diff --git a/implementation/jwt-build/src/main/java/io/smallrye/jwt/build/impl/JwtEncryptionImpl.java b/implementation/jwt-build/src/main/java/io/smallrye/jwt/build/impl/JwtEncryptionImpl.java
index 0a322262..b630c80a 100644
--- a/implementation/jwt-build/src/main/java/io/smallrye/jwt/build/impl/JwtEncryptionImpl.java
+++ b/implementation/jwt-build/src/main/java/io/smallrye/jwt/build/impl/JwtEncryptionImpl.java
@@ -10,6 +10,7 @@
 import javax.crypto.SecretKey;
+import org.jose4j.jwa.AlgorithmConstraints;
 import org.jose4j.jwe.JsonWebEncryption;
 import org.jose4j.jwk.JsonWebKey;
@@ -174,6 +175,7 @@ private String encryptInternal(Key key) {
 jwe.getHeaders().setObjectHeaderValue("cty", "JWT");
 }
 String keyAlgorithm = getKeyEncryptionAlgorithm(key);
+ jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, keyAlgorithm));
 jwe.setAlgorithmHeaderValue(keyAlgorithm);
 jwe.setEncryptionMethodHeaderParameter(getContentEncryptionAlgorithm());
 jwe.setKey(key);
diff --git a/implementation/jwt-build/src/test/java/io/smallrye/jwt/build/JwtEncryptTest.java b/implementation/jwt-build/src/test/java/io/smallrye/jwt/build/JwtEncryptTest.java
index 9eef1810..b05c340c 100644
--- a/implementation/jwt-build/src/test/java/io/smallrye/jwt/build/JwtEncryptTest.java
+++ b/implementation/jwt-build/src/test/java/io/smallrye/jwt/build/JwtEncryptTest.java
@@ -41,6 +41,7 @@
 import org.jose4j.base64url.Base64Url;
 import org.jose4j.json.JsonUtil;
+import org.jose4j.jwa.AlgorithmConstraints;
 import org.jose4j.jwe.JsonWebEncryption;
 import org.jose4j.jwk.EcJwkGenerator;
 import org.jose4j.jwk.EllipticCurveJsonWebKey;
@@ -546,6 +547,8 @@ private static JsonWebEncryption getJsonWebEncryption(String compactJwe, Key dec
 if (relaxKeyValidation) {
 jwe.setDoKeyValidation(false);
 }
+ jwe.setAlgorithmConstraints(new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT,
+ jwe.getAlgorithmNoConstraintCheck().getAlgorithmIdentifier()));
 return jwe;
 }
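Review bot: The constraint added in `encryptInternal` permits whatever `getKeyEncryptionAlgorithm(key)` returned, so it can never reject anything and it replaces any default restriction the library would otherwise apply to key-management algorithms. If the intent is to keep legacy algorithms usable when a caller explicitly selects them, the line should say so, e.g. `// explicit permit: overrides the library's default algorithm constraints for the caller-selected algorithm`. If the algorithm can also come from configuration rather than from code, it is worth checking it against a builder-owned allowlist before permitting it; that resolution happens in `getKeyEncryptionAlgorithm`, which is not visible here. The body of `encryptInternal` starts and ends outside the hunk.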
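Review bot: In the test helper `getJsonWebEncryption` the permitted algorithm is read back from the token being decrypted through `jwe.getAlgorithmNoConstraintCheck()`, so the constraint always passes and the helper accepts any `alg` the token header declares. That is harmless for round-trip tests, but no test that goes through this helper can catch a token built with the wrong key-management algorithm, and trusting the header is the pattern a real consumer has to avoid. Consider taking the expected algorithm from each test through a new parameter, `new AlgorithmConstraints(AlgorithmConstraints.ConstraintType.PERMIT, expectedKeyAlgorithm)`, or at least adding a comment that marks the header-derived permit as test-only. The helper's body starts outside the hunk.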