in the -k option if decrypting. To be clear, for asymmetric keys the public part of the key is required to encrypt, and the private part required to decrypt.

For convenience, a pair of public and private keys are provided, key-rsa-4096.private and key-rsa-4096.pub, these were produced with just

 $ lws-crypto-jwk -t RSA -b 4096 --public key-rsa-4096.pub >key-rsa-4096.private

Similar keys for EC modes may be produced with

 $ lws-crypto-jwk -t EC -v P-256 --public key-ecdh-p-256.pub >key-ecdh-p-256.private

and for AES ("octet") symmetric keys

 $ lws-crypto-jwk -t OCT -b 128 >key-aes-128.private

JWEs produced with openssl and mbedtls backends are completely interchangeable.

Commandline option Meaning
-d Debug verbosity in decimal, eg, -d15
-e " " Encrypt (default is decrypt), eg, -e "RSA1_5 A128CBC-HS256". For decrypt, the cipher information comes from the input JWE.
-k JWK file to encrypt or decrypt with
-c Format the JWE as a linebroken C string
-f Output flattened representation (instead of compact by default)
 $ echo -n "plaintext0123456" | ./lws-crypto-jwe -k key-rsa-4096.private -e "RSA1_5 A128CBC-HS256"
[2018/12/19 16:20:25:6519] USER: LWS JWE example tool
[2018/12/19 16:20:25:6749] NOTICE: Creating Vhost 'default' (serving disabled), 1 protocols, IPv6 off
eyJhbGciOiJSU0ExXzUiLCAiZW5jIjoiQTEyOENCQy1IUzI1NiJ9.ivFr7qzx-pQ4V_edbjpdvR9OwWL9KmojPE2rXQM52oLtW0BtnxZu2_ezqhsAelyIcaworgfobs3u4bslXHMFbeJJjPb5xD0fBDe64OYXZH1NpUGTMJh9Ka4CrJ2B3xhxe7EByGAuGqmluqE0Yezj7rhSw7vlr5JAwuOJ8FaGa8aZ8ldki5G5h_S2Furlbjdcw3Rrxk7mCoMHcLoqzfZtggMPwGAMFogCqcwUo7oSLbBeGaa6hpMbfSysugseWdr8TzObQKPM52k6iVAlGwRaOg_qdLMgZiYRhHA6nFKTQd7XBbNY6qAS8sPuj7Zz344tF3RSfJ0zX_telG71sOtVv5fMpeDU-eCdpOWlCBfu6J6FQfAFu6SJryM4ajGOif09CwFI5qUQ33SOfQfS_M3nqSyd6Vu5M4lsDrb5wK7_XX5gqUwvI9wicf_8WWR-CQomRF-JvEASnA2SIf8QqYfa8R2rP9q6Md4vwO4EZrtxIsMDPsH-4ZEFu7vDjyy09QfIWWsnEb8-UgpVXensgt2m_2bZ76r1VB8-0nZLMwMyEhaH2wra9vX2FWao5UkmNJ7ht300f4_V6QzMFoePpwCvsufWBW6jcQLB-frCWe6uitWaZHEB4LxmNPKzQSz4QwwTKhpF1jNn8Xh1-w1m-2h0gj-oe-S8QBwPveqhPI1p2fI.snuhUTXHNu5mJ6dEPQqg6g.yl36qC4o0GE4nrquQ2YyCg.Vf0MoT7_kUrZdCNWXhq1DQ

Notice the logging is on stderr, and the output alone on stdout.

You can also pipe the output of the encrypt action directly into the decrypt action, eg

 $ echo -n "plaintext0123456" | \
   ./lws-crypto-jwe -k key-rsa-4096.pub -e "RSA1_5 A128CBC-HS256" | \
   ./lws-crypto-jwe -k key-rsa-4096.private

prints the plaintext on stdout.