(feat) add rsa-oaep algo support for JWE

lib/resty/evp.lua

@@ -12,6 +12,7 @@ local ngx = ngx
 
 
 local CONST = {
+    SHA1_DIGEST = "SHA1",
     SHA256_DIGEST = "SHA256",
     SHA512_DIGEST = "SHA512",
     -- ref : https://github.com/openssl/openssl/blob/master/include/openssl/rsa.h

lib/resty/jwt.lua

@@ -73,6 +73,7 @@ local str_const = {
   A256CBC_HS512_CIPHER_MODE = "aes-256-cbc",
   A256GCM = "A256GCM",
   A256GCM_CIPHER_MODE = "aes-256-gcm",
+  RSA_OAEP = "RSA-OAEP",
   RSA_OAEP_256 = "RSA-OAEP-256",
   DIR = "dir",
   reason = "reason",
@@ -255,7 +256,7 @@ local function parse_jwe(self, preshared_key, encoded_header, encoded_encrypted_
   end
 
   local alg = header.alg
-  if alg ~= str_const.DIR and alg ~= str_const.RSA_OAEP_256 then
+  if alg ~= str_const.DIR and alg ~= str_const.RSA_OAEP_256 and alg ~= str_const.RSA_OAEP then
     error({reason="invalid algorithm: " .. alg})
   end
 
@@ -265,11 +266,15 @@ local function parse_jwe(self, preshared_key, encoded_header, encoded_encrypted_
         error({reason="preshared key must not be null"})
     end
     key, _, enc_key = derive_keys(header.enc, preshared_key)
-  elseif alg == str_const.RSA_OAEP_256 then
+  elseif alg == str_const.RSA_OAEP_256 or alg == str_const.RSA_OAEP then
     if not preshared_key  then
         error({reason="rsa private key must not be null"})
     end
-    local rsa_decryptor, err = evp.RSADecryptor:new(preshared_key, nil, evp.CONST.RSA_PKCS1_OAEP_PADDING, evp.CONST.SHA256_DIGEST)
+    local digest_alg = evp.CONST.SHA256_DIGEST
+    if alg == str_const.RSA_OAEP then
+      digest_alg = evp.CONST.SHA1_DIGEST
+    end
+    local rsa_decryptor, err = evp.RSADecryptor:new(preshared_key, nil, evp.CONST.RSA_PKCS1_OAEP_PADDING, digest_alg)
     if err then
         error({reason="failed to create rsa object: ".. err})
     end
@@ -467,7 +472,7 @@ local function sign_jwe(self, secret_key, jwt_obj)
   if alg ==  str_const.DIR then
     _, mac_key, enc_key = derive_keys(enc, secret_key)
     encrypted_key = ""
-  elseif alg == str_const.RSA_OAEP_256 then
+  elseif alg == str_const.RSA_OAEP_256 or alg == str_const.RSA_OAEP then
     local cert, err
     if secret_key:find("CERTIFICATE") then
         cert, err = evp.Cert:new(secret_key)
@@ -477,7 +482,11 @@ local function sign_jwe(self, secret_key, jwt_obj)
     if not cert then
         error({reason="Decode secret is not a valid cert/public key: " .. (err and err or secret_key)})
     end
-    local rsa_encryptor = evp.RSAEncryptor:new(cert, evp.CONST.RSA_PKCS1_OAEP_PADDING, evp.CONST.SHA256_DIGEST)
+    local digest_alg = evp.CONST.SHA256_DIGEST
+    if alg == str_const.RSA_OAEP then
+      digest_alg = evp.CONST.SHA1_DIGEST
+    end
+    local rsa_encryptor = evp.RSAEncryptor:new(cert, evp.CONST.RSA_PKCS1_OAEP_PADDING, digest_alg)
     if err then
         error("failed to create rsa object for encryption ".. err)
     end