fix: limit default PBES2 alg's computational expense

Also adds an option to opt-in to higher computation expense.

dist/browser/jwe/flattened/decrypt.js

@@ -95,10 +95,10 @@ async function flattenedDecrypt(jwe, key, options) {
     }
     let cek;
     try {
-        cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader);
+        cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader, options);
     }
     catch (err) {
-        if (err instanceof TypeError) {
+        if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
             throw err;
         }
         cek = generateCek(enc);

dist/browser/lib/decrypt_key_management.js

@@ -9,7 +9,7 @@ import { bitLengths as cekLengths } from '../lib/cek.js';
 import { importJWK } from '../key/import.js';
 import checkKeyType from './check_key_type.js';
 import isObject from './is_object.js';
-async function decryptKeyManagement(alg, key, encryptedKey, joseHeader) {
+async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
     checkKeyType(alg, key, 'decrypt');
     switch (alg) {
         case 'dir': {
@@ -63,6 +63,9 @@ async function decryptKeyManagement(alg, key, encryptedKey, joseHeader) {
                 throw new JWEInvalid('JWE Encrypted Key missing');
             if (typeof joseHeader.p2c !== 'number')
                 throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
+            const p2cLimit = (options === null || options === void 0 ? void 0 : options.maxPBES2Count) || 10000;
+            if (joseHeader.p2c > p2cLimit)
+                throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
             if (typeof joseHeader.p2s !== 'string')
                 throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
             return pbes2Kw(alg, key, encryptedKey, joseHeader.p2c, base64url(joseHeader.p2s));

dist/deno/jwe/flattened/decrypt.ts

@@ -204,9 +204,9 @@ async function flattenedDecrypt(
 
   let cek: KeyLike | Uint8Array
   try {
-    cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader)
+    cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader, options)
   } catch (err) {
-    if (err instanceof TypeError) {
+    if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
       throw err
     }
     // https://tools.ietf.org/html/rfc7516#section-11.5

dist/deno/lib/decrypt_key_management.ts

@@ -5,7 +5,7 @@ import { decrypt as rsaEs } from '../runtime/rsaes.ts'
 import { unwrap as aesGcmKw } from '../runtime/aesgcmkw.ts'
 import { decode as base64url } from '../runtime/base64url.ts'
 
-import type { JWEHeaderParameters, KeyLike, JWK } from '../types.d.ts'
+import type { DecryptOptions, JWEHeaderParameters, KeyLike, JWK } from '../types.d.ts'
 import { JOSENotSupported, JWEInvalid } from '../util/errors.ts'
 import { bitLengths as cekLengths } from '../lib/cek.ts'
 import { importJWK } from '../key/import.ts'
@@ -17,6 +17,7 @@ async function decryptKeyManagement(
   key: KeyLike | Uint8Array,
   encryptedKey: Uint8Array | undefined,
   joseHeader: JWEHeaderParameters,
+  options?: DecryptOptions,
 ): Promise<KeyLike | Uint8Array> {
   checkKeyType(alg, key, 'decrypt')
 
@@ -96,6 +97,11 @@ async function decryptKeyManagement(
       if (typeof joseHeader.p2c !== 'number')
         throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`)
 
+      const p2cLimit = options?.maxPBES2Count || 10_000
+
+      if (joseHeader.p2c > p2cLimit)
+        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`)
+
       if (typeof joseHeader.p2s !== 'string')
         throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`)
 

dist/deno/types.d.ts

@@ -486,6 +486,13 @@ export interface DecryptOptions extends CritOption {
    * when you expect JWEs with compressed plaintext.
    */
   inflateRaw?: InflateFunction
+
+  /**
+   * (PBES2 Key Management Algorithms only) Maximum allowed "p2c" (PBES2 Count) Header Parameter
+   * value. The PBKDF2 iteration count defines the algorithm's computational expense. By default
+   * this value is set to 10000.
+   */
+  maxPBES2Count?: number
 }
 
 /**

dist/node/cjs/jwe/flattened/decrypt.js

@@ -98,10 +98,10 @@ async function flattenedDecrypt(jwe, key, options) {
     }
     let cek;
     try {
-        cek = await (0, decrypt_key_management_js_1.default)(alg, key, encryptedKey, joseHeader);
+        cek = await (0, decrypt_key_management_js_1.default)(alg, key, encryptedKey, joseHeader, options);
     }
     catch (err) {
-        if (err instanceof TypeError) {
+        if (err instanceof TypeError || err instanceof errors_js_1.JWEInvalid || err instanceof errors_js_1.JOSENotSupported) {
             throw err;
         }
         cek = (0, cek_js_1.default)(enc);

dist/node/cjs/lib/decrypt_key_management.js

@@ -11,7 +11,7 @@ const cek_js_1 = require("../lib/cek.js");
 const import_js_1 = require("../key/import.js");
 const check_key_type_js_1 = require("./check_key_type.js");
 const is_object_js_1 = require("./is_object.js");
-async function decryptKeyManagement(alg, key, encryptedKey, joseHeader) {
+async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
     (0, check_key_type_js_1.default)(alg, key, 'decrypt');
     switch (alg) {
         case 'dir': {
@@ -65,6 +65,9 @@ async function decryptKeyManagement(alg, key, encryptedKey, joseHeader) {
                 throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');
             if (typeof joseHeader.p2c !== 'number')
                 throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
+            const p2cLimit = (options === null || options === void 0 ? void 0 : options.maxPBES2Count) || 10000;
+            if (joseHeader.p2c > p2cLimit)
+                throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
             if (typeof joseHeader.p2s !== 'string')
                 throw new errors_js_1.JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
             return (0, pbes2kw_js_1.decrypt)(alg, key, encryptedKey, joseHeader.p2c, (0, base64url_js_1.decode)(joseHeader.p2s));

dist/node/esm/jwe/flattened/decrypt.js

@@ -95,10 +95,10 @@ async function flattenedDecrypt(jwe, key, options) {
     }
     let cek;
     try {
-        cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader);
+        cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader, options);
     }
     catch (err) {
-        if (err instanceof TypeError) {
+        if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
             throw err;
         }
         cek = generateCek(enc);

dist/node/esm/lib/decrypt_key_management.js

@@ -9,7 +9,7 @@ import { bitLengths as cekLengths } from '../lib/cek.js';
 import { importJWK } from '../key/import.js';
 import checkKeyType from './check_key_type.js';
 import isObject from './is_object.js';
-async function decryptKeyManagement(alg, key, encryptedKey, joseHeader) {
+async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
     checkKeyType(alg, key, 'decrypt');
     switch (alg) {
         case 'dir': {
@@ -63,6 +63,9 @@ async function decryptKeyManagement(alg, key, encryptedKey, joseHeader) {
                 throw new JWEInvalid('JWE Encrypted Key missing');
             if (typeof joseHeader.p2c !== 'number')
                 throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
+            const p2cLimit = (options === null || options === void 0 ? void 0 : options.maxPBES2Count) || 10000;
+            if (joseHeader.p2c > p2cLimit)
+                throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
             if (typeof joseHeader.p2s !== 'string')
                 throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
             return pbes2Kw(alg, key, encryptedKey, joseHeader.p2c, base64url(joseHeader.p2s));

dist/types/types.d.ts

@@ -199,6 +199,7 @@ export interface DecryptOptions extends CritOption {
   keyManagementAlgorithms?: string[]
   contentEncryptionAlgorithms?: string[]
   inflateRaw?: InflateFunction
+  maxPBES2Count?: number
 }
 export interface EncryptOptions extends CritOption {
   deflateRaw?: DeflateFunction

docs/interfaces/jwt_decrypt.JWTDecryptOptions.md

@@ -14,6 +14,7 @@ Combination of JWE Decryption options and JWT Claims Set verification options.
 - [inflateRaw](jwt_decrypt.JWTDecryptOptions.md#inflateraw)
 - [issuer](jwt_decrypt.JWTDecryptOptions.md#issuer)
 - [keyManagementAlgorithms](jwt_decrypt.JWTDecryptOptions.md#keymanagementalgorithms)
+- [maxPBES2Count](jwt_decrypt.JWTDecryptOptions.md#maxpbes2count)
 - [maxTokenAge](jwt_decrypt.JWTDecryptOptions.md#maxtokenage)
 - [subject](jwt_decrypt.JWTDecryptOptions.md#subject)
 - [typ](jwt_decrypt.JWTDecryptOptions.md#typ)
@@ -110,6 +111,16 @@ A list of accepted JWE "alg" (Algorithm) Header Parameter values.
 
 ___
 
+### maxPBES2Count
+
+• `Optional` **maxPBES2Count**: `number`
+
+(PBES2 Key Management Algorithms only) Maximum allowed "p2c" (PBES2 Count) Header Parameter
+value. The PBKDF2 iteration count defines the algorithm's computational expense. By default
+this value is set to 10000.
+
+___
+
 ### maxTokenAge
 
 • `Optional` **maxTokenAge**: `string` \| `number`

docs/interfaces/types.DecryptOptions.md

@@ -10,6 +10,7 @@ JWE Decryption options.
 - [crit](types.DecryptOptions.md#crit)
 - [inflateRaw](types.DecryptOptions.md#inflateraw)
 - [keyManagementAlgorithms](types.DecryptOptions.md#keymanagementalgorithms)
+- [maxPBES2Count](types.DecryptOptions.md#maxpbes2count)
 
 ## Properties
 
@@ -66,3 +67,13 @@ ___
 • `Optional` **keyManagementAlgorithms**: `string`[]
 
 A list of accepted JWE "alg" (Algorithm) Header Parameter values.
+
+___
+
+### maxPBES2Count
+
+• `Optional` **maxPBES2Count**: `number`
+
+(PBES2 Key Management Algorithms only) Maximum allowed "p2c" (PBES2 Count) Header Parameter
+value. The PBKDF2 iteration count defines the algorithm's computational expense. By default
+this value is set to 10000.

src/jwe/flattened/decrypt.ts

@@ -204,9 +204,9 @@ async function flattenedDecrypt(
 
   let cek: KeyLike | Uint8Array
   try {
-    cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader)
+    cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader, options)
   } catch (err) {
-    if (err instanceof TypeError) {
+    if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
       throw err
     }
     // https://tools.ietf.org/html/rfc7516#section-11.5

src/lib/decrypt_key_management.ts

@@ -5,7 +5,7 @@ import { decrypt as rsaEs } from '../runtime/rsaes.js'
 import { unwrap as aesGcmKw } from '../runtime/aesgcmkw.js'
 import { decode as base64url } from '../runtime/base64url.js'
 
-import type { JWEHeaderParameters, KeyLike, JWK } from '../types.d'
+import type { DecryptOptions, JWEHeaderParameters, KeyLike, JWK } from '../types.d'
 import { JOSENotSupported, JWEInvalid } from '../util/errors.js'
 import { bitLengths as cekLengths } from '../lib/cek.js'
 import { importJWK } from '../key/import.js'
@@ -17,6 +17,7 @@ async function decryptKeyManagement(
   key: KeyLike | Uint8Array,
   encryptedKey: Uint8Array | undefined,
   joseHeader: JWEHeaderParameters,
+  options?: DecryptOptions,
 ): Promise<KeyLike | Uint8Array> {
   checkKeyType(alg, key, 'decrypt')
 
@@ -96,6 +97,11 @@ async function decryptKeyManagement(
       if (typeof joseHeader.p2c !== 'number')
         throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`)
 
+      const p2cLimit = options?.maxPBES2Count || 10_000
+
+      if (joseHeader.p2c > p2cLimit)
+        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`)
+
       if (typeof joseHeader.p2s !== 'string')
         throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`)
 

src/types.d.ts

@@ -486,6 +486,13 @@ export interface DecryptOptions extends CritOption {
    * when you expect JWEs with compressed plaintext.
    */
   inflateRaw?: InflateFunction
+
+  /**
+   * (PBES2 Key Management Algorithms only) Maximum allowed "p2c" (PBES2 Count) Header Parameter
+   * value. The PBKDF2 iteration count defines the algorithm's computational expense. By default
+   * this value is set to 10000.
+   */
+  maxPBES2Count?: number
 }
 
 /**

test/jwe/flattened.decrypt.test.mjs

@@ -180,8 +180,8 @@ Promise.all([
         jwe.encrypted_key = 'foo';
 
         await t.throwsAsync(flattenedDecrypt(jwe, t.context.secret), {
-          message: 'decryption operation failed',
-          code: 'ERR_JWE_DECRYPTION_FAILED',
+          message: 'Encountered unexpected JWE Encrypted Key',
+          code: 'ERR_JWE_INVALID',
         });
       }
     });
@@ -220,6 +220,20 @@ Promise.all([
         });
       }
     });
+
+    if (!('electron' in process.versions)) {
+      test('decrypt PBES2 p2c limit', async (t) => {
+        const jwe = await new FlattenedEncrypt(new Uint8Array(0))
+          .setProtectedHeader({ alg: 'PBES2-HS256+A128KW', enc: 'A128CBC-HS256' })
+          .setKeyManagementParameters({ p2c: 2049 })
+          .encrypt(new Uint8Array(32));
+
+        await t.throwsAsync(flattenedDecrypt(jwe, new Uint8Array(32), { maxPBES2Count: 2048 }), {
+          code: 'ERR_JWE_INVALID',
+          message: 'JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds',
+        });
+      });
+    }
   },
   (err) => {
     test('failed to import', (t) => {