I noticed that compression/decompression does not work when passing arbitrary content instead of claims.
The compression is not done at all, but the `zip` field in the header is set, and while parsing encrypted content, I get `io.jsonwebtoken.CompressionException: Decompression failed. Cause: incorrect header check`
Sample code below:
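```java
import io.jsonwebtoken.Jwts;

public class Main {
    public static void main(final String[] args) {
        var secretKey = Jwts.ENC.A128GCM.key().build();

        // Build a JWE from arbitrary content (not claims) with DEFLATE compression requested.
        var encodedJwe = Jwts
                .builder()
                .content("hello, world!")
                .compressWith(Jwts.ZIP.DEF)
                .encryptWith(secretKey, Jwts.ENC.A128GCM)
                .compact();
        System.out.println("encodedJwe: " + encodedJwe);

        // Parsing the JWE produced above throws CompressionException (stack trace below).
        var decodedJwe = Jwts.parser().decryptWith(secretKey).build().parseEncryptedContent(encodedJwe);
        System.out.println("decodedJwe: " + decodedJwe);
    }
}
```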
Is this supposed to work? If not, maybe the builder shouldn't allow calling `compact()` if both `content` + `compressWith` are set, as this can produce unreadable JWEs.
In this example, the `parseEncryptedContent()` fails with this stack trace:
```
Exception in thread "main" io.jsonwebtoken.CompressionException: Decompression failed. Cause: incorrect header check
    at java.base/jdk.internal.reflect.DirectConstructorHandleAccessor.newInstance(DirectConstructorHandleAccessor.java:62)
    at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:502)
    at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:486)
    at io.jsonwebtoken.lang.Classes.instantiate(Classes.java:274)
    at io.jsonwebtoken.impl.lang.PropagatingExceptionFunction.apply(PropagatingExceptionFunction.java:69)
    at io.jsonwebtoken.impl.compression.AbstractCompressionAlgorithm.decompress(AbstractCompressionAlgorithm.java:143)
    at io.jsonwebtoken.impl.Payload.decompress(Payload.java:129)
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:592)
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:362)
    at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:94)
    at io.jsonwebtoken.impl.io.AbstractParser.parse(AbstractParser.java:36)
    at io.jsonwebtoken.impl.io.AbstractParser.parse(AbstractParser.java:29)
    at io.jsonwebtoken.impl.DefaultJwtParser.parseEncryptedContent(DefaultJwtParser.java:866)
    at ...
Caused by: java.util.zip.ZipException: incorrect header check
    at java.base/java.util.zip.InflaterInputStream.read(InflaterInputStream.java:181)
    at java.base/java.io.FilterInputStream.read(FilterInputStream.java:95)
    at io.jsonwebtoken.impl.compression.AbstractCompressionAlgorithm.doDecompress(AbstractCompressionAlgorithm.java:161)
    at io.jsonwebtoken.impl.compression.DeflateCompressionAlgorithm.doDecompress(DeflateCompressionAlgorithm.java:54)
    at io.jsonwebtoken.impl.compression.AbstractCompressionAlgorithm$4.apply(AbstractCompressionAlgorithm.java:85)
    at io.jsonwebtoken.impl.compression.AbstractCompressionAlgorithm$4.apply(AbstractCompressionAlgorithm.java:82)
    at io.jsonwebtoken.impl.lang.PropagatingExceptionFunction.apply(PropagatingExceptionFunction.java:57)
    ... 9 more
```
Discussed in #936
Originally posted by mnylen April 21, 2024
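Why the inflater in the stack trace rejects a payload that was never compressed, as an added example that is not part of the original report or of JJWT's code. It uses only `java.util.zip`; the class `ZipHeaderCheck` and its helper methods are hypothetical names, and it assumes, as the report states, that the bytes reaching the parser are the uncompressed content.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.zip.DeflaterOutputStream;
import java.util.zip.InflaterInputStream;

public class ZipHeaderCheck {

    // RFC 1950 zlib header: CM (low nibble of CMF) must be 8 and
    // the 16-bit value CMF*256 + FLG must be a multiple of 31.
    static boolean hasZlibHeader(byte[] data) {
        if (data.length < 2) return false;
        int cmf = data[0] & 0xFF, flg = data[1] & 0xFF;
        return (cmf & 0x0F) == 8 && ((cmf << 8) | flg) % 31 == 0;
    }

    // Compress with the JDK defaults (zlib-wrapped DEFLATE).
    static byte[] deflate(byte[] plain) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (DeflaterOutputStream dos = new DeflaterOutputStream(out)) {
            dos.write(plain);
        }
        return out.toByteArray();
    }

    // Decompress with the same stream class that appears in the stack trace.
    static byte[] inflate(byte[] data) throws IOException {
        try (InflaterInputStream in = new InflaterInputStream(new ByteArrayInputStream(data))) {
            return in.readAllBytes();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: the content string used in the report.
        byte[] plain = "hello, world!".getBytes(StandardCharsets.UTF_8);

        byte[] compressed = deflate(plain);
        System.out.println("compressed has zlib header: " + hasZlibHeader(compressed));
        System.out.println("round trip: " + new String(inflate(compressed), StandardCharsets.UTF_8));

        // What a parser sees when "zip" is set but the payload was never compressed.
        System.out.println("plain has zlib header: " + hasZlibHeader(plain));
        try {
            inflate(plain);
        } catch (IOException e) { // ZipException is a subclass of IOException
            System.out.println("inflate(plain) failed: " + e.getMessage());
        }
    }
}
```

The first two bytes of the uncompressed string, `0x68 0x65`, fail the multiple-of-31 check, which is the condition zlib reports as "incorrect header check".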