jwtk/jjwt

JWE arbitrary content compression/decompression error

lhazlewood opened this issue · 0 comments

Discussed in #936

Originally posted by mnylen April 21, 2024
Hey!

I noticed that compression/decompression does not work when passing arbitrary content instead of claims.

The compression is not done at all, but the zip field in the header is set, and while parsing encrypted content, I get io.jsonwebtoken.CompressionException: Decompression failed. Cause: incorrect header check

Sample code below:

```java
import io.jsonwebtoken.Jwts;

public class Main {
  public static void main(final String[] args) {
    var secretKey = Jwts.ENC.A128GCM.key().build();

    // content() combined with compressWith(): the header gets zip=DEF,
    // but the payload bytes are not actually compressed
    var encodedJwe = Jwts
      .builder()
      .content("hello, world!")
      .compressWith(Jwts.ZIP.DEF)
      .encryptWith(secretKey, Jwts.ENC.A128GCM)
      .compact();

    System.out.println("encodedJwe: " + encodedJwe);

    // parsing sees zip=DEF, tries to inflate plain bytes and throws CompressionException
    var decodedJwe = Jwts.parser().decryptWith(secretKey).build().parseEncryptedContent(encodedJwe);
    System.out.println("decodedJwe: " + decodedJwe);
  }
}
```

Is this supposed to work? If not, maybe the builder shouldn't allow calling compact() if both content + compressWith are set, as this can produce unreadable JWEs.

In this example, the parseEncryptedContent() fails with this stack trace:

```
Exception in thread "main" io.jsonwebtoken.CompressionException: Decompression failed. Cause: incorrect header check
	at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
	at io.jsonwebtoken.lang.Classes.instantiate(Classes.java:274)
	at io.jsonwebtoken.impl.lang.PropagatingExceptionFunction.apply(PropagatingExceptionFunction.java:69)
	at io.jsonwebtoken.impl.compression.AbstractCompressionAlgorithm.decompress(AbstractCompressionAlgorithm.java:143)
	at io.jsonwebtoken.impl.Payload.decompress(Payload.java:129)
	at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:592)
	at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:362)
	at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:94)
	at io.jsonwebtoken.impl.io.AbstractParser.parse(AbstractParser.java:36)
	at io.jsonwebtoken.impl.io.AbstractParser.parse(AbstractParser.java:29)
	at io.jsonwebtoken.impl.DefaultJwtParser.parseEncryptedContent(DefaultJwtParser.java:866)
        at ...
Caused by: java.util.zip.ZipException: incorrect header check
	at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:181)
	at java.base/java.io.FilterInputStream.read(FilterInputStream.java:95)
	at io.jsonwebtoken.impl.compression.AbstractCompressionAlgorithm.doDecompress(AbstractCompressionAlgorithm.java:161)
	at io.jsonwebtoken.impl.compression.DeflateCompressionAlgorithm.doDecompress(DeflateCompressionAlgorithm.java:54)
	at io.jsonwebtoken.impl.compression.AbstractCompressionAlgorithm$4.apply(AbstractCompressionAlgorithm.java:85)
	at io.jsonwebtoken.impl.compression.AbstractCompressionAlgorithm$4.apply(AbstractCompressionAlgorithm.java:82)
	at io.jsonwebtoken.impl.lang.PropagatingExceptionFunction.apply(PropagatingExceptionFunction.java:57)
	... 9 more
```
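Added example (editor's code, not part of the original report and not jjwt project code): a small Java class that first probes whether `compressWith()` round-trips arbitrary content on the jjwt version in use, and then shows a workaround that keeps compression entirely outside the library: deflate the bytes yourself, pass them via `content(byte[])` without calling `compressWith()`, and inflate after `parseEncryptedContent()`. The header parameter name `x-zip`, the class and method names, and the 1 MiB inflation cap are assumptions of this example; the only jjwt calls used are `Jwts.builder()`, `header().add(...).and()`, `content(byte[])`, `encryptWith(...)`, `compact()`, `Jwts.parser().decryptWith(...)`, `parseEncryptedContent(...)`, `getHeader()` and `getPayload()`. A private header name is used on purpose so the parser does not see `zip` and attempt its own decompression.

```java
import io.jsonwebtoken.CompressionException;
import io.jsonwebtoken.Jwe;
import io.jsonwebtoken.Jwts;

import javax.crypto.SecretKey;
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.zip.DataFormatException;
import java.util.zip.Deflater;
import java.util.zip.Inflater;

public class JweContentCompressionWorkaround {

    // Hypothetical private header parameter (assumption of this example). Deliberately NOT "zip",
    // so the jjwt parser leaves the payload alone and we inflate it ourselves.
    static final String ZIP_HEADER = "x-zip";

    // Upper bound on inflated size: never inflate without a cap (decompression-bomb guard).
    static final int MAX_INFLATED_BYTES = 1 << 20;

    // zlib-wrapped DEFLATE via java.util.zip.Deflater defaults; both sides of this example agree on it.
    static byte[] deflate(byte[] input) {
        Deflater deflater = new Deflater();
        deflater.setInput(input);
        deflater.finish();
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        while (!deflater.finished()) {
            out.write(buf, 0, deflater.deflate(buf));
        }
        deflater.end();
        return out.toByteArray();
    }

    static byte[] inflate(byte[] input) throws DataFormatException {
        Inflater inflater = new Inflater();
        inflater.setInput(input);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] buf = new byte[1024];
        try {
            while (!inflater.finished()) {
                int n = inflater.inflate(buf);
                if (n == 0 && (inflater.needsInput() || inflater.needsDictionary())) {
                    throw new DataFormatException("truncated or unsupported DEFLATE stream");
                }
                if (out.size() + n > MAX_INFLATED_BYTES) {
                    throw new DataFormatException("inflated payload exceeds " + MAX_INFLATED_BYTES + " bytes");
                }
                out.write(buf, 0, n);
            }
        } finally {
            inflater.end();
        }
        return out.toByteArray();
    }

    // Probe: does the library's own compressWith() round-trip arbitrary content on this version?
    // Returns false when parsing throws CompressionException, as in the report above.
    static boolean libraryCompressionRoundTrips(SecretKey key) {
        String compact = Jwts.builder()
                .content("hello, world!")
                .compressWith(Jwts.ZIP.DEF)
                .encryptWith(key, Jwts.ENC.A128GCM)
                .compact();
        try {
            byte[] payload = Jwts.parser().decryptWith(key).build().parseEncryptedContent(compact).getPayload();
            return "hello, world!".equals(new String(payload, StandardCharsets.UTF_8));
        } catch (CompressionException e) {
            return false;
        }
    }

    // Workaround: compress before handing the bytes to jjwt; no compressWith() call at all.
    static String encryptCompressed(SecretKey key, String text) {
        byte[] compressed = deflate(text.getBytes(StandardCharsets.UTF_8));
        return Jwts.builder()
                .header().add(ZIP_HEADER, "DEF").and()
                .content(compressed)
                .encryptWith(key, Jwts.ENC.A128GCM)
                .compact();
    }

    static String decryptCompressed(SecretKey key, String compact) throws DataFormatException {
        Jwe<byte[]> jwe = Jwts.parser().decryptWith(key).build().parseEncryptedContent(compact);
        if (!"DEF".equals(jwe.getHeader().get(ZIP_HEADER))) {
            throw new IllegalStateException("missing " + ZIP_HEADER + " header parameter");
        }
        // Payload is AEAD-authenticated by now, so only a key holder could have produced it;
        // the size cap in inflate() still applies.
        return new String(inflate(jwe.getPayload()), StandardCharsets.UTF_8);
    }

    // Protected header of a compact JWE: first dot-separated segment, Base64URL without padding.
    static String protectedHeader(String compact) {
        String b64 = compact.substring(0, compact.indexOf('.'));
        return new String(Base64.getUrlDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        SecretKey key = Jwts.ENC.A128GCM.key().build();
        System.out.println("library compressWith() round-trips: " + libraryCompressionRoundTrips(key));
        String compact = encryptCompressed(key, "hello, world!");
        System.out.println("protected header: " + protectedHeader(compact));
        System.out.println("decrypted: " + decryptCompressed(key, compact));
    }
}
```

`protectedHeader()` is there so you can confirm what the first segment actually says: on an affected version the probe's token carries `"zip":"DEF"` even though the payload is plain, while the workaround's token carries only the private `x-zip` parameter, which the jjwt parser ignores. Once the library behaviour is fixed, the probe returns true and the manual deflate/inflate can be dropped in favour of `compressWith(Jwts.ZIP.DEF)`.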