Skip to content

Commit 70b0d76

Browse files
linuxwolflinuxwolf
authored
Bug: better error when given key does not support requested algorithms (#186)
1 parent dd0fc16 commit 70b0d76

File tree

2 files changed

+154
-1
lines changed

2 files changed

+154
-1
lines changed

lib/jwe/encrypt.js

+4-1
Original file line numberDiff line numberDiff line change
@@ -181,7 +181,7 @@ function JWEEncrypter(cfg, fields, recipients) {
181181
// generate Ephemeral EC Key
182182
var tks,
183183
rpromise;
184-
if (props.alg.indexOf("ECDH-ES") === 0) {
184+
if (algAlg.indexOf("ECDH-ES") === 0) {
185185
tks = algKey.keystore.temp();
186186
if (r.epk) {
187187
rpromise = Promise.resolve(r.epk).
@@ -582,6 +582,9 @@ function createEncrypt(opts, rcpts) {
582582
if (!props.alg) {
583583
props.alg = key.algorithms(JWK.MODE_WRAP)[0];
584584
}
585+
if (!props.alg) {
586+
return Promise.reject(new Error("key not valid for encrypting to recipient " + idx));
587+
}
585588
header.alg = props.alg;
586589

587590
// determine the key reference

test/jwe/alg-mismatch-test.js

+150
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,150 @@
1+
"use strict";
2+
3+
var chai = require("chai"),
4+
merge = require("../../lib/util/merge.js");
5+
6+
var JWE = require("../../lib/jwe"),
7+
JWK = require("../../lib/jwk");
8+
9+
var assert = chai.assert;
10+
11+
describe.only("jwe/alg-mismatch", function () {
12+
var a256kw = {
13+
key: {
14+
"kty": "oct",
15+
"kid": "ZMPuzBFdkJTtOxRFoCZcOot3UeaOLiyrUJblGy4PZm0",
16+
"alg": "A256KW",
17+
"k": "XZtS3MuR387VRdNHbMDubwLf3uS2QIWFf2f4xnX6aak"
18+
}
19+
};
20+
var a128gcm = {
21+
key: {
22+
"kty": "oct",
23+
"kid": "OJe4kYHZLYSA1yA4HOD57Jk70BXdF3g4Nx-j09zBDF8",
24+
"alg": "A128GCM",
25+
"k": "htqVDWv1ke9tGz0Hwqjy0g"
26+
}
27+
};
28+
var rsa_oaep = {
29+
key: {
30+
"kty": "RSA",
31+
"kid": "w3WoHBaDi6JHTyVV4ueFsMUeaGzjZzNmpITzJkKjuiU",
32+
"alg": "RSA-OAEP",
33+
"e": "AQAB",
34+
"n": "muye3G-8larVUwnjsJgTCaN_vWnFcOHQnLJTqFDSNxSiQdTfMLBBtszK1wNVCZmjxqJ17H7T_uTaOz8aJV7eENphfJulE5Iy8kdo23t782y9PXzcqH1OSiYY9SEPtWin7XfnPrOWwCZs5TulpRObH_wk8PA9_L7EZqqqMkEDwvOd34TOC04QrztbQjhdEpObTNad0r5kYh7OFsDJtbndoBiSAYGlL4chhuRWePl7IS0pVTMtJ3wDYwMCVaFfuw_MRRWusRZ3v8AlLsOpq8VdsBAkdsYxkTBQfcTWDBRLGknUSkbEkKvEs5IwiXzMWqDk7U-0_L9X8CwRV50trBM_1w",
35+
"d": "B9r1lyHHQyN9W4-Fzv92_6cdpAIH89hPVpKoMUGf1xEhxQrBIlvdiSJLKqnNlwYGSt0T86DeqO77rcNeVQTBZ8Na7BGMRjjEgopiY7aYK1iZI9P_8D8iSBo0a8F4ZW9gDGdm_0Pl4epQ3TKwDHW5CN8lFF5qFjWqCbafmJq5URoq9APRvSSAIpVMw321bSumAOLZ8R1CFqcdtD45TNahes1QlHnEnFuFQIS-kbO_SCy9S8bAllITn8j0M3qxEJHSgSlLHvbZ5TQZto4BUeK6usR85-3nE6bzvXs3nhkm75E-I8r43-UV4W8n3iZKDD-vSEhrSUY51M7D8haypuTM4Q",
36+
"p": "zLlrkNnMmpavTnJE-n_KGFeF_FA98C4xVnWxrdGNiGZpJV9DAnju1NI2YYZBzZdVWFO8ty20Pbnz2luerpfZEH0FA4uh4orQSv-hAJ2CkO-IHevOvJLnf3jIZSy4s6wuqqrK1HicHyU5SBrpUBmfCejufjnOou6qYtNWfr1LZ3E",
37+
"q": "wbobkbU5QSnsoUg_vKQdeHCWmGv9tBMrnDHlxjgmm4dHeDSrLTgqApdnsM-3rdpFGSa-7SYuPO1ZHU_XC8rILVaGhCUShfLqPCCFDHG22ZRLWBhFRAfpfT6xAyUYfPNK30ccqp1-1L2ldhUy8MWwTrtetG93v3sHIccsWyVdx8c",
38+
"dp": "zJSiZE7yAq2AJCFWwwj-mNKlxx0cuC5BCYh1dSCKkfrdKgaHPSpCaJRk2ZJDocKP-8M6O8dFbcWsZNHXwdtmg-6bGw7nSC61tay8ZJQCTPnBCT2DC7i19BFsGIbXUF1JCS3BoQ-h3BHjqyWRb4UbA9kssyDrWLCtvjI5Jk_d0VE",
39+
"dq": "P2KoUJVuBU81WFPuXseHyPd1nqt-2COJmlKNLr0CjNLHZKI--82rmSt2xtg_7gdDooYV5Dwg1tiF1txfrUENHCB6ZNRIakFfuIqfXcH7JNeri0htqWO5VrxjaHcDuyZTchivXXeonuzqLWekQjk8hZYy13C9So5zd-7WKYBhXdM",
40+
"qi": "bmK6i31vxlOYVpWB88XHmg6c-eGywybYF8FxXrp1McyYfx4aJt-oL5OQSHprqe3-F2y-JPG82y2XVh7oUDl-vzKY-izGEUAkkz5sZZEIYDsDjkPRjwZfQ79dsTe4T9mZ3nFH5aq_wDFMZsNlOdrRaf2FZjPcWXYN265RRhJWMYI"
41+
}
42+
};
43+
44+
var hs256 = {
45+
key: {
46+
"kty": "oct",
47+
"kid": "ZMPuzBFdkJTtOxRFoCZcOot3UeaOLiyrUJblGy4PZm0",
48+
"alg": "HS256",
49+
"k": "XZtS3MuR387VRdNHbMDubwLf3uS2QIWFf2f4xnX6aak"
50+
}
51+
};
52+
var rs256 = {
53+
key: {
54+
"kty": "RSA",
55+
"kid": "w3WoHBaDi6JHTyVV4ueFsMUeaGzjZzNmpITzJkKjuiU",
56+
"alg": "RS256",
57+
"e": "AQAB",
58+
"n": "muye3G-8larVUwnjsJgTCaN_vWnFcOHQnLJTqFDSNxSiQdTfMLBBtszK1wNVCZmjxqJ17H7T_uTaOz8aJV7eENphfJulE5Iy8kdo23t782y9PXzcqH1OSiYY9SEPtWin7XfnPrOWwCZs5TulpRObH_wk8PA9_L7EZqqqMkEDwvOd34TOC04QrztbQjhdEpObTNad0r5kYh7OFsDJtbndoBiSAYGlL4chhuRWePl7IS0pVTMtJ3wDYwMCVaFfuw_MRRWusRZ3v8AlLsOpq8VdsBAkdsYxkTBQfcTWDBRLGknUSkbEkKvEs5IwiXzMWqDk7U-0_L9X8CwRV50trBM_1w",
59+
"d": "B9r1lyHHQyN9W4-Fzv92_6cdpAIH89hPVpKoMUGf1xEhxQrBIlvdiSJLKqnNlwYGSt0T86DeqO77rcNeVQTBZ8Na7BGMRjjEgopiY7aYK1iZI9P_8D8iSBo0a8F4ZW9gDGdm_0Pl4epQ3TKwDHW5CN8lFF5qFjWqCbafmJq5URoq9APRvSSAIpVMw321bSumAOLZ8R1CFqcdtD45TNahes1QlHnEnFuFQIS-kbO_SCy9S8bAllITn8j0M3qxEJHSgSlLHvbZ5TQZto4BUeK6usR85-3nE6bzvXs3nhkm75E-I8r43-UV4W8n3iZKDD-vSEhrSUY51M7D8haypuTM4Q",
60+
"p": "zLlrkNnMmpavTnJE-n_KGFeF_FA98C4xVnWxrdGNiGZpJV9DAnju1NI2YYZBzZdVWFO8ty20Pbnz2luerpfZEH0FA4uh4orQSv-hAJ2CkO-IHevOvJLnf3jIZSy4s6wuqqrK1HicHyU5SBrpUBmfCejufjnOou6qYtNWfr1LZ3E",
61+
"q": "wbobkbU5QSnsoUg_vKQdeHCWmGv9tBMrnDHlxjgmm4dHeDSrLTgqApdnsM-3rdpFGSa-7SYuPO1ZHU_XC8rILVaGhCUShfLqPCCFDHG22ZRLWBhFRAfpfT6xAyUYfPNK30ccqp1-1L2ldhUy8MWwTrtetG93v3sHIccsWyVdx8c",
62+
"dp": "zJSiZE7yAq2AJCFWwwj-mNKlxx0cuC5BCYh1dSCKkfrdKgaHPSpCaJRk2ZJDocKP-8M6O8dFbcWsZNHXwdtmg-6bGw7nSC61tay8ZJQCTPnBCT2DC7i19BFsGIbXUF1JCS3BoQ-h3BHjqyWRb4UbA9kssyDrWLCtvjI5Jk_d0VE",
63+
"dq": "P2KoUJVuBU81WFPuXseHyPd1nqt-2COJmlKNLr0CjNLHZKI--82rmSt2xtg_7gdDooYV5Dwg1tiF1txfrUENHCB6ZNRIakFfuIqfXcH7JNeri0htqWO5VrxjaHcDuyZTchivXXeonuzqLWekQjk8hZYy13C9So5zd-7WKYBhXdM",
64+
"qi": "bmK6i31vxlOYVpWB88XHmg6c-eGywybYF8FxXrp1McyYfx4aJt-oL5OQSHprqe3-F2y-JPG82y2XVh7oUDl-vzKY-izGEUAkkz5sZZEIYDsDjkPRjwZfQ79dsTe4T9mZ3nFH5aq_wDFMZsNlOdrRaf2FZjPcWXYN265RRhJWMYI"
65+
}
66+
};
67+
68+
var plaintext = "this is the secret";
69+
70+
function encryptAllowed(vector, opts) {
71+
opts = merge({
72+
format: "compact"
73+
}, opts || {});
74+
75+
var p;
76+
p = JWE.createEncrypt(opts, vector.key).final(plaintext, "utf8");
77+
p = p.then(function(result) {
78+
assert.ok(result);
79+
});
80+
return p;
81+
}
82+
function encryptDisallowed(vector, opts) {
83+
opts = merge({
84+
format: "compact"
85+
}, opts);
86+
87+
var p;
88+
p = JWE.createEncrypt(opts, vector.key).final(plaintext, "utf8");
89+
p = p.then(function () {
90+
assert.ok(false, "unexpected success");
91+
}, function (err) {
92+
assert.ok(err.message);
93+
});
94+
return p;
95+
}
96+
97+
before(function () {
98+
var pending = [a128gcm, a256kw, rsa_oaep, hs256, rs256].map(function (v) {
99+
var p = JWK.asKey(v.key);
100+
p = p.then(function (jwk) {
101+
v.key = jwk;
102+
});
103+
return p;
104+
});
105+
return Promise.all(pending);
106+
});
107+
108+
it("disallows on explicit key management algorithm mismatch", function () {
109+
var opts = {
110+
fields: {
111+
alg: "dir"
112+
}
113+
};
114+
115+
var pending = [
116+
encryptAllowed(a128gcm, opts),
117+
encryptDisallowed(a256kw, opts),
118+
encryptDisallowed(rsa_oaep, opts),
119+
encryptDisallowed(rs256, opts),
120+
encryptDisallowed(hs256, opts)
121+
];
122+
return Promise.all(pending);
123+
});
124+
it("disallows on implicit key-specified mismatch", function () {
125+
var opts = {
126+
fields: {
127+
alg: "RSA-OAEP"
128+
}
129+
};
130+
131+
var pending = [
132+
encryptDisallowed(a128gcm, opts),
133+
encryptDisallowed(a256kw, opts),
134+
encryptAllowed(rsa_oaep, opts),
135+
encryptDisallowed(rs256, opts),
136+
encryptDisallowed(hs256, opts)
137+
];
138+
return Promise.all(pending);
139+
});
140+
it("disallows on implicit key usage mismatch", function () {
141+
var pending = [
142+
encryptAllowed(a128gcm),
143+
encryptAllowed(a256kw),
144+
encryptAllowed(rsa_oaep),
145+
encryptDisallowed(rs256),
146+
encryptDisallowed(hs256)
147+
];
148+
return Promise.all(pending);
149+
});
150+
});

0 commit comments

Comments
 (0)