RSA_OAEPTest.testDecryptWith256GCM fails on MAC/GCM check
Issue #11
resolved
The JUnit test using the RSA key pair and encrypted JWE from http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-08#appendix-A.1 fails with the following message:
Testsuite: com.nimbusds.jose.crypto.RSA_OAEPTest
Tests run: 3, Failures: 0, Errors: 1, Time elapsed: 0.836 sec
Testcase: testWithA128GCM took 0.478 sec
Testcase: testWithA256GCM took 0.187 sec
Testcase: testDecryptWith256GCM took 0.168 sec
Caused an ERROR
mac check in GCM failed
com.nimbusds.jose.JOSEException: mac check in GCM failed
at com.nimbusds.jose.crypto.RSADecrypter.decrypt(Unknown Source)
at com.nimbusds.jose.JWEObject.decrypt(Unknown Source)
at com.nimbusds.jose.crypto.RSA_OAEPTest.testDecryptWith256GCM(Unknown Source)
Caused by: javax.crypto.BadPaddingException: mac check in GCM failed
at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
at javax.crypto.Cipher.doFinal(Cipher.java:1813)
Comments (10)
-
-
reporter
Interesting. Axel's code uses exactly the same statement to get the cipher:
Could the JWE example be potentially wrong?
-
reporter
Here is an email from Mike Jones detailing how AES-GCM is done in JWE:
http://www.ietf.org/mail-archive/web/jose/current/msg00496.html
-
reporter
Oops, I noticed our AES-GCM does not produce the so called 128-bit "authentication tag" for the last JWE part. Could that be the culprit?
About the auth tag:
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-08#section-4.9
Instead of the of auth tag we have an empty JWE part (specified as null):
-
On deeper inspection, the "Bad Padding Exception" is actually a wrapper around a different exception that gets thrown when the MAC doesn't match, so padding may or may not be the actual problem.
-
reporter
I think I found the solution to doing proper AESGCM, we should be passing an javax.crypto.spec.GCMParameterSpec to the Cipher instead of the common IvParameterSpec! This should then produce the AEAD part (the integrity JWE part) that we miss.
Hopefully I'll be able to implement that before tonight's opera. Fingers crossed :)
-
reporter
- changed status to open
-
reporter
-
assigned issue to
Vladimir Dzhuvinov
-
assigned issue to
-
commented out failing test (see
#11), added note-well to RSAEncrypter and RSADecrypter during development→ <<cset dcc8f8459f6b>>
-
reporter
- changed status to resolved
Fixed in f013548
- Log in to comment
Since the error being thrown is a padding exception, I think it's stemming from a disconnect between this call:
And what was used to generate the JWE example.