
JWTs are always SignedThenEncrypted when encrypted using JwtEncryptionHandler#encryptJwt

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.5.0, 7.0.0
    • Fix Version/s: 7.0.0, 6.5.3
    • Component/s: oauth2
    • Labels:
    • Needs backport:
      Yes

      Description

      Bug description

      When I encrypt a JWT using JwtEncryptionHandler with a JwtClaimsSet and serialise it (JwtReconstructionHandler#build), then deserialise it using JwtReconstruction#reconstructJwt, the instance returned is a SignedThenEncryptedJwt, rather than an EncryptedJwt. This leads to an error when decrypting via JwtDecryptionHandler as the payload is treated as a nested JWT.

      How to reproduce the issue


      1. Create an encrypted JWT using JwtEncryptionHandler#encryptJwt with a JwtClaimsSet
      2. Serialise to string using JwtEncryptionHandler#build
      3. Reconstruct the JWT with EncryptedJwt jwt = JwtReconstruction#reconstructJwt(jwtString, EncryptedJwt.class);

      Expected behaviour

      I get an EncryptedJwt

      Current behaviour

      I get a SignedThenEncryptedJwt

      Work around

      None without changing the code.

      Code analysis

      JwtEncryptionHandler#encryptJwt(JwtClaimsSet) calls addJwtContentType, which adds the "typ" property to the headers used by JEH for creating an encrypted JWT. This causes JwtReconstruction to treat it as a SignedThenEncryptedJwt.

      org.forgerock.openam.jwt.JwtEncryptionHandler
      public Jwt encryptJwt(JwtClaimsSet claimsSet, Purpose<? extends CryptoKey> purpose)
              throws NoSuchSecretException {
          // addJwtContentType() sets the content-type header unconditionally, even though
          // the payload here is a plain claims set rather than a nested (signed) JWT.
          return addJwtContentType(
                  prepareEncryption(jwtBuilderFactory::jwe,
                          jwtEncryptionOptions.getCredentials().getActiveSecret(purpose).getOrThrowUninterruptibly()))
                  .claims(claimsSet)
                  .asJwt();
      }

      org.forgerock.json.jose.common.JwtReconstruction
      // A content-type header on the JWE makes reconstruction treat the plaintext as a nested JWT.
      if (jweHeader.getContentType() != null) {
          return new SignedThenEncryptedJwt(jweHeader, encodedHeader, encryptedContentEncryptionKey,
                  initialisationVector, ciphertext, authenticationTag);
      } else {
          return new EncryptedJwt(jweHeader, encodedHeader, encryptedContentEncryptionKey, initialisationVector,
                  ciphertext, authenticationTag);
      }
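      To make the dispatch above concrete, here is an added Python model (not OpenAM or json-jose code) of how a reconstructor picks the JWT type from the JWE protected header. It assumes that getContentType() reads the standard JWE "cty" header, that a nested JWT is marked by cty=JWT (RFC 7519 section 5.2), and uses constructed tokens whose key, IV, ciphertext and tag are placeholder bytes, since only the header matters for the classification.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_jwe_header(alg: str, enc: str, nested: bool) -> dict:
    """Model of the corrected builder: only a signed-then-encrypted (nested)
    JWT carries the content-type header; a plain claims payload must not."""
    header = {"alg": alg, "enc": enc, "typ": "JWT"}
    if nested:
        header["cty"] = "JWT"  # marks the plaintext as an inner JWT
    return header


def buggy_jwe_header(alg: str, enc: str) -> dict:
    """Model of the reported behaviour: the content type is added even when
    the payload is a plain claims set, so every token looks nested."""
    header = build_jwe_header(alg, enc, nested=False)
    header["cty"] = "JWT"
    return header


def compact_jwe(header: dict) -> str:
    """Constructed compact JWE: header + four placeholder segments (no real crypto)."""
    placeholder = b64url_encode(b"\x00" * 16)
    segments = [b64url_encode(json.dumps(header).encode("utf-8"))] + [placeholder] * 4
    return ".".join(segments)


def classify_jwe(compact: str) -> str:
    """Mirror of the reconstruction branch: a content-type header means the
    decryptor will try to parse the decrypted plaintext as a nested JWT."""
    parts = compact.split(".")
    if len(parts) != 5:
        raise ValueError("compact JWE must have exactly 5 segments")
    header = json.loads(b64url_decode(parts[0]))
    return "SignedThenEncryptedJwt" if "cty" in header else "EncryptedJwt"
```

      Running classify_jwe over a token built with buggy_jwe_header reproduces the report: a plain claims payload is classified as SignedThenEncryptedJwt, so a decryptor would attempt to parse the claims as a nested JWT.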

      People

      • Assignee: michael.carter (Michael Carter)
      • Reporter: michael.carter (Michael Carter)