Dangerous error handling resulting in an all-zero encryptedKey

[TaaviE]

In PKI.js/src/EnvelopedData.ts, the error is silently ignored, resulting in an all-zero encryptedKey.

PKI.js/src/EnvelopedData.ts

Lines 997 to 1005 in 1bb60c2

	const encryptedKey = await crypto.encrypt(publicKey.algorithm, publicKey, exportedSessionKey);
	//#region RecipientEncryptedKey
	recipientInfo.encryptedKey = new asn1js.OctetString({ valueHex: encryptedKey });
	//#endregion
	}
	catch {
	// nothing
	}

encrypt can very visibly throw, so this is very dangerous in practice:

PKI.js/src/EnvelopedData.ts

Line 870 in 1bb60c2

throw new Error(`Incorrect curve OID for index ${index}`);

A cryptographic library must not return invalid data nor ignore errors. A flaw like that should get a security advisory.