Strange behavior when not providing key (nil) (alg: 'dir') #4

Closed
vmeyet opened this issue Aug 24, 2016 · 1 comment
vmeyet commented Aug 24, 2016

Issue

When using the algorithm "dir" and not giving an encryption key, the lib allows me to encrypt the message anyway (without knowing the encryption key).

pry(main)> JWE.encrypt('plain', nil, alg: 'dir')
=> "eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..gOyySHAV-rYOmDd1.zfWUxIY.W7YvYlp7I01ZEJe3ZGntJw"

# How should I decipher it?

The issue is more pernicious and prod-like in the following case:

pry(main)> cipher = JWE.encrypt('plain', ENV['ENCRYPTION_KEY'], alg: 'dir')
pry(main)> JWE.decrypt(cipher, ENV['ENCRYPTION_KEY'])
=> JWE::InvalidData: Invalid ciphertext or authentication tag

This happens when using an ENV variable to hold the key and forgetting to set that variable on the server.

Expected Behavior

An error should be raised when no encryption key is provided while trying to encrypt the message.

Reason

In https://github.com/jwt/ruby-jwe/blob/master/lib/jwe.rb#L31 we set the key directly if the alg is "dir"

cipher.cek = key if alg == 'dir'

In https://github.com/jwt/ruby-jwe/blob/master/lib/jwe/enc/aes_gcm.rb#L45-L47

the attr_accessor sets the variable @cek on the instance, and when :cek is called afterward the variable @cek is set to random bytes. That is what is used to encrypt the plain text.

   attr_accessor :cek
   ...
   def cek
     # a nil @cek is falsy, so ||= silently replaces it with random bytes
     @cek ||= SecureRandom.random_bytes(key_length)
   end

When deciphering the cipher, the cipher key (random bytes) and the encryption key (nil) do not match and we get a CipherError.
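The following is an added example, not code from ruby-jwe or from the issue author. It reproduces the `||=` pitfall described above with a hypothetical `LazyCek` class next to a hardened `StrictCek` that refuses a missing or wrong-length key at encryption time, and drives both through an AES-128-GCM round trip so the failure mode (encrypt succeeds, decrypt with the key you thought you used fails) can be observed directly. The module, class and method names are assumptions made for this example.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical stand-ins for the behaviour discussed in the issue (not ruby-jwe's code).
module DirDemo
  KEY_LEN = 16 # A128GCM uses a 128-bit content encryption key

  # AES-128-GCM with a fresh random 96-bit IV; returns [iv, ciphertext, tag].
  def self.aes_gcm_encrypt(key, plaintext)
    c = OpenSSL::Cipher.new('aes-128-gcm').encrypt
    c.key = key
    iv = c.random_iv
    ct = c.update(plaintext) + c.final
    [iv, ct, c.auth_tag]
  end

  # Raises OpenSSL::Cipher::CipherError when the key/tag do not match the ciphertext.
  def self.aes_gcm_decrypt(key, iv, ct, tag)
    c = OpenSSL::Cipher.new('aes-128-gcm').decrypt
    c.key = key
    c.iv = iv
    c.auth_tag = tag
    c.update(ct) + c.final
  end

  # Buggy variant: mirrors the `@cek ||= random_bytes` pattern. Assigning nil
  # is indistinguishable from never assigning, so a key is invented silently.
  class LazyCek
    attr_writer :cek

    def cek
      @cek ||= SecureRandom.random_bytes(KEY_LEN)
    end
  end

  # Hardened variant: for alg "dir" the CEK *is* the caller's key, so it must be
  # present and the right size before any encryption happens.
  class StrictCek
    attr_reader :cek

    def initialize(key)
      raise ArgumentError, 'alg "dir" requires an explicit CEK, got nil' if key.nil?
      unless key.bytesize == KEY_LEN
        raise ArgumentError, "CEK must be #{KEY_LEN} bytes, got #{key.bytesize}"
      end
      @cek = key
    end
  end

  # Encrypt 'plain' using the chosen variant, then decrypt with the key the
  # caller believes was used (as JWE.decrypt(cipher, ENV['ENCRYPTION_KEY']) would).
  # Returns :ok, :rejected_at_encrypt, or :decrypt_failed.
  def self.roundtrip(key, strict:)
    begin
      holder = strict ? StrictCek.new(key) : LazyCek.new.tap { |h| h.cek = key }
    rescue ArgumentError
      return :rejected_at_encrypt
    end
    iv, ct, tag = aes_gcm_encrypt(holder.cek, 'plain')
    begin
      aes_gcm_decrypt(key, iv, ct, tag) == 'plain' ? :ok : :decrypt_failed
    rescue StandardError # CipherError on tag mismatch, TypeError/ArgumentError on a nil or bad key
      :decrypt_failed
    end
  end
end

if $PROGRAM_NAME == __FILE__
  key = SecureRandom.random_bytes(DirDemo::KEY_LEN) # constructed sample key
  puts "lazy,   key set: #{DirDemo.roundtrip(key, strict: false)}"
  puts "lazy,   key nil: #{DirDemo.roundtrip(nil, strict: false)}"
  puts "strict, key set: #{DirDemo.roundtrip(key, strict: true)}"
  puts "strict, key nil: #{DirDemo.roundtrip(nil, strict: true)}"
end
```

With a nil key the lazy variant reports `:decrypt_failed` only after a token has already been minted under a key nobody holds, which is exactly the production trap the issue describes; the strict variant reports `:rejected_at_encrypt`, so the missing `ENV['ENCRYPTION_KEY']` is caught on the first encrypt rather than on the first decrypt. On the application side, `ENV.fetch('ENCRYPTION_KEY')` raises `KeyError` when the variable is unset and is a cheap extra guard independent of the library fix.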

excpt added the bug label Aug 24, 2016

francescobbo (Member) commented Aug 24, 2016

Good catch! I'm fixing this now.
