feat: feat: added support for direct symmetric key encryption alg (dir)

The client can now encrypt/decrypt JWTs using direct secret-derived symmetric encryption scheme
panva · Jun 27, 2019 · f1b4282 · f1b4282
1 parent 81e91ee
commit f1b4282
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 4 deletions.
diff --git a/lib/client.js b/lib/client.js
@@ -602,10 +602,10 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
 
     let keyOrStore;
 
-    if (expectedAlg.match(/^(RSA|ECDH)/)) {
+    if (expectedAlg.match(/^(?:RSA|ECDH)/)) {
       keyOrStore = instance(this).get('keystore');
     } else {
-      keyOrStore = await this.joseSecret(expectedAlg);
+      keyOrStore = await this.joseSecret(expectedAlg === 'dir' ? expectedEnc : expectedAlg);
     }
 
     const payload = jose.JWE.decrypt(idToken, keyOrStore);
@@ -1011,10 +1011,14 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
    * @api private
    */
   async joseSecret(alg) {
-    if (String(alg).match(/^A(\d{3})(?:GCM)?KW$/)) {
+    if (/^A(\d{3})(?:GCM)?KW$/.test(alg)) {
       return this.derivedKey(parseInt(RegExp.$1, 10));
     }
 
+    if (/^A(\d{3})(?:GCM|CBC-HS(\d{3}))$/.test(alg)) {
+      return this.derivedKey(parseInt(RegExp.$2 || RegExp.$1, 10));
+    }
+
     if (instance(this).has('jose_secret')) {
       return instance(this).get('jose_secret');
     }
@@ -1309,7 +1313,7 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
         use: 'enc',
       }, true);
     } else {
-      key = await this.joseSecret(fields.alg);
+      key = await this.joseSecret(fields.alg === 'dir' ? fields.enc : fields.alg);
     }
 
     return jose.JWE.encrypt(signed, key, {

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -3176,6 +3176,21 @@ describe('Client', () => {
           });
       });
 
+      it('encrypts for issuer using pre-shared client_secret (dir + A128CBC-HS256)', function () {
+        const client = new this.issuer.Client({
+          client_id: 'client_id',
+          client_secret: 'GfsT479VMy5ZZZPquadPbN3wKzaFGYo1CTkb0IFFzDNODLEAuC2GUV3QsTye3xNQ',
+          request_object_encryption_alg: 'dir',
+          request_object_encryption_enc: 'A128CBC-HS256',
+        });
+
+        return client.requestObject({ state: 'foobar' })
+          .then((encrypted) => {
+            const parts = encrypted.split('.');
+            expect(JSON.parse(base64url.decode(parts[0]))).to.contain({ alg: 'dir', enc: 'A128CBC-HS256', cty: 'JWT' }).and.not.have.property('kid');
+          });
+      });
+
       it('throws on non-object inputs', function () {
         const client = new this.issuer.Client({ client_id: 'client_id', request_object_signing_alg: 'none' });
         return client.requestObject(true).then(fail, (err) => {