A128GCMKW with A128GCM content encryption uses AES256GCM
Hi Brian,
Thanks for your library, which I am using to test my CPP implementation of JWE. I found a bug (or better an inconsequence) in your library. It is verified using the following test I added in the GeneralJWETests:
    @Test
    public void tryDecryptWithTestPlainTextFromJOSECPP() throws JoseException
    {
        String joseKey = "{\"k\":\"XIy6sXcvHiiS0QHePnb58w\",\"kty\":\"oct\"}";
        String encrypted = "eyJhbGciOiJBMTI4R0NNS1ciLCJlbmMiOiJBMTI4R0NNIiwiaXYiOiJlVmZjaXdlOWNKczdrMUpMIiwidGFnIjoiaklVUEpYSThfRmZYdmtSMi05UWkyUSJ9.KkzMXPRJcPtnHC9X-IFe3SvqQOvBGTPyp6v5zgN4zls.QzaKcPLWj8A1wY7W.L0iBWem899_gOBjN_lHAHkJDlOU66jJXHP6wjCG7zsfRqQa9wW8JvP1EeE7yAsZ4zNSSDdCaIiSUFKcQbrPvxA.b-s97SD01_G52wtnd8Q2HA";
        JsonWebKey jwk = JsonWebKey.Factory.newJwk(joseKey);
        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setKey(jwk.getKey());
        jwe.setCompactSerialization(encrypted);
        String payload = jwe.getPayload();
        System.out.println("Plain Text: " + payload);
    }
I configure it to use A128GCMKW key wrapping with A128GCM content encryption, but because of a bug in my code, the key-wrapped CEK is 32 bytes long. My C++ tests worked because I choose the A128GCM content encryption and ignore the last 16 bytes of the CEK.
The small bug on your part is that (I think) you choose the AES algorithm according to the length of the key and not according to the protected header definitions.
Greetings,
David
Comments (3)
- repo owner -
  Yeah, I think you are correct. It’s a bit of a byproduct of how the underlying APIs for AES work in Java in conjunction with how I’m trying to use them with this library.
  I’m not sure exactly what the proper expected behavior should be when processing a JWE where the CEK length doesn’t match the expected key length of the indicated content encryption algorithm. The example you have fails with a tag mismatch (it does AES GCM with the 256 bit key). Probably it should fail more explicitly indicating that the key length doesn’t match the required key length for the algorithm in the enc header.
- repo owner - changed status to resolved
  Check the length of the CEK against the expected key length of the content encryption algorithm (fixing Issue #170) → <<cset d18b8075c76b>>
- repo owner - changed status to closed
  released in v0.7.3
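The mismatch reported in this issue is visible without any key, because AES-GCM key wrapping does not change the key's length: the encrypted-key part of the token is exactly as long as the CEK. The Python check below is an added example, not jose4j's code or the change in the changeset above; the function names are hypothetical, and it derives the CEK length only for the GCMKW and AES Key Wrap `alg` values.

```python
import base64
import json

# Key length in bytes required by each JWE "enc" value (RFC 7518, section 5.1).
ENC_KEY_BYTES = {
    "A128GCM": 16, "A192GCM": 24, "A256GCM": 32,
    "A128CBC-HS256": 32, "A192CBC-HS384": 48, "A256CBC-HS512": 64,
}
# AES-GCM key wrap: the encrypted key has the same length as the CEK.
GCMKW = {"A128GCMKW", "A192GCMKW", "A256GCMKW"}
# AES Key Wrap (RFC 3394): the encrypted key is the CEK plus one 8-byte block.
AESKW = {"A128KW", "A192KW", "A256KW"}

# Compact serialization copied from the test in the issue above.
ISSUE_JWE = "eyJhbGciOiJBMTI4R0NNS1ciLCJlbmMiOiJBMTI4R0NNIiwiaXYiOiJlVmZjaXdlOWNKczdrMUpMIiwidGFnIjoiaklVUEpYSThfRmZYdmtSMi05UWkyUSJ9.KkzMXPRJcPtnHC9X-IFe3SvqQOvBGTPyp6v5zgN4zls.QzaKcPLWj8A1wY7W.L0iBWem899_gOBjN_lHAHkJDlOU66jJXHP6wjCG7zsfRqQa9wW8JvP1EeE7yAsZ4zNSSDdCaIiSUFKcQbrPvxA.b-s97SD01_G52wtnd8Q2HA"

def b64url_decode(segment):
    """Decode base64url text that has had its '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def cek_lengths(compact):
    """Return (enc, expected, actual) CEK lengths in bytes. actual is None when
    the length cannot be read off the encrypted key without unwrapping it."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("a compact JWE has five dot-separated parts")
    header = json.loads(b64url_decode(parts[0]))
    alg, enc = header.get("alg"), header.get("enc")
    if enc not in ENC_KEY_BYTES:
        raise ValueError("unsupported enc: %r" % (enc,))
    wrapped = len(b64url_decode(parts[1]))
    if alg in GCMKW:
        actual = wrapped
    elif alg in AESKW:
        actual = wrapped - 8
    else:
        actual = None  # other alg values: length not derived in this example
    return enc, ENC_KEY_BYTES[enc], actual

def check_cek_length(compact):
    """Raise an explicit error when the CEK length does not fit the enc header."""
    enc, expected, actual = cek_lengths(compact)
    if actual is not None and actual != expected:
        raise ValueError("CEK is %d bytes but %s requires %d" % (actual, enc, expected))
    return enc

if __name__ == "__main__":
    print(cek_lengths(ISSUE_JWE))
```

A decrypting library would apply the same comparison to the unwrapped CEK, which also covers `alg` values whose output length says nothing about the key.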