I am having difficulties decrypting my JWE token in python once it has been encrypted using ASP.Net.
Here is my C# code (fake passwords):
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("ae743683f78d498a9026d0c87020b9d3"));
var secret = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("MbPeShVmYq3t6w9z"));
var signingCreds = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
var encryptingCreds = new EncryptingCredentials(secret, SecurityAlgorithms.Aes128KW, SecurityAlgorithms.Aes128CbcHmacSha256);
var handler = new JwtSecurityTokenHandler();
var jwtSecurityToken = handler.CreateJwtSecurityToken(
_issuer,
_audience,
new ClaimsIdentity(claimsList),
DateTime.Now,
_expires,
DateTime.Now,
signingCreds,
encryptingCreds);
var token = handler.WriteToken(jwtSecurityToken);
The token looks like this when using the encrypting credentials (should typ not be JWE?):
{
{
"alg": "A128KW",
"enc": "A128CBC-HS256",
"typ": "JWT"
}.{
"userId": "151aedd5-76c3-4eb2-8b73-a16004315731",
"prop1": "test1",
"prop2": "test2",
"nbf": 1549894420,
"exp": 1550240017,
"iat": 1549894420,
"iss": "https://localhost:56880/",
"aud": "https://localhost:56880/"
}
}
This is the token when encrypted:
eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwidHlwIjoiSldUIn0.4w4MZv5WFALGbXhmaYqtTv1VGrUpQpDJ0jN8VmLpQwDRU0j16RbPyg.hGt_z5j8THCiNEhpVvlJmw.WehLBKdyB_eYtDRvHxJHgYwa4GA7f8oKYf3GgIqAAih1eVqU084kHu1lIhC8ibxxziwmFZ4IhBFT-nWgWQrH9thhgqndF4ojtGRBgdHtW3GDAgYV6fgI11h6meyBBuLBs7mkQC5PX8EYsMTDiNE9iNTH4pWtDElc07CGGXlHsm6ntuq7G3sinagZtZMchy1shTY73NTS40FqW37C9HTIPDbrTdsm-USHcGaBMLSmjF5eOZ9Po3p4fhRT42l_gwJc9tlurttYBucvIiO1r_3NB8xGeORizYW1P_P9XGusAFy4L8h8XU9P0FctsMjUFy64LOIK8Qv8YZVq4q82vv-r9uGH6bApUdpCIcYFfGu86w63t1QLQcDT_OYMCqwo9ZmZP5Gd07lB1ypNZbP6hQTgkosp3js3i4K4bFQY7CiSXB_pSTH623TMLHNfUXWMRMIBHmXGr-zTZiKj5vkVUZLjNg.sdBUYvadnwMhkCXP8sABgA
I have tried a couple of different python packages, including 2 versions of jose (python-jose and jose), but could not get jose to work with encryption (did not seem to support the A128KW algorithm).
I am now trying jwcrypto but it seems to expect me to generate a new key rather than use my existing one (the one used to encrypt the JWT in ASP.Net):
from jwcrypto import jwk, jwe
encrypted_token = request.cookies.get(cookie_name)
private_key = "MbPeShVmYq3t6w9z"
jwk_key = jwk.JWK()
# not sure how to use my existing "private_key" value,
# and no support for "A128KW" with jwcrypto despite
# the documentation saying there is support
key = jwk_key.import_key(alg='A128KW', kty="A256CBC-HS512")
jwe_token = jwe.JWE()
jwe_token.deserialize(encrypted_token)
jwe_token.decrypt(key) # decrypt requires an instance of JWK
decrypted_payload = jwe_token.payload
How can I get this to work? Thanks for any advice you can give.
It looks like python-jose DO NOT support JWE. In their online documentation or in the source code I cannot find any line of code related to the JWE parsing or encryption/decryption.
Hopefully in the library list from jwt.io, I've found jwcrypto that should support such encrypted token (see this example dealing with A256KW) and in the srouce code we can see A128KW is listed.
You can give it a try.
from jwcrypto import jwk, jwe
encrypted_token = request.cookies.get(cookie_name)
key = jwk.JWK.from_json('{"kty":"oct","k":"TWJQZVNoVm1ZcTN0Nnc5eg"}')
jwe_token = jwe.JWE()
jwe_token.deserialize(encrypted_token)
jwe_token.decrypt(key)
decrypted_payload = jwe_token.payload