Lightweight C library for HTML5 websockets
JSON Web Signature


LWS_VISIBLE LWS_EXTERN int lws_jws_confirm_sig (const char *in, size_t len, struct lws_jwk *jwk)
LWS_VISIBLE LWS_EXTERN int lws_jws_sign_from_b64 (const char *b64_hdr, size_t hdr_len, const char *b64_pay, size_t pay_len, char *b64_sig, size_t sig_len, enum lws_genhash_types hash_type, struct lws_jwk *jwk)
LWS_VISIBLE LWS_EXTERN int lws_jws_create_packet (struct lws_jwk *jwk, const char *payload, size_t len, const char *nonce, char *out, size_t out_len)
LWS_VISIBLE LWS_EXTERN int lws_jws_base64_enc (const char *in, size_t in_len, char *out, size_t out_max)

Detailed Description

JSON Web Signature API

Lws provides an API to check and create RFC7515 JSON Web Signatures.

SHA256/384/512 HMAC, and RSA 256/384/512 are supported.

The API uses your TLS library crypto, but works exactly the same no matter what your TLS backend is.

Function Documentation

◆ lws_jws_base64_enc()

LWS_VISIBLE LWS_EXTERN int lws_jws_base64_enc (const char *in, size_t in_len, char *out, size_t out_max)

#include <include/libwebsockets/lws-jws.h>

lws_jws_base64_enc() - encode input data into b64url data

in: the incoming plaintext
in_len: the length of the incoming plaintext in bytes
out: the buffer to store the b64url encoded data to
out_max: the length of out in bytes

Returns either -1 if problems, or the number of bytes written to out.

◆ lws_jws_create_packet()

LWS_VISIBLE LWS_EXTERN int lws_jws_create_packet (struct lws_jwk *jwk, const char *payload, size_t len, const char *nonce, char *out, size_t out_len)

#include <include/libwebsockets/lws-jws.h>

lws_jws_create_packet() - add b64 sig to b64 hdr + payload

jwk: the struct lws_jwk containing the signing key
payload: unencoded payload JSON
len: length of unencoded payload JSON
nonce: Nonce string to include in protected header
out: buffer to take signed packet
out_len: size of out buffer

This creates a "flattened" JWS packet from the jwk and the plaintext payload, and signs it. The packet is written into out.

This does the whole packet assembly and signing, calling through to lws_jws_sign_from_b64() as part of the process.

Returns the length written to out, or -1.

◆ lws_jws_sign_from_b64()

LWS_VISIBLE LWS_EXTERN int lws_jws_sign_from_b64 (const char *b64_hdr, size_t hdr_len, const char *b64_pay, size_t pay_len, char *b64_sig, size_t sig_len, enum lws_genhash_types hash_type, struct lws_jwk *jwk)

#include <include/libwebsockets/lws-jws.h>

lws_jws_sign_from_b64() - add b64 sig to b64 hdr + payload

b64_hdr: protected header encoded in b64, may be NULL
hdr_len: bytes in b64 coding of protected header
b64_pay: payload encoded in b64
pay_len: bytes in b64 coding of payload
b64_sig: buffer to write the b64 encoded signature into
sig_len: max bytes we can write at b64_sig
hash_type: one of LWS_GENHASH_TYPE_SHA[256|384|512]
jwk: the struct lws_jwk containing the signing key

This adds a b64-coded JWS signature of the b64-encoded protected header and b64-encoded payload, at b64_sig. When an RSA key is used, the raw signature is as large as the N element of the key, e.g. 512 bytes for a 4096-bit key, and the b64-encoding is applied on top of that.

In some special cases there is only a payload to sign and no header. In that case b64_hdr may be NULL, and only the payload will be hashed before signing.

Returns the length of the encoded signature written to b64_sig, or -1.
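Sizing the buffers passed as out / out_max and b64_sig / sig_len, as an added example that is not part of the libwebsockets sources: it works out the unpadded base64url length that RFC 7515 uses, applies it to the "signature as large as N, then b64 on top" rule above, and checks the arithmetic with a stand-alone encoder. The names b64url_len, rsa_b64_sig_buflen and b64url_enc are hypothetical, and reserving one extra byte for a NUL terminator is this example's assumption.

```c
#include <stddef.h>

/* Length of unpadded base64url text for n raw bytes (RFC 7515 drops '='). */
size_t b64url_len(size_t n)
{
	return (n * 4 + 2) / 3;
}

/*
 * Bytes to reserve for an encoded RSA signature: the raw signature is as
 * long as the modulus N, base64url goes on top, plus a NUL terminator
 * (the NUL is this example's assumption).
 */
size_t rsa_b64_sig_buflen(size_t modulus_bits)
{
	return b64url_len((modulus_bits + 7) / 8) + 1;
}

/*
 * Hypothetical stand-alone encoder using the return contract the page
 * documents: bytes written to out, or -1 if the result does not fit.
 */
int b64url_enc(const unsigned char *in, size_t in_len, char *out, size_t out_max)
{
	static const char tbl[] =
		"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";
	size_t i = 0, o = 0;

	if (b64url_len(in_len) + 1 > out_max)
		return -1;	/* refuse to truncate instead of overrunning out */

	while (i < in_len) {
		size_t left = in_len - i;
		unsigned long v = (unsigned long)in[i] << 16;

		if (left > 1)
			v |= (unsigned long)in[i + 1] << 8;
		if (left > 2)
			v |= in[i + 2];

		out[o++] = tbl[(v >> 18) & 63];
		out[o++] = tbl[(v >> 12) & 63];
		if (left > 1)
			out[o++] = tbl[(v >> 6) & 63];
		if (left > 2)
			out[o++] = tbl[v & 63];
		i += left > 2 ? 3 : left;
	}
	out[o] = '\0';

	return (int)o;
}
```

For the 4096-bit key mentioned above, the 512-byte signature becomes 683 base64url characters, so a sig_len below that cannot hold the result.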