Sample code for 30+ languages & platforms
Pascal (Lazarus/Delphi)

JWE using RSAES-OAEP and AES GCM

See more JSON Web Encryption (JWE) Examples

This example duplicates the example A.1 in RFC 7516 for JSON Web Encryption (JWE).

Chilkat Pascal (Lazarus/Delphi) Downloads

Pascal (Lazarus/Delphi)
program ChilkatDemo;

// Demonstrates using the Chilkat Pascal wrapper via the C bridge DLL.
// Builds as a console application under Lazarus (FPC) or Delphi.

{$IFDEF FPC}
  {$MODE DELPHI}
{$ENDIF}
{$APPTYPE CONSOLE}

uses
  {$IFDEF UNIX}
  cthreads,
  {$ENDIF}
  SysUtils,
  CkDllLoader,
  Chilkat.Jwe,
  Chilkat.StringBuilder,
  Chilkat.PrivateKey,
  Chilkat.PublicKey,
  Chilkat.JsonObject;

// ---------------------------------------------------------------------------

procedure RunDemo;
var
  success: Boolean;
  plaintext: string;
  jweProtHdr: TJsonObject;
  sbJwk: TStringBuilder;
  rsaPrivKey: TPrivateKey;
  rsaPubKey: TPublicKey;
  jwe: TJwe;
  strJwe: string;
  jwe2: TJwe;
  originalPlaintext: string;
  sbJwe: TStringBuilder;

begin
  success := False;

  //  This requires the Chilkat API to have been previously unlocked.
  //  See Global Unlock Sample for sample code.

  //  Note: This example requires Chilkat v9.5.0.66 or greater.

  plaintext := 'The true sign of intelligence is not knowledge but imagination.';

  //  ---------------------------------
  //  A.1.1 JOSE Header
  //  First build the JWE Protected Header.
  //  We want to build this: {"alg":"RSA-OAEP","enc":"A256GCM"}
  jweProtHdr := TJsonObject.Create;
  jweProtHdr.AppendString('alg','RSA-OAEP');
  jweProtHdr.AppendString('enc','A256GCM');
  WriteLn('JWE Protected Header: ' + jweProtHdr.Emit());
  WriteLn('--');

  //  ---------------------------------
  //  A.1.2 Content Encryption Key
  //  Note: Chilkat automatically generates the random CEK internally.
  //  The application does not need to explicitly take this step.

  //  ---------------------------------
  //  A.1.3.  Key Encryption
  //  The application should load an RSA private key from any format.
  //  However, the application does not need to explicitly construct the JWE Encrypted Key.
  //  Chilkat automatically does it internally.
  //  The design of the Chilkat JWE API is to allow the application to create the JWE
  //  after specifying the inputs.  (This is in contrast to forcing the application developer
  //  to painstakingly go through each step of the JWE construction process.)

  //  The specific RSA key used in the A.1 example is the following JWK:
  sbJwk := TStringBuilder.Create;
  sbJwk.Append('{"kty": "RSA",');
  sbJwk.Append('"n": "oahUIoWw0K0usKNuOR6H4wkf4oBUXHTxRvgb48E-BVvxkeDNjbC4he8rUW');
  sbJwk.Append('cJoZmds2h7M70imEVhRU5djINXtqllXI4DFqcI1DgjT9LewND8MW2Krf3S');
  sbJwk.Append('psk_ZkoFnilakGygTwpZ3uesH-PFABNIUYpOiN15dsQRkgr0vEhxN92i2a');
  sbJwk.Append('sbOenSZeyaxziK72UwxrrKoExv6kc5twXTq4h-QChLOln0_mtUZwfsRaMS');
  sbJwk.Append('tPs6mS6XrgxnxbWhojf663tuEQueGC-FCMfra36C9knDFGzKsNa7LZK2dj');
  sbJwk.Append('YgyD3JR_MB_4NUJW_TqOQtwHYbxevoJArm-L5StowjzGy-_bq6Gw",');
  sbJwk.Append('"e": "AQAB",');
  sbJwk.Append('"d": "kLdtIj6GbDks_ApCSTYQtelcNttlKiOyPzMrXHeI-yk1F7-kpDxY4-WY5N');
  sbJwk.Append('WV5KntaEeXS1j82E375xxhWMHXyvjYecPT9fpwR_M9gV8n9Hrh2anTpTD9');
  sbJwk.Append('3Dt62ypW3yDsJzBnTnrYu1iwWRgBKrEYY46qAZIrA2xAwnm2X7uGR1hghk');
  sbJwk.Append('qDp0Vqj3kbSCz1XyfCs6_LehBwtxHIyh8Ripy40p24moOAbgxVw3rxT_vl');
  sbJwk.Append('t3UVe4WO3JkJOzlpUf-KTVI2Ptgm-dARxTEtE-id-4OJr0h-K-VFs3VSnd');
  sbJwk.Append('VTIznSxfyrj8ILL6MG_Uv8YAu7VILSB3lOW085-4qE3DzgrTjgyQ",');
  sbJwk.Append('"p": "1r52Xk46c-LsfB5P442p7atdPUrxQSy4mti_tZI3Mgf2EuFVbUoDBvaRQ-');
  sbJwk.Append('SWxkbkmoEzL7JXroSBjSrK3YIQgYdMgyAEPTPjXv_hI2_1eTSPVZfzL0lf');
  sbJwk.Append('fNn03IXqWF5MDFuoUYE0hzb2vhrlN_rKrbfDIwUbTrjjgieRbwC6Cl0",');
  sbJwk.Append('"q": "wLb35x7hmQWZsWJmB_vle87ihgZ19S8lBEROLIsZG4ayZVe9Hi9gDVCOBm');
  sbJwk.Append('UDdaDYVTSNx_8Fyw1YYa9XGrGnDew00J28cRUoeBB_jKI1oma0Orv1T9aX');
  sbJwk.Append('IWxKwd4gvxFImOWr3QRL9KEBRzk2RatUBnmDZJTIAfwTs0g68UZHvtc",');
  sbJwk.Append('"dp": "ZK-YwE7diUh0qR1tR7w8WHtolDx3MZ_OTowiFvgfeQ3SiresXjm9gZ5KL');
  sbJwk.Append('hMXvo-uz-KUJWDxS5pFQ_M0evdo1dKiRTjVw_x4NyqyXPM5nULPkcpU827');
  sbJwk.Append('rnpZzAJKpdhWAgqrXGKAECQH0Xt4taznjnd_zVpAmZZq60WPMBMfKcuE",');
  sbJwk.Append('"dq": "Dq0gfgJ1DdFGXiLvQEZnuKEN0UUmsJBxkjydc3j4ZYdBiMRAy86x0vHCj');
  sbJwk.Append('ywcMlYYg4yoC4YZa9hNVcsjqA3FeiL19rk8g6Qn29Tt0cj8qqyFpz9vNDB');
  sbJwk.Append('UfCAiJVeESOjJDZPYHdHY8v1b-o-Z2X5tvLx-TCekf7oxyeKDUqKWjis",');
  sbJwk.Append('"qi": "VIMpMYbPf47dT1w_zDUXfPimsSegnMOA1zTaX7aGk_8urY6R8-ZW1FxU7');
  sbJwk.Append('AlWAyLWybqq6t16VFd7hQd0y6flUK4SlOydB61gwanOsXGOAOv82cHq0E3');
  sbJwk.Append('eL4HrtZkUuKvnPrMnsUUFlfUdybVzxyjz9JF_XyaY14ardLSjf4L_FNY"}');

  //  Load this JWK into a Chilkat private key object.
  rsaPrivKey := TPrivateKey.Create;
  success := rsaPrivKey.LoadJwk(sbJwk.GetAsString());
  if (success = False) then
    begin
      WriteLn(rsaPrivKey.LastErrorText);
      Exit;
    end;

  //  The public key is used to encrypt (i.e. create the JWE), 
  //  and the private key is used to decrypt.
  //  The RSA public key is simply a subset of the private key.  The RSA public key
  //  is composed of the "n" and "e" members shown above.  These are also known as the
  //  modulus and exponent.
  //  We can simply get the public key object from the private key object
  rsaPubKey := TPublicKey.Create;
  rsaPrivKey.ToPublicKey(rsaPubKey);

  //  ---------------------------------
  //  A.1.4.  Initialization Vector
  //  Chilkat automatically generates the necessary random IV internally.  
  //  The application does not need to do this explicitly.

  //  ---------------------------------
  //  A.1.5.  Additional Authenticated Data
  //  The Additional Authenticated Data encryption parameter is
  //  ASCII(BASE64URL(UTF8(JWE Protected Header))).
  //  Again, Chilkat automatically takes care of this internally.
  //  The application does not need to explicitly take this step.

  //  ---------------------------------
  //  A.1.6.  Content Encryption
  //  Again... this step is handled by Chilkat internally.

  //  ---------------------------------
  //  A.1.7.  Complete Representation
  //  The application need only call the Encrypt, EncryptSb, or EncryptBd method
  //  return the fully assembled JWE.  
  //  The final representation in the Compact Serialization 
  //  is the string BASE64URL(UTF8(JWE Protected Header)) || '.' ||
  //  BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization
  //  Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE
  //  Authentication Tag).

  jwe := TJwe.Create;
  jwe.SetProtectedHeader(jweProtHdr);
  jwe.SetPublicKey(0,rsaPubKey);

  strJwe := jwe.Encrypt(plaintext,'utf-8');
  if (jwe.LastMethodSuccess = False) then
    begin
      WriteLn(jwe.LastErrorText);
      Exit;
    end;

  //  Note: The RSA OAEP algorithm uses random padding bytes internally.
  //  Therefore, the results will appear different each time -- even if the
  //  identical plaintext is encrypted with the identical RSA key. 
  //  (Do not expect the appearance of the results to be the same as what
  //  is published in the RFC.  However, what is published in the RFC *should*
  //  be decryptable using the code that follows.)
  WriteLn(strJwe);

  //  Let's decrypt the JWE that was just produced.
  //  Do the following to decrypt a JWE:
  //  1) Load the JWE.
  //  2) Set the private key for decryption.
  //  3) Decrypt.
  jwe2 := TJwe.Create;
  success := jwe2.LoadJwe(strJwe);
  if (success = False) then
    begin
      WriteLn(jwe2.LastErrorText);
      Exit;
    end;

  //  Provide the RSA private key for decryption.
  //  (The JWE was encrypted for a single recipient at index 0.)
  jwe2.SetPrivateKey(0,rsaPrivKey);

  //  Decrypt.
  originalPlaintext := jwe2.Decrypt(0,'utf-8');
  if (jwe2.LastMethodSuccess = False) then
    begin
      WriteLn(jwe2.LastErrorText);
      Exit;
    end;

  WriteLn('original text: ');
  WriteLn(originalPlaintext);

  //  ---------------------------------------------------------------------------------
  //  It should also be possible to decrypt the JWE as shown in RFC 7516, Appendix A.1.7
  //  because it was produced using the same RSA key.

  sbJwe := TStringBuilder.Create;
  sbJwe.Append('eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.');
  sbJwe.Append('OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMTYUmKoTCVJRgckCL9kiMT03JGe');
  sbJwe.Append('ipsEdY3mx_etLbbWSrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImGyFDb');
  sbJwe.Append('Sv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdYwam_lDp5XnZAYpQdb76FdIKLaV');
  sbJwe.Append('mqgfwX7XWRxv2322i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eObdv0je8');
  sbJwe.Append('1860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6vFWXRcZ_ZT2LawVCWTIy3brGPi');
  sbJwe.Append('6UklfCpIMfIjf7iGdXKHzg.');
  sbJwe.Append('48V1_ALb6US04U3b.');
  sbJwe.Append('5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo4vpzs9tX_EFShS8iB7j6ji');
  sbJwe.Append('SdiwkIr3ajwQzaBtQD_A.');
  sbJwe.Append('XFBoMYUZodetZdvTiFvSkQ');

  success := jwe2.LoadJweSb(sbJwe);
  if (success = False) then
    begin
      WriteLn(jwe2.LastErrorText);
      Exit;
    end;

  //  Provide the RSA private key for decryption.
  jwe2.SetPrivateKey(0,rsaPrivKey);

  //  Decrypt.
  originalPlaintext := jwe2.Decrypt(0,'utf-8');
  if (jwe2.LastMethodSuccess = False) then
    begin
      WriteLn(jwe2.LastErrorText);
      Exit;
    end;

  WriteLn(originalPlaintext);


  jweProtHdr.Free;
  sbJwk.Free;
  rsaPrivKey.Free;
  rsaPubKey.Free;
  jwe.Free;
  jwe2.Free;
  sbJwe.Free;

end;

// ---------------------------------------------------------------------------

begin

  try
    RunDemo;
  except
    on E: Exception do
      WriteLn('Unhandled exception: ', E.ClassName, ': ', E.Message);
  end;

  WriteLn;
  {$IFDEF MSWINDOWS}
  WriteLn('Press Enter to exit...');
  ReadLn;
  {$ENDIF}
end.