web-token / jwt-framework

JWT Framework
MIT License

Can you still allow $contentEncryptionAlgorithmManager in JWEDecrypter? External API needs it to work #579

Closed. ziming closed this issue 3 months ago.

ziming commented 3 months ago

Description

Hi, I am trying to upgrade to v4 of your library; however, if I remove $contentEncryptionAlgorithmManager when creating my JWEDecrypter object, an external API integration of mine fails.

I cannot change how an external API operates, so it would be good if you still allowed us to pass these two items to JWEDecrypter so that I can upgrade to v4 of this library.

My code in v3, which works:

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP;
use Jose\Component\Encryption\JWEDecrypter;

// v3: one manager for the key-encryption algorithm ("alg"), a second one for the content-encryption algorithm ("enc")
$keyEncryptionAlgorithmManager = new AlgorithmManager([new RSAOAEP()]);
$contentEncryptionAlgorithmManager = new AlgorithmManager([new A256GCM()]);

$jweDecrypter = new JWEDecrypter(
    $keyEncryptionAlgorithmManager,
    $contentEncryptionAlgorithmManager
);

$recipient = 0;

// $jwe is the unserialized token and $jwk the private key (both shown below); $jwe is replaced in place with the decrypted token
$jweDecrypter->decryptUsingKey($jwe, $jwk, $recipient);

$payload = $jwe->getPayload();

$payload = str_replace('"', '', $payload);

My code in v4, which fails: without $contentEncryptionAlgorithmManager I cannot decrypt what the external API sends back to me.

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP;
use Jose\Component\Encryption\JWEDecrypter;

$keyEncryptionAlgorithmManager = new AlgorithmManager([new RSAOAEP()]);
$contentEncryptionAlgorithmManager = new AlgorithmManager([new A256GCM()]); // still built, but no longer passed below

$jweDecrypter = new JWEDecrypter(
    $keyEncryptionAlgorithmManager,
    // without the 2nd argument in v4, it fails
);

$recipient = 0;

$jweDecrypter->decryptUsingKey($jwe, $jwk, $recipient); // fails this time!

$payload = $jwe->getPayload();

$payload = str_replace('"', '', $payload);

Spomky commented 3 months ago

For the last 3.x minor release and 4.0, you should pass only one algorithm manager and set null for the second one.

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP;
use Jose\Component\Encryption\JWEDecrypter;

// Both the key-encryption algorithm (RSA-OAEP) and the content-encryption algorithm (A256GCM) go into the same manager
$algorithmManager = new AlgorithmManager([new RSAOAEP(), new A256GCM()]);
$jweDecrypter = new JWEDecrypter($algorithmManager, null);

$recipient = 0;
$jweDecrypter->decryptUsingKey($jwe, $jwk, $recipient);
$payload = $jwe->getPayload();
$payload = str_replace('"', '', $payload);

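To see the two configurations discussed in this thread end to end, here is an added example; it is not code from the issue or from the jwt-framework project. It stands up both sides locally so it runs offline: a throw-away RSA key pair generated with JWKFactory plays the external API's key (the real integration loads the private key from config), the JSON payload is constructed, and the autoloader path and the tryDecrypt helper are assumptions. It decrypts the same compact token first with a manager holding only RSA-OAEP (the failing v4 call from the issue), then with one holding RSA-OAEP and A256GCM.

```php
<?php
// Added example, not code from the issue or from web-token/jwt-framework itself.
// Assumes: composer require web-token/jwt-framework:^4.0 and the Composer autoloader below.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use Jose\Component\Core\AlgorithmManager;
use Jose\Component\Core\JWK;
use Jose\Component\Encryption\Algorithm\ContentEncryption\A256GCM;
use Jose\Component\Encryption\Algorithm\KeyEncryption\RSAOAEP;
use Jose\Component\Encryption\JWEBuilder;
use Jose\Component\Encryption\JWEDecrypter;
use Jose\Component\Encryption\Serializer\CompactSerializer;
use Jose\Component\Encryption\Serializer\JWESerializerManager;
use Jose\Component\KeyManagement\JWKFactory;

// Stand-in for the external API's key pair: generated locally so this runs offline.
// In the real integration the private key is loaded from configuration.
$privateKey = JWKFactory::createRSAKey(2048, ['use' => 'enc']);
$publicKey  = $privateKey->toPublic();

$serializer = new JWESerializerManager([new CompactSerializer()]);

// The "external API" side: encrypt a constructed JSON payload with RSA-OAEP + A256GCM.
// In v4 the builder takes the same single algorithm manager as the decrypter.
$apiAlgorithms = new AlgorithmManager([new RSAOAEP(), new A256GCM()]);
$jwe = (new JWEBuilder($apiAlgorithms))
    ->create()
    ->withPayload(json_encode(['sub' => 'S1234567A', 'name' => 'Jane'], JSON_THROW_ON_ERROR))
    ->withSharedProtectedHeader(['alg' => 'RSA-OAEP', 'enc' => 'A256GCM'])
    ->addRecipient($publicKey)
    ->build();
$responseDataToken = $serializer->serialize(CompactSerializer::NAME, $jwe, 0);

/**
 * Hypothetical helper: decrypt a compact JWE with the given manager and return the
 * plaintext, or a description of why decryption failed, so both setups can be compared.
 */
function tryDecrypt(AlgorithmManager $manager, JWESerializerManager $serializer, string $token, JWK $key): string
{
    $decrypter = new JWEDecrypter($manager); // a single manager is all v4 needs
    $jwe = $serializer->unserialize($token);
    try {
        // $jwe is passed by reference and replaced with the decrypted token on success
        if (!$decrypter->decryptUsingKey($jwe, $key, 0)) {
            return 'decryption returned false';
        }
    } catch (Throwable $e) {
        return 'exception: ' . $e->getMessage();
    }
    // The manager is the allow-list, but pin the alg/enc you expect from this peer explicitly.
    $header = $jwe->getSharedProtectedHeader();
    if (($header['alg'] ?? null) !== 'RSA-OAEP' || ($header['enc'] ?? null) !== 'A256GCM') {
        return 'unexpected alg/enc in protected header';
    }
    return (string) $jwe->getPayload();
}

// 1. Key-encryption algorithm only (the failing v4 code from the issue): the "enc" header
//    value A256GCM cannot be resolved, so decryption fails (the thread reports
//    'The algorithm "A256GCM" is not supported.').
$keyOnly = new AlgorithmManager([new RSAOAEP()]);
echo 'RSA-OAEP only: ', tryDecrypt($keyOnly, $serializer, $responseDataToken, $privateKey), PHP_EOL;

// 2. Both algorithms in the single manager (the fix Spomky describes): plaintext comes back.
$combined = new AlgorithmManager([new RSAOAEP(), new A256GCM()]);
$plaintext = tryDecrypt($combined, $serializer, $responseDataToken, $privateKey);
echo 'RSA-OAEP + A256GCM: ', $plaintext, PHP_EOL;

// The payload is JSON; decode it instead of stripping quotes with str_replace.
$claims = json_decode($plaintext, true, 512, JSON_THROW_ON_ERROR);
echo 'sub claim: ', $claims['sub'], PHP_EOL;
```

Two points worth keeping from this: the single AlgorithmManager doubles as the decrypter's allow-list, so register only the "alg" and "enc" values the external API actually uses rather than every algorithm the library ships, and check the protected header after decryption so an unexpected algorithm from the peer is rejected rather than silently accepted.
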
ziming commented 3 months ago

Hi @Spomky

Yes, I did that in the last minor of v3:

$jweDecrypter = new JWEDecrypter($algorithmManager, null);

$jweDecrypter->decryptUsingKey($jwe, $jwk, $recipient); // error

I got this error:

The algorithm "A256GCM" is not supported.

The external API returns me a response that needs the $contentEncryptionAlgorithmManager (2nd argument) or I cannot decrypt it. So I don't have a choice.

As for the $jwk and $jwe, they are the following (previously working if I pass in the 2nd argument to new JWEDecrypter):


use Jose\Component\Encryption\Serializer\CompactSerializer;
use Jose\Component\Encryption\Serializer\JWESerializerManager;
use Jose\Component\KeyManagement\JWKFactory;

// Private key loaded from Laravel config; $passphrase protects the PEM
$jwk = JWKFactory::createFromKey(
    config('private_key_content'),
    $passphrase
);

$serializerManager = new JWESerializerManager([
    new CompactSerializer(),
]);

// $responseDataToken is the compact JWE returned by the external API
$jwe = $serializerManager->unserialize($responseDataToken);

If it helps to give more context, the code is in one of my open-source libraries:

https://github.com/ziming/laravel-myinfo-sg/blob/master/src/Services/MyinfoSecurityService.php

under the method decryptJWE.

Thank you. So I hope you can allow them again in v4, as I'm constrained by external API requirements.

Spomky commented 3 months ago

Hello,

I am sorry, but I cannot reproduce the issue. Hereafter is an example with the exact same code lines; only the dependency version is changed.

ziming commented 3 months ago

Hi, my bad. I missed the part where you put the 2nd algorithm inside $algorithmManager:

$algorithmManager = new AlgorithmManager([new RSAOAEP, new A256GCM]);

Sorry

github-actions[bot] commented 2 months ago

This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.