1. Brian Campbell Avatar Brian Campbell
  2. Untitled project
  3. jose4j
  4. Issues

Encrypting Claims JSON using JWE

Issue #105 invalid
Arul created an issue

I am using the Hello World JWE example from wiki. In my case, payload is set to Claims Json, that's the only difference, I use an AES key generated using Java API.

      KeyGenerator generator = KeyGenerator.getInstance("AES");
      generator.init(128);
      SecretKey key = generator.generateKey()

When encrypting, I set the payload to this:

    JsonWebEncryption jwe = new JsonWebEncryption();
    jwe.setPayload(claims.toJson());
    jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.A128KW); jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
    jwe.setKey(key);
    token = jwe.getCompactSerialization();

When decrypting, I get the claims using this code:

JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setKey(key);
jwe.setCompactSerialization(token);
JwtClaims claims = JwtClaims.parse(jwe.getPayload());

Is this a valid scenario? It works fine with Java. But, I am having issues with decrypting this token using non-Java libraries (python-jose). Appreciate any help.

Comments (4)

  1. Brian Campbell repo owner

    As best I can tell, python-jose only supports JWS signed tokens and doesn't support encryption/JWE at all. Which would explain why you can't decrypt using python-jose. A JWT that is a JWE with JSON claims is valid but both parties need to support JWE. A fair number of the JWT/JOSE libraries out there only do JWS and not JWE. Many JWT uses aren't encrypted but just signed (or MAC integrity protected) with JWS - perhaps that'd be sufficient for what you are looking to do? I can only speculate though. More JWT example usage, which may be helpful, can be found at https://bitbucket.org/b_c/jose4j/wiki/JWT%20Examples

  2. Arul reporter

    Thank you Brian for clarifying this. My requirement is to encrypt sensitive data sent in JWT token. Do you recommend a content enc alg that is widely implemented/supported in libraries? We use AES_128_CBC_HMAC_SHA_256.

  3. Brian Campbell repo owner

    I don't know for sure but, yes, I'd imagine AES_128_CBC_HMAC_SHA_256 is the most widely supported content encryption algorithm.

  5. Log in to comment
Assignee
Type
bug
Priority
major
Status
invalid
Votes
0
Watchers
1
Jira: the preferred issue tracker for Bitbucket. Join the team!