Allow encryption with explicitly requested algorithm (#755) (#756)

smallrye · Dec 7, 2023 · 0abdca1 · 0abdca1
1 parent 3236da7
commit 0abdca1
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/implementation/jwt-build/src/main/java/io/smallrye/jwt/build/impl/JwtEncryptionImpl.java b/implementation/jwt-build/src/main/java/io/smallrye/jwt/build/impl/JwtEncryptionImpl.java
@@ -10,6 +10,7 @@
 
 import javax.crypto.SecretKey;
 
+import org.jose4j.jwa.AlgorithmConstraints;
 import org.jose4j.jwe.JsonWebEncryption;
 import org.jose4j.jwk.JsonWebKey;
 
@@ -174,6 +175,7 @@ private String encryptInternal(Key key) {
             jwe.getHeaders().setObjectHeaderValue("cty", "JWT");
         }
         String keyAlgorithm = getKeyEncryptionAlgorithm(key);
+        jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, keyAlgorithm));
         jwe.setAlgorithmHeaderValue(keyAlgorithm);
         jwe.setEncryptionMethodHeaderParameter(getContentEncryptionAlgorithm());
         jwe.setKey(key);

diff --git a/implementation/jwt-build/src/test/java/io/smallrye/jwt/build/JwtEncryptTest.java b/implementation/jwt-build/src/test/java/io/smallrye/jwt/build/JwtEncryptTest.java
@@ -41,6 +41,7 @@
 
 import org.jose4j.base64url.Base64Url;
 import org.jose4j.json.JsonUtil;
+import org.jose4j.jwa.AlgorithmConstraints;
 import org.jose4j.jwe.JsonWebEncryption;
 import org.jose4j.jwk.EcJwkGenerator;
 import org.jose4j.jwk.EllipticCurveJsonWebKey;
@@ -546,6 +547,8 @@ private static JsonWebEncryption getJsonWebEncryption(String compactJwe, Key dec
         if (relaxKeyValidation) {
             jwe.setDoKeyValidation(false);
         }
+        jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
+                jwe.getAlgorithmNoConstraintCheck().getAlgorithmIdentifier()));
         return jwe;
     }