(PowerBuilder) JWE Using General JWE JSON Serialization

This example duplicates the example A.4 in RFC 7516 for JSON Web Encryption (JWE).

This example demonstrates the capability for encrypting the same plaintext to multiple recipients. Two recipients are present in this example.

Note: This example requires Chilkat v9.5.0.66 or greater.

Chilkat ActiveX Downloads ActiveX for 32-bit and 64-bit Windows

integer li_rc
integer li_Success
string ls_Plaintext
oleobject loo_Jwe
oleobject loo_JweProtHdr
oleobject loo_JweRecipientHdr1
integer li_RecipientIndex
oleobject loo_JweRecipientHdr2
oleobject loo_JweUnprotHdr
oleobject loo_SbJwk
oleobject loo_RsaPrivKey
oleobject loo_RsaPubKey
string ls_AesWrappingKey
string ls_StrJwe
oleobject loo_JsonTemp
oleobject loo_Jwe2
integer li_CaseSensitive
string ls_OriginalPlaintext
oleobject loo_SbJwe

// This requires the Chilkat API to have been previously unlocked.
// See Global Unlock Sample for sample code.

// Note: This example requires Chilkat v9.5.0.66 or greater.

ls_Plaintext = "Live long and prosper."

loo_Jwe = create oleobject
li_rc = loo_Jwe.ConnectToNewObject("Chilkat_9_5_0.Jwe")
if li_rc < 0 then
    destroy loo_Jwe
    MessageBox("Error","Connecting to COM object failed")
    return
end if

// First build the JWE Protected Header: {"enc":"A128CBC-HS256"}
loo_JweProtHdr = create oleobject
li_rc = loo_JweProtHdr.ConnectToNewObject("Chilkat_9_5_0.JsonObject")

loo_JweProtHdr.AppendString("enc","A128CBC-HS256")
loo_Jwe.SetProtectedHeader(loo_JweProtHdr)

// The first recipient uses the RSAES-PKCS1-v1_5 algorithm to encrypt
// the CEK.  The second uses AES Key Wrap to encrypt the CEK.  Key ID
// values are supplied for both keys.  The two JWE Per-Recipient
// Unprotected Header values used to represent these algorithms and key
// IDs are:
// 
//      {"alg":"RSA1_5","kid":"2011-04-29"}
// 
// and
// 
//      {"alg":"A128KW","kid":"7"}

loo_JweRecipientHdr1 = create oleobject
li_rc = loo_JweRecipientHdr1.ConnectToNewObject("Chilkat_9_5_0.JsonObject")

loo_JweRecipientHdr1.AppendString("alg","RSA1_5")
loo_JweRecipientHdr1.AppendString("kid","2011-04-29")
li_RecipientIndex = 0
loo_Jwe.SetRecipientHeader(li_RecipientIndex,loo_JweRecipientHdr1)

loo_JweRecipientHdr2 = create oleobject
li_rc = loo_JweRecipientHdr2.ConnectToNewObject("Chilkat_9_5_0.JsonObject")

loo_JweRecipientHdr2.AppendString("alg","A128KW")
loo_JweRecipientHdr2.AppendString("kid","7")
li_RecipientIndex = 1
loo_Jwe.SetRecipientHeader(li_RecipientIndex,loo_JweRecipientHdr2)

// Set the Shared Unprotected Header:  {"jku":"https://server.example.com/keys.jwks"}
loo_JweUnprotHdr = create oleobject
li_rc = loo_JweUnprotHdr.ConnectToNewObject("Chilkat_9_5_0.JsonObject")

loo_JweUnprotHdr.AppendString("jku","https://server.example.com/keys.jwks")
loo_Jwe.SetUnprotectedHeader(loo_JweUnprotHdr)

// Note: The intent of specifying a "kid" (an acronym for "Key ID") is that
// the software would somehow download the keys.jwks from https://server.example.com/keys.jwks,
// and would select the key (whatever format it may be, such as RSA, or an AES key wrap key, etc.),
// and then automatically use it. 

// This example keeps the "kid" and "jku" in their respective headers, but does not actually fetch
// the keys from some URL.  We'll just provide the keys directly..

// Recipient 0 uses this RSA key:
loo_SbJwk = create oleobject
li_rc = loo_SbJwk.ConnectToNewObject("Chilkat_9_5_0.StringBuilder")

loo_SbJwk.Append("{\"kty\":\"RSA\",")
loo_SbJwk.Append("\"n\":\"sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy1Wl")
loo_SbJwk.Append("UzewbgBHod5pcM9H95GQRV3JDXboIRROSBigeC5yjU1hGzHHyXss8UDpre")
loo_SbJwk.Append("cbAYxknTcQkhslANGRUZmdTOQ5qTRsLAt6BTYuyvVRdhS8exSZEy_c4gs_")
loo_SbJwk.Append("7svlJJQ4H9_NxsiIoLwAEk7-Q3UXERGYw_75IDrGA84-lA_-Ct4eTlXHBI")
loo_SbJwk.Append("Y2EaV7t7LjJaynVJCpkv4LKjTTAumiGUIuQhrNhZLuF_RJLqHpM2kgWFLU")
loo_SbJwk.Append("7-VTdL1VbC2tejvcI2BlMkEpk1BzBZI0KQB0GaDWFLN-aEAw3vRw\",")
loo_SbJwk.Append("\"e\":\"AQAB\",")
loo_SbJwk.Append("\"d\":\"VFCWOqXr8nvZNyaaJLXdnNPXZKRaWCjkU5Q2egQQpTBMwhprMzWzpR8Sxq")
loo_SbJwk.Append("1OPThh_J6MUD8Z35wky9b8eEO0pwNS8xlh1lOFRRBoNqDIKVOku0aZb-ry")
loo_SbJwk.Append("nq8cxjDTLZQ6Fz7jSjR1Klop-YKaUHc9GsEofQqYruPhzSA-QgajZGPbE_")
loo_SbJwk.Append("0ZaVDJHfyd7UUBUKunFMScbflYAAOYJqVIVwaYR5zWEEceUjNnTNo_CVSj")
loo_SbJwk.Append("-VvXLO5VZfCUAVLgW4dpf1SrtZjSt34YLsRarSb127reG_DUwg9Ch-Kyvj")
loo_SbJwk.Append("T1SkHgUWRVGcyly7uvVGRSDwsXypdrNinPA4jlhoNdizK2zF2CWQ\",")
loo_SbJwk.Append("\"p\":\"9gY2w6I6S6L0juEKsbeDAwpd9WMfgqFoeA9vEyEUuk4kLwBKcoe1x4HG68")
loo_SbJwk.Append("ik918hdDSE9vDQSccA3xXHOAFOPJ8R9EeIAbTi1VwBYnbTp87X-xcPWlEP")
loo_SbJwk.Append("krdoUKW60tgs1aNd_Nnc9LEVVPMS390zbFxt8TN_biaBgelNgbC95sM\",")
loo_SbJwk.Append("\"q\":\"uKlCKvKv_ZJMVcdIs5vVSU_6cPtYI1ljWytExV_skstvRSNi9r66jdd9-y")
loo_SbJwk.Append("BhVfuG4shsp2j7rGnIio901RBeHo6TPKWVVykPu1iYhQXw1jIABfw-MVsN")
loo_SbJwk.Append("-3bQ76WLdt2SDxsHs7q7zPyUyHXmps7ycZ5c72wGkUwNOjYelmkiNS0\",")
loo_SbJwk.Append("\"dp\":\"w0kZbV63cVRvVX6yk3C8cMxo2qCM4Y8nsq1lmMSYhG4EcL6FWbX5h9yuv")
loo_SbJwk.Append("ngs4iLEFk6eALoUS4vIWEwcL4txw9LsWH_zKI-hwoReoP77cOdSL4AVcra")
loo_SbJwk.Append("Hawlkpyd2TWjE5evgbhWtOxnZee3cXJBkAi64Ik6jZxbvk-RR3pEhnCs\",")
loo_SbJwk.Append("\"dq\":\"o_8V14SezckO6CNLKs_btPdFiO9_kC1DsuUTd2LAfIIVeMZ7jn1Gus_Ff")
loo_SbJwk.Append("7B7IVx3p5KuBGOVF8L-qifLb6nQnLysgHDh132NDioZkhH7mI7hPG-PYE_")
loo_SbJwk.Append("odApKdnqECHWw0J-F0JWnUd6D2B_1TvF9mXA2Qx-iGYn8OVV1Bsmp6qU\",")
loo_SbJwk.Append("\"qi\":\"eNho5yRBEBxhGBtQRww9QirZsB66TrfFReG_CcteI1aCneT0ELGhYlRlC")
loo_SbJwk.Append("tUkTRclIfuEPmNsNDPbLoLqqCVznFbvdB7x-Tl-m0l_eFTj2KiqwGqE9PZ")
loo_SbJwk.Append("B9nNTwMVvH3VRRSLWACvPnSiwP8N5Usy-WRXS-V7TbpxIhvepTfE0NNo\"")
loo_SbJwk.Append("}")

// Load this JWK into a Chilkat private key object.
loo_RsaPrivKey = create oleobject
li_rc = loo_RsaPrivKey.ConnectToNewObject("Chilkat_9_5_0.PrivateKey")

li_Success = loo_RsaPrivKey.LoadJwk(loo_SbJwk.GetAsString())
if li_Success <> 1 then
    Write-Debug loo_RsaPrivKey.LastErrorText
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    return
end if

// Get the public key for encryption.  (The RSA private key is used for decryption.)
loo_RsaPubKey = loo_RsaPrivKey.GetPublicKey()
li_RecipientIndex = 0
loo_Jwe.SetPublicKey(li_RecipientIndex,loo_RsaPubKey)
destroy loo_RsaPubKey

// Recipient 1 uses AES Key Wrap
ls_AesWrappingKey = "GawgguFyGrWKav7AX4VKUg"
li_RecipientIndex = 1
loo_Jwe.SetWrappingKey(li_RecipientIndex,ls_AesWrappingKey,"base64url")

// OK.. everything has been specified.
// Now encrypt.  Chilkat will use the general JSON serialization because it is only
// possible serializationto use given there are multiple recipients. 
ls_StrJwe = loo_Jwe.Encrypt(ls_Plaintext,"utf-8")
if loo_Jwe.LastMethodSuccess <> 1 then
    Write-Debug loo_Jwe.LastErrorText
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    return
end if

// The strJwe is in the most compact form possible (a single line).
// Let's load it into a JSON object and examine in a non-compact pretty-printed format:
loo_JsonTemp = create oleobject
li_rc = loo_JsonTemp.ConnectToNewObject("Chilkat_9_5_0.JsonObject")

loo_JsonTemp.Load(ls_StrJwe)
loo_JsonTemp.EmitCompact = 0
Write-Debug loo_JsonTemp.Emit()

// The JWE looks like this:
// (Note: Because of random values used in the encryption process, your encrypted results will be different.)

// 	{ 
// 	  "protected": "eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0",
// 	  "unprotected": { 
// 	    "jku": "https://server.example.com/keys.jwks"
// 	  },
// 	  "recipients": [
// 	    { 
// 	      "header": { 
// 	        "alg": "RSA1_5",
// 	        "kid": "2011-04-29"
// 	      },
// 	      "encrypted_key": "WlUggejR-vStJVNKgjG2mQrVv74aga1FFutT8E-n-yJEOTsOVnGjhj1NW_Snd9DqHAhFrc7NEvKCFplKWGnusBZxxjm1JpdUa0MIpkGmncJHQQdfm21vcbEUbDmfqVY79SnEis3tih1D3qmyp_Bxti4byDAHJIOJv_cj0Sx8oHZzgGtOLjtHsydyo1MtBIqI0w86i_uhUuraihZ3ngj67YZ6uqpR6lulkPIVohfF3oJ0D3Ay_XOCHWlHYkTg6VZsa0FDrPtfB2pG3TxTBPwI4IMj5uF_D3zrg51dCYKU1Gah71ujLaXRE5q9XF7oOknxiWQuWc7Ox8JP03lSx-DiVA"
// 	    },
// 	    { 
// 	      "header": { 
// 	        "alg": "A128KW",
// 	        "kid": "7"
// 	      },
// 	      "encrypted_key": "8diBP2aUUB_Jl5WxCuMJLN6HsppE3rhSjcecee0fBcwB31zbPAVejQ"
// 	    } 
// 	  ],
// 	  "iv": "JqahFKx5Z8SFT_LnkfOq0Q",
// 	  "ciphertext": "YcSdjlszsaY1ADcs4Vw85H_WoAqnkDIJaJsTkmCj05s",
// 	  "tag": "G3KF2CZ-DMhm0cqUbhJKMA"
// 	} 

// To decrypt, we don't need both recipient keys.  We can decrypt with one key or the other.
// The FindRecipient method can be used to find a particular recipient index.

// First, load the JWE..
loo_Jwe2 = create oleobject
li_rc = loo_Jwe2.ConnectToNewObject("Chilkat_9_5_0.Jwe")

li_Success = loo_Jwe2.LoadJwe(ls_StrJwe)
if li_Success <> 1 then
    Write-Debug loo_Jwe2.LastErrorText
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    destroy loo_JsonTemp
    destroy loo_Jwe2
    return
end if

// Let's say we have the AES key wrap key, and we know the "kid" equals "7".
li_CaseSensitive = 0
li_RecipientIndex = loo_Jwe2.FindRecipient("kid","7",li_CaseSensitive)
if li_RecipientIndex < 0 then
    Write-Debug "Unable to find recipient with kid=7"
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    destroy loo_JsonTemp
    destroy loo_Jwe2
    return
end if

// Set the AES wrap key for the recipient index.
loo_Jwe2.SetWrappingKey(li_RecipientIndex,ls_AesWrappingKey,"base64url")

// Decrypt
ls_OriginalPlaintext = loo_Jwe2.Decrypt(li_RecipientIndex,"utf-8")
if loo_Jwe2.LastMethodSuccess <> 1 then
    Write-Debug loo_Jwe2.LastErrorText
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    destroy loo_JsonTemp
    destroy loo_Jwe2
    return
end if

Write-Debug "original text decrypted with AES key wrap key: "
Write-Debug ls_OriginalPlaintext

// Now, let's do the same with the RSA private key:
li_RecipientIndex = loo_Jwe2.FindRecipient("kid","2011-04-29",li_CaseSensitive)
if li_RecipientIndex < 0 then
    Write-Debug "Unable to find recipient with kid=2011-04-29"
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    destroy loo_JsonTemp
    destroy loo_Jwe2
    return
end if

// Set the RSA private key for the recipient index.
loo_Jwe2.SetPrivateKey(li_RecipientIndex,loo_RsaPrivKey)

// Decrypt
ls_OriginalPlaintext = loo_Jwe2.Decrypt(li_RecipientIndex,"utf-8")
if loo_Jwe2.LastMethodSuccess <> 1 then
    Write-Debug loo_Jwe2.LastErrorText
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    destroy loo_JsonTemp
    destroy loo_Jwe2
    return
end if

Write-Debug "original text decrypted with RSA private key: "
Write-Debug ls_OriginalPlaintext

// ---------------------------------------------------------------------------------
// It should also be possible to decrypt the JWE as shown in RFC 7516, Appendix A.4.7
// because it was produced using the same keys.

loo_SbJwe = create oleobject
li_rc = loo_SbJwe.ConnectToNewObject("Chilkat_9_5_0.StringBuilder")

loo_SbJwe.Append("{")
loo_SbJwe.Append("\"protected\":")
loo_SbJwe.Append("\"eyJlbmMiOiJBMTI4Q0JDLUhTMjU2In0\",")
loo_SbJwe.Append("\"unprotected\":")
loo_SbJwe.Append("{\"jku\":\"https://server.example.com/keys.jwks\"},")
loo_SbJwe.Append("\"recipients\":[")
loo_SbJwe.Append("{\"header\":")
loo_SbJwe.Append("{\"alg\":\"RSA1_5\",\"kid\":\"2011-04-29\"},")
loo_SbJwe.Append("\"encrypted_key\":")
loo_SbJwe.Append("\"UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0-")
loo_SbJwe.Append("kFm1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ__deLKx")
loo_SbJwe.Append("GHZ7PcHALUzoOegEI-8E66jX2E4zyJKx-YxzZIItRzC5hlRirb6Y5Cl_p-ko3")
loo_SbJwe.Append("YvkkysZIFNPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPh")
loo_SbJwe.Append("cCdZ6XDP0_F8rkXds2vE4X-ncOIM8hAYHHi29NX0mcKiRaD0-D-ljQTP-cFPg")
loo_SbJwe.Append("wCp6X-nZZd9OHBv-B3oWh2TbqmScqXMR4gp_A\"},")
loo_SbJwe.Append("{\"header\":")
loo_SbJwe.Append("{\"alg\":\"A128KW\",\"kid\":\"7\"},")
loo_SbJwe.Append("\"encrypted_key\":")
loo_SbJwe.Append("\"6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ\"}],")
loo_SbJwe.Append("\"iv\":")
loo_SbJwe.Append("\"AxY8DCtDaGlsbGljb3RoZQ\",")
loo_SbJwe.Append("\"ciphertext\":")
loo_SbJwe.Append("\"KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY\",")
loo_SbJwe.Append("\"tag\":")
loo_SbJwe.Append("\"Mz-VPPyU4RlcuYv1IwIvzw\"")
loo_SbJwe.Append("}")

li_Success = loo_Jwe2.LoadJweSb(loo_SbJwe)
if li_Success <> 1 then
    Write-Debug loo_Jwe2.LastErrorText
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    destroy loo_JsonTemp
    destroy loo_Jwe2
    destroy loo_SbJwe
    return
end if

// We can decrypt with either key.  Let's use the AES key wrap key...
li_RecipientIndex = loo_Jwe2.FindRecipient("kid","7",li_CaseSensitive)
if li_RecipientIndex < 0 then
    Write-Debug "Unable to find recipient with kid=7"
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    destroy loo_JsonTemp
    destroy loo_Jwe2
    destroy loo_SbJwe
    return
end if

// Set the AES wrap key for the recipient index.
loo_Jwe2.SetWrappingKey(li_RecipientIndex,ls_AesWrappingKey,"base64url")

// Decrypt
ls_OriginalPlaintext = loo_Jwe2.Decrypt(li_RecipientIndex,"utf-8")
if loo_Jwe2.LastMethodSuccess <> 1 then
    Write-Debug loo_Jwe2.LastErrorText
    destroy loo_Jwe
    destroy loo_JweProtHdr
    destroy loo_JweRecipientHdr1
    destroy loo_JweRecipientHdr2
    destroy loo_JweUnprotHdr
    destroy loo_SbJwk
    destroy loo_RsaPrivKey
    destroy loo_JsonTemp
    destroy loo_Jwe2
    destroy loo_SbJwe
    return
end if

Write-Debug "original text decrypted from published JWE, with AES key wrap key: "
Write-Debug ls_OriginalPlaintext

// The output:

// original text decrypted with AES key wrap key: 
// Live long and prosper.
// original text decrypted with RSA private key: 
// Live long and prosper.
// original text decrypted from published JWE, with AES key wrap key: 
// Live long and prosper.


destroy loo_Jwe
destroy loo_JweProtHdr
destroy loo_JweRecipientHdr1
destroy loo_JweRecipientHdr2
destroy loo_JweUnprotHdr
destroy loo_SbJwk
destroy loo_RsaPrivKey
destroy loo_JsonTemp
destroy loo_Jwe2
destroy loo_SbJwe