Error decrypting JWE created from jose in v4.3.4 vs node-jose in v4.0.7 #692
Describe the bug

I am currently working on using MockPass with MyInfo Gov Client in my Demo App.

When calling the `/person` endpoint for MyInfo Personal in MockPass, the JWE from the response cannot be decrypted by MyInfoGovClient, namely `_decryptJWE()` in https://github.com/opengovsg/myinfo-gov-client/blob/v4.1.2/src/MyInfoGovClient.class.ts, as it assumes the payload is wrapped in quotes and attempts `JSON.parse()`.

Traced it to the payload not being wrapped in quotes, due to the switch from the `node-jose` package to the `jose` package in MockPass.

To Reproduce

Steps to reproduce the behavior:

1. Use the following function to decrypt the JWE (adapted from `_decryptJWE()` in https://github.com/opengovsg/myinfo-gov-client/blob/v4.1.2/src/MyInfoGovClient.class.ts):
2. Use the above function to decrypt the JWE returned by `encryptPersona()` in v4.3.4 of MockPass, i.e. https://github.com/opengovsg/mockpass/blob/v4.3.4/lib/express/myinfo/controllers.js, and an error will occur.
3. Use the above function to decrypt the JWE returned by `encryptPersona()` in v4.0.7 of MockPass, i.e. https://github.com/opengovsg/mockpass/blob/v4.0.7/lib/express/myinfo/controllers.js, and the original persona will be returned.

Expected behavior

While this is definitely breaking backwards compatibility, I'm not sure whether the payload is supposed to be wrapped in quotes in the 1st place.

Comments

Thanks for the detailed note. In RFC 7519 Appendix A.2, the example of a nested JWT takes just the JWS Compact Serialization form (without enclosing in quotes) as the plaintext/message for the JWE. I think that in general, JWS-in-JWE does not need to wrap the JWS in quotes / turn it into a JSON string prior to running the JWE. The Myinfo v3 spec (v3.2.6) is silent about this detail, but the code sample does have an extra JSON parse step, as myinfo-gov-client is doing, so that implies that it's required as a Myinfo-specific JWS-in-JWE implementation detail. Looks like a bug, from a regression in https://github.com/opengovsg/mockpass/pull/563/files#diff-3014c5111aef85faf3eeab80a6ef706e213621b4fea8b2c9c087f2b7c5681b47L42

Thanks for the reference to the RFC and MyInfo specs. It seems that the wrapping in quotes was a result of the Tried removing the
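As an added example (not code from MockPass, myinfo-gov-client or either jose library): a plaintext-unwrapping step that accepts both JWE plaintext shapes this issue contrasts, the raw JWS Compact Serialization that RFC 7519 Appendix A.2 uses and the JSON-string-wrapped form that the client's `JSON.parse()` step expects, and rejects anything that is not a well-formed compact JWS. The function name `unwrapNestedJws` and the sample token are assumptions; it uses Node.js built-ins only and leaves JWE decryption and JWS signature verification to the caller.

```javascript
// Added example; not code from MockPass or myinfo-gov-client.
// Input: the decrypted JWE plaintext (Buffer or string). Output: the compact JWS
// string to hand to signature verification, whichever of the two shapes was used.

const COMPACT_JWS = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*\.[A-Za-z0-9_-]*$/;

function decodeB64urlJson(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

// Returns the compact JWS string, or throws if the plaintext is neither form.
function unwrapNestedJws(plaintext) {
  const text = Buffer.isBuffer(plaintext) ? plaintext.toString('utf8') : String(plaintext);
  let candidate = text;
  // Quoted form (node-jose era MockPass): the plaintext is a JSON string literal.
  if (text.startsWith('"')) {
    const parsed = JSON.parse(text);
    if (typeof parsed !== 'string') {
      throw new TypeError('JWE plaintext is JSON but not a string');
    }
    candidate = parsed;
  }
  // Raw form (jose-based MockPass, RFC 7519 A.2): the plaintext is the JWS itself.
  if (!COMPACT_JWS.test(candidate)) {
    throw new TypeError('JWE plaintext is not a JWS Compact Serialization');
  }
  // Sanity-check the protected header before passing the JWS on to verification.
  const header = decodeB64urlJson(candidate.split('.')[0]);
  if (header === null || typeof header !== 'object' || typeof header.alg !== 'string') {
    throw new TypeError('nested JWS protected header is missing alg');
  }
  return candidate;
}

// Constructed sample: a syntactically valid compact JWS (header.payload.signature)
// with a placeholder signature; it is not signed by any real key.
const sampleJws = [
  Buffer.from(JSON.stringify({ alg: 'ES256', typ: 'JWT' })).toString('base64url'),
  Buffer.from(JSON.stringify({ sub: 'S1234567A' })).toString('base64url'),
  'c2lnbmF0dXJl',
].join('.');

const fromRawPlaintext = unwrapNestedJws(sampleJws);                    // jose-style plaintext
const fromQuotedPlaintext = unwrapNestedJws(JSON.stringify(sampleJws)); // node-jose-style plaintext
```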