RSA-OAEP-384,RSA-OAEP-512 key management algos support

Author: dvsekhvalnov

jose.go

@@ -37,6 +37,8 @@ const (
 	RSA1_5             = "RSA1_5"             //RSAES with PKCS #1 v1.5 padding, RFC 3447
 	RSA_OAEP           = "RSA-OAEP"           //RSAES using Optimal Assymetric Encryption Padding, RFC 3447
 	RSA_OAEP_256       = "RSA-OAEP-256"       //RSAES using Optimal Assymetric Encryption Padding with SHA-256, RFC 3447
+	RSA_OAEP_384       = "RSA-OAEP-384"       //RSAES using Optimal Assymetric Encryption Padding with SHA-384, RFC 3447
+	RSA_OAEP_512       = "RSA-OAEP-512"       //RSAES using Optimal Assymetric Encryption Padding with SHA-512, RFC 3447
 	A128KW             = "A128KW"             //AES Key Wrap Algorithm using 128 bit keys, RFC 3394
 	A192KW             = "A192KW"             //AES Key Wrap Algorithm using 192 bit keys, RFC 3394
 	A256KW             = "A256KW"             //AES Key Wrap Algorithm using 256 bit keys, RFC 3394

jose_test.go

@@ -2141,6 +2141,30 @@ func (s *TestSuite) TestDecrypt_RSA_OAEP_256_A256CBC_HS512(c *C) {
 	c.Assert(test, Equals, `{"exp":1392553211,"sub":"alice","nbf":1392552611,"aud":["https:\/\/app-one.com","https:\/\/app-two.com"],"iss":"https:\/\/openid.net","jti":"586dd129-a29f-49c8-9de7-454af1155e27","iat":1392552611}`)
 }
 
+func (s *TestSuite) TestDecrypt_RSA_OAEP_384_A192GCM(c *C) {
+	//given
+	token := "eyJlbmMiOiJBMTkyR0NNIiwiYWxnIjoiUlNBLU9BRVAtMzg0In0.pT2_03Aa03PWky6L5LoW9UR2KYbdgQqpiU2lRsZxfKk2OUC-MPs6rAECylRtSPOWMYhW1NKaGrmt07jAi7gCs2ijwgpyD1VyM3GmmOrnsWwP_MW8WTWIpnLgaL1ajHjrlM3ZZuSFNLSw-O_-JfY6JHKUeCbq7Gta95l6AESDDGLxVW_wJnZLkNVqY-pq5_eBR1Gk1jOWpxb68MTr8k8gLivvuRRBWRiX4i52kcRFFaKcNp65ZmXTr3HOgf0BiGSzEZQFDwwpzGE5aaD8DcWEyn8R3LsxZU9puOILdkKo7MvHNkjZkTHWQFpe9L4Ppd8wX-fh4mLweyCCcJylzJHN1g.Vz8ymkRo6KT-ADV4.BmVs6Y4PE6zR2ALEDYjC8bCUQjALvsWwhbt9MU-Vo0mZpCIXZdwW8sAIF9n62GH7FPoNQbaXTXfpziyGPGFCxiB6StkppiGFo5Af4mGXx55YFNXghMkZfS9Oy3Ib0SbagF0GNR_cWXyfzanHCeskqcYOICEHwiAdONzwLhgCXt57R3TdoK6EL_wJKy6vhEL2pOsg5woj2P7NLuGezNUoB1vrpqTbySeoS8eZJ3Rz54_ShzdcVl8kBJ7WRRN_Iw.yErR3LUS8PbBClIwF7kI_Q"
+
+	//when
+	test, _, err := Decode(token, PrivKey())
+
+	//then
+	c.Assert(err, IsNil)
+	c.Assert(test, Equals, `{"sub":"alice","aud":["https://app-one.com","https://app-two.com"],"nbf":1731426506,"iss":"https://openid.net","exp":1731427106,"iat":1731426506,"jti":"49c091f4-f176-4227-ab82-b236beac2b94"}`)
+}
+
+func (s *TestSuite) TestDecrypt_RSA_OAEP_512_A256GCM(c *C) {
+	//given
+	token := "eyJlbmMiOiJBMjU2R0NNIiwiYWxnIjoiUlNBLU9BRVAtNTEyIn0.dDvBnxku8qBk0Ry8MRoIkWVszEsI0NKiBQtYnDQ6sq8mQyFp9dEbF-4_0a6_e6qZs5lyEjE-4y9Y-dV3rKymTXHqOVtsyUvrF_bGQ5rOThBkd08wcpEe7OiFIuWWcujJQ5p77IAkBlpedt3hb7tE2kbhMkocTSUXzWmWjLIka3teYUfbv2Rifacpj_XPXejDgYifVMnOcN7LFjbhEl7aajpy9nseWx9ihnAFbPdf7fT8cm9lEM8damUoFPIH4KUrHmAk72F49yT8OODjY-Sl93Q1vo1PbVMX-J6kTY3h0CcsAabnLs3Cn8OamHXxeWtQsWKmfazmOIp_uRCisTgwcg.hrJ7S_BfciovKcRB.YSqRYn0c-NQ3C86O7kpFev0Wt5RpOi_hHknLVgn04zwZGZGqS3zr7t5v-j4bHgouFhv1GdN5xvu0gFW1xXjo0_ZxcLNmHFmOAa3I7LtsPy4cW3Hkuy3wEblLg8cRoPTaLSvRPt9w2j_wy1beH9zrEqcf_KC3cKCzmoY0FatVwof5V9ICqtfFunv4h6ows-Fwhi_zzuL7zO5ydR-MH7D5Yhq1ni6SvRogp3Utfj2R_4jTGy8jGRRowfjsXR-GuQ.w15ByyQnK2G1_qnmkQU8QA"
+
+	//when
+	test, _, err := Decode(token, PrivKey())
+
+	//then
+	c.Assert(err, IsNil)
+	c.Assert(test, Equals, `{"sub":"alice","aud":["https://app-one.com","https://app-two.com"],"nbf":1731426506,"iss":"https://openid.net","exp":1731427106,"iat":1731426506,"jti":"6278505b-6dcd-483c-8dd1-7c35b7d1a1e5"}`)
+}
+
 func (s *TestSuite) TestEncrypt_RSA_OAEP_256_A128GCM(c *C) {
 	//given
 	payload := `{"hello": "world"}`

rsa_oaep.go

@@ -1,57 +1,72 @@
 package jose
 
 import (
-	"errors"
-	"crypto/rsa"
 	"crypto/rand"
-	"hash"
+	"crypto/rsa"
 	"crypto/sha1"
 	"crypto/sha256"
+	"crypto/sha512"
+	"errors"
+	"hash"
+
 	"github.com/dvsekhvalnov/jose2go/arrays"
 )
 
 // RS-AES using OAEP key management algorithm implementation
 func init() {
-	RegisterJwa(&RsaOaep {shaSizeBits:1})
-	RegisterJwa(&RsaOaep {shaSizeBits:256})
+	RegisterJwa(&RsaOaep{shaSizeBits: 1})
+	RegisterJwa(&RsaOaep{shaSizeBits: 256})
+	RegisterJwa(&RsaOaep{shaSizeBits: 384})
+	RegisterJwa(&RsaOaep{shaSizeBits: 512})
 }
 
-type RsaOaep struct{
+type RsaOaep struct {
 	shaSizeBits int
-	// func shaF() hash.Hash
 }
 
 func (alg *RsaOaep) Name() string {
 	switch alg.shaSizeBits {
-		case 1:	return RSA_OAEP
-		default: return RSA_OAEP_256
+	case 1:
+		return RSA_OAEP
+	case 256:
+		return RSA_OAEP_256
+	case 384:
+		return RSA_OAEP_384
+	default:
+		return RSA_OAEP_512
 	}
 }
 
 func (alg *RsaOaep) WrapNewKey(cekSizeBits int, key interface{}, header map[string]interface{}) (cek []byte, encryptedCek []byte, err error) {
-	if pubKey,ok:=key.(*rsa.PublicKey);ok {
-		if cek,err = arrays.Random(cekSizeBits>>3);err==nil {			
-			encryptedCek,err=rsa.EncryptOAEP(alg.sha(),rand.Reader,pubKey,cek,nil)
+	if pubKey, ok := key.(*rsa.PublicKey); ok {
+		if cek, err = arrays.Random(cekSizeBits >> 3); err == nil {
+			encryptedCek, err = rsa.EncryptOAEP(alg.sha(), rand.Reader, pubKey, cek, nil)
 			return
 		}
 
-		return nil,nil,err
+		return nil, nil, err
 	}
 
-	return nil,nil,errors.New("RsaOaep.WrapNewKey(): expected key to be '*rsa.PublicKey'")
+	return nil, nil, errors.New("RsaOaep.WrapNewKey(): expected key to be '*rsa.PublicKey'")
 }
 
 func (alg *RsaOaep) Unwrap(encryptedCek []byte, key interface{}, cekSizeBits int, header map[string]interface{}) (cek []byte, err error) {
-	if privKey,ok:=key.(*rsa.PrivateKey);ok {		
-		return rsa.DecryptOAEP(alg.sha(), rand.Reader, privKey, encryptedCek, nil)		
+	if privKey, ok := key.(*rsa.PrivateKey); ok {
+		return rsa.DecryptOAEP(alg.sha(), rand.Reader, privKey, encryptedCek, nil)
 	}
-	
-	return nil,errors.New("RsaOaep.Unwrap(): expected key to be '*rsa.PrivateKey'")		
+
+	return nil, errors.New("RsaOaep.Unwrap(): expected key to be '*rsa.PrivateKey'")
 }
 
 func (alg *RsaOaep) sha() hash.Hash {
 	switch alg.shaSizeBits {
-		case 1: return sha1.New()
-		default: return sha256.New()
+	case 1:
+		return sha1.New()
+	case 256:
+		return sha256.New()
+	case 384:
+		return sha512.New384()
+	default:
+		return sha512.New()
 	}
 }