Open anblanco opened 1 year ago
So I tried seeing what would happen if I patched my local branch of JwtTokenUtilities to accept A256GCM.
The next exception thrown is

```text
System.NotSupportedException: IDX10715: Encryption using algorithm: 'A256GCM' is not supported.
   at AuthenticatedEncryptionProvider.cs
```
So while we do have the ability to decrypt A256GCM JWTs, it seems that encryption with A256GCM is currently not supported.
@anblanco what you are seeing is we did not add support for creating JWEs with A256GCM, just validating. There are some internal restrictions for creation with A256GCM, we will check with our crypto board to see if we can support creation at this time.
@brentschmaltz - Thanks for the context. I did not realize there were intentional restrictions around A256GCM.
As an alternative to official library support, what if we allow calling code to provide a custom CryptoProviderFactory?
This code currently throws IDX10617: Encryption failed. Keywrap is only supported for: 'A128CBC-HS256', 'A192CBC-HS384' and 'A256CBC-HS512'. The content encryption specified is: 'A256GCM'
```csharp
// A256GCM Encryption
var encryptingCredentials = new EncryptingCredentials(
    key: encryptionKey,
    alg: SecurityAlgorithms.Aes256KW,
    enc: SecurityAlgorithms.Aes256Gcm);
encryptingCredentials.CryptoProviderFactory = new CustomCryptoProviderFactory();
```
If we loosened the restriction in JwtTokenUtilities, then by default
```csharp
// A256GCM Encryption
var encryptingCredentials = new EncryptingCredentials(
    key: encryptionKey,
    alg: SecurityAlgorithms.Aes256KW,
    enc: SecurityAlgorithms.Aes256Gcm);
```
would still throw `System.NotSupportedException: IDX10715: Encryption using algorithm: 'A256GCM' is not supported.`, while still allowing consumers to provide their own CryptoProviderFactory.
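A sketch of what the custom CryptoProviderFactory proposed in the comment above could look like. This is an added example, not code from the issue or from the Microsoft.IdentityModel library: it assumes the 6.x class shapes (`CryptoProviderFactory.CreateAuthenticatedEncryptionProvider`, `AuthenticatedEncryptionProvider.Encrypt`, `AuthenticatedEncryptionResult`) and .NET's `System.Security.Cryptography.AesGcm`; the class names `AesGcmAuthenticatedEncryptionProvider` and `CustomCryptoProviderFactory` are hypothetical. As the thread states, with the current JwtTokenUtilities restriction in place the `CreateToken` call still fails with IDX10617 before the factory is ever consulted, so this only becomes useful once that restriction is loosened.

```csharp
// Added example (not from the issue or the library). Assumes
// Microsoft.IdentityModel.Tokens 6.x and System.Security.Cryptography.AesGcm.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens;

// Hypothetical provider: adds A256GCM content encryption. Decryption is left to
// the base class, which the thread confirms already handles A256GCM.
public sealed class AesGcmAuthenticatedEncryptionProvider : AuthenticatedEncryptionProvider
{
    private const int NonceSize = 12; // 96-bit IV, as JWE AES-GCM uses (RFC 7518 section 5.3)
    private const int TagSize = 16;   // 128-bit authentication tag

    public AesGcmAuthenticatedEncryptionProvider(SecurityKey key, string algorithm)
        : base(key, algorithm) { }

    public override AuthenticatedEncryptionResult Encrypt(byte[] plaintext, byte[] authenticatedData)
    {
        if (!(Key is SymmetricSecurityKey symmetricKey))
            throw new NotSupportedException("A256GCM content encryption needs a SymmetricSecurityKey (the CEK).");

        // A fresh random nonce per message: reusing a nonce under the same CEK breaks GCM.
        var iv = new byte[NonceSize];
        RandomNumberGenerator.Fill(iv);

        var ciphertext = new byte[plaintext.Length];
        var tag = new byte[TagSize];
        using (var aesGcm = new AesGcm(symmetricKey.Key))
        {
            // authenticatedData is the ASCII of the protected header, supplied by the handler.
            aesGcm.Encrypt(iv, plaintext, ciphertext, tag, authenticatedData);
        }
        return new AuthenticatedEncryptionResult(Key, ciphertext, iv, tag);
    }
}

// Hypothetical factory: routes the GCM content-encryption algorithms to the
// provider above and defers everything else to the library's defaults.
public sealed class CustomCryptoProviderFactory : CryptoProviderFactory
{
    private static bool IsAesGcm(string algorithm) =>
        algorithm == SecurityAlgorithms.Aes128Gcm ||
        algorithm == SecurityAlgorithms.Aes192Gcm ||
        algorithm == SecurityAlgorithms.Aes256Gcm;

    public override AuthenticatedEncryptionProvider CreateAuthenticatedEncryptionProvider(SecurityKey key, string algorithm)
    {
        return IsAesGcm(algorithm)
            ? new AesGcmAuthenticatedEncryptionProvider(key, algorithm)
            : base.CreateAuthenticatedEncryptionProvider(key, algorithm);
    }
}

public static class A256GcmJweExample
{
    // keyEncryptionKey is the 256-bit key that wraps the generated CEK (alg A256KW).
    public static string CreateToken(byte[] keyEncryptionKey)
    {
        var encryptingCredentials = new EncryptingCredentials(
            key: new SymmetricSecurityKey(keyEncryptionKey),
            alg: SecurityAlgorithms.Aes256KW,
            enc: SecurityAlgorithms.Aes256Gcm)
        {
            CryptoProviderFactory = new CustomCryptoProviderFactory()
        };

        var descriptor = new SecurityTokenDescriptor
        {
            Issuer = "https://issuer.example",       // constructed sample values
            Audience = "https://audience.example",
            Expires = DateTime.UtcNow.AddMinutes(5),
            Claims = new Dictionary<string, object> { ["sub"] = "test-subject" },
            EncryptingCredentials = encryptingCredentials,
        };

        // With the current JwtTokenUtilities check this throws IDX10617 before the
        // factory is used; once the check is relaxed it yields a five-part JWE.
        return new JsonWebTokenHandler().CreateToken(descriptor);
    }
}
```

The provider only overrides `Encrypt`, so the library's own A256GCM `Decrypt` path (the one the issue reporter already validates Play Integrity tokens with) is unchanged, and any non-GCM `enc` value still goes through the stock providers.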
**Is your feature request related to a problem? Please describe.**
I'm working on code that parses a JWT provided by Google Play Integrity.
The token format is
I am able to successfully validate these tokens when using JsonWebTokenHandler.
However, if I try to create a token of this format an exception is thrown.
**Describe the solution you'd like**
I would like to be able to create tokens of this format. My original intention was to write unit tests with test keys to assert that my code could correctly parse these JWTs.
**Describe alternatives you've considered**
As an alternative I used the following as my app logic is agnostic to the JWA used
**Additional context**
I also noticed that A256GCM is not listed in the supported algorithms