Bug in AAD input composition for Direct encryption / decryption

Issue #47 resolved
Vladimir Dzhuvinov created an issue

Reported by Otso Kassinen


Dear Nimbus JOSE+JWT maintainers,

First of all, I'd like to thank you for the great JWE library you have provided!

I have the following bug report to make. (The JOSE version used: I git cloned the code on May 8th and used that.)

We noticed that in the file DirectEncrypter.java, there is the following line: byte[] aad = StringUtils.toByteArray(readOnlyJWEHeader.toBase64URL() + "." + encryptedKey);

Because encryptedKey is null, this causes the string "null" (yes, the four characters n, u, l, l) to be written after the dot. Of course, the correct behavior would be to write nothing (empty string) after the dot.

The bug causes the generated JWE to be erroneous. The same bug is also in DirectDecrypter.java, causing the MAC check to fail.

I temp-fixed the bugs for myself by commenting out the part where encryptedKey is appended to the string.

Please reply, so I'll know this report was received.

Best regards,
Otso Kassinen
University of Oulu
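The concatenation pitfall the report describes, as an added stand-alone example; this is not code from the Nimbus JOSE+JWT library or from the reporter's fix. Java's string concatenation turns a null reference into the four characters "null", so the AAD fed to the AEAD cipher silently differs from what the other party computes, and the tag check fails on decryption. The header value, the method names buggyAad/fixedAad and the use of raw AES-GCM via javax.crypto are constructed for the demo. The example keeps the "header.encryptedKey" composition the report quotes; note that in the final RFC 7516 compact serialization the AAD is the base64url-encoded protected header on its own, with no separator.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class DirectAadDemo {

    // Constructed for this demo: base64url-encoded protected header of a
    // direct-encryption JWE, {"alg":"dir","enc":"A128GCM"}.
    static final String HEADER_B64URL = Base64.getUrlEncoder().withoutPadding()
            .encodeToString("{\"alg\":\"dir\",\"enc\":\"A128GCM\"}".getBytes(StandardCharsets.UTF_8));

    // Composition as described in the report: with encryptedKey == null,
    // String concatenation appends the literal text "null" after the dot.
    static byte[] buggyAad(String headerB64Url, String encryptedKey) {
        return (headerB64Url + "." + encryptedKey).getBytes(StandardCharsets.US_ASCII);
    }

    // Corrected composition: a null encrypted key contributes nothing after the dot.
    static byte[] fixedAad(String headerB64Url, String encryptedKey) {
        String keyPart = (encryptedKey == null) ? "" : encryptedKey;
        return (headerB64Url + "." + keyPart).getBytes(StandardCharsets.US_ASCII);
    }

    // AES-GCM with the given AAD; output is ciphertext followed by the 16-byte tag.
    static byte[] gcmEncrypt(SecretKey key, byte[] iv, byte[] aad, byte[] plaintext)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        c.updateAAD(aad);
        return c.doFinal(plaintext);
    }

    // Throws AEADBadTagException when the AAD (or ciphertext/tag) does not match.
    static byte[] gcmDecrypt(SecretKey key, byte[] iv, byte[] aad, byte[] ciphertextAndTag)
            throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, iv));
        c.updateAAD(aad);
        return c.doFinal(ciphertextAndTag);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rnd = new SecureRandom();
        byte[] keyBytes = new byte[16];
        rnd.nextBytes(keyBytes);
        SecretKey key = new SecretKeySpec(keyBytes, "AES");
        byte[] iv = new byte[12];
        rnd.nextBytes(iv);
        byte[] plaintext = "hello".getBytes(StandardCharsets.UTF_8);

        // Shows the extra "null" suffix in the buggy AAD.
        System.out.println("buggy AAD: " + new String(buggyAad(HEADER_B64URL, null), StandardCharsets.US_ASCII));
        System.out.println("fixed AAD: " + new String(fixedAad(HEADER_B64URL, null), StandardCharsets.US_ASCII));

        // Sender using the buggy composition, receiver using the corrected one:
        // the AADs differ, so the authentication tag does not verify.
        byte[] ct = gcmEncrypt(key, iv, buggyAad(HEADER_B64URL, null), plaintext);
        try {
            gcmDecrypt(key, iv, fixedAad(HEADER_B64URL, null), ct);
            System.out.println("unexpected: tag verified despite AAD mismatch");
        } catch (AEADBadTagException e) {
            System.out.println("tag check failed as expected (AAD mismatch)");
        }

        // Both sides using the corrected composition round-trip cleanly.
        byte[] ct2 = gcmEncrypt(key, iv, fixedAad(HEADER_B64URL, null), plaintext);
        byte[] pt2 = gcmDecrypt(key, iv, fixedAad(HEADER_B64URL, null), ct2);
        System.out.println("round trip: " + new String(pt2, StandardCharsets.UTF_8));
    }
}
```

The AEAD tag failure is the only symptom a receiver sees, which is why the report observed it as a MAC check failure rather than as a visibly malformed token; a unit test that asserts the exact AAD bytes for the null-key case would have caught the defect before it reached interoperability testing.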

Comments (2)
