Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix EC encryption #114

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix EC encryption #114

wants to merge 1 commit into from

Conversation

hawk259
Copy link

@hawk259 hawk259 commented Mar 7, 2022

jose_jwe_enc using elliptic curve keys does not add the algo or epk values to the protected header value it generates.

These values will be missing when generating a compact serialized JWE string and will fail decrypting because the protected value is missing them.

The patch below tweaks things to include them in the protected value.

lib/jwe.c change to match lib/jws.c putting it protected instead of header.

lib/openssl/ecdhes.c changes to put things in both protected and header.

I do not have test cases for other encryption cases, but I think "protected" might need to be added to the add_entity call in other files in lib/openssl.

@sarroutbi
Copy link
Collaborator

Hello @hawk259 : this change seems to break unit tests ... is it because they need to be changed? I am not sure change can be merged if unit tests are broken ...

@hawk259
Copy link
Author

hawk259 commented Jun 14, 2023

I have been trying to figure out how to fix the tests, but not making much progress.

Here is a test that you can try to add to see how things break:

  1. setup keys and call jose_jwe_enc on a string
  2. generate a JWT token string using <protected>.<encrypted_key>.<iv>.<ciphertext>.<tag> keys from jwe object
  3. Using that string, split on ., create a json object with the above keys, setup keys and call jose_jwe_dec passing that object.

The jose_jwe_dec will fail because it doesn't have enough info in the protected value to decrypt the strings. The problem is the things needed are saved in the header value, but not copied to protected value.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants