I am trying to decrypt a compact JWE
formatted response message with the crypto.subtle
libraries.
I am sending to the Server my public key in JWK format
with curve algo ECDH-ES+A128KW
, encryption A256GCM
, curve name P-256
.
The server sends me back a compact JWE
response.
As I understand this flow, it should be something like:
- Client sends the public key to the Server
- Server responds to client back the
compact JWE
message - Client derives the shared
AES 128 KW
key based on servers public key and own private key - Client unwraps the
AES 128 GCM
key using the sharedAES 128 KW
key - Clients decrypts the ciphertext using the
AES 128 GCM
key.
When my code reaches the unwrapKey
step, i am only getting the error The operation failed for an operation-specific reason. At the moment I fail to find the problem.
My code looks like this right now:
export const decryptCompactJWE = async (
compactJWE: string,
privateKey: CryptoKey
) => {
const [protectedHeader, encryptedKey, iv, ciphertext, tag] =
compactJWE.split(".");
const header = JSON.parse(Buffer.from(protectedHeader, "base64").toString());
console.log("header:", header);
const publicKey = await crypto.subtle.importKey(
"jwk",
header.epk,
{
name: "ECDH",
namedCurve: "P-256",
},
true,
["deriveKey", "deriveBits"]
);
const derivedKey = await crypto.subtle.deriveKey(
{ name: "ECDH", public: publicKey },
privateKey,
{ name: "AES-KW", length: 128 },
true,
["unwrapKey"]
);
const myJWK = await crypto.subtle.exportKey("jwk", derivedKey);
console.log("jwk", myJWK);
const myAESKey = await crypto.subtle.unwrapKey(
"raw",
Buffer.from(encryptedKey, "base64url"),
derivedKey,
"AES-KW",
{ name: "AES-GCM" },
false,
["decrypt"]
);
console.log(myAESKey);
return crypto.subtle.decrypt(
{ name: "AES-GCM", iv: Buffer.from(iv, "base64url") },
myAESKey,
Buffer.from(ciphertext, "base64url")
);
};
Here is my test data:
const privateKey = {
kty: "EC",
crv: "P-256",
ext: true,
key_ops: ["deriveKey", "deriveBits"],
d: "vPZxnkg-j1xZ_8BZfH6jIvV52NvG2pxsZhmYgI9BEec",
x: "CorZZG9qa5korQ6eVLenbFz2QyGKkpoEYlAJxF1JzGA",
y: "yIEnQSGlMNVp6JEzZO3QvjQ0UDAwepzUZqwgsv0OTQE",
};
const JWE_RESPONSE = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhHQ00iLCJraWQiOiJhYmMxMjMiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiNmNReW1GUlJSTjVkVHdoOHA5dWx1NkgwS3paSkRGcm4xdjFKb2NzVURCUSIsInkiOiJTSGliQjFEMnBHMmVMbUxMV09HTTB4UUtCRDFpM3ZtZjJRNjZIM2RnbzJ3IiwiY3J2IjoiUC0yNTYifX0.OwriqBm-PXkIj_QwbqKZRVxql0sja2-p.UrZs5Ixu_rFCxpCw.z9Rfhw.m6AgqKsttsp9TV2dREgbWw";
So far I looked up a all examples I could find to implement this and based on those it kinda looks okay. The debugger is not stepping into the native crypto.subtle code and the error message is also not telling much about what is going wrong for me. The existing examples I found so far, are mostly less complex and skip the key derive part.
WebCrypto is a low level API that in particular does not support JWT/JWS/JWE, so decrypting the token with WebCrypto alone means a corresponding effort, since some functionalities have to be implemented by yourself.
According to the header, the token is encrypted with:
Here ECDH-ES+A128KW means that a shared secret is derived with ECDH, from which a wrapping key is determined using Concat KDF. With this key the encrypted key is unwrapped using AES-KW. Finally, the unwrapped key is applied to decrypt the content using AES-128/GCM, see here.
In the posted code Concat KDF is not taken into account. This and some other issues are the reason why decryption fails. Since WebCrypto does not support Concat KDF, a custom implementation is needed (or an additional library), which affects the whole implementation.
The following changes and fixes are required in the individual processing steps:
Deriving the shared secret
One of the inputs to Concat KDF is the shared secret. First, the private and the public key involved are imported. Then the shared secret can be determined most efficiently with
deriveBits()
.The gives as shared secret (hex encoded):
Keep in mind here:
Determining the wrapping key
From the shared secret the 16 bytes wrapping key can now be derived with Concat KDF. Concat KDF is described in Section 5.8.1 of NIST.800-56A. A JavaScript implementation can be found e.g. here.
Concat KDF has a number of other input data in addition to the shared secret, which are described here and illustrated here with an example. These are:
This gives as wrapping key (hex encoded):
Note that aside from the sample data in this question, the Concat KDF implementation adapted for above code has not been tested further!
Unwrapping of the encrypted key and decryption of the ciphertext
After importing the wrapping key, the encrypted key can be unwrapped (AES-KW). With the unwrapped key the ciphertext can be decrypted (AES-128, GCM).
The gives as decrypted data (UTF-8 decoded):
Note regarding AES/GCM that:
All together: