ECDH-ES+A256KW - Key not found or is invalid #159

Closed
EugenePikalov opened this issue Aug 12, 2023 · 2 comments · Fixed by #160
EugenePikalov commented Aug 12, 2023

Description

With ECDH-ES+A256KW, decryption produces the exception "Key not found or is invalid".

Steps to reproduce

<?php
// Reproduction as posted. Note the "alg" member inside the JWK and the
// four-argument ECKey constructor; both are discussed in the maintainer's reply.
include './vendor/autoload.php';

$set = new SimpleJWT\Keys\KeySet();

// Recipient private key (EC, P-384) in JWK format
$key = '{"kty": "EC",
  "d": "3DCgwJeF_IRdhF1B8JYRZOm4Frt_XrknFotgE_RcVj_z053yhHF4zhM6W-z7dd2X",
  "use": "enc",
  "crv": "P-384",
  "x": "q4yHCxdvXDA6PODaM9IkpjCUh9gRgpkIN_gV1i5HzJUOHCkC4HMrFiIduZZsVdQf",
  "y": "fFrsS5ZIlf0CKAnxRXhnbSHcGTByVxULEPyN_9jKOlb85wZv4VoIEtIBxeHYkLCe",
  "alg": "ECDH-ES+A256KW"}';
$key = new SimpleJWT\Keys\ECKey($key, 'json', null, 'ECDH-ES+A256KW');
$set->add($key);

// Compact JWE: alg = ECDH-ES+A256KW, enc = A256GCM, with the sender's ephemeral
// public key (epk) carried in the protected header
$token = 'eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiVDFIazlQell6SUY5NW9ESDJENTFZXzJGVUZuZ3RKZWxpbW11UTZJbHlyVWhuVGlfYlk1ZFplY0lPNExQRmp1byIsInkiOiJlLVBQbTNEQjB0N2F1RUNCV0Q0MkZxMlVDeXNuQ0NjQUxDUy1NWHMwclV3U0pLQmFMWTcwb1lzcWprMnJQVjROIiwiY3J2IjoiUC0zODQifX0.6vW-S_7om9iHMYc2JzkwijQV4msn55YRrDYQ2EMs3-bg3Y7I0dBrDA.CQ45omsfTgrZlrJd.58LMMeqXOogn6i6JI5VbrFucwI_hStOGNXgOqXsExNARXlYPSHweSXXGS_nYaa90srl9a5HTbn1YJEtduB0YKekULRXK1la5uOiHnw5tuRJUqXVTA-_l_Nv7PZWzPZOua2quUGMw5c8y55c8qImO02gw_tbopnqwROUHR-eeBMiRwEkpBDl8AlSOQsLd-6MZ3kqaLuGyhw0rQ9DPZlucB1DB0rF2WYEwnz72I1aB2XLmrVuIRkTbVRRxMp9Qt8BLP8Uay-8Qr3HvMfQDftKydtAKiQLXHTMLoo5H8s69i-1baFynJjH4nNpnujJGONkBSQg9RmWf-5CdiZnQC1g4hSvL5p6RM0sGXR4jORlzd-TNSmZeOe1mvEHifCmeyCQ1T0NNBrtsSUeT6lckEFjyvjKau6eZxoa3nyzpzMooNw8u-e-s9uctYmdVmYm75PWqkzencTnccTtmZjuBdehplM0SLbGYrxoxIoBBoozrACeIQITHi73DB1kSQdbfOfb_nuo26PEaIgvsncj-he0v.y3mcOAn4nXDleSobp2eQYg';

// Decrypt with the key set; the expected alg is passed explicitly
$res = SimpleJWT\JWE::decrypt($token, $set, 'ECDH-ES+A256KW');
echo $res->getPlaintext();

Expected behaviour

Expected {"refreshToken":"0607a317-044c-49dc-83ea-89bbf7766c03","authToken":"c8945473-6217-4ec7-a543-09371ee156e3","deviceId":"ffaa1991-273d-4f45-a4c2-6bfbf682db24","serverPublic":{"kty":"EC","crv":"P-384","x":"qL6f_m1pa35_UHnZFQ-4MzuSPzbQJiPmzJqbwQC4KdxnPuSe2uGpwiBMmVzr6NyZ","y":"LI_AYpAWP3DZTXHgWApUOZJHmpFJ4zhpQx8YWNueEiyQVPeP58DCjmD7LtxSrmGv"},"tokenExpirationDateTime":"2023-08-12 11:49:45.0350 +0000"}

Environment

  • Version 0.7.0
  • Server OS: Windows, Centos
  • PHP: 8.2

Additional information

It only works with the following change in JWE::decrypt (snippet of the library method as posted, truncated):

        $key_enc = AlgorithmFactory::create($headers['alg']);

        /** @var \SimpleJWT\Crypt\Encryption\EncryptionAlgorithm $content_enc */
        $content_enc = AlgorithmFactory::create($headers['enc']);

        // Workaround: "false and" short-circuits the condition so the
        // KeyDerivationAlgorithm branch is never taken
        if (false and $key_enc instanceof KeyDerivationAlgorithm) {
@kelvinmo (Owner) commented

Please note there are a couple of issues with the code above.

  1. The JSON key shouldn't have an alg parameter.
  2. When creating the ECKey the correct constructor is new SimpleJWT\Keys\ECKey($key, 'json'); rather than new SimpleJWT\Keys\ECKey($key, 'json', null, 'ECDH-ES+A256KW');

With the pull request applied, the following test case now runs properly:

<?php
use PHPUnit\Framework\TestCase;

class Issue159Test extends TestCase {
    function testIssue159() {
        $set = new SimpleJWT\Keys\KeySet();
        // Recipient private key as a JWK, without the "alg" member
        $key = '{"kty": "EC",
        "d": "3DCgwJeF_IRdhF1B8JYRZOm4Frt_XrknFotgE_RcVj_z053yhHF4zhM6W-z7dd2X","use": "enc","crv": "P-384",
        "x": "q4yHCxdvXDA6PODaM9IkpjCUh9gRgpkIN_gV1i5HzJUOHCkC4HMrFiIduZZsVdQf",
        "y": "fFrsS5ZIlf0CKAnxRXhnbSHcGTByVxULEPyN_9jKOlb85wZv4VoIEtIBxeHYkLCe"}';//,"alg": "ECDH-ES+A256KW"}';

        // Two-argument constructor: the key's JWK metadata is enough
        //$key = new SimpleJWT\Keys\ECKey($key, 'json', null, 'ECDH-ES+A256KW');
        $key = new SimpleJWT\Keys\ECKey($key, 'json');
        $set->add($key);

        // Key-set lookup for an EC key usable for key agreement (result not asserted on here)
        $keys = $set->get(['kty' => 'EC', '@use' => 'enc', '@key_ops' => 'deriveKey']);

        // Compact JWE from the issue: alg = ECDH-ES+A256KW, enc = A256GCM, epk in the protected header
        $token = 'eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiVDFIazlQell6SUY5NW9ESDJENTFZXzJGVUZuZ3RKZWxpbW11UTZJbHlyVWhuVGlfYlk1ZFplY0lPNExQRmp1byIsInkiOiJlLVBQbTNEQjB0N2F1RUNCV0Q0MkZxMlVDeXNuQ0NjQUxDUy1NWHMwclV3U0pLQmFMWTcwb1lzcWprMnJQVjROIiwiY3J2IjoiUC0zODQifX0.6vW-S_7om9iHMYc2JzkwijQV4msn55YRrDYQ2EMs3-bg3Y7I0dBrDA.CQ45omsfTgrZlrJd.58LMMeqXOogn6i6JI5VbrFucwI_hStOGNXgOqXsExNARXlYPSHweSXXGS_nYaa90srl9a5HTbn1YJEtduB0YKekULRXK1la5uOiHnw5tuRJUqXVTA-_l_Nv7PZWzPZOua2quUGMw5c8y55c8qImO02gw_tbopnqwROUHR-eeBMiRwEkpBDl8AlSOQsLd-6MZ3kqaLuGyhw0rQ9DPZlucB1DB0rF2WYEwnz72I1aB2XLmrVuIRkTbVRRxMp9Qt8BLP8Uay-8Qr3HvMfQDftKydtAKiQLXHTMLoo5H8s69i-1baFynJjH4nNpnujJGONkBSQg9RmWf-5CdiZnQC1g4hSvL5p6RM0sGXR4jORlzd-TNSmZeOe1mvEHifCmeyCQ1T0NNBrtsSUeT6lckEFjyvjKau6eZxoa3nyzpzMooNw8u-e-s9uctYmdVmYm75PWqkzencTnccTtmZjuBdehplM0SLbGYrxoxIoBBoozrACeIQITHi73DB1kSQdbfOfb_nuo26PEaIgvsncj-he0v.y3mcOAn4nXDleSobp2eQYg';

        $res = SimpleJWT\JWE::decrypt($token, $set, 'ECDH-ES+A256KW');
        $payload = json_decode($res->getPlaintext(), true);

        $this->assertEquals('0607a317-044c-49dc-83ea-89bbf7766c03', $payload['refreshToken']);
        $this->assertEquals('c8945473-6217-4ec7-a543-09371ee156e3', $payload['authToken']);
    }
}

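The maintainer's two points (no alg inside the JWK, and the two-argument constructor) both come down to whether the recipient key is selectable and internally consistent for an ECDH-ES+A256KW token. The following is an added example, written for this page and not part of SimpleJWT or of either participant's code: a standard-library Python checker that parses the compact JWE from the issue, validates the recipient JWK against its protected header (including that both the ephemeral and the recipient public points lie on P-384 and that d matches x,y), and carries out the RFC 7518 section 4.6.2 Concat KDF step that turns the ECDH shared secret into the 256-bit A256KW wrapping key. The AES key unwrap and AES-GCM steps are left out because they need an AES implementation. The token and JWK are the ones posted above; the curve constants are NIST P-384; the function names are this example's own.

```python
# Added example (Python 3.8+, standard library only); not SimpleJWT code.
import base64
import hashlib
import json
import struct

# NIST P-384 domain parameters (a = -3), from SEC 2 / FIPS 186-4.
P = 2**384 - 2**128 - 2**96 + 2**32 - 1
B = 0xB3312FA7E23EE7E4988E056BE3F82D19181D9C6EFE8141120314088F5013875AC656398D8A2ED19D2A85C8EDD3EC2AEF
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC7634D81F4372DDF581A0DB248B0A77AECEC196ACCC52973
G = (0xAA87CA22BE8B05378EB1C71EF320AD746E1D3B628BA79B9859F741E082542A385502F25DBF55296C3A545E3872760AB7,
     0x3617DE4A96262C6F5D9E98BF9292DC29F8F41DBD289A147CE9DA3113B5F0B8C00A60B1CE1D7E819D7A431D7C90EA0E5F)
COORD_LEN = 48  # bytes per P-384 field element

# Test data copied from the issue above (recipient private JWK and the token).
RECIPIENT_JWK = {
    "kty": "EC", "use": "enc", "crv": "P-384",
    "d": "3DCgwJeF_IRdhF1B8JYRZOm4Frt_XrknFotgE_RcVj_z053yhHF4zhM6W-z7dd2X",
    "x": "q4yHCxdvXDA6PODaM9IkpjCUh9gRgpkIN_gV1i5HzJUOHCkC4HMrFiIduZZsVdQf",
    "y": "fFrsS5ZIlf0CKAnxRXhnbSHcGTByVxULEPyN_9jKOlb85wZv4VoIEtIBxeHYkLCe",
}
TOKEN = "eyJhbGciOiJFQ0RILUVTK0EyNTZLVyIsImVuYyI6IkEyNTZHQ00iLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiVDFIazlQell6SUY5NW9ESDJENTFZXzJGVUZuZ3RKZWxpbW11UTZJbHlyVWhuVGlfYlk1ZFplY0lPNExQRmp1byIsInkiOiJlLVBQbTNEQjB0N2F1RUNCV0Q0MkZxMlVDeXNuQ0NjQUxDUy1NWHMwclV3U0pLQmFMWTcwb1lzcWprMnJQVjROIiwiY3J2IjoiUC0zODQifX0.6vW-S_7om9iHMYc2JzkwijQV4msn55YRrDYQ2EMs3-bg3Y7I0dBrDA.CQ45omsfTgrZlrJd.58LMMeqXOogn6i6JI5VbrFucwI_hStOGNXgOqXsExNARXlYPSHweSXXGS_nYaa90srl9a5HTbn1YJEtduB0YKekULRXK1la5uOiHnw5tuRJUqXVTA-_l_Nv7PZWzPZOua2quUGMw5c8y55c8qImO02gw_tbopnqwROUHR-eeBMiRwEkpBDl8AlSOQsLd-6MZ3kqaLuGyhw0rQ9DPZlucB1DB0rF2WYEwnz72I1aB2XLmrVuIRkTbVRRxMp9Qt8BLP8Uay-8Qr3HvMfQDftKydtAKiQLXHTMLoo5H8s69i-1baFynJjH4nNpnujJGONkBSQg9RmWf-5CdiZnQC1g4hSvL5p6RM0sGXR4jORlzd-TNSmZeOe1mvEHifCmeyCQ1T0NNBrtsSUeT6lckEFjyvjKau6eZxoa3nyzpzMooNw8u-e-s9uctYmdVmYm75PWqkzencTnccTtmZjuBdehplM0SLbGYrxoxIoBBoozrACeIQITHi73DB1kSQdbfOfb_nuo26PEaIgvsncj-he0v.y3mcOAn4nXDleSobp2eQYg"


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def ec_add(p1, p2):
    """Affine point addition on P-384; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = (3 * x1 * x1 - 3) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; fine for an offline checker)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def jwk_point(jwk):
    """Decode an EC JWK's public point, rejecting anything that is not on P-384."""
    if jwk.get("kty") != "EC" or jwk.get("crv") != "P-384":
        raise ValueError("expected an EC P-384 JWK")
    xb, yb = b64url_decode(jwk["x"]), b64url_decode(jwk["y"])
    if len(xb) != COORD_LEN or len(yb) != COORD_LEN:
        raise ValueError("x and y must each be exactly 48 bytes for P-384")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if x >= P or y >= P or (y * y - (x * x * x - 3 * x + B)) % P != 0:
        raise ValueError("point is not on P-384 (invalid-curve input)")
    return x, y


def parse_compact_jwe(token):
    """Split a compact JWE into (protected header dict, [encrypted key, iv, ciphertext, tag])."""
    parts = token.split(".")
    if len(parts) != 5:
        raise ValueError(f"compact JWE needs 5 segments, got {len(parts)}")
    return json.loads(b64url_decode(parts[0])), [b64url_decode(p) for p in parts[1:]]


def check_recipient_key(header, jwk):
    """Reasons this JWK cannot unwrap the JWE's content key; an empty list means it is usable."""
    problems = []
    if header.get("alg") != "ECDH-ES+A256KW":
        problems.append(f"unexpected alg {header.get('alg')!r}")
    if "epk" not in header:
        problems.append("ECDH-ES header carries no epk")
    if jwk.get("use") not in (None, "enc"):
        problems.append(f"JWK use={jwk['use']!r} is not an encryption key")
    if "alg" in jwk and jwk["alg"] != header.get("alg"):
        problems.append("JWK alg does not match the header alg")
    if "d" not in jwk:
        problems.append("JWK has no private scalar d, so it can only encrypt")
        return problems
    try:  # the private scalar must be in range and must generate the public point
        d = int.from_bytes(b64url_decode(jwk["d"]), "big")
        if not 1 <= d < N or ec_mul(d, G) != jwk_point(jwk):
            problems.append("private scalar d does not match the public point x,y")
    except (KeyError, ValueError) as exc:
        problems.append(str(exc))
    return problems


def derive_wrapping_key(header, jwk):
    """RFC 7518 s4.6.2: Z = d * epk, then one SHA-384 Concat KDF round gives the 256-bit A256KW key."""
    d = int.from_bytes(b64url_decode(jwk["d"]), "big")
    z = ec_mul(d, jwk_point(header["epk"]))[0].to_bytes(COORD_LEN, "big")
    def lp(b):  # length-prefixed field, as the KDF's OtherInfo requires
        return struct.pack(">I", len(b)) + b
    other_info = (lp(header["alg"].encode()) + lp(b64url_decode(header.get("apu", "")))
                  + lp(b64url_decode(header.get("apv", ""))) + struct.pack(">I", 256))
    return hashlib.sha384(struct.pack(">I", 1) + z + other_info).digest()[:32]


if __name__ == "__main__":
    hdr, (enc_key, iv, ct, tag) = parse_compact_jwe(TOKEN)
    print(hdr["alg"], hdr["enc"], len(enc_key), len(iv), len(tag))
    print("problems:", check_recipient_key(hdr, RECIPIENT_JWK))
    print("A256KW wrapping key:", derive_wrapping_key(hdr, RECIPIENT_JWK).hex())
```

Two details worth noting. The on-curve test in jwk_point is applied to the sender's epk as well as to the recipient's own key: an ECDH implementation that multiplies its private scalar by an unchecked point is exposed to invalid-curve attacks, so a decryptor should reject off-curve epk values before deriving anything. And the 40-byte encrypted-key segment is what A256KW (RFC 3394) produces for a 32-byte A256GCM content key, which is a quick sanity check that the token's alg and enc headers agree with its body.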
@EugenePikalov (Author) commented

It works. Thank you for your prompt reply
