Header is automatically included as AAD for JWE content encryption algorithm
Issue #127
closed
I need to communicate with a server which expects AAD to be empty. The library automatically uses the header as AAD, but AFAIK it should be possible to use empty AAD: https://bitbucket.org/b_c/jose4j/src/7f9624414a1baf752adbc61d4a1be16253eeec23/src/main/java/org/jose4j/jwe/JsonWebEncryption.java#lines-271 Also, I didn't find any evidence in the JWE specification that AAD is mandatory and that you always need to use the header for that.
Comments (4)
reporter Thanks, you're right.
reporter - changed status to resolved
reporter - changed status to closed
In the JWE Compact Serialization, which is all this library supports, the header is always protected and thus always included in the AAD.
The JWE spec can be a little hard to follow but some relevant parts follow.
from https://tools.ietf.org/html/rfc7516#section-2
from https://tools.ietf.org/html/rfc7516#section-5.1
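The AAD rule described in the comment above, as an added example that is not code from jose4j or from this thread: it builds a compact JWE with `dir` and `A128GCM` using only JDK classes, sets the AAD to ASCII(BASE64URL(UTF8(protected header))) as RFC 7516 section 5.1 specifies, and shows that a recipient using empty AAD rejects the message. The class name, header, key and plaintext are constructed samples.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class JweAadDemo {   // hypothetical class name, not part of jose4j
    static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();

    // One-shot AES-GCM; the JDK appends the 16-byte tag to the ciphertext.
    static byte[] gcm(int mode, byte[] key, byte[] iv, byte[] aad, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        c.updateAAD(aad);
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] cek = new byte[16], iv = new byte[12];   // constructed sample key and IV
        rnd.nextBytes(cek);
        rnd.nextBytes(iv);

        // Constructed protected header for direct encryption with A128GCM.
        String header = "{\"alg\":\"dir\",\"enc\":\"A128GCM\"}";
        String encodedHeader = B64.encodeToString(header.getBytes(StandardCharsets.UTF_8));
        // Compact serialization has no separate AAD member: the AAD is the encoded header.
        byte[] aad = encodedHeader.getBytes(StandardCharsets.US_ASCII);

        byte[] out = gcm(Cipher.ENCRYPT_MODE, cek, iv, aad, "hello".getBytes(StandardCharsets.UTF_8));
        int ctLen = out.length - 16;
        String compact = encodedHeader + ".."           // empty encrypted-key part for "dir"
                + B64.encodeToString(iv) + "."
                + B64.encodeToString(Arrays.copyOfRange(out, 0, ctLen)) + "."
                + B64.encodeToString(Arrays.copyOfRange(out, ctLen, out.length));
        System.out.println(compact);

        // Recipient that uses the encoded header as AAD recovers the plaintext.
        System.out.println(new String(gcm(Cipher.DECRYPT_MODE, cek, iv, aad, out), StandardCharsets.UTF_8));
        // Recipient that uses empty AAD fails tag verification on the same message.
        try {
            gcm(Cipher.DECRYPT_MODE, cek, iv, new byte[0], out);
        } catch (AEADBadTagException e) {
            System.out.println("empty AAD: authentication tag mismatch");
        }
    }
}
```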