Closed apksundar1980 closed 3 years ago
Allowed memory size of 134217728 bytes exhausted (tried to allocate 98570240 bytes). It goes to the unwrapAgreementKey($recipientkey,$senderKey,.....) function and got the above allowed memory size error.

Easy way:

```php
$jwt = Load::jwe($id_token)
    ->algs(['ECDH-ES+A192KW', new ECDHESA192KW()])
    ->encs(['A256CBC-HS512', new A256CBCHS512()])
    ->key($key)
    ->run()
;
print_r($jwt);exit;
```

Below is the error that comes from the above easy way code: Argument 1 passed to Jose\Component\Core\Util\JsonConverter::decode() must be of the type string, null given, called in /var/www/html/login/vendor/web-token/jwt-easy/Decrypt.php on line 116

Another way:

```php
$serializer = new CompactSerializer();
$jwe_object = $serializer->unserialize($id_token);
$success = $jweDecrypter->decryptUsingKey($jwe_object,$key,0);
```

Below is what comes from the above method: no error, but there is no payload. It is empty. The success variable is false.
Hi,
The code you provided looks good. You can simply do as follow, but it's fine anyway
```php
$key = new JWK([
    "kty" => "EC",
    "d" => "",
    "use"=> "enc",
    "crv" => "P-521",
    "alg" => "ECDH-ES+A192KW"
]);
$jwt = Load::jwe($id_token)
    ->algs(['ECDH-ES+A192KW'])
    ->encs(['A256CBC-HS512'])
    ->key($key)
    ->run()
;
```

The error comes from your key. The parameters `x` and `y` shall be present, but they are missing here.
Regarding the memory error, may I suggest to increase the memory used by PHP. You can either
- set it directly when running a command `php -d memory_limit=-1 script.php` (`-1` means unlimited)
- set it in your php.ini configuration file (explained in this blog post https://haydenjames.io/understanding-php-memory_limit/). I usually set `memory_limit=4G` in this file

Hi Spomky,
Easy way method:

```php
$id_token = 'eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTUyMSIsIngiOiJBWGYwTTdoLXNNRFZ4Z055WFNRaHFFdjZQaTRKVFRWc3Mwd3FOTEdxbm1saFBwSmpNQVk2YnFRZUQzcDk4YWszTWJFU1Axbz$
$key = new JWK([
    "kty" => "EC",
    "d" => "keypassed",
    "use" => "enc",
    "crv" => "P-521",
    "x" => "AFvUtO-ggAqIWbmsZEKJde5dgJ3947vWMD_71jfwkKAbQK01OYYqo-dLNWnp6r6HrbtSoqcUXZiIKSSxMccpsKF-",
    "y" => "AauFHKDi7svNagK8laoWKhFnWJQO3aJV1KOgSw70zcF89euhJgIXnfVZPL7McBmNaAhxuOzIftN-UR0bmIg-0OXT",
    "alg"=> "ECDH-ES+A192KW"
]);
$jwt = Load::jwe($id_token) // We want to load and decrypt the token in the variable $token
    ->algs(['ECDH-ES+A192KW']) // The key encryption algorithms allowed to be used
    ->encs(['A256CBC-HS512']) // The content encryption algorithms allowed to be used
    ->key($key) // Key used to decrypt the token
    ->run(); // Go!
print_r($jwt);exit;
```

Below is the output:

Symfony\Component\Debug\Exception\FatalThrowableError Argument 1 passed to Jose\Component\Core\Util\JsonConverter::decode() must be of the type string, null given, called in /var/www/html/login/vendor/web-token/jwt-easy/Decrypt.php on line 116
Another way:

```php
// The key encryption algorithm manager with the ECDH-ES+A192KW algorithm.
$keyEncryptionAlgorithmManager = new AlgorithmManager([
    new ECDHESA192KW(),
]);
// The content encryption algorithm manager with the A256CBC-HS512 algorithm.
$contentEncryptionAlgorithmManager = new AlgorithmManager([
    new A256CBCHS512(),
]);
// The compression method manager with the DEF (Deflate) method.
$compressionMethodManager = new CompressionMethodManager([
    new Deflate(),
]);
$headerCheckerManager = new HeaderCheckerManager(
    [
        new AlgorithmChecker(['ES512']), // We check the header "alg" (algorithm)
    ],
    [
        new JWSTokenSupport(), // Adds JWS token type support
    ]
);
$jweDecrypter = new JWEDecrypter(
    $keyEncryptionAlgorithmManager,
    $contentEncryptionAlgorithmManager,
    $compressionMethodManager
);
$serializerManager = new JWESerializerManager([
    new CompactSerializer(),
]);
$serializer = new CompactSerializer();
$jwe_object = $serializer->unserialize($id_token);
$success = $jweDecrypter->decryptUsingKey($jwe_object,$key,0);
print_r($jwe_object);exit;
print_r($success);exit;
```

Below is the output: the $success variable is false (payload not set). Here is the jwe_object output:
Jose\Component\Encryption\JWE Object ( [recipients:Jose\Component\Encryption\JWE:private] => Array ( [0] => Jose\Component\Encryption\Recipient Object ( [header:Jose\Component\Encryption\Recipient:private] => Array ( ) [encryptedKey:Jose\Component\Encryption\Recipient:private] => �0�w5�N���;}�7A����A��BYn�2�4���U]�Rݑ��s>t��3 ��)�t��CAm��Pq�� ) ) [ciphertext:Jose\Component\Encryption\JWE:private] => x��䴾��ĩ�cO.�P����ѝ�CF�8����� }�P�/�������a���ז� L��U8%���%�]a� ��[t��q��j��z7��n>V����amb�+;0~���>��%�����o�o�A��HS���cH���p�H�M�c+�'kÕ#��h�ԟ������� L��M^X,��p��N*ަ 3�t�N�TO�=u�C��)����9�5��F^5�,U���ר}:��4��l�7���^ܱMS��q���R<�I���^tH�X5��E��:���l�̃�S|^Mh��`��x:��8��%)�����J��B��X9�Z�Td�l��b0 [iv:Jose\Component\Encryption\JWE:private] => !L �]��f����� [aad:Jose\Component\Encryption\JWE:private] => [tag:Jose\Component\Encryption\JWE:private] => VL6 ��bgG4.���3�8�2.mZ�wKC�-�J [sharedHeader:Jose\Component\Encryption\JWE:private] => Array ( ) [sharedProtectedHeader:Jose\Component\Encryption\JWE:private] => Array ( [epk] => Array ( [kty] => EC [crv] => P-521 [x] => AXf0M7h-sMDVxgNyXSQhqEv6Pi4JTTVss0wqNLGqnmlhPpJjMAY6bqQeD3p98ak3MbESP1o94XsfKpv0h1fG25xd [y] => AQ5NIs3_MmLgBtKHahvxdjDlgKwudjX3mx_rfqb12eHWZY1sQGxietxT17lwtWtZqf-jFTEYIZWQNU-WlJfqeS5Y ) [kid] => AKCredit Demo New 2 [cty] => JWT [enc] => A256CBC-HS512 [alg] => ECDH-ES+A192KW ) [encodedSharedProtectedHeader:Jose\Component\Encryption\JWE:private] => eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTUyMSIsIngiOiJBWGYwTTdoLXNNRFZ4Z055WFNRaHFFdjZQaTRKVFRWc3Mwd3FOTEdxbm1saFBwSmpNQVk2YnFRZUQzcDk4YWszTWJFU1Axbzk0WHNmS3B2MGgxZkcyNXhkIiwieSI6IkFRNU5JczNfTW1MZ0J0S0hhaHZ4ZGpEbGdLd3VkalgzbXhfcmZxYjEyZUhXWlkxc1FHeGlldHhUMTdsd3RXdFpxZi1qRlRFWUlaV1FOVS1XbEpmcWVTNVkifSwia2lkIjoiQUtDcmVkaXQgRGVtbyBOZXcgMiIsImN0eSI6IkpXVCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJhbGciOiJFQ0RILUVTK0ExOTJLVyJ9 [payload:Jose\Component\Encryption\JWE:private] => )
Hi Spomky
Can I send the private key to you at this email, contact@spomky-labs.com, for further investigation?
Memory size error resolved, @Spomky. Now the easy way is getting the below error: Symfony\Component\Debug\Exception\FatalThrowableError Argument 1 passed to Jose\Component\Core\Util\JsonConverter::decode() must be of the type string, null given, called in /var/www/html/login/vendor/web-token/jwt-easy/Decrypt.php on line 116
And with the other way, the success variable is false and the payload is not set; jwe_object (the decryption output) does not have a payload, it is empty.
Above are the observations right now
Thanks
Hi, memory error resolved. But not able to decrypt the payload.
Thanks, Sundar
On Wed, Sep 29, 2021 at 1:24 AM Florent Morselli @.***> wrote:
Hi,
The code you provided looks good. You can simply do as follow, but it's fine anyway
$key = new JWK([ "kty" => "EC", "d" => "", "use"=> "enc", "crv" => "P-521", "alg" => "ECDH-ES+A192KW" ]); $jwt = Load::jwe($id_token) ->algs(['ECDH-ES+A192KW']) ->encs(['A256CBC-HS512']) ->key($key) ->run() ;
The error comes from your key. The parameters x and y shall be present, but they are missing here.
Regarding the memory error, may I suggest to increase the memory used by PHP. You can either
- set it directly when running a command php -d memory_limit=-1 script.php (-1 means unlimited)
- set it in your php.ini configuration file (explained in this blog post https://haydenjames.io/understanding-php-memory_limit/. I usually set memory_limit=4G in this file
Hi Spomky,
Any update?
I have given the correct key but am not able to decrypt the payload. Can you please help me?
Hi @Spomky
Any update? How to fix this error?
@apksundar1980 Before you try to decrypt it, does the actual object have the payload? I had to re-assign my withPayload instead of using the chained arrow commands.
@Tigatok Before trying to decrypt, the JWE object should not have the payload. The decrypt command only generates the payload and updates the object.
Hi @apksundar1980,
Thank you for the issue and the e-mails and thank you for your patience. I was almost-offline for personal reasons.
Many conditions could lead to this behaviour: incorrect key, missing extension (`GMP`?), malformed token...
The data you provided by e-mail is incomplete. The token seems to be truncated and the decrypting key is missing required private parameters. Would you mind to send the complete token and decryption key (in private!) so that I can check deeper on my side to figure out what is wrong.
Many thanks.
Hi @Spomky
First of all I thank you very much for your great effort JWT Framework. Thank you very much for your email. I sent email (complete token and decryption key) to contact@spomky-labs.com. Please check.
Key is correct. GMP extension installed correctly and enabled. Token is correct.
Please let me know what is wrong in the program. Thank you very much.
Hi @apksundar1980,
I am able to decrypt with the key you provided. This token is a nested token, i.e. the JWE contains a JWS. This is why the easy way is failing. My mistake, I should clearly mention that that way of token loading does not support nested tokens.
Anyway, here is a working example. The only problem I am facing is that none of the signature verification keys you shared is acceptable. They are all designed for the ES512 algorithm whilst the JWS is signed using the ES256 one.
Hope it helps.
```php
use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256CBCHS512;
use Jose\Component\Encryption\Algorithm\KeyEncryption\ECDHESA192KW;
use Jose\Component\Encryption\Compression\CompressionMethodManager;
use Jose\Component\Encryption\Compression\Deflate;
use Jose\Component\Encryption\JWEDecrypter;
use Jose\Component\Encryption\Serializer\CompactSerializer as JWESerializer;
use Jose\Component\Signature\Algorithm\ES256;
use Jose\Component\Signature\Serializer\CompactSerializer as JWSSerializer;
use Jose\Component\Signature\JWSVerifier;

$id_token = '/*The encrypted token goes here*/';
$decryptionKey = new JWK([
    // Replace with the decryption key
]);
$verificationKey = new JWK([
    // Replace with the signature verification key
]);

// Step 1: decrypt the outer JWE.
$keyEncryptionAlgorithmManager = new AlgorithmManager([new ECDHESA192KW()]);
$contentEncryptionAlgorithmManager = new AlgorithmManager([new A256CBCHS512()]);
$compressionMethodManager = new CompressionMethodManager([new Deflate(),]);
$jweDecrypter = new JWEDecrypter($keyEncryptionAlgorithmManager, $contentEncryptionAlgorithmManager, $compressionMethodManager);
$jweSerializer = new JWESerializer();
$jwe = $jweSerializer->unserialize($id_token);
// decryptUsingKey() returns false on failure and leaves the payload empty.
if (!$jweDecrypter->decryptUsingKey($jwe, $decryptionKey, 0)) {
    throw new \RuntimeException('Unable to decrypt the token');
}

// Step 2: the decrypted payload is itself a compact JWS; verify its signature.
$signatureAlgorithmManager = new AlgorithmManager([new ES256()]);
$jwsVerifier = new JWSVerifier($signatureAlgorithmManager);
$jwsSerializer = new JWSSerializer();
$jws = $jwsSerializer->unserialize($jwe->getPayload());
if (!$jwsVerifier->verifyWithKey($jws, $verificationKey, 0)) {
    dd('Invalid signature');
}
var_dump($jws->getPayload());
```
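
Two failure causes surface in this thread: a decryption key without its required parameters, and a nested token (`cty` set to `JWT`) whose inner JWS algorithm does not match the curve of the supplied verification keys. The following added example (not code from the thread or from the web-token project; the function names and sample data are constructed here) checks both before any decryption is attempted, using only PHP built-ins.

```php
<?php
// Added example: pre-flight checks with PHP built-ins only (no web-token calls).
function b64url_json(string $seg): array
{
    $pad  = str_repeat('=', (4 - strlen($seg) % 4) % 4);
    $data = json_decode((string) base64_decode(strtr($seg, '-_', '+/') . $pad), true);
    if (!is_array($data)) {
        throw new InvalidArgumentException('segment is not base64url-encoded JSON');
    }
    return $data;
}

// Reads the protected header of a compact JWE; needs no key material to do so.
function inspect_jwe(string $token, array $algs, array $encs, array $jwk): array
{
    $parts = explode('.', $token);
    if (count($parts) !== 5) {
        throw new InvalidArgumentException('a compact JWE has exactly 5 segments');
    }
    $h = b64url_json($parts[0]);
    $problems = [];
    if (!in_array($h['alg'] ?? null, $algs, true)) { $problems[] = 'alg not in allow-list'; }
    if (!in_array($h['enc'] ?? null, $encs, true)) { $problems[] = 'enc not in allow-list'; }
    foreach (['crv', 'x', 'y', 'd'] as $p) { // an EC decryption key needs all four
        if (empty($jwk[$p])) { $problems[] = "JWK parameter '$p' missing or empty"; }
    }
    if (($h['epk']['crv'] ?? null) !== ($jwk['crv'] ?? null)) {
        $problems[] = 'key curve differs from the epk curve';
    }
    // cty "JWT" marks a nested token: the plaintext is itself a JWS to verify.
    return ['nested' => strtoupper((string) ($h['cty'] ?? '')) === 'JWT', 'problems' => $problems];
}

// True when an EC verification key is on the curve the inner JWS "alg" requires.
function jws_alg_matches_key(string $jws, array $jwk): bool
{
    $curves = ['ES256' => 'P-256', 'ES384' => 'P-384', 'ES512' => 'P-521'];
    $alg = b64url_json(explode('.', $jws)[0])['alg'] ?? '';
    return is_string($alg) && isset($curves[$alg]) && ($jwk['crv'] ?? null) === $curves[$alg];
}

// Constructed sample data (not the token or keys from this thread).
function b64url(array $a): string { return rtrim(strtr(base64_encode(json_encode($a)), '+/', '-_'), '='); }
$jwe = b64url(['epk' => ['kty' => 'EC', 'crv' => 'P-521'], 'cty' => 'JWT',
    'enc' => 'A256CBC-HS512', 'alg' => 'ECDH-ES+A192KW']) . '.a.b.c.d';
$key = ['kty' => 'EC', 'crv' => 'P-521', 'd' => '']; // x and y absent, d empty
print_r(inspect_jwe($jwe, ['ECDH-ES+A192KW'], ['A256CBC-HS512'], $key));
var_dump(jws_alg_matches_key(b64url(['alg' => 'ES256']) . '.e30.sig', ['crv' => 'P-521']));
```

With the sample data, `inspect_jwe()` reports the token as nested and lists `x`, `y` and `d` as missing or empty, and `jws_alg_matches_key()` returns `false` because an ES256 signature cannot be checked with a P-521 key.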
Hi Spomky
It works with PHP 7.4, but it was tried with PHP 7.2. This is the issue. Thanks for your support. Great.
EC key type key encryption algorithm ECDH-ES+A192KW not able to decrypt
Steps to replicate $id_token = 'eyJlcGsiOnsia3R5IjoiRUMiLCJjcnYiOiJQLTUyMSIsIngiOiJBWGYwTTdoLXNNRFZ4Z055WFNRaHFFdjZQaTRKVFRWc3Mwd3FOTEdxbm1saFBwSmpNQVk2YnFRZUQzcDk4YWszTWJFU1Axbzk0WHNmS3B2MGgxZkcyNXhkIiwieSI6IkFRNU5JczNfTW1MZ0J0S0hhaHZ4ZGpEbGdLd3VkalgzbXhfcmZxYjEyZUhXWlkxc1FHeGlldHhUMTdsd3RXdFpxZi1qRlRFWUlaV1FOVS1XbEpmcWVTNVkifSwia2lkIjoiQUtDcmVkaXQgRGVtbyBOZXcgMiIsImN0eSI6IkpXVCIsImVuYyI6IkEyNTZDQkMtSFM1MTIiLCJhbGciOiJFQ0RILUVTK0ExOTJLVyJ9.6DDfdwE1107X0PU7fco3FwRB6JcWhJC7QfOK3EJZbu0y8zT8rqdVXftS3ZHa_XM-AnSGsDMg7MEpxQV08tdDQW3k01Bxzf8q.IUwKDo9d9fpm5_n6FbQOqA.eML6A-S0vh4qq7EqbJjTy6FUPqNlKwB0Z30Q0YD3zg8Ux2XpbehT6vCl3Ka6ohdtl-B2zwrxvT5maDtTncDsfPuOK2g0PbBd0px08p0GZPTBAaIVHqiddqABYt7tLfkL7psl4Oq-zQZzCbKR88QeicWYda4gk5m1VT2y61w78MCj65i6LwG4UgfdpQ6C_tlsP7DPy15twOYeLzlM_XlqUJTOrdHVU4FyWqlAbgJaldYRK7GSCO_1t09tFxkuicapiteje-1wVuPlaVs46TYe-as21inysbCDsdMH6ks_KapD7xwiW31f-mrG-4b49Blw6JSAVT4xHwi2NIufMfxwVwf5kGSKdNDAKXYyvgJ2vDlSNf2eYAaKPUn5qM7ACgwJH8DUzLyk1eWAEbDiylgnCemQEfTirepiAz5oF0kE7nVE_iuD11pEPyAeIpuhW3sOc5FV_SNfCDRl41un8sVayrwteofTqlmTTn3GzBN8vls_5e3LFNUw77lXEH-ND7UhM8sQtJzubuXnRIgVg1BKfLRaAfiDqsmp1s2MyDkFN8Xk0FHWiEi2Dn4Xg6tsQ4i4UlKYap86r1r0qG3Q5CH4yiWDn5WpMXVGT2bIzcYjA.ClZMNgqC6WJnRzQusI-5M-8EOJ0yLm1ah3dLQ9ktwEo';
Output Allowed memory size of 134217728 bytes exhausted (tried to allocate 98570240 bytes) vendor/web-token/jwt-encryption/JWEDecrypter.php:226