Regarding the JWE Proxy sample

@Dino I was trying the proxy using the Java callout for decryption. The Java callout decryption policy has some properties that need to be set.

I was trying to change the algorithm to A128GCM. It worked fine. For a fail-case scenario, I set the algorithm property to some random value, say "hello". The proxy is still working. I am not able to work out exactly which algorithm is being called internally, so that the proxy is giving the result in encrypted format even if I am not providing a meaningful algorithm name. It should throw some exception, which is not happening. Please let me know. I want to implement the A128GCM algorithm.

Hi, can you show the specific configuration of the JWE callout policy?

I just tried this and got the expected runtime error "invalid algorithm".

See below for my configuration and the exception (shown in Trace)

3423-java-callout-config.png

And the exception:

3424-unsupported-algorithm.png

@Dino, could you please check the same by not providing the correct algorithm in the case of the JWE Decryption callout policy? I am afraid it's not checking for proper algorithm names.

Hi. I'm sorry, I don't understand what you're asking for, here.

Are you asking that the JWE callout perform validation of the algorithm name?

It does throw an exception when you use an invalid algorithm. What specifically would you like it to do, that it is not currently doing?

3508-jwe-decrypt.jpg

For the Encryption callout it is running fine, throwing an invalid algorithm exception.

But for the Decryption part it is not checking for algorithm validation, though it is able to decrypt the JWE. I just wanted to know how it is able to decrypt without specifying the algorithm name. Please find the attached screenshot.

@Surya Prakash Sahoo ok, I'm clear.

I've checked the code. In fact the JWE itself specifies the algorithm that must be used for decryption. For decryption, there is no need to specify the algorithm. (In fact the callout was not reading this property at all). So in your case, the JWE was decrypted successfully.

But, I can see that there may be a case where, after decryption, you'd like to verify that a particular encryption algorithm was used. Accordingly, I have modified the JWE Decryptor callout.

Now, if you specify an algorithm property, then the callout verifies that the algorithm included in the JWE matches the one provided in the property. If you do not specify an algorithm property, then the JWE Decryptor callout does not verify that the algorithm is any particular value. This is somewhat permissive, and therefore probably not what you want, but in some cases it might be.

"git pull" the latest code to get this behavior.
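
The kind of check described in the reply above, sketched in Python as an added example (not part of the thread and not the callout's own code): it reads the `alg` and `enc` values that the JWE protected header declares and compares them with configured expectations, without touching any key material. The function and parameter names are hypothetical, and the sample token is constructed with placeholder segments rather than real ciphertext.

```python
import base64
import json


class JweHeaderError(ValueError):
    """Raised when the JWE is malformed or its header violates policy."""


def _b64url_decode(segment):
    # Compact JWE uses unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def read_protected_header(compact_jwe):
    """Return the protected header of a compact JWE without decrypting it."""
    parts = compact_jwe.split(".")
    if len(parts) != 5:  # header.encrypted_key.iv.ciphertext.tag
        raise JweHeaderError("not a compact JWE: expected 5 segments")
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError as exc:  # covers base64, UTF-8 and JSON errors
        raise JweHeaderError("protected header is not base64url JSON") from exc
    if not isinstance(header, dict):
        raise JweHeaderError("protected header must be a JSON object")
    return header


def enforce_algorithms(compact_jwe, expected_alg=None, expected_enc=None):
    """Reject the token if its declared algorithms do not match policy.

    None means "accept whatever the token declares", i.e. the permissive
    mode the reply warns about.
    """
    header = read_protected_header(compact_jwe)
    for name, expected in (("alg", expected_alg), ("enc", expected_enc)):
        actual = header.get(name)
        if not isinstance(actual, str):
            raise JweHeaderError(f"header is missing '{name}'")
        if expected is not None and actual != expected:
            raise JweHeaderError(f"'{name}' is {actual!r}, expected {expected!r}")
    return header


def make_sample_jwe(alg, enc):
    # Constructed sample: real header, placeholder bytes for other segments.
    segments = [json.dumps({"alg": alg, "enc": enc}).encode(),
                b"key", b"iv", b"ciphertext", b"tag"]
    return ".".join(base64.urlsafe_b64encode(s).rstrip(b"=").decode()
                    for s in segments)
```

Pinning both values means a sender cannot choose a different key-wrap or content-encryption algorithm than the one the receiver intends to accept.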

@Dino Thanks for the quick turnaround.

Using Eclipse, I was trying to run the pom file provided in the callout Maven project, as I need to implement the A128KW key wrap algorithm by changing the JweEncryptorCallout.java file and I need to recreate the "jwe-edge-callout.jar" from it. Before yesterday's update it was running fine. Please find the screenshots for the errors generated when running the Maven "install" command.

3510-maven-error1.jpg

3511-maven-error2.jpg

Are you having a new problem now?

I don't understand what you're asking.

@Dino I tried again. It's working now. There was some configuration issue. Thanks a ton for your response.