What happened?

The decrypt method under src/runtime/node/decrypt.js invokes checkIvfLength, which assumes the byte length of the IV must be the byte length of the encryption key. While this may be required for many block cipher modes, it is not required for GCM. This same issue was officially fixed by Node.js back in v6: nodejs/node#6376

As such, jose should be updated to support IVs that are longer than encrypted key when operating with GCM block ciphers. This issue prevents encrypted JWTs produced by python-jose from being decrypted by the jose NPM module.

This is actively blocking the development of a Sublime Text plugin to interface with the LSP services for AWS Q Developer.

Version

5.3.0

Runtime

Node.js

Runtime Details

Node 18.18.1

Code to reproduce

I've confirmed that commenting out the checkIvfLength invocation in the decrypt method within src/runtime/node/decrypt.js successfully decrypts a JWT using A256GCM encryption and the dir algorithm.

My integration testing used the decodeCredentialsRequestToken method in aws/language-server-runtimes, which successfully decrypts a JWT using A256GCM encryption and the dir algorithm once the checkIvfLength invocation is commented out in the decrypted method.

Required

• I have searched the issues tracker and discussions for similar topics and couldn't find anything related.
• I agree to follow this project's Code of Conduct