Skip to content

Allow dynamic detection of decryption keys #10

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Allow dynamic detection of decryption keys #10

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,27 @@ plaintext = JWE.decrypt(encrypted, key)
puts plaintext #"The quick brown fox jumps over the lazy dog."
```

This example dynamically detects the key to use during decryption.

```ruby
require 'jwe'

keys = {
'A128GCM' => OpenSSL::PKey::RSA.generate(2048),
'A192GCM' => OpenSSL::PKey::RSA.generate(2048)
}
payload = "The quick brown fox jumps over the lazy dog."

encrypted = JWE.encrypt(payload, keys['A192GCM'], enc: 'A192GCM')
puts encrypted

plaintext = JWE.decrypt(encrypted, nil) do |headers|
enc = headers['enc']
keys[enc]
end
puts plaintext #"The quick brown fox jumps over the lazy dog."
```

## Available Algorithms

The RFC 7518 JSON Web Algorithms (JWA) spec defines the algorithms for [encryption](https://tools.ietf.org/html/rfc7518#section-5.1)
Expand Down
4 changes: 3 additions & 1 deletion lib/jwe.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,14 +39,16 @@ def self.encrypt(payload, key, alg: 'RSA-OAEP', enc: 'A128GCM', zip: nil)
Serialization::Compact.encode(header.to_json, encrypted_cek, cipher.iv, ciphertext, cipher.tag)
end

def self.decrypt(payload, key)
def self.decrypt(payload, key, &keyfinder)
header, enc_key, iv, ciphertext, tag = Serialization::Compact.decode(payload)
header = JSON.parse(header)
base64header = payload.split('.').first

raise ArgumentError.new("\"#{header['alg']}\" is not a valid alg method") unless VALID_ALG.include?(header['alg'])
raise ArgumentError.new("\"#{header['enc']}\" is not a valid enc method") unless VALID_ENC.include?(header['enc'])
raise ArgumentError.new("\"#{header['zip']}\" is not a valid zip method") unless header['zip'].nil? || VALID_ZIP.include?(header['zip'])

key = yield(header) if keyfinder
raise ArgumentError.new('The key must not be nil or blank') if key.nil? || (key.is_a?(String) && key.strip == '')

cek = Alg.for(header['alg']).new(key).decrypt(enc_key)
Expand Down
9 changes: 9 additions & 0 deletions spec/jwe_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,15 @@
end
end

it 'allows dynamic key detection' do
encrypted = JWE.encrypt(plaintext, rsa_key)
result = JWE.decrypt(encrypted, nil) do |header|
rsa_key
end

expect(result).to eq plaintext
end

it 'raises when passed a bad alg' do
expect { JWE.encrypt(plaintext, rsa_key, alg: 'TEST') }.to raise_error(ArgumentError)
end
Expand Down