fix: allow multiple keys to match when selecting encryption key for r…

…equest object
panva · Jan 25, 2020 · fa3fa67 · fa3fa67
1 parent 2dfa313
commit fa3fa67
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 12 deletions.
diff --git a/lib/client.js b/lib/client.js
@@ -1507,11 +1507,11 @@ module.exports = (issuer, aadIssValidation = false) => class Client extends Base
     const fields = { alg: algorithms.encrypt.alg, enc: algorithms.encrypt.enc, cty: 'JWT' };
 
     if (fields.alg.match(/^(RSA|ECDH)/)) {
-      key = await this.issuer.queryKeyStore({
+      [key] = await this.issuer.queryKeyStore({
         alg: fields.alg,
         enc: fields.enc,
         use: 'enc',
-      }, false);
+      }, { allowMulti: true });
     } else {
       key = await this.joseSecret(fields.alg === 'dir' ? fields.enc : fields.alg);
     }

diff --git a/lib/issuer.js b/lib/issuer.js
@@ -105,7 +105,7 @@ class Issuer {
    */
   async queryKeyStore({
     kid, kty, alg, use, key_ops: ops,
-  }, allowKeyStore = true) {
+  }, { allowMulti = false } = {}) {
     const cache = instance(this).get('cache');
 
     const def = {
@@ -132,7 +132,7 @@ class Issuer {
       });
     }
 
-    if (keys.length > 1 && !kid) {
+    if (!allowMulti && keys.length > 1 && !kid) {
       throw new RPError({
         printf: ["multiple matching keys found in issuer's jwks_uri for key parameters %j, kid must be provided in this case", def],
         jwks: keystore,
@@ -141,14 +141,6 @@ class Issuer {
 
     cache.set(defHash, true);
 
-    if (!allowKeyStore) {
-      return keys[0];
-    }
-
-    if (keys.length === 1) {
-      return keys[0];
-    }
-
     return new jose.JWKS.KeyStore(keys);
   }
 

diff --git a/test/client/client_instance.test.js b/test/client/client_instance.test.js
@@ -3660,5 +3660,52 @@ describe('Client', () => {
         });
       });
     });
+
+    describe('#requestObject (encryption when multiple keys match)', function () {
+      before(function () {
+        this.keystore = new jose.JWKS.KeyStore();
+        return Promise.all([
+          this.keystore.generate('RSA'),
+          this.keystore.generate('RSA'),
+        ]);
+      });
+
+      before(function () {
+        this.issuer = new Issuer({
+          issuer: 'https://op.example.com',
+          jwks_uri: 'https://op.example.com/certs',
+        });
+      });
+
+      before(function () {
+        nock('https://op.example.com')
+          .get('/certs')
+          .reply(200, this.keystore.toJWKS());
+
+        return this.issuer.keystore();
+      });
+
+      after(nock.cleanAll);
+
+      it('encrypts for issuer using issuer\'s public key (explicit enc)', function () {
+        const client = new this.issuer.Client({ client_id: 'identifier', request_object_encryption_alg: 'RSA1_5', request_object_encryption_enc: 'A128CBC-HS256' });
+
+        return client.requestObject({ state: 'foobar' })
+          .then((encrypted) => {
+            const parts = encrypted.split('.');
+            expect(JSON.parse(base64url.decode(parts[0]))).to.contain({ alg: 'RSA1_5', enc: 'A128CBC-HS256', cty: 'JWT' }).and.have.property('kid');
+          });
+      });
+
+      it('encrypts for issuer using issuer\'s public key (default enc)', function () {
+        const client = new this.issuer.Client({ client_id: 'identifier', request_object_encryption_alg: 'RSA1_5' });
+
+        return client.requestObject({ state: 'foobar' })
+          .then((encrypted) => {
+            const parts = encrypted.split('.');
+            expect(JSON.parse(base64url.decode(parts[0]))).to.contain({ alg: 'RSA1_5', enc: 'A128CBC-HS256', cty: 'JWT' }).and.have.property('kid');
+          });
+      });
+    });
   });
 });