dvsekhvalnov
commented
3 years ago Hi @jedlyq ,
this means token validation failed. May be you using wrong key?
Closed jedlyq closed 3 years ago
dvsekhvalnov
commented
3 years ago Hi @jedlyq ,
this means token validation failed. May be you using wrong key?
jedlyq
commented
3 years ago Hi, DV,
I double confirmed a few time, I was able to decode the same token with the same set of key using another programming languange
dvsekhvalnov
commented
3 years ago Well, if you want to share your key and payload i can try to test myself. At the moment i can't say more using given information.
Based on error message you getting, i think it is pretty clear, it can't decode content encryption key, that can happen in 2 cases:
dvsekhvalnov
commented
3 years ago @jedlyq , check this https://github.com/dvsekhvalnov/jose-jwt#notes also. Just noticed you are using P-521 curve.
Is your incoming token generated by some other library that do not rely on Microsoft Window crypto implementations? You may be running into elliptic curve math compatibility issue then.
jedlyq
commented
3 years ago Thanks so much. I think that's the cause.
dvsekhvalnov
commented
3 years ago Well, you can confirm by trying with P-256 curve - if it works, but others don't - that's it.
Unfortunately i can't do much about it. Was contacted twice by Microsoft, gave them all details and unit tests, never heard back :(
dvsekhvalnov
commented
3 years ago Closed due to inactivity, feel free to re-open.
Token Header: { "epk": { "kty": "EC", "crv": "P-521", "x": ".......", "y": "....." }, "kid": kid_enc", "cty": "JWT", "enc": "A256CBC-HS512", "alg": "ECDH-ES+A128KW" }
Below is the code extract (VS 2019, .Net4.61) CngKey cngKey = EccKey.New(receiverX, receiverY, receiverD, CngKeyUsages.KeyAgreement); string result= Jose.JWT.Decode(tokenB64Url, cngKey, Jose.JweAlgorithm.ECDH_ES_A128KW, Jose.JweEncryption.A256CBC_HS512);
An Exception thrown from AesKeyWrap's Unwrap(byte[] encryptedCek, byte[] kek) Exception: Jose.IntegrityException: 'AesKeyWrap integrity check failed.'