diff --git a/src/jwe/flattened/decrypt.ts b/src/jwe/flattened/decrypt.ts index 109847a3aa..f2cc02d8e3 100644 --- a/src/jwe/flattened/decrypt.ts +++ b/src/jwe/flattened/decrypt.ts @@ -179,7 +179,11 @@ export async function flattenedDecrypt( let encryptedKey!: Uint8Array if (jwe.encrypted_key !== undefined) { - encryptedKey = base64url(jwe.encrypted_key!) + try { + encryptedKey = base64url(jwe.encrypted_key!) + } catch { + throw new JWEInvalid('Failed to base64url decode the encrypted_key') + } } let resolvedKey = false @@ -205,8 +209,18 @@ export async function flattenedDecrypt( cek = generateCek(enc) } - const iv = base64url(jwe.iv) - const tag = base64url(jwe.tag) + let iv: Uint8Array + let tag: Uint8Array + try { + iv = base64url(jwe.iv) + } catch { + throw new JWEInvalid('Failed to base64url decode the iv') + } + try { + tag = base64url(jwe.tag) + } catch { + throw new JWEInvalid('Failed to base64url decode the tag') + } const protectedHeader: Uint8Array = encoder.encode(jwe.protected ?? '') let additionalData: Uint8Array @@ -217,7 +231,13 @@ export async function flattenedDecrypt( additionalData = protectedHeader } - let plaintext = await decrypt(enc, cek, base64url(jwe.ciphertext), iv, tag, additionalData) + let ciphertext: Uint8Array + try { + ciphertext = base64url(jwe.ciphertext) + } catch { + throw new JWEInvalid('Failed to base64url decode the ciphertext') + } + let plaintext = await decrypt(enc, cek, ciphertext, iv, tag, additionalData) if (joseHeader.zip === 'DEF') { plaintext = await (options?.inflateRaw || inflate)(plaintext) @@ -230,7 +250,11 @@ export async function flattenedDecrypt( } if (jwe.aad !== undefined) { - result.additionalAuthenticatedData = base64url(jwe.aad!) + try { + result.additionalAuthenticatedData = base64url(jwe.aad!) + } catch { + throw new JWEInvalid('Failed to base64url decode the aad') + } } if (jwe.unprotected !== undefined) { diff --git a/src/jws/flattened/verify.ts b/src/jws/flattened/verify.ts index 19fbd34487..4477616891 100644 --- a/src/jws/flattened/verify.ts +++ b/src/jws/flattened/verify.ts @@ -173,7 +173,7 @@ export async function flattenedVerify( try { signature = base64url(jws.signature) } catch { - throw new JWSInvalid('Failed to parse the base64url encoded signature') + throw new JWSInvalid('Failed to base64url decode the signature') } const verified = await verify(alg, key, signature, data) @@ -183,7 +183,11 @@ export async function flattenedVerify( let payload: Uint8Array if (b64) { - payload = base64url(jws.payload) + try { + payload = base64url(jws.payload) + } catch { + throw new JWSInvalid('Failed to base64url decode the payload') + } } else if (typeof jws.payload === 'string') { payload = encoder.encode(jws.payload) } else { diff --git a/src/lib/decrypt_key_management.ts b/src/lib/decrypt_key_management.ts index 7279306559..404295e3e7 100644 --- a/src/lib/decrypt_key_management.ts +++ b/src/lib/decrypt_key_management.ts @@ -53,13 +53,21 @@ async function decryptKeyManagement( if (joseHeader.apu !== undefined) { if (typeof joseHeader.apu !== 'string') throw new JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`) - partyUInfo = base64url(joseHeader.apu) + try { + partyUInfo = base64url(joseHeader.apu) + } catch { + throw new JWEInvalid('Failed to base64url decode the apu') + } } if (joseHeader.apv !== undefined) { if (typeof joseHeader.apv !== 'string') throw new JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`) - partyVInfo = base64url(joseHeader.apv) + try { + partyVInfo = base64url(joseHeader.apv) + } catch { + throw new JWEInvalid('Failed to base64url decode the apv') + } } const sharedSecret = await ECDH.deriveKey( @@ -105,7 +113,13 @@ async function decryptKeyManagement( if (typeof joseHeader.p2s !== 'string') throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`) - return pbes2Kw(alg, key, encryptedKey, joseHeader.p2c, base64url(joseHeader.p2s)) + let p2s: Uint8Array + try { + p2s = base64url(joseHeader.p2s) + } catch { + throw new JWEInvalid('Failed to base64url decode the p2s') + } + return pbes2Kw(alg, key, encryptedKey, joseHeader.p2c, p2s) } case 'A128KW': case 'A192KW': @@ -127,8 +141,18 @@ async function decryptKeyManagement( if (typeof joseHeader.tag !== 'string') throw new JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`) - const iv = base64url(joseHeader.iv) - const tag = base64url(joseHeader.tag) + let iv: Uint8Array + try { + iv = base64url(joseHeader.iv) + } catch { + throw new JWEInvalid('Failed to base64url decode the iv') + } + let tag: Uint8Array + try { + tag = base64url(joseHeader.tag) + } catch { + throw new JWEInvalid('Failed to base64url decode the tag') + } return aesGcmKw(alg, key, encryptedKey, iv, tag) } diff --git a/src/runtime/browser/asn1.ts b/src/runtime/browser/asn1.ts index 84152a819f..342f822909 100644 --- a/src/runtime/browser/asn1.ts +++ b/src/runtime/browser/asn1.ts @@ -243,7 +243,7 @@ export const fromX509: PEMImportFunction = (pem, alg, options?) => { spki = getSPKI(pem) } catch (cause) { // @ts-ignore - throw new TypeError('failed to parse the X.509 certificate', { cause }) + throw new TypeError('Failed to parse the X.509 certificate', { cause }) } return fromSPKI(spki, alg, options) } diff --git a/src/util/decode_jwt.ts b/src/util/decode_jwt.ts index b313900d9c..bbbafe7500 100644 --- a/src/util/decode_jwt.ts +++ b/src/util/decode_jwt.ts @@ -33,7 +33,7 @@ export function decodeJwt(jwt: string) { try { decoded = base64url(payload) } catch { - throw new JWTInvalid('Failed to parse the base64url encoded payload') + throw new JWTInvalid('Failed to base64url decode the payload') } let result: unknown