The library unconditionally adds JWE header as additional authenticated data

[jaimeperez]

Hi!

I'm having problems interoperating with other libraries when validating the authentication tag. More specifically, if a JWE is generated including no additional authenticated data, the library will unconditionally add the JWE header to it in JWE::calculateAuthenticationTagCBC(). This code affects mainly the generation of JWE tokens themselves. When decrypting JWE tokens generated with other libraries, the JWT class will add the header to $jwe->auth_data in JWT::decode().

AFAICS, there's nothing in the drafts saying that the header should be always included in the additional authenticated data, and if it was the case, then it should be the user the one setting it before calling JWE::decrypt(). At least when the AAD is not mandated to be in some way in the standard (like with AES_GCM), I think the library should be completely agnostic, and handling of auth data is out of its scope.

Thanks in advance!

[nov]

Which library allows you to specify JWE AAD in JWE compact serialization format?
In compact serialization, all JWE header should be JWE Protected Header, thus all header should be integrity protected.

[jaimeperez]

Hi Nov, and thanks for the prompt response!

You are absolutely right, I was looking into the wrong specs (mainly JWA), and I've seen now that the JOSE header equals the JWE protected header in case of compact serialization, so in that case the header should indeed be included in the computation of the authentication tag. My problem then is that the library I'm using to generate JWE tokens is ignoring that part of the RFC, so the authentication tag does not include the header. I've already notified them of the problem 😃