JWE decryption using A128CBC_HS256 fails to decrypt valid tokens

awardle commented 4 years ago

JWE tokens generated using A128CBC_HS256 by other libraries fail to be decrypted correctly as the authentication fails. This seems to be due wrong length authentication tag being checked. It should only check the first 128 bits.

If you try to decrypt the example token given in RFC7516 the decryption fails.

RFC7518 specifies only the first 128 bits to be used in the tag

Example


using System;
using JsonWebToken;         

public class Program
{
    public static void Main()
    {
        // Key and token from https://www.rfc-editor.org/rfc/rfc7516.html#appendix-A.3

        Jwk encryptionKey = new SymmetricJwk("GawgguFyGrWKav7AX4VKUg");
        string token = "eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.6KB707dM9YTIgHtLvtgWQ8mKwboJW3of9locizkDTHzBC2IlrT1oOQ.AxY8DCtDaGlsbGljb3RoZQ.KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY.U0m_YmjN04DJvceFICbCVQ";

        JwtReader jwtReader = new JwtReader(encryptionKey);
        var policy = new TokenValidationPolicyBuilder().AcceptUnsecureToken().Build();

        var result = jwtReader.TryReadToken(token, policy);
        Console.WriteLine($"Decryption Statue: {result.Status}");

        // The token should be decrypted and equal "Live long and prosper." However it fails decryption
    }
}

https://dotnetfiddle.net/YdEJXG

ycrumeyrolle commented 4 years ago

Fixed in v1.7. Also added some missing tests with rfc7518 test vectors, including https://www.rfc-editor.org/rfc/rfc7516.html#appendix-A.3

ycrumeyrolle commented 4 years ago

https://dotnetfiddle.net/S2mDov

uruk-project / Jwt

JWE decryption using A128CBC_HS256 fails to decrypt valid tokens #475