
feat: added support for direct symmetric key encryption alg ('dir')
The provider now (optionally) supports direct encryption for all
JWT-encryption enabled responses and objects

- ID Token
- UserInfo endpoint response
- Request Objects
- Token Introspection endpoint response
- JWT Authorization Endpoint responses

This also fixes the following (encryption keys were not properly derived before):
- symmetric encryption for JWT introspection responses
- symmetric encryption for JWT authorization responses

This also refactors

- client.keystore to be a lazy getter
- client.keystore.get to lazily derive client secret based keys as they
  are needed
panva committed Jun 25, 2019
1 parent 7dbd672 commit 1a50c82
Showing 13 changed files with 414 additions and 286 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -732,7 +732,7 @@ nodejs.
* IdToken constructor now requires the client instance
to be passed in as a second argument. IdToken instance `.sign()` now
takes just one argument with the options.
* when a symmetrical endpoint authentication signing alg
* when a symmetric endpoint authentication signing alg
is not specified the secret will be validated such that it can be used
with all available HS bit lengths
* audience helper `token` argument will no longer be
40 changes: 20 additions & 20 deletions docs/README.md
Expand Up @@ -2803,12 +2803,12 @@ _**default value**_:
'RSA-OAEP', 'RSA1_5',
// asymmetric ECDH-ES based
'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
// symmetric AES
'A128KW', 'A192KW', 'A256KW',
// symmetric AES GCM based
'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric AES key wrapping
'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric PBES2 + AES
'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
// direct encryption
'dir',
]
```
</details>
Expand Down Expand Up @@ -2900,12 +2900,12 @@ _**default value**_:
'RSA-OAEP', 'RSA1_5',
// asymmetric ECDH-ES based
'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
// symmetric AES
'A128KW', 'A192KW', 'A256KW',
// symmetric AES GCM based
'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric AES key wrapping
'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric PBES2 + AES
'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
// direct encryption
'dir',
]
```
</details>
Expand Down Expand Up @@ -2998,12 +2998,12 @@ _**default value**_:
'RSA-OAEP', 'RSA1_5',
// asymmetric ECDH-ES based
'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
// symmetric AES
'A128KW', 'A192KW', 'A256KW',
// symmetric AES GCM based
'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric AES key wrapping
'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric PBES2 + AES
'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
// direct encryption
'dir',
]
```
</details>
Expand Down Expand Up @@ -3128,12 +3128,12 @@ _**default value**_:
'RSA-OAEP', 'RSA1_5',
// asymmetric ECDH-ES based
'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
// symmetric AES
'A128KW', 'A192KW', 'A256KW',
// symmetric AES GCM based
'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric AES key wrapping
'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric PBES2 + AES
'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
// direct encryption
'dir',
]
```
</details>
Expand Down Expand Up @@ -3290,12 +3290,12 @@ _**default value**_:
'RSA-OAEP', 'RSA1_5',
// asymmetric ECDH-ES based
'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
// symmetric AES
'A128KW', 'A192KW', 'A256KW',
// symmetric AES GCM based
'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric AES key wrapping
'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
// symmetric PBES2 + AES
'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
// direct encryption
'dir',
]
```
</details>
2 changes: 1 addition & 1 deletion lib/actions/authorization/process_request_object.js
Expand Up @@ -33,7 +33,7 @@ module.exports = async function processRequestObject(PARAM_LIST, ctx, next) {
}

let decrypted;
if (/^(A|P)/.test(header.alg)) {
if (/^(A|P|dir$)/.test(header.alg)) {
decrypted = await JWT.decrypt(params.request, client.keystore);
trusted = true;
} else {
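Review bot: The symmetric-alg predicate `/^(A|P|dir$)/` is now duplicated verbatim between this line and the requestObjectEncryptionAlgValues filter in lib/helpers/configuration.js, so the next alg added to one can silently be missed by the other; export the predicate once from lib/consts/jwa.js (next to encryptionAlgValues) and use it in both places. The prefix match routes every alg beginning with 'A' or 'P' to the client-secret keystore, which is only safe if header.alg has already been validated against the configured alg list before this point — that check is not visible in the hunk, so it is presumably earlier in the function; a comment stating the precondition would help, e.g. `// alg is expected to be validated against requestObjectEncryptionAlgValues before this point; A*, P* and 'dir' all use client-secret derived keys`. processRequestObject begins before and continues past this hunk.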
6 changes: 4 additions & 2 deletions lib/consts/jwa.js
Expand Up @@ -7,12 +7,14 @@ const signingAlgValues = [
];

const encryptionAlgValues = [
// asymmetric
// asymmetric kw
'RSA-OAEP', 'RSA1_5',
'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
// symmetric
// symmetric kw
'A128GCMKW', 'A192GCMKW', 'A256GCMKW', 'A128KW', 'A192KW', 'A256KW',
'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
// no kw
'dir',
];

const encryptionEncValues = [
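Review bot: The new `// no kw` comment on 'dir' is terse next to the wording the docs in this commit use for the same lists ("direct encryption"), and it does not say what makes 'dir' different from the key-wrapping entries above it; since 'dir' uses the shared symmetric key directly as the content encryption key instead of wrapping a generated one, spell that out: `// direct encryption: the shared symmetric key is used as the CEK, no key wrapping`. The sibling comments would then read naturally as `// asymmetric key wrapping` and `// symmetric key wrapping`.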
2 changes: 1 addition & 1 deletion lib/helpers/configuration.js
Expand Up @@ -274,7 +274,7 @@ module.exports = class Configuration {
.filter(filterHSandNone);

this.requestObjectEncryptionAlgValues = this.features.encryption.enabled
? whitelist.requestObjectEncryptionAlgValues.filter(RegExp.prototype.test.bind(/^(A|P)/)) : [];
? whitelist.requestObjectEncryptionAlgValues.filter(RegExp.prototype.test.bind(/^(A|P|dir$)/)) : [];
this.requestObjectEncryptionEncValues = this.features.encryption.enabled
? whitelist.requestObjectEncryptionEncValues.slice() : [];
this.requestObjectSigningAlgValues = whitelist.requestObjectSigningAlgValues.slice();
40 changes: 20 additions & 20 deletions lib/helpers/defaults.js
Expand Up @@ -2131,12 +2131,12 @@ const DEFAULTS = {
* 'RSA-OAEP', 'RSA1_5',
* // asymmetric ECDH-ES based
* 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
* // symmetric AES
* 'A128KW', 'A192KW', 'A256KW',
* // symmetric AES GCM based
* 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric AES key wrapping
* 'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric PBES2 + AES
* 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
* // direct encryption
* 'dir',
* ]
* ```
*/
Expand All @@ -2158,12 +2158,12 @@ const DEFAULTS = {
* 'RSA-OAEP', 'RSA1_5',
* // asymmetric ECDH-ES based
* 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
* // symmetric AES
* 'A128KW', 'A192KW', 'A256KW',
* // symmetric AES GCM based
* 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric AES key wrapping
* 'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric PBES2 + AES
* 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
* // direct encryption
* 'dir',
* ]
* ```
*/
Expand All @@ -2184,12 +2184,12 @@ const DEFAULTS = {
* 'RSA-OAEP', 'RSA1_5',
* // asymmetric ECDH-ES based
* 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
* // symmetric AES
* 'A128KW', 'A192KW', 'A256KW',
* // symmetric AES GCM based
* 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric AES key wrapping
* 'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric PBES2 + AES
* 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
* // direct encryption
* 'dir',
* ]
* ```
*/
Expand All @@ -2211,12 +2211,12 @@ const DEFAULTS = {
* 'RSA-OAEP', 'RSA1_5',
* // asymmetric ECDH-ES based
* 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
* // symmetric AES
* 'A128KW', 'A192KW', 'A256KW',
* // symmetric AES GCM based
* 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric AES key wrapping
* 'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric PBES2 + AES
* 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
* // direct encryption
* 'dir',
* ]
* ```
*/
Expand All @@ -2238,12 +2238,12 @@ const DEFAULTS = {
* 'RSA-OAEP', 'RSA1_5',
* // asymmetric ECDH-ES based
* 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
* // symmetric AES
* 'A128KW', 'A192KW', 'A256KW',
* // symmetric AES GCM based
* 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric AES key wrapping
* 'A128KW', 'A192KW', 'A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW',
* // symmetric PBES2 + AES
* 'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
* // direct encryption
* 'dir',
* ]
* ```
*/
