fix: jwt decryption when key management alg is direct
The JWT.verify method didn't provide a parameter to receive a sharedKey.

Signed-off-by: Goncalo Frade <[email protected]>
beatt83 committed Nov 27, 2024
1 parent 420fc33 commit 57fe5a0
Showing 2 changed files with 42 additions and 2 deletions.
12 changes: 10 additions & 2 deletions Sources/JSONWebToken/JWT+Verification.swift
Expand Up @@ -43,6 +43,7 @@ extension JWT {
jwtString: String,
senderKey: KeyRepresentable? = nil,
recipientKey: KeyRepresentable? = nil,
sharedKey: KeyRepresentable? = nil,
nestedKeys: [KeyRepresentable] = [],
expectedIssuer: String? = nil,
expectedAudience: String? = nil
Expand All @@ -61,6 +62,7 @@ extension JWT {
jwtString: jws.payload.tryToString(),
senderKey: key,
recipientKey: nil,
sharedKey: sharedKey,
nestedKeys: nestedKeys,
expectedIssuer: expectedIssuer,
expectedAudience: expectedAudience
Expand All @@ -82,7 +84,8 @@ extension JWT {

let decryptedPayload = try jwe.decrypt(
senderKey: senderKey,
recipientKey: recipientKey
recipientKey: recipientKey,
sharedKey: sharedKey
)

if jwe.protectedHeader.contentType == "JWT" {
Expand All @@ -95,6 +98,7 @@ extension JWT {
jwtString: decryptedPayload.tryToString(),
senderKey: senderKey,
recipientKey: key,
sharedKey: sharedKey,
nestedKeys: nestedKeys,
expectedIssuer: expectedIssuer,
expectedAudience: expectedAudience
Expand Down Expand Up @@ -134,6 +138,7 @@ extension JWT {
signerKey: KeyRepresentable? = nil,
senderKey: KeyRepresentable? = nil,
recipientKey: KeyRepresentable? = nil,
sharedKey: KeyRepresentable? = nil,
nestedKeys: [KeyRepresentable] = [],
expectedIssuer: String? = nil,
expectedAudience: String? = nil
Expand All @@ -152,6 +157,7 @@ extension JWT {
jwtString: jws.payload.tryToString(),
senderKey: key,
recipientKey: nil,
sharedKey: sharedKey,
nestedKeys: nestedKeys,
expectedIssuer: expectedIssuer,
expectedAudience: expectedAudience
Expand All @@ -173,7 +179,8 @@ extension JWT {

let decryptedPayload = try jwe.decrypt(
senderKey: senderKey,
recipientKey: recipientKey
recipientKey: recipientKey,
sharedKey: sharedKey
)

if jwe.protectedHeader.contentType == "JWT" {
Expand All @@ -186,6 +193,7 @@ extension JWT {
jwtString: decryptedPayload.tryToString(),
senderKey: senderKey,
recipientKey: key,
sharedKey: sharedKey,
nestedKeys: nestedKeys,
expectedIssuer: expectedIssuer,
expectedAudience: expectedAudience
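Review bot: The new `sharedKey` parameter on both `verify` overloads (hunks at -43 and -134) has no doc comment, and nothing in the hunk says which key-management algorithms consume it versus `senderKey`/`recipientKey`. Add above each signature `/// - Parameter sharedKey: Symmetric key used when the JWE key-management algorithm is 'dir' (the key is the content-encryption key itself); not consulted for asymmetric algorithms.`, adjusting the algorithm list to whatever `jwe.decrypt` actually accepts. All three keys are now forwarded to `jwe.decrypt`, so the token's protected header rather than the caller appears to select which key is used; `decrypt` is outside this hunk, so it is worth confirming there that a caller who supplies only `sharedKey` cannot be made to accept a token under an unexpected `alg`, and stating that contract in the doc comment. Both enclosing `verify` bodies start and end outside the hunks.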
32 changes: 32 additions & 0 deletions Tests/JWTTests/JWTTests.swift
@@ -1,6 +1,7 @@
import JSONWebKey
@testable import JSONWebToken
import JSONWebSignature
import JSONWebEncryption
import XCTest

final class JWTTests: XCTestCase {
Expand Down Expand Up @@ -279,6 +280,37 @@ final class JWTTests: XCTestCase {
XCTAssertTrue(areJSONStringsEqual(jsonString, expectedJSON))
}

func testJWE() throws {
let expiredAt = Date().addingTimeInterval(60)

let header = DefaultJWEHeaderImpl(
keyManagementAlgorithm: .direct,
encodingAlgorithm: .a256GCM
)

let kekData = Data(count: 256 / 8)

let jwt = try JWT.encrypt(
claims: {
ObjectClaim(key: "body") {
StringClaim(key: "foo", value: "bar")
}
IssuerClaim(value: "DLTA Studio")
ExpirationTimeClaim(value: expiredAt)
},
protectedHeader: header,
senderKey: nil,
recipientKey: nil,
sharedKey: nil,
cek: kekData
)

let jwtString = jwt.jwtString

let verifiedJWT = try JWT.verify(jwtString: jwtString, sharedKey: JWK(keyType: .octetSequence, key: kekData))
let verifiedPayload = verifiedJWT.payload
}

private func areJSONStringsEqual(_ lhs: String, _ rhs: String) -> Bool {
guard
let lhsData = lhs.data(using: .utf8),
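Review bot: `testJWE` asserts nothing — `verifiedPayload` is bound and dropped, so the test only proves that `JWT.verify` does not throw, not that the `dir` path recovers the original claims. Assert the round-trip against the claims that were encrypted, e.g. `XCTAssertTrue(areJSONStringsEqual(try verifiedPayload.tryToString(), expectedJSON))` with an `expectedJSON` literal for the issuer/body claims, if `payload` exposes `tryToString()` as the JWS payload does in the verify hunk. A negative case is also missing: `XCTAssertThrowsError(try JWT.verify(jwtString: jwtString, sharedKey: JWK(keyType: .octetSequence, key: Data(repeating: 1, count: 32))))` would pin that a wrong shared key is rejected rather than silently accepted. Separately, the local is named `kekData` but is passed as `cek:` and is the content-encryption key under `.direct`; renaming it `cekData` and the test `testJWEDirectSharedKeyRoundTrip` would make the intent readable.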
