Wrong iv length in JWE header

hidekatsu-izuno / josekit-rs

JOSE (Javascript Object Signing and Encryption) library for Rust (based on OpenSSL).

Apache License 2.0

69 stars 30 forks source link

Wrong iv length in JWE header #32

Closed kilork closed 3 months ago

kilork commented 3 months ago

Hi, I see a small disruption in implementation, or maybe I am reading something wrong (but seems like it is not only me, but also other libraries who fail to parse JWE token created by josekit).

Currently iv is randomly generated from 32 bytes. But according to RFC it must be 96 bits, or 12 bytes.

Reference:

https://datatracker.ietf.org/doc/html/rfc7518#section-4.7.1.1

hidekatsu-izuno commented 3 months ago

Thank you for your reporting. I have identified it as a bug. I will release a fixed version.

hidekatsu-izuno commented 3 months ago

I have released v0.8.6.

kilork commented 3 months ago

Great! Thank you for your library, it is very useful!