
NewEncrypter handles neither non-pointer JWKs as Recipient Keys, nor non-JWK

Open alee792 opened this issue 4 years ago • 1 comment

The following block will fail with "square/go-jose: unsupported key type/format" if a JSONWebKey is passed by value.

var key jose.JSONWebKey = <whatever>
enc, err := jose.NewEncrypter(
	jose.A128GCM,
	jose.Recipient{
		Algorithm: jose.RSA_OAEP_256,
		Key:       key,
		KeyID:     key.KeyID,
	},
	nil,
)

I would expect passing by value to work because NewEncrypter supports it: https://github.com/square/go-jose/blob/c9ac459e06bc9a5ab7efd5d3b3f421d6de27401f/crypter.go#L140-L141

However, when non-DIRECT and non-ECDH-ES recipient algos are handled by the default case, JWK by value is missing: https://github.com/square/go-jose/blob/c9ac459e06bc9a5ab7efd5d3b3f421d6de27401f/crypter.go#L260-L273

Additionally, the default case does not add the specified Recipient KeyID in the same way as the other two cases: https://github.com/square/go-jose/blob/c9ac459e06bc9a5ab7efd5d3b3f421d6de27401f/crypter.go#L182-L184

The passed KeyID just gets dropped and is only added if the key is asserted to *JSONWebKey and retrieved from there.

If my read is correct, I'm more than happy to PR a fix! :)

alee792 · Sep 10 '21 19:09
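A reduced Go model of the key-unwrapping type switch this issue describes, added here as an example; it is not go-jose's code, and jsonWebKey, recipientKeyBuggy, recipientKeyFixed and newTestJWK are assumed names. It shows why a JWK passed by value falls into the unsupported-key default case while the pointer form succeeds, and how accepting both forms fixes it.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"errors"
)

// jsonWebKey stands in for jose.JSONWebKey (assumption: a model type, not go-jose's own).
type jsonWebKey struct {
	Key   interface{}
	KeyID string
}

var errUnsupported = errors.New("unsupported key type/format")
// recipientKeyBuggy models the default-case behaviour the issue reports: only
// *jsonWebKey is unwrapped, so a JWK passed by value is rejected.
func recipientKeyBuggy(key interface{}) (*rsa.PublicKey, error) {
	switch k := key.(type) {
	case *jsonWebKey:
		return recipientKeyBuggy(k.Key)
	case *rsa.PublicKey:
		return k, nil
	default:
		return nil, errUnsupported
	}
}

// recipientKeyFixed unwraps the JWK by pointer or by value, then checks the raw key.
func recipientKeyFixed(key interface{}) (*rsa.PublicKey, error) {
	switch k := key.(type) {
	case *jsonWebKey:
		return recipientKeyFixed(k.Key)
	case jsonWebKey:
		return recipientKeyFixed(k.Key)
	case *rsa.PublicKey:
		return k, nil
	default:
		return nil, errUnsupported
	}
}

// newTestJWK wraps a freshly generated (constructed, test-only) RSA public key.
func newTestJWK() jsonWebKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return jsonWebKey{Key: &priv.PublicKey, KeyID: "example-kid"}
}
```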

Will be addressed by #364.

The second issue is a misread. The recipient, which holds the key ID, is actually added to the encrypter directly.

alee792 · Oct 20 '21 20:10