JWE class doesn't copy the input headers
ehsanidme opened this issue · 8 comments
When I use the `encrypt` method of the `JWT` class https://github.com/nov/json-jwt/blob/master/lib/json/jwt.rb#L45, in the encrypted result, the headers that I had in my jwt object get dropped (I set the `cty` header but it gets dropped in the result of that method). I think it is because the `JWE` class initializer doesn't copy headers similar to the `JWS` class. https://github.com/nov/json-jwt/blob/master/lib/json/jwe.rb#L26

I think there was a similar issue for the `JWS` class that was fixed here: #37

JWS signs the JWT itself, thus the JWT header becomes the JWS header too.
JWE encrypts the JWT as payload, thus the JWT header is also encrypted as part of the JWE payload.

```ruby
jwt = JSON::JWT.new(claims)
# set the content type header
jwt.cty = :JWT
# sign the JWT and convert to JWS
jwt = jwt.sign(private_key, algorithm)
# encrypt the JWT and convert to JWE
jwt = jwt.encrypt(public_key, enc_alg, enc_method)
```

The `cty` header won't be part of the object that is returned on the last line.

it's intended.

In that case, how can I include the `cty` header in my encrypted jwt?

it's in the payload of JWE.
if you see the JWT header content in the JWE header, it's not encrypted.
you want to encrypt them right?

Consider it like the `alg` header, where it is being set before calling the encrypt method here https://github.com/nov/json-jwt/blob/master/lib/json/jwt.rb#L47.

Here is a JWE object in the screenshot, as you see `kid`, `alg` and `enc`; I just want to have `cty` in that list.

Ok I see, the payload already has that. Thanks for pointing that out.

@nov based on https://datatracker.ietf.org/doc/html/rfc7519#section-5.2, we should set `cty` on JWE or JWS when the token is signed or encrypted. The problem is the `encrypt` method in the JWT class doesn't set the `cty`, and if we set it after we get the JWE object from the `encrypt` method, then the token fails due to tampering (since it was done after encryption). Shouldn't `cty` get set on the JWE that gets created in `JWT.encrypt()`?
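Added example, not part of this thread and not code from the json-jwt gem: a self-contained nested JWT (JWS inside JWE) built with only Ruby's OpenSSL stdlib, to show the two points made above. The JWE protected header is the AEAD associated data, so `cty` has to be in the header before `encrypt` runs, and a `cty` patched in afterwards fails authentication, which is what the last comment describes. HS256 for the inner JWS and `alg: dir` with A256GCM for the outer JWE are stand-ins chosen to keep the example free of key management; the keys, claims and all function names (`NestedJwtDemo`, `nested_token`, `unwrap`, `set_header_after_encryption`) are constructed for this illustration.

```ruby
require 'openssl'
require 'json'
require 'base64'

# Constructed demo of a nested JWT (JWS inside JWE) using only Ruby's OpenSSL
# stdlib. It is NOT the json-jwt gem: HS256 for the inner JWS and "dir" + A256GCM
# for the outer JWE keep the example self-contained.
module NestedJwtDemo
  # Constructed keys for the demo; real deployments load these from a secret store.
  HMAC_SECRET = 'constructed-hmac-secret-for-demo'.freeze
  CEK = OpenSSL::Digest::SHA256.digest('constructed-content-encryption-key').freeze

  module_function

  def b64url(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  def unb64url(str)
    Base64.urlsafe_decode64(str)
  end

  # Inner token: compact JWS header.payload.signature (RFC 7515).
  def sign_hs256(claims, secret = HMAC_SECRET)
    header = b64url(JSON.generate('alg' => 'HS256', 'typ' => 'JWT'))
    payload = b64url(JSON.generate(claims))
    sig = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
    "#{header}.#{payload}.#{b64url(sig)}"
  end

  # Returns the claims, or nil when the signature does not verify.
  def verify_hs256(jws, secret = HMAC_SECRET)
    header, payload, sig = jws.split('.')
    expected = OpenSSL::HMAC.digest('SHA256', secret, "#{header}.#{payload}")
    return nil unless constant_time_equal?(expected, unb64url(sig))
    JSON.parse(unb64url(payload))
  end

  # Outer token: compact JWE header..iv.ciphertext.tag (RFC 7516). With alg "dir"
  # the encrypted-key segment is empty. The base64url protected header is the GCM
  # additional authenticated data, so every header (cty included) must be in place
  # BEFORE encryption; it is covered by the tag.
  def encrypt_dir_a256gcm(plaintext, extra_header = {}, cek = CEK)
    header = b64url(JSON.generate({ 'alg' => 'dir', 'enc' => 'A256GCM' }.merge(extra_header)))
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = cek
    iv = cipher.random_iv # fresh 12-byte nonce; must never repeat under one key
    cipher.auth_data = header
    ciphertext = cipher.update(plaintext) + cipher.final
    [header, '', b64url(iv), b64url(ciphertext), b64url(cipher.auth_tag)].join('.')
  end

  # Returns [protected_header, plaintext]; raises OpenSSL::Cipher::CipherError
  # when the header, ciphertext or tag were altered after encryption.
  def decrypt_dir_a256gcm(jwe, cek = CEK)
    header, _enc_key, iv, ciphertext, tag = jwe.split('.', -1)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = cek
    cipher.iv = unb64url(iv)
    cipher.auth_tag = unb64url(tag)
    cipher.auth_data = header
    plaintext = cipher.update(unb64url(ciphertext)) + cipher.final
    [JSON.parse(unb64url(header)), plaintext]
  end

  # The correct flow from the thread: sign first, then encrypt with cty set up front.
  def nested_token(claims)
    encrypt_dir_a256gcm(sign_hs256(claims), 'cty' => 'JWT')
  end

  # Unwrap a nested token, honouring cty: the decrypted payload is only treated
  # as a JWT when the outer header says so (RFC 7519 section 5.2).
  def unwrap(jwe)
    header, inner = decrypt_dir_a256gcm(jwe)
    return nil unless header['cty'].to_s.casecmp('JWT').zero?
    verify_hs256(inner)
  end

  # What setting cty after encryption amounts to: the header segment is rebuilt,
  # but the GCM tag was computed over the old header, so decryption now fails.
  def set_header_after_encryption(jwe, extra_header)
    header, *rest = jwe.split('.', -1)
    patched = b64url(JSON.generate(JSON.parse(unb64url(header)).merge(extra_header)))
    [patched, *rest].join('.')
  end

  def decryptable?(jwe)
    decrypt_dir_a256gcm(jwe)
    true
  rescue OpenSSL::Cipher::CipherError
    false
  end

  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

`NestedJwtDemo.nested_token('sub' => 'alice')` produces a JWE whose protected header carries `cty: JWT`, and `unwrap` round-trips it back to the claims. Taking a JWE built without `cty` and passing it through `set_header_after_encryption` yields a token that `decryptable?` rejects, which is the tampering failure the last comment reports; the only place the header can be set is before the content encryption runs, which in the gem corresponds to setting it before calling `encrypt`, as the `alg` header is.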