From 57fe5a03c83feaf73a84b23c02e641f86482e313 Mon Sep 17 00:00:00 2001 From: Goncalo Frade Date: Wed, 27 Nov 2024 19:24:43 +0000 Subject: [PATCH] fix: jwt decryption when key management alg is direct The JWT.verify method didn't provide a parameter to receive a sharedKey. Signed-off-by: Goncalo Frade --- Sources/JSONWebToken/JWT+Verification.swift | 12 ++++++-- Tests/JWTTests/JWTTests.swift | 32 +++++++++++++++++++++ 2 files changed, 42 insertions(+), 2 deletions(-) diff --git a/Sources/JSONWebToken/JWT+Verification.swift b/Sources/JSONWebToken/JWT+Verification.swift index c159327..b5e68e4 100644 --- a/Sources/JSONWebToken/JWT+Verification.swift +++ b/Sources/JSONWebToken/JWT+Verification.swift @@ -43,6 +43,7 @@ extension JWT { jwtString: String, senderKey: KeyRepresentable? = nil, recipientKey: KeyRepresentable? = nil, + sharedKey: KeyRepresentable? = nil, nestedKeys: [KeyRepresentable] = [], expectedIssuer: String? = nil, expectedAudience: String? = nil @@ -61,6 +62,7 @@ extension JWT { jwtString: jws.payload.tryToString(), senderKey: key, recipientKey: nil, + sharedKey: sharedKey, nestedKeys: nestedKeys, expectedIssuer: expectedIssuer, expectedAudience: expectedAudience @@ -82,7 +84,8 @@ extension JWT { let decryptedPayload = try jwe.decrypt( senderKey: senderKey, - recipientKey: recipientKey + recipientKey: recipientKey, + sharedKey: sharedKey ) if jwe.protectedHeader.contentType == "JWT" { @@ -95,6 +98,7 @@ extension JWT { jwtString: decryptedPayload.tryToString(), senderKey: senderKey, recipientKey: key, + sharedKey: sharedKey, nestedKeys: nestedKeys, expectedIssuer: expectedIssuer, expectedAudience: expectedAudience @@ -134,6 +138,7 @@ extension JWT { signerKey: KeyRepresentable? = nil, senderKey: KeyRepresentable? = nil, recipientKey: KeyRepresentable? = nil, + sharedKey: KeyRepresentable? = nil, nestedKeys: [KeyRepresentable] = [], expectedIssuer: String? = nil, expectedAudience: String? = nil @@ -152,6 +157,7 @@ extension JWT { jwtString: jws.payload.tryToString(), senderKey: key, recipientKey: nil, + sharedKey: sharedKey, nestedKeys: nestedKeys, expectedIssuer: expectedIssuer, expectedAudience: expectedAudience @@ -173,7 +179,8 @@ extension JWT { let decryptedPayload = try jwe.decrypt( senderKey: senderKey, - recipientKey: recipientKey + recipientKey: recipientKey, + sharedKey: sharedKey ) if jwe.protectedHeader.contentType == "JWT" { @@ -186,6 +193,7 @@ extension JWT { jwtString: decryptedPayload.tryToString(), senderKey: senderKey, recipientKey: key, + sharedKey: sharedKey, nestedKeys: nestedKeys, expectedIssuer: expectedIssuer, expectedAudience: expectedAudience diff --git a/Tests/JWTTests/JWTTests.swift b/Tests/JWTTests/JWTTests.swift index c66118e..881beb2 100644 --- a/Tests/JWTTests/JWTTests.swift +++ b/Tests/JWTTests/JWTTests.swift @@ -1,6 +1,7 @@ import JSONWebKey @testable import JSONWebToken import JSONWebSignature +import JSONWebEncryption import XCTest final class JWTTests: XCTestCase { @@ -279,6 +280,37 @@ final class JWTTests: XCTestCase { XCTAssertTrue(areJSONStringsEqual(jsonString, expectedJSON)) } + func testJWE() throws { + let expiredAt = Date().addingTimeInterval(60) + + let header = DefaultJWEHeaderImpl( + keyManagementAlgorithm: .direct, + encodingAlgorithm: .a256GCM + ) + + let kekData = Data(count: 256 / 8) + + let jwt = try JWT.encrypt( + claims: { + ObjectClaim(key: "body") { + StringClaim(key: "foo", value: "bar") + } + IssuerClaim(value: "DLTA Studio") + ExpirationTimeClaim(value: expiredAt) + }, + protectedHeader: header, + senderKey: nil, + recipientKey: nil, + sharedKey: nil, + cek: kekData + ) + + let jwtString = jwt.jwtString + + let verifiedJWT = try JWT.verify(jwtString: jwtString, sharedKey: JWK(keyType: .octetSequence, key: kekData)) + let verifiedPayload = verifiedJWT.payload + } + private func areJSONStringsEqual(_ lhs: String, _ rhs: String) -> Bool { guard let lhsData = lhs.data(using: .utf8),