fix: limit default PBES2 alg's computational expense

Also adds an option to opt-in to higher computation expense.

Author: panva

src/jwe/flattened/decrypt.ts

@@ -188,9 +188,9 @@ export async function flattenedDecrypt(
 
   let cek: KeyLike | Uint8Array
   try {
-    cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader)
+    cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader, options)
   } catch (err) {
-    if (err instanceof TypeError) {
+    if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
       throw err
     }
     // https://www.rfc-editor.org/rfc/rfc7516#section-11.5

src/lib/decrypt_key_management.ts

@@ -4,7 +4,7 @@ import { decrypt as pbes2Kw } from '../runtime/pbes2kw.js'
 import { decrypt as rsaEs } from '../runtime/rsaes.js'
 import { decode as base64url } from '../runtime/base64url.js'
 
-import type { JWEHeaderParameters, KeyLike, JWK } from '../types.d'
+import type { DecryptOptions, JWEHeaderParameters, KeyLike, JWK } from '../types.d'
 import { JOSENotSupported, JWEInvalid } from '../util/errors.js'
 import { bitLength as cekLength } from '../lib/cek.js'
 import { importJWK } from '../key/import.js'
@@ -17,6 +17,7 @@ async function decryptKeyManagement(
   key: KeyLike | Uint8Array,
   encryptedKey: Uint8Array | undefined,
   joseHeader: JWEHeaderParameters,
+  options?: DecryptOptions,
 ): Promise<KeyLike | Uint8Array> {
   checkKeyType(alg, key, 'decrypt')
 
@@ -96,6 +97,11 @@ async function decryptKeyManagement(
       if (typeof joseHeader.p2c !== 'number')
         throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`)
 
+      const p2cLimit = options?.maxPBES2Count || 10_000
+
+      if (joseHeader.p2c > p2cLimit)
+        throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`)
+
       if (typeof joseHeader.p2s !== 'string')
         throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`)
 

src/types.d.ts

@@ -401,6 +401,13 @@ export interface DecryptOptions extends CritOption {
    * with compressed plaintext.
    */
   inflateRaw?: InflateFunction
+
+  /**
+   * (PBES2 Key Management Algorithms only) Maximum allowed "p2c" (PBES2 Count) Header Parameter
+   * value. The PBKDF2 iteration count defines the algorithm's computational expense. By default
+   * this value is set to 10000.
+   */
+  maxPBES2Count?: number
 }
 
 /** JWE Deflate option. */

test/jwe/flattened.decrypt.test.mjs

@@ -1,6 +1,6 @@
 import test from 'ava'
 import * as crypto from 'crypto'
-import { root } from '../dist.mjs'
+import { root, conditional } from '../dist.mjs'
 
 const { FlattenedEncrypt, flattenedDecrypt, base64url } = await import(root)
 
@@ -177,8 +177,8 @@ test('JWE format validation', async (t) => {
     jwe.encrypted_key = 'foo'
 
     await t.throwsAsync(flattenedDecrypt(jwe, t.context.secret), {
-      message: 'decryption operation failed',
-      code: 'ERR_JWE_DECRYPTION_FAILED',
+      message: 'Encountered unexpected JWE Encrypted Key',
+      code: 'ERR_JWE_INVALID',
     })
   }
 })
@@ -239,3 +239,15 @@ test('decrypt empty data (CBC)', async (t) => {
   const { plaintext } = await flattenedDecrypt(jwe, new Uint8Array(32))
   t.is(plaintext.byteLength, 0)
 })
+
+conditional({ electron: 0 })('decrypt PBES2 p2c limit', async (t) => {
+  const jwe = await new FlattenedEncrypt(new Uint8Array(0))
+    .setProtectedHeader({ alg: 'PBES2-HS256+A128KW', enc: 'A128CBC-HS256' })
+    .setKeyManagementParameters({ p2c: 2049 })
+    .encrypt(new Uint8Array(32))
+
+  await t.throwsAsync(flattenedDecrypt(jwe, new Uint8Array(32), { maxPBES2Count: 2048 }), {
+    message: 'JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds',
+    code: 'ERR_JWE_INVALID',
+  })
+})