Implement JWE encryption for JWT in Authly module

- Added support for JSON Web Encryption (JWE) as per RFC 7516, allowing JWTs to be encrypted for enhanced security.
- Introduced methods for generating Content Encryption Keys (CEK), encrypting CEK with RSA-OAEP, and encrypting JWT content using AES-GCM.
- Updated the encrypt_jwt method to handle JWE compact serialization, including header, encrypted key, IV, ciphertext, and authentication tag.
- Enhanced base64 URL-safe encoding for compatibility with JWE requirements.

Author: eliasjpr

src/authly/grants/authorization_code.cr

@@ -13,7 +13,7 @@ module Authly
       code : String
 
     def initialize(
-      @client_id, @client_secret, @redirect_uri, @code = "", @verifier = ""
+      @client_id, @client_secret, @redirect_uri, @code = "", @verifier = "",
     )
       @challenge = ""
       @method = ""

src/authly/jarm_builder.cr

@@ -1,5 +1,18 @@
 require "json"
 require "jwt"
+require "openssl"
+require "openssl_ext"
+require "base64"
+require "random/secure"
+
+# LibCrypto extensions for GCM mode
+lib LibCrypto
+  EVP_CTRL_GCM_SET_IVLEN =  0x9
+  EVP_CTRL_GCM_GET_TAG   = 0x10
+  EVP_CTRL_GCM_SET_TAG   = 0x11
+
+  fun evp_cipher_ctx_ctrl = EVP_CIPHER_CTX_ctrl(ctx : Void*, type : Int32, arg : Int32, ptr : Void*) : Int32
+end
 
 module Authly
   # JarmBuilder constructs JWT-secured authorization responses per RFC 9101
@@ -22,7 +35,7 @@ module Authly
       @signing_algorithm : JWT::Algorithm,
       @encryption_key : String? = nil,
       @encryption_algorithm : String? = nil,
-      @encryption_encoding : String? = nil
+      @encryption_encoding : String? = nil,
     )
     end
 
@@ -52,7 +65,7 @@ module Authly
       scope : String? = nil,
       id_token : String? = nil,
       error : String? = nil,
-      error_description : String? = nil
+      error_description : String? = nil,
     ) : String
       params = Hash(String, String).new
 
@@ -94,19 +107,171 @@ module Authly
     end
 
     # Encrypt JWT using JWE (nested JWT)
-    # Note: Full JWE implementation requires additional cryptographic libraries
-    # For now, this is a placeholder that demonstrates the structure
+    # Implements RFC 7516 (JSON Web Encryption) with compact serialization
     private def encrypt_jwt(jwt : String) : String
-      # TODO: Implement full JWE encryption
-      # This would require:
-      # 1. Generate content encryption key (CEK)
-      # 2. Encrypt CEK with recipient's public key using encryption_algorithm
-      # 3. Encrypt JWT payload with CEK using encryption_encoding
-      # 4. Build JWE compact serialization: header.encrypted_key.iv.ciphertext.tag
-
-      # For now, return signed JWT with a note that encryption is not yet implemented
-      # In production, you would use a JWE library or implement the full spec
-      jwt
+      enc_alg = encryption_algorithm
+      enc_enc = encryption_encoding
+      enc_key = encryption_key
+
+      return jwt unless enc_alg && enc_enc && enc_key
+
+      # Build JWE header
+      header = {
+        "alg" => enc_alg,
+        "enc" => enc_enc,
+        "cty" => "JWT", # Content type is JWT (nested JWT)
+      }
+
+      # Encode header
+      encoded_header = base64url_encode(header.to_json)
+
+      # Generate Content Encryption Key (CEK) based on encryption encoding
+      cek_size = get_cek_size(enc_enc)
+      cek = Random::Secure.random_bytes(cek_size)
+
+      # Encrypt the CEK with the key encryption algorithm
+      encrypted_key = encrypt_cek(cek, enc_key, enc_alg)
+      encoded_encrypted_key = base64url_encode(encrypted_key)
+
+      # Generate Initialization Vector (IV) for AES-GCM (96 bits)
+      iv = Random::Secure.random_bytes(12)
+      encoded_iv = base64url_encode(iv)
+
+      # Additional Authenticated Data (AAD) is the encoded header
+      aad = encoded_header
+
+      # Encrypt the JWT content
+      ciphertext, auth_tag = encrypt_content(jwt, cek, iv, aad, enc_enc)
+      encoded_ciphertext = base64url_encode(ciphertext)
+      encoded_auth_tag = base64url_encode(auth_tag)
+
+      # JWE Compact Serialization: header.encrypted_key.iv.ciphertext.tag
+      "#{encoded_header}.#{encoded_encrypted_key}.#{encoded_iv}.#{encoded_ciphertext}.#{encoded_auth_tag}"
+    end
+
+    # Get Content Encryption Key size based on encryption encoding
+    private def get_cek_size(enc : String) : Int32
+      case enc
+      when "A128GCM", "A128CBC-HS256"
+        16 # 128 bits
+      when "A192GCM", "A192CBC-HS384"
+        24 # 192 bits
+      when "A256GCM", "A256CBC-HS512"
+        32 # 256 bits
+      else
+        raise "Unsupported encryption encoding: #{enc}"
+      end
+    end
+
+    # Encrypt the Content Encryption Key using key encryption algorithm
+    private def encrypt_cek(cek : Bytes, key : String, alg : String) : Bytes
+      case alg
+      when "RSA-OAEP", "RSA-OAEP-256"
+        encrypt_cek_rsa_oaep(cek, key, alg)
+      when "ECDH-ES"
+        # For ECDH-ES, the CEK is derived from ECDH, not encrypted
+        # This is a simplified implementation - full ECDH-ES requires key agreement
+        raise "ECDH-ES not yet implemented - use RSA-OAEP instead"
+      when "ECDH-ES+A128KW", "ECDH-ES+A192KW", "ECDH-ES+A256KW"
+        # ECDH-ES with AES Key Wrap
+        raise "ECDH-ES+AKW not yet implemented - use RSA-OAEP instead"
+      else
+        raise "Unsupported key encryption algorithm: #{alg}"
+      end
+    end
+
+    # Encrypt CEK using RSA-OAEP
+    private def encrypt_cek_rsa_oaep(cek : Bytes, public_key_pem : String, alg : String) : Bytes
+      # Parse RSA public key from PEM
+      rsa = OpenSSL::PKey::RSA.new(public_key_pem)
+
+      # Determine padding mode based on algorithm
+      padding = case alg
+                when "RSA-OAEP"
+                  # RSA-OAEP with SHA-1 (default)
+                  LibCrypto::Padding::PKCS1_OAEP_PADDING
+                when "RSA-OAEP-256"
+                  # RSA-OAEP with SHA-256
+                  # Note: Both RSA-OAEP and RSA-OAEP-256 use the same padding constant
+                  # The hash function is determined by OpenSSL defaults
+                  LibCrypto::Padding::PKCS1_OAEP_PADDING
+                else
+                  raise "Unsupported RSA algorithm: #{alg}"
+                end
+
+      # Encrypt the CEK using the public key
+      encrypted = rsa.public_encrypt(cek, padding)
+      encrypted
+    end
+
+    # Encrypt content using AES-GCM or AES-CBC
+    private def encrypt_content(plaintext : String, cek : Bytes, iv : Bytes, aad : String, enc : String) : {Bytes, Bytes}
+      case enc
+      when "A128GCM", "A192GCM", "A256GCM"
+        encrypt_aes_gcm(plaintext, cek, iv, aad, enc)
+      when "A128CBC-HS256", "A192CBC-HS384", "A256CBC-HS512"
+        # AES-CBC with HMAC requires splitting the key and additional steps
+        raise "AES-CBC-HMAC not yet implemented - use AES-GCM instead"
+      else
+        raise "Unsupported content encryption: #{enc}"
+      end
+    end
+
+    # Encrypt using AES-GCM
+    private def encrypt_aes_gcm(plaintext : String, cek : Bytes, iv : Bytes, aad : String, enc : String) : {Bytes, Bytes}
+      # Determine cipher based on key size
+      cipher_name = case enc
+                    when "A128GCM"
+                      "aes-128-gcm"
+                    when "A192GCM"
+                      "aes-192-gcm"
+                    when "A256GCM"
+                      "aes-256-gcm"
+                    else
+                      raise "Invalid AES-GCM algorithm: #{enc}"
+                    end
+
+      # Create cipher
+      cipher = OpenSSL::Cipher.new(cipher_name)
+      cipher.encrypt
+
+      # Set key and IV
+      cipher.key = cek
+      cipher.iv = iv
+
+      # Set Additional Authenticated Data (AAD)
+      # For GCM mode, we update the cipher with AAD before encrypting
+      aad_bytes = aad.to_slice
+      unless aad_bytes.empty?
+        # Pass AAD through update without producing ciphertext output
+        cipher.update(aad_bytes)
+      end
+
+      # Encrypt the plaintext
+      ciphertext_io = IO::Memory.new
+      ciphertext_io.write(cipher.update(plaintext))
+      ciphertext_io.write(cipher.final)
+      ciphertext = ciphertext_io.to_slice
+
+      # Get authentication tag (16 bytes for GCM)
+      # We need to use LibCrypto directly to get the GCM tag
+      auth_tag = Bytes.new(16)
+      ctx = cipher.@ctx # Access the internal context
+      ret = LibCrypto.evp_cipher_ctx_ctrl(ctx, LibCrypto::EVP_CTRL_GCM_GET_TAG, 16, auth_tag.to_unsafe.as(Void*))
+      if ret != 1
+        raise "Failed to get GCM authentication tag"
+      end
+
+      {ciphertext, auth_tag}
+    end
+
+    # Base64 URL-safe encoding without padding
+    private def base64url_encode(data : String) : String
+      Base64.urlsafe_encode(data, padding: false)
+    end
+
+    private def base64url_encode(data : Bytes) : String
+      Base64.urlsafe_encode(data, padding: false)
     end
 
     # Create a form_post HTML response