dan/jose
1
0
Fork 0
mirror of https://github.com/danbulant/jose synced 2026-05-21 05:18:59 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
jose/lib/jwe/decrypt.js
Filip Skokan 5b53cb0155 fix: limit calculation of missing RSA private components 
- this deprecates the use of `JWK.importKey` in favor of
`JWK.asKey`
- this deprecates the use of `JWKS.KeyStore.fromJWKS` in favor of
`JWKS.asKeyStore`

Both `JWK.importKey` and `JWKS.KeyStore.fromJWKS` could have resulted
in the process getting blocked when large bitsize RSA private keys
were missing their components and could also result in an endless
calculation loop when the private key's private exponent was outright
invalid or tampered with.

The new methods still allow to import private RSA keys with these
optimization key parameters missing but its disabled by default and one
should choose to enable it when working with keys from trusted sources

It is recommended not to use @panva/jose versions with this feature in
its original on-by-default form - v1.1.0 and v1.2.0 These will
2019-06-20 23:32:13 +02:00

210 lines
7.2 KiB
JavaScript
Raw Blame History

const { createSecretKey } = require('crypto')
const { inflateRawSync } = require('zlib')
const base64url = require('../help/base64url')
const { KeyStore } = require('../jwks')
const Key = require('../jwk/key/base')
const errors = require('../errors')
const { check, decrypt, keyManagementDecrypt } = require('../jwa')
const JWK = require('../jwk')
const generateCEK = require('./generate_cek')
const validateHeaders = require('./validate_headers')
const { detect: resolveSerialization } = require('./serializers')
const SINGLE_RECIPIENT = new Set(['compact', 'flattened'])
const combineHeader = (prot = {}, unprotected = {}, header = {}) => {
if (typeof prot === 'string') {
prot = base64url.JSON.decode(prot)
}
const p2s = prot.p2s || unprotected.p2s || header.p2s
const apu = prot.apu || unprotected.apu || header.apu
const apv = prot.apv || unprotected.apv || header.apv
const iv = prot.iv || unprotected.iv || header.iv
const tag = prot.tag || unprotected.tag || header.tag
return {
...prot,
...unprotected,
...header,
...(typeof p2s === 'string' ? { p2s: base64url.decodeToBuffer(p2s) } : undefined),
...(typeof apu === 'string' ? { apu: base64url.decodeToBuffer(apu) } : undefined),
...(typeof apv === 'string' ? { apv: base64url.decodeToBuffer(apv) } : undefined),
...(typeof iv === 'string' ? { iv: base64url.decodeToBuffer(iv) } : undefined),
...(typeof tag === 'string' ? { tag: base64url.decodeToBuffer(tag) } : undefined)
}
}
/*
* @public
*/
const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], complete = false, algorithms } = {}) => {
if (!(key instanceof Key) && !(key instanceof KeyStore)) {
throw new TypeError('key must be an instance of a key instantiated by JWK.asKey or a JWKS.KeyStore')
}
if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some(s => typeof s !== 'string' || !s))) {
throw new TypeError('"algorithms" option must be an array of non-empty strings')
} else if (algorithms) {
algorithms = new Set(algorithms)
}
if (!Array.isArray(crit) || crit.some(s => typeof s !== 'string' || !s)) {
throw new TypeError('"crit" option must be an array of non-empty strings')
}
if (!serialization) {
serialization = resolveSerialization(jwe)
} else if (serialization !== resolveSerialization(jwe)) {
throw new errors.JWEInvalid()
}
let alg, ciphertext, enc, encryptedKey, iv, opts, prot, tag, unprotected, cek, aad, header
// treat general format with one recipient as flattened
// skips iteration and avoids multi errors in this case
if (serialization === 'general' && jwe.recipients.length === 1) {
serialization = 'flattened'
const { recipients, ...root } = jwe
jwe = { ...root, ...recipients[0] }
}
if (SINGLE_RECIPIENT.has(serialization)) {
if (serialization === 'compact') { // compact serialization format
([prot, encryptedKey, iv, ciphertext, tag] = jwe.split('.'))
} else { // flattened serialization format
({ protected: prot, encrypted_key: encryptedKey, iv, ciphertext, tag, unprotected, aad, header } = jwe)
}
if (!skipValidateHeaders) {
validateHeaders(prot, unprotected, [{ header }], true, crit)
}
opts = combineHeader(prot, unprotected, header)
;({ alg, enc } = opts)
if (algorithms && !algorithms.has(alg === 'dir' ? enc : alg)) {
throw new errors.JOSEAlgNotWhitelisted('alg not whitelisted')
}
if (key instanceof KeyStore) {
const keystore = key
let keys
if (opts.alg === 'dir') {
keys = keystore.all({ kid: opts.kid, alg: opts.enc, key_ops: ['decrypt'] })
} else {
keys = keystore.all({ kid: opts.kid, alg: opts.alg, key_ops: ['unwrapKey'] })
}
switch (keys.length) {
case 0:
throw new errors.JWKSNoMatchingKey()
case 1:
// treat the call as if a Key instance was passed in
// skips iteration and avoids multi errors in this case
key = keys[0]
break
default: {
const errs = []
for (const key of keys) {
try {
return jweDecrypt(true, serialization, jwe, key, { crit, complete, algorithms: algorithms ? [...algorithms] : undefined })
} catch (err) {
errs.push(err)
continue
}
}
const multi = new errors.JOSEMultiError(errs)
if ([...multi].some(e => e instanceof errors.JWEDecryptionFailed)) {
throw new errors.JWEDecryptionFailed()
}
throw multi
}
}
}
check(key, ...(alg === 'dir' ? ['decrypt', enc] : ['keyManagementDecrypt', alg]))
try {
if (alg === 'dir') {
cek = JWK.asKey(key, { alg: enc, use: 'enc' })
} else if (alg === 'ECDH-ES') {
const unwrapped = keyManagementDecrypt(alg, key, undefined, opts)
cek = JWK.asKey(createSecretKey(unwrapped), { alg: enc, use: 'enc' })
} else {
const unwrapped = keyManagementDecrypt(alg, key, base64url.decodeToBuffer(encryptedKey), opts)
cek = JWK.asKey(createSecretKey(unwrapped), { alg: enc, use: 'enc' })
}
} catch (err) {
// To mitigate the attacks described in RFC 3218, the
// recipient MUST NOT distinguish between format, padding, and length
// errors of encrypted keys. It is strongly recommended, in the event
// of receiving an improperly formatted key, that the recipient
// substitute a randomly generated CEK and proceed to the next step, to
// mitigate timing attacks.
cek = generateCEK(enc)
}
let adata
if (aad) {
adata = Buffer.concat([
Buffer.from(prot || ''),
Buffer.from('.'),
Buffer.from(aad)
])
} else {
adata = Buffer.from(prot || '')
}
try {
iv = base64url.decodeToBuffer(iv)
} catch (err) {}
try {
tag = base64url.decodeToBuffer(tag)
} catch (err) {}
let cleartext = decrypt(enc, cek, base64url.decodeToBuffer(ciphertext), { iv, tag, aad: adata })
if (opts.zip) {
cleartext = inflateRawSync(cleartext)
}
if (complete) {
const result = { cleartext, key }
if (aad) result.aad = aad
if (header) result.header = header
if (unprotected) result.unprotected = unprotected
if (prot) result.protected = base64url.JSON.decode(prot)
return result
}
return cleartext
}
validateHeaders(jwe.protected, jwe.unprotected, jwe.recipients.map(({ header }) => ({ header })), true, crit)
// general serialization format
const { recipients, ...root } = jwe
const errs = []
for (const recipient of recipients) {
try {
return jweDecrypt(true, 'flattened', { ...root, ...recipient }, key, { crit, complete, algorithms: algorithms ? [...algorithms] : undefined })
} catch (err) {
errs.push(err)
continue
}
}
const multi = new errors.JOSEMultiError(errs)
if ([...multi].some(e => e instanceof errors.JWEDecryptionFailed)) {
throw new errors.JWEDecryptionFailed()
} else if ([...multi].every(e => e instanceof errors.JWKSNoMatchingKey)) {
throw new errors.JWKSNoMatchingKey()
}
throw multi
}
module.exports = jweDecrypt.bind(undefined, false, undefined)
Reference in a new issue View git blame Copy permalink