fix: allow ECDH-ES with AES_CBC_HMAC_SHA2 key sizes larger than 256 bits

panva · Jan 25, 2020 · a65e9c4 · a65e9c4
1 parent 34206e7
commit a65e9c4
Show file tree

Hide file tree

Showing 3 changed files with 1 addition and 63 deletions.
diff --git a/lib/helpers/client_schema.js b/lib/helpers/client_schema.js
@@ -321,18 +321,6 @@ module.exports = function getSchema(provider) {
         this.sector_identifier_uri = undefined;
       }
 
-      [
-        'authorization_encrypted_response_enc',
-        'id_token_encrypted_response_enc',
-        'introspection_encrypted_response_enc',
-        'request_object_encryption_enc',
-        'userinfo_encrypted_response_enc',
-      ].forEach((attr) => {
-        if (['A192CBC-HS384', 'A256CBC-HS512'].includes(this[attr]) && this[attr.replace(/_enc$/, '_alg')] === 'ECDH-ES') {
-          this.invalidate(`${this[attr]} is not possible with ECDH-ES`);
-        }
-      });
-
       // SECTOR IDENTIFIER VALIDATION
       sectorIdentifier({
         subjectType: this.subject_type,

diff --git a/package.json b/package.json
@@ -53,7 +53,7 @@
     "debug": "^4.1.1",
     "ejs": "^3.0.1",
     "got": "^9.6.0",
-    "jose": "^1.20.0",
+    "jose": "^1.21.1",
     "jsesc": "^2.5.2",
     "koa": "^2.11.0",
     "koa-compose": "^4.1.0",

diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -631,16 +631,6 @@ describe('Client metadata validation', () => {
         allows(this.title, value, {
           jwks: { keys: [sigKey] },
         }, configuration);
-        if (value === 'ECDH-ES') {
-          rejects(this.title, value, 'A192CBC-HS384 is not possible with ECDH-ES', {
-            id_token_encrypted_response_enc: 'A192CBC-HS384',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-          rejects(this.title, value, 'A256CBC-HS512 is not possible with ECDH-ES', {
-            id_token_encrypted_response_enc: 'A256CBC-HS512',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-        }
       });
       rejects(this.title, 'not-an-alg', undefined, undefined, configuration);
     });
@@ -693,16 +683,6 @@ describe('Client metadata validation', () => {
         allows(this.title, value, {
           jwks: { keys: [sigKey] },
         }, configuration);
-        if (value === 'ECDH-ES') {
-          rejects(this.title, value, 'A192CBC-HS384 is not possible with ECDH-ES', {
-            userinfo_encrypted_response_enc: 'A192CBC-HS384',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-          rejects(this.title, value, 'A256CBC-HS512 is not possible with ECDH-ES', {
-            userinfo_encrypted_response_enc: 'A256CBC-HS512',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-        }
       });
       rejects(this.title, 'not-an-alg', undefined, undefined, configuration);
     });
@@ -756,16 +736,6 @@ describe('Client metadata validation', () => {
         allows(this.title, value, {
           jwks: { keys: [sigKey] },
         }, configuration);
-        if (value === 'ECDH-ES') {
-          rejects(this.title, value, 'A192CBC-HS384 is not possible with ECDH-ES', {
-            introspection_encrypted_response_enc: 'A192CBC-HS384',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-          rejects(this.title, value, 'A256CBC-HS512 is not possible with ECDH-ES', {
-            introspection_encrypted_response_enc: 'A256CBC-HS512',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-        }
       });
       rejects(this.title, 'not-an-alg', undefined, undefined, configuration);
     });
@@ -819,16 +789,6 @@ describe('Client metadata validation', () => {
         allows(this.title, value, {
           jwks: { keys: [sigKey] },
         }, configuration);
-        if (value === 'ECDH-ES') {
-          rejects(this.title, value, 'A192CBC-HS384 is not possible with ECDH-ES', {
-            authorization_encrypted_response_enc: 'A192CBC-HS384',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-          rejects(this.title, value, 'A256CBC-HS512 is not possible with ECDH-ES', {
-            authorization_encrypted_response_enc: 'A256CBC-HS512',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-        }
       });
       rejects(this.title, 'not-an-alg', undefined, undefined, configuration);
     });
@@ -886,16 +846,6 @@ describe('Client metadata validation', () => {
         'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
       ].filter(Boolean).forEach((value) => {
         allows(this.title, value, undefined, configuration);
-        if (value === 'ECDH-ES') {
-          rejects(this.title, value, 'A192CBC-HS384 is not possible with ECDH-ES', {
-            request_object_encryption_enc: 'A192CBC-HS384',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-          rejects(this.title, value, 'A256CBC-HS512 is not possible with ECDH-ES', {
-            request_object_encryption_enc: 'A256CBC-HS512',
-            jwks: { keys: [sigKey] },
-          }, configuration);
-        }
       });
       rejects(this.title, 'not-an-alg', undefined, undefined, configuration);
     });