Skip to content

Commit 8da90cc

Browse files
SpomkySpomky
committed
Check IV and CEK sizes correspond to the algorithms requirements
1 parent 622a7e0 commit 8da90cc

File tree

1 file changed

+25
-0
lines changed

1 file changed

+25
-0
lines changed

src/Component/Encryption/JWEDecrypter.php

Lines changed: 25 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -125,6 +125,8 @@ private function decryptRecipientKey(JWE $jwe, JWKSet $jwkset, int $i): ?string
125125
$key_encryption_algorithm = $this->getKeyEncryptionAlgorithm($completeHeader);
126126
$content_encryption_algorithm = $this->getContentEncryptionAlgorithm($completeHeader);
127127

128+
$this->checkIvSize($jwe->getIV(), $content_encryption_algorithm->getIVSize());
129+
128130
foreach ($jwkset as $jwk) {
129131
try {
130132
KeyChecker::checkKeyUsage($jwk, 'decryption');
@@ -135,6 +137,8 @@ private function decryptRecipientKey(JWE $jwe, JWKSet $jwkset, int $i): ?string
135137
}
136138
$cek = $this->decryptCEK($key_encryption_algorithm, $content_encryption_algorithm, $jwk, $recipient, $completeHeader);
137139
if (null !== $cek) {
140+
$this->checkCekSize($cek, $key_encryption_algorithm, $content_encryption_algorithm);
141+
138142
return $this->decryptPayload($jwe, $cek, $content_encryption_algorithm, $completeHeader);
139143
}
140144
} catch (\Exception $e) {
@@ -146,6 +150,27 @@ private function decryptRecipientKey(JWE $jwe, JWKSet $jwkset, int $i): ?string
146150
return null;
147151
}
148152

153+
private function checkCekSize(string $cek, KeyEncryptionAlgorithm $keyEncryptionAlgorithm, ContentEncryptionAlgorithm $algorithm): void
154+
{
155+
if ($keyEncryptionAlgorithm instanceof DirectEncryption || $keyEncryptionAlgorithm instanceof KeyAgreement) {
156+
return;
157+
}
158+
if (mb_strlen($cek, '8bit') !== $algorithm->getCEKSize() / 8) {
159+
var_dump(mb_strlen($cek, '8bit'), $algorithm->getCEKSize() / 8);
160+
throw new \InvalidArgumentException('Invalid CEK size');
161+
}
162+
}
163+
164+
private function checkIvSize(?string $iv, int $requiredIvSize): void
165+
{
166+
if (null === $iv && 0 !== $requiredIvSize) {
167+
throw new \InvalidArgumentException('Invalid IV size');
168+
}
169+
if (\is_string($iv) && mb_strlen($iv, '8bit') !== $requiredIvSize / 8) {
170+
throw new \InvalidArgumentException('Invalid IV size');
171+
}
172+
}
173+
149174
private function checkRecipients(JWE $jwe)
150175
{
151176
if (0 === $jwe->countRecipients()) {

0 commit comments

Comments
 (0)