fix: limit default PBES2 alg's computational expense

panva · panva · commit c1512be6601a · 2022-09-01T09:45:24.000+02:00
Also adds an option to opt-in to higher computation expense.
diff --git a/docs/README.md b/docs/README.md
@@ -1490,6 +1490,10 @@ operation.
   - `keyManagementAlgorithms`: `string[]` Array of algorithms to accept as the `alg` (key management),
     when the JWE does not use an Key Management algorithm from this list the decryption will fail. 
     **Default:** 'undefined' - accepts all algorithms available on the key or key store.
+  - `maxPBES2Count`: `number` (PBES2 Key Management Algorithms only) Maximum allowed "p2c" (PBES2
+    Count) Header Parameter value. The PBKDF2 iteration count defines the algorithm's computational
+    expense.
+    **Default:** '10000'
   - `complete`: `<boolean>` When true returns an object with the parsed headers, verified
     AAD, the content encryption key, the key that was used to unwrap or derive the content
     encryption key, and cleartext instead of only the cleartext.
diff --git a/lib/jwe/decrypt.js b/lib/jwe/decrypt.js
@@ -52,7 +52,7 @@ const validateAlgorithms = (algorithms, option) => {
 /*
  * @public
  */
-const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], complete = false, keyManagementAlgorithms, contentEncryptionAlgorithms } = {}) => {
+const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], complete = false, keyManagementAlgorithms, contentEncryptionAlgorithms, maxPBES2Count = 10000 } = {}) => {
   key = getKey(key, true)
 
   keyManagementAlgorithms = validateAlgorithms(keyManagementAlgorithms, 'keyManagementAlgorithms')
@@ -142,6 +142,12 @@ const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], c
 
     check(key, ...(alg === 'dir' ? ['decrypt', enc] : ['keyManagementDecrypt', alg]))
 
+    if (alg.startsWith('PBES2')) {
+      if (opts && opts.p2c > maxPBES2Count) {
+        throw new errors.JWEInvalid('JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds')
+      }
+    }
+
     try {
       if (alg === 'dir') {
         cek = JWK.asKey(key, { alg: enc, use: 'enc' })
diff --git a/test/jwe/sanity.test.js b/test/jwe/sanity.test.js
@@ -606,3 +606,13 @@ test('"enc" value must be supported error (when no alg was specified)', t => {
     JWE.encrypt('foo', k, { enc: 'foo' })
   }, { instanceOf: errors.JOSENotSupported, message: 'unsupported encrypt alg: foo' })
 })
+
+if (!('electron' in process.versions)) {
+  test('decrypt PBES2 p2c limit', t => {
+    const k = generateSync('oct', 256)
+    const jwe = JWE.encrypt('foo', k, { alg: 'PBES2-HS256+A128KW' })
+    t.throws(() => {
+      JWE.decrypt(jwe, k, { maxPBES2Count: 1000 })
+    }, { instanceOf: errors.JWEInvalid, message: 'JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds' })
+  })
+}
diff --git a/types/index.d.ts b/types/index.d.ts
@@ -401,6 +401,7 @@ export namespace JWE {
     crit?: string[];
     contentEncryptionAlgorithms?: string[];
     keyManagementAlgorithms?: string[];
+    maxPBES2Count?: number;
   }
 
   interface completeDecrypt {

Original file line number	Diff line number	Diff line change
`@@ -401,6 +401,7 @@ export namespace JWE {`
`401`	`401`	`crit?: string[];`
`402`	`402`	`contentEncryptionAlgorithms?: string[];`
`403`	`403`	`keyManagementAlgorithms?: string[];`
	`404`	`+ maxPBES2Count?: number;`
`404`	`405`	`}`
`405`	`406`
`406`	`407`	`interface completeDecrypt {`