Consider creating a policy to catch unchecked exceptions produced by JOSE crypto providers

Issue #20 resolved
Vladimir Dzhuvinov created an issue

I just discovered that BouncyCastle may actually throw an unchecked exception on attempting to decrypt an AESGCM JWE with an invalid / missing authentication tag.

Testcase: testWithA128GCM took 6.713 sec
        Caused an ERROR
null
java.lang.NegativeArraySizeException
        at org.bouncycastle.jcajce.provider.symmetric.util.BaseBlockCipher.engineDoFinal(Unknown Source)
        at javax.crypto.Cipher.doFinal(Cipher.java:1813)
        at com.nimbusds.jose.crypto.RSADecrypter.decrypt(Unknown Source)
        at com.nimbusds.jose.JWEObject.decrypt(Unknown Source)
        at com.nimbusds.jose.crypto.RSA1_5Test.testWithA128GCM(Unknown Source)
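
One way to apply such a policy at the AES/GCM content decryption step, as an added example that is not part of the original issue or the library's code: it uses only the standard javax.crypto API, and the class GcmDecryptPolicy, the exception DecryptionException and all sample values are hypothetical names constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class GcmDecryptPolicy {
    /** Hypothetical checked exception standing in for the library's own type. */
    static class DecryptionException extends Exception {
        DecryptionException(String msg, Throwable cause) { super(msg, cause); }
    }

    static byte[] crypt(int mode, byte[] key, byte[] iv, byte[] aad, byte[] in)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        c.updateAAD(aad);
        return c.doFinal(in);
    }

    /** Decrypts ciphertext||tag; every provider failure surfaces as one checked type. */
    static byte[] decrypt(byte[] key, byte[] iv, byte[] aad, byte[] cipherTextAndTag)
            throws DecryptionException {
        try {
            return crypt(Cipher.DECRYPT_MODE, key, iv, aad, cipherTextAndTag);
        } catch (GeneralSecurityException | RuntimeException e) {
            // RuntimeException covers provider-internal errors such as the
            // NegativeArraySizeException in the trace above. The message is the
            // same for every cause so callers cannot tell failure modes apart.
            throw new DecryptionException("AES/GCM decryption failed", e);
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16], iv = new byte[12]; // constructed sample values
        SecureRandom rnd = new SecureRandom();
        rnd.nextBytes(key);
        rnd.nextBytes(iv);
        byte[] aad = "header".getBytes(StandardCharsets.UTF_8);
        byte[] ct = crypt(Cipher.ENCRYPT_MODE, key, iv, aad, "hello".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(decrypt(key, iv, aad, ct), StandardCharsets.UTF_8));
        // Tag stripped, input shorter than any tag, and empty input.
        byte[][] bad = { Arrays.copyOf(ct, ct.length - 16), Arrays.copyOf(ct, 3), new byte[0] };
        for (byte[] b : bad) {
            try {
                decrypt(key, iv, aad, b);
                throw new AssertionError("input without a valid tag was accepted");
            } catch (DecryptionException e) {
                System.out.println("rejected: " + e.getCause().getClass().getName());
            }
        }
    }
}
```

The cause class printed for each rejected input depends on the installed JCA provider; the caller only ever has to handle DecryptionException.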
