Merge commit from fork

jsha · web-flow · commit 0e59876635f3 · 2026-03-31T16:33:50.000-07:00
* cipher: fix panic on KeyUnwrap of too-short slice

* jwe: don't call KeyUnwrap on empty (encrypted) key

Also don't call `aead.decrypt` on an empty key.

* test: make asymmetric_test more precise

These two test cases were passing a nil recipient, and checking for "any error"
instead of a specific error, which meant that introducing a nil recipient check
in `decryptKey` caused the test to stop testing what it meant to test, but
continue passing. Now we check for a specific error.

* test: TestKeyUnwrapShort

* jwe: TestEmptyEncryptedKey

* test: add `shorten` and `empty` corruptors
diff --git a/asymmetric.go b/asymmetric.go
@@ -414,6 +414,9 @@ func (ctx ecKeyGenerator) genKey() ([]byte, rawHeader, error) {
 
 // Decrypt the given payload and return the content encryption key.
 func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
+	if recipient == nil {
+		return nil, errors.New("go-jose/go-jose: missing recipient")
+	}
 	epk, err := headers.getEPK()
 	if err != nil {
 		return nil, errors.New("go-jose/go-jose: invalid epk header")
@@ -461,13 +464,18 @@ func (ctx ecDecrypterSigner) decryptKey(headers rawHeader, recipient *recipientI
 		return nil, ErrUnsupportedAlgorithm
 	}
 
+	encryptedKey := recipient.encryptedKey
+	if len(encryptedKey) == 0 {
+		return nil, errors.New("go-jose/go-jose: missing JWE Encrypted Key")
+	}
+
 	key := deriveKey(string(algorithm), keySize)
 	block, err := aes.NewCipher(key)
 	if err != nil {
 		return nil, err
 	}
 
-	return josecipher.KeyUnwrap(block, recipient.encryptedKey)
+	return josecipher.KeyUnwrap(block, encryptedKey)
 }
 
 func (ctx edDecrypterSigner) signPayload(payload []byte, alg SignatureAlgorithm) (Signature, error) {
diff --git a/asymmetric_test.go b/asymmetric_test.go
@@ -22,6 +22,7 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"errors"
+	"github.com/go-jose/go-jose/v4/json"
 	"io"
 	"testing"
 )
@@ -163,24 +164,35 @@ func TestInvalidECDecrypt(t *testing.T) {
 
 	generator := randomKeyGenerator{size: 16}
 
+	recipient := recipientInfo{
+		// decryptKey will error out before the contents here matter
+		encryptedKey: []byte("not used"),
+	}
 	// Missing epk header
 	headers := rawHeader{}
 
 	if err := headers.set(headerAlgorithm, ECDH_ES); err != nil {
 		t.Fatal(err)
 	}
 
-	if _, err := dec.decryptKey(headers, nil, generator); err == nil {
+	want := "go-jose/go-jose: missing epk header"
+	_, err := dec.decryptKey(headers, &recipient, generator)
+	if err == nil {
 		t.Error("ec decrypter accepted object with missing epk header")
+	} else if err.Error() != want {
+		t.Errorf("decryptKey with missing epk header: got %q, want %q", err, want)
 	}
 
 	// Invalid epk header
-	if err := headers.set(headerEPK, &JSONWebKey{}); err == nil {
-		t.Fatal("epk header should be invalid")
-	}
+	invalid := json.RawMessage("invalid")
+	headers["epk"] = &invalid
 
-	if _, err := dec.decryptKey(headers, nil, generator); err == nil {
+	want = "go-jose/go-jose: invalid epk header"
+	_, err = dec.decryptKey(headers, &recipient, generator)
+	if err == nil {
 		t.Error("ec decrypter accepted object with invalid epk header")
+	} else if err.Error() != want {
+		t.Errorf("decryptKey with invalid epk header: got %q, want %q", err, want)
 	}
 }
 
@@ -367,6 +379,12 @@ func TestInvalidECPublicKey(t *testing.T) {
 		D: fromBase64Int("0_NxaRPUMQoAJt50Gz8YiTr8gRTwyEaCumd-MToTmIo"),
 	}
 
+	recipient := recipientInfo{
+		// encryptedKey must be non-empty to pass initial checks, but the actual
+		// bytes don't matter because we'll error out before using them.
+		encryptedKey: []byte("not used"),
+	}
+
 	headers := rawHeader{}
 
 	if err := headers.set(headerAlgorithm, ECDH_ES); err != nil {
@@ -381,9 +399,15 @@ func TestInvalidECPublicKey(t *testing.T) {
 		privateKey: ecTestKey256,
 	}
 
-	if _, err := dec.decryptKey(headers, nil, randomKeyGenerator{size: 16}); err == nil {
+	_, err := dec.decryptKey(headers, &recipient, randomKeyGenerator{size: 16})
+	if err == nil {
 		t.Fatal("decrypter accepted JWS with invalid ECDH public key")
 	}
+
+	want := "go-jose/go-jose: invalid epk header"
+	if err.Error() != want {
+		t.Errorf("decryptKey with invalid ECDH public key: got %q, want %q", err, want)
+	}
 }
 
 func TestInvalidAlgorithmEC(t *testing.T) {
diff --git a/cipher/key_wrap.go b/cipher/key_wrap.go
@@ -66,12 +66,20 @@ func KeyWrap(block cipher.Block, cek []byte) ([]byte, error) {
 }
 
 // KeyUnwrap implements NIST key unwrapping; it unwraps a content encryption key (cek) with the given block cipher.
+//
+// https://datatracker.ietf.org/doc/html/rfc7518#section-4.4
+// https://datatracker.ietf.org/doc/html/rfc7518#section-4.6
+// https://datatracker.ietf.org/doc/html/rfc7518#section-4.8
 func KeyUnwrap(block cipher.Block, ciphertext []byte) ([]byte, error) {
+	n := (len(ciphertext) / 8) - 1
+	if n <= 0 {
+		return nil, errors.New("go-jose/go-jose: JWE Encrypted Key too short")
+	}
+
 	if len(ciphertext)%8 != 0 {
 		return nil, errors.New("go-jose/go-jose: key wrap input must be 8 byte blocks")
 	}
 
-	n := (len(ciphertext) / 8) - 1
 	r := make([][]byte, n)
 
 	for i := range r {
diff --git a/cipher/key_wrap_test.go b/cipher/key_wrap_test.go
@@ -23,6 +23,47 @@ import (
 	"testing"
 )
 
+func TestKeyUnwrapShort(t *testing.T) {
+	// Test vectors from: http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
+	kek0, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
+	block0, _ := aes.NewCipher(kek0)
+	want := "go-jose/go-jose: JWE Encrypted Key too short"
+	_, err := KeyUnwrap(block0, nil)
+	if err == nil {
+		t.Error("KeyUnwrap(_, nil): got nil, want error")
+	} else if err.Error() != want {
+		t.Errorf("KeyUnwrap(_, nil): got %q, want %q", err, want)
+	}
+
+	input := []byte{}
+	_, err = KeyUnwrap(block0, []byte{})
+	if err == nil {
+		t.Errorf("KeyUnwrap(_, %q): got nil, want error", input)
+	} else if err.Error() != want {
+		t.Errorf("KeyUnwrap(_, %q): got %q, want %q", input, err, want)
+	}
+
+	for n := 0; n < 16; n++ {
+		input := bytes.Repeat([]byte("a"), n)
+		_, err = KeyUnwrap(block0, input)
+		if err == nil {
+			t.Errorf("KeyUnwrap(_, %q): got nil, want error", input)
+		} else if err.Error() != want {
+			t.Errorf("KeyUnwrap(_, nil): got %q, want %q", err, want)
+		}
+	}
+
+	input = bytes.Repeat([]byte("a"), 17)
+	want = "go-jose/go-jose: key wrap input must be 8 byte blocks"
+	_, err = KeyUnwrap(block0, input)
+	if err == nil {
+		t.Errorf("KeyUnwrap(_, %q): got nil, want error", input)
+	} else if err.Error() != want {
+		t.Errorf("KeyUnwrap(_, %q): got %q, want %q", input, err, want)
+	}
+
+}
+
 func TestAesKeyWrap(t *testing.T) {
 	// Test vectors from: http://csrc.nist.gov/groups/ST/toolkit/documents/kms/key-wrap.pdf
 	kek0, _ := hex.DecodeString("000102030405060708090A0B0C0D0E0F")
diff --git a/crypter_test.go b/crypter_test.go
@@ -191,6 +191,8 @@ func TestRoundtripsJWECorrupted(t *testing.T) {
 		func(obj *JSONWebEncryption) (string, error) { return obj.FullSerialize(), nil },
 	}
 
+	// corrupter functions return true to skip (i.e. no change was made so no error is expected),
+	// or false to do the test and expect an error.
 	bitflip := func(slice []byte) bool {
 		if len(slice) > 0 {
 			slice[0] ^= 0xFF
@@ -199,6 +201,22 @@ func TestRoundtripsJWECorrupted(t *testing.T) {
 		return true
 	}
 
+	shorten := func(slice *[]byte) bool {
+		if len(*slice) > 0 {
+			*slice = (*slice)[:len(*slice)-1]
+			return false
+		}
+		return true
+	}
+
+	empty := func(slice *[]byte) bool {
+		if len(*slice) > 0 {
+			*slice = nil
+			return false
+		}
+		return true
+	}
+
 	corrupters := []func(*JSONWebEncryption) bool{
 		func(obj *JSONWebEncryption) bool {
 			// Set invalid ciphertext
@@ -216,6 +234,14 @@ func TestRoundtripsJWECorrupted(t *testing.T) {
 			// Mess with encrypted key
 			return bitflip(obj.recipients[0].encryptedKey)
 		},
+		func(obj *JSONWebEncryption) bool {
+			// Remove encrypted key
+			return empty(&obj.recipients[0].encryptedKey)
+		},
+		func(obj *JSONWebEncryption) bool {
+			// Shorten encrypted key
+			return shorten(&obj.recipients[0].encryptedKey)
+		},
 		func(obj *JSONWebEncryption) bool {
 			// Mess with GCM-KW auth tag
 			tag, _ := obj.protected.getTag()
diff --git a/jwe_test.go b/jwe_test.go
@@ -718,6 +718,55 @@ func TestJWEWithNullAlg(t *testing.T) {
 	}
 }
 
+func TestEmptyEncryptedKey(t *testing.T) {
+	// These inputs use key wrapping with an empty wrapped key.
+	// All fields except the unprotected header are empty; in particular "JWE Encrypted Key" is empty.
+	serializedCompact := `eyJhbGciOiJQQkVTMi1IUzUxMitBMjU2S1ciLCJjdHkiOiJhcHBsaWNhdGlvbi9qd2sranNvbiIsImVuYyI6IkEyNTZHQ00iLCJwMmMiOjIxMDAwMCwicDJzIjoiY000YyJ9....`
+	serializedJSON := `{"unprotected":{"alg":"PBES2-HS512+A256KW","cty":"application/jwk+json","enc":"A256GCM","p2c":210000,"p2s":"cM4c"}}`
+	acceptedAlgs := []KeyAlgorithm{PBES2_HS512_A256KW}
+	acceptedContentAlgs := []ContentEncryption{A256GCM}
+	item, err := ParseEncrypted(serializedCompact, acceptedAlgs, acceptedContentAlgs)
+	if err != nil {
+		t.Fatalf("ParseEncrypted(%q): %s", serializedCompact, err)
+	}
+
+	secret := []byte("valid-key-used-for-decryption")
+
+	// Note: we check this "want" value to distinguish from other error cases, but future refactorings to give
+	// a more useful error message would be okay.
+	want := "go-jose/go-jose: error in cryptographic primitive"
+	_, err = item.Decrypt(secret)
+	if err == nil {
+		t.Errorf("Decrypt() after ParseEncrypted() with empty encrypted key should fail")
+	} else if err.Error() != want {
+		t.Errorf("Decrypt() after ParseEncrypted() with empty encrypted key: got %q, want %q", err, want)
+	}
+
+	item, err = ParseEncryptedCompact(serializedCompact, acceptedAlgs, acceptedContentAlgs)
+	if err != nil {
+		t.Fatalf("ParseEncryptedCompact(%q): %s", serializedCompact, err)
+	}
+
+	_, err = item.Decrypt(secret)
+	if err == nil {
+		t.Errorf("Decrypt() after ParseEncryptedCompact() with empty encrypted key should fail")
+	} else if err.Error() != want {
+		t.Errorf("Decrypt() after ParseEncryptedCompact() with empty encrypted key: got %q, want %q", err, want)
+	}
+
+	item, err = ParseEncryptedJSON(serializedJSON, acceptedAlgs, acceptedContentAlgs)
+	if err != nil {
+		t.Fatalf("ParseEncryptedJSON(%q): %s", serializedJSON, err)
+	}
+
+	_, err = item.Decrypt(secret)
+	if err == nil {
+		t.Errorf("Decrypt() after ParseEncryptedJSON() with empty encrypted key should fail")
+	} else if err.Error() != want {
+		t.Errorf("Decrypt() after ParseEncryptedJSON() with empty encrypted key: got %q, want %q", err, want)
+	}
+}
+
 func BenchmarkParseEncryptedCompat(b *testing.B) {
 	msg := "eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhHQ00ifQ.dGVzdA.dGVzdA.dGVzdA.dGVzdA"
 	for range b.N {
diff --git a/symmetric.go b/symmetric.go
@@ -366,11 +366,21 @@ func (ctx *symmetricKeyCipher) encryptKey(cek []byte, alg KeyAlgorithm) (recipie
 
 // Decrypt the content encryption key.
 func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipientInfo, generator keyGenerator) ([]byte, error) {
-	switch headers.getAlgorithm() {
-	case DIRECT:
-		cek := make([]byte, len(ctx.key))
-		copy(cek, ctx.key)
-		return cek, nil
+	if recipient == nil {
+		return nil, fmt.Errorf("go-jose/go-jose: missing recipient")
+	}
+
+	alg := headers.getAlgorithm()
+	if alg == DIRECT {
+		return bytes.Clone(ctx.key), nil
+	}
+
+	encryptedKey := recipient.encryptedKey
+	if len(encryptedKey) == 0 {
+		return nil, fmt.Errorf("go-jose/go-jose: missing JWE Encrypted Key")
+	}
+
+	switch alg {
 	case A128GCMKW, A192GCMKW, A256GCMKW:
 		aead := newAESGCM(len(ctx.key))
 
@@ -385,7 +395,7 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
 
 		parts := &aeadParts{
 			iv:         iv.bytes(),
-			ciphertext: recipient.encryptedKey,
+			ciphertext: encryptedKey,
 			tag:        tag.bytes(),
 		}
 
@@ -401,7 +411,7 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
 			return nil, err
 		}
 
-		cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
+		cek, err := josecipher.KeyUnwrap(block, encryptedKey)
 		if err != nil {
 			return nil, err
 		}
@@ -445,7 +455,7 @@ func (ctx *symmetricKeyCipher) decryptKey(headers rawHeader, recipient *recipien
 			return nil, err
 		}
 
-		cek, err := josecipher.KeyUnwrap(block, recipient.encryptedKey)
+		cek, err := josecipher.KeyUnwrap(block, encryptedKey)
 		if err != nil {
 			return nil, err
 		}
