Bug: JWE encryption fails for ECDH keys (fix #3)

cisco · Oct 6, 2015 · 3ecb7be · 3ecb7be
1 parent 02e4598
commit 3ecb7be
Show file tree

Hide file tree

Showing 5 changed files with 123 additions and 2 deletions.
diff --git a/lib/jwe/encrypt.js b/lib/jwe/encrypt.js
@@ -210,7 +210,7 @@ function JWEEncrypter(cfg, fields, recipients) {
               p = encKey.then(function(jwk) {
                 // fixup encAlg
                 if (!encAlg) {
-                  fields.enc = encAlg = jwk.algorithms(JWK.MODE_ENCRYPT)[0];
+                  props.enc = fields.enc = encAlg = jwk.algorithms(JWK.MODE_ENCRYPT)[0];
                 }
                 return {
                   once: true,
@@ -220,7 +220,7 @@ function JWEEncrypter(cfg, fields, recipients) {
             } else {
               if (!encKey) {
                 if (!encAlg) {
-                  fields.enc = encAlg = cfg.contentAlg;
+                  props.enc = fields.enc = encAlg = cfg.contentAlg;
                 }
                 encKey = generateCEK(encAlg);
               }

diff --git a/lib/jwk/keystore.js b/lib/jwk/keystore.js
@@ -308,6 +308,19 @@ var JWKStore = function(registry, parent) {
     }
   });
 
+  /**
+   * @method JWK.KeyStore#temp
+   * @description
+   * Creates a temporary KeyStore based on this KeyStore.
+   *
+   * @returns {JWK.KeyStore} The temporary KeyStore.
+   */
+  Object.defineProperty(this, "temp", {
+    value: function() {
+      return new JWKStore(registry, this);
+    }
+  });
+
   /**
    * @method JWK.KeyStore#toJSON
    * @description

diff --git a/test/jwe/jwe-test.js b/test/jwe/jwe-test.js
@@ -18,6 +18,7 @@ var fixtures = {
   "5_2.key_encryption_using_rsa-oaep_with_aes-gcm": cloneDeep(require("jose-cookbook/jwe/5_2.key_encryption_using_rsa-oaep_with_aes-gcm.json")),
   "5_3.key_wrap_using_pbes2-aes-keywrap_with-aes-cbc-hmac-sha2": cloneDeep(require("jose-cookbook/jwe/5_3.key_wrap_using_pbes2-aes-keywrap_with-aes-cbc-hmac-sha2.json")),
   "5_4.key_agreement_with_key_wrapping_using_ecdh-es_and_aes-keywrap_with_aes-gcm": cloneDeep(require("jose-cookbook/jwe/5_4.key_agreement_with_key_wrapping_using_ecdh-es_and_aes-keywrap_with_aes-gcm.json")),
+  "5_5.key_agreement_using_ecdh-es_with_aes-cbc-hmac-sha2": cloneDeep(require("jose-cookbook/jwe/5_5.key_agreement_using_ecdh-es_with_aes-cbc-hmac-sha2.json")),
   "5_6.direct_encryption_using_aes-gcm": cloneDeep(require("jose-cookbook/jwe/5_6.direct_encryption_using_aes-gcm.json")),
   "5_8.key_wrap_using_aes-keywrap_with_aes-gcm": cloneDeep(require("jose-cookbook/jwe/5_8.key_wrap_using_aes-keywrap_with_aes-gcm.json")),
   "5_9.compressed_content": cloneDeep(require("jose-cookbook/jwe/5_9.compressed_content.json")),

diff --git a/test/jwe/roundtrip-test.js b/test/jwe/roundtrip-test.js
@@ -0,0 +1,72 @@
+"use strict";
+
+var forEach = require("lodash.foreach");
+var chai = require("chai");
+
+var JWE = require("../../lib/jwe"),
+    JWK = require("../../lib/jwk");
+
+var assert = chai.assert;
+
+describe("jwe/roundtrip", function() {
+  var vectors = [
+    {
+      desc: "ECDH-ES + A128CBC-HS256",
+      jwk: {
+        "kty": "EC",
+        "kid": "3f7b122d-e9d2-4ff7-bdeb-a1487063d799",
+        "crv": "P-256",
+        "x": "Hx02_oMKJnNb1-bgXfzeuBHagkh20muzegMOGEU8G_g",
+        "y": "Ez2IYifZI88vRiCpA4Y6W8oMKZOi2nhZStxilPYTDk0",
+        "d": "FS9F8-SyMjTZFXwCH7F--D8Qq_GSpG6FBEM-Nb8ily0"
+      },
+      alg: "ECDH-ES",
+      enc: "A128CBC-HS256",
+      plaintext: new Buffer("hello world", "utf8")
+    },
+    {
+      desc: "ECDH-ES+A128KW + A128GCM",
+      jwk: {
+        "kty": "EC",
+        "kid": "3f7b122d-e9d2-4ff7-bdeb-a1487063d799",
+        "crv": "P-256",
+        "x": "Hx02_oMKJnNb1-bgXfzeuBHagkh20muzegMOGEU8G_g",
+        "y": "Ez2IYifZI88vRiCpA4Y6W8oMKZOi2nhZStxilPYTDk0",
+        "d": "FS9F8-SyMjTZFXwCH7F--D8Qq_GSpG6FBEM-Nb8ily0"
+      },
+      alg: "ECDH-ES+A128KW",
+      enc: "A128GCM",
+      plaintext: new Buffer("hello world", "utf8")
+    }
+  ];
+  forEach(vectors, function(v) {
+    it("test " + v.desc + " encrypt + decrypt", function() {
+      var promise,
+          key;
+      promise = JWK.asKey(v.jwk);
+      promise = promise.then(function(jwk) {
+        key = jwk;
+        var cfg = {
+          contentAlg: v.enc
+        };
+        var recipient = {
+          key: key,
+          header: {
+            alg: v.alg
+          }
+        };
+        var jwe = JWE.createEncrypt(cfg, recipient);
+        return jwe.update(v.plaintext).final();
+      });
+      promise = promise.then(function(result) {
+        assert.ok(result);
+        var jwe = JWE.createDecrypt(key);
+        return jwe.decrypt(result);
+      });
+      promise = promise.then(function(result) {
+        assert.deepEqual(result.plaintext, v.plaintext);
+      });
+      return promise;
+    });
+  });
+});
diff --git a/test/jwk/keystore-test.js b/test/jwk/keystore-test.js
@@ -349,6 +349,41 @@ describe("jwk/keystore", function() {
     });
   });
 
+  describe("temp", function() {
+    var keystore;
+    before(function() {
+      var jwk = {
+        "kty": "DUMMY",
+        "kid": "someid",
+        "use": "sig",
+        "alg": "HS256",
+        "pub": util.base64url.encode(new Buffer("a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5", "hex")),
+        "prv": util.base64url.encode(new Buffer("bcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbc", "hex"))
+      };
+      keystore = createInstance();
+      return keystore.add(jwk);
+    });
+    it("it creates a child keystore", function() {
+      var tks = keystore.temp();
+      assert.deepEqual(tks.all(), keystore.all());
+
+      var jwk = {
+        "kty": "DUMMY",
+        "kid": "diffid",
+        "use": "enc",
+        "alg": "A256GCM",
+        "pub": util.base64url.encode(new Buffer("a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5", "hex")),
+        "prv": util.base64url.encode(new Buffer("bcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbc", "hex"))
+      };
+      var promise = tks.add(jwk);
+      promise = promise.then(function(key) {
+        assert.strictEqual(tks.get("diffid"), key);
+        assert.ok(!keystore.get("diffid"));
+      });
+      return promise;
+    });
+  });
+
   describe("query", function() {
 
   });