server.issuer.keys.add() issue

[erinwu]

What

• cannot add a use: 'enc' key

Line of Code

• oauth2-mock-server/src/lib/jwk-store.ts

  Line 64 in 801fd2e

  const jwkUse: JWK.Key = { ...jwk, use: 'sig' };

Suggested Fix

• const jwkUse: JWK.Key = { use: 'sig', ...jwk};

[nulltoken]

@erinwu Can you please provide us will a minimal but complete repro case?

[erinwu]

@nulltoken Below is my code.

const newKey = await server.issuer.keys.add({ // add a RSA-OAEP-256 encrypted key
kty: 'RSA',
kid: 'some-key',
alg: 'RSA-OAEP-256',
use: 'enc',
e: 'AQAB',
n: 'idWPro_...0xKZhnWmjQE8d9xE8e1Z3Ll1LYbw', // eslint-disable-line max-len
});`

the newKey value should be JWKBaseKeyObject { keystore: JWKStore {}, length: 2048, kty: 'RSA', kid: 'some-key', use: 'enc', alg: 'RSA-OAEP-256' } but with the current code, it is JWKBaseKeyObject { keystore: JWKStore {}, length: 2048, kty: 'RSA', kid: 'some-key', use: 'sig', alg: 'RSA-OAEP-256' }

[nulltoken]

@erinwu Thanks a lot for your answer. Can you please also describe the impact on your own use case this 'sig' normalization causes? What does it prevent you to do? How does this block you in your test process?

[erinwu]

@nulltoken Currently, our project is using ^1.5.1, and I tried to update it to ^3.0.2 in order to resolve node-forge security vulnerability (i.e. Upgrade node-forge to version 0.10.0 or later).
During the process, the following error occurs and future debugging found this code changed at v2.0.0...v3.0.0 .

no valid key found in issuer's jwks_uri for key parameters {"alg":"RSA-OAEP-256","use":"enc"}
RPError: no valid key found in issuer's jwks_uri for key parameters {"alg":"RSA-OAEP-256","use":"enc"}

[nulltoken]

@erinwu OK. I think I've spotted the issue.

This happened during #48

-  async add(jwk) {
-    const jwkUse = { use: 'sig', ...jwk };
+  async add(jwk: JWK.Key): Promise<JWK.Key> {
+    const jwkUse: JWK.Key = { ...jwk, use: 'sig' };

I'm not sure how that happened. However, it looks like we didn't have any test to cover this use case.
So a "let's value use with sig when unspecified" has been turned into "let's blindly overwrite use with sig". Duh.

Thanks for the report! We'll shortly revert to the previous behavior, add some tests to cover this behavior and publish a patch version.

[erinwu]

@erinwu OK. I think I've spotted the issue.

This happened during #48

-  async add(jwk) {
-    const jwkUse = { use: 'sig', ...jwk };
+  async add(jwk: JWK.Key): Promise<JWK.Key> {
+    const jwkUse: JWK.Key = { ...jwk, use: 'sig' };

I'm not sure how that happened. However, it looks like we didn't have any test to cover this use case.
So a "let's value use with sig when unspecified" has been turned into "let's blindly overwrite use with sig". Duh.

Thanks for the report! We'll shortly revert to the previous behavior, add some tests to cover this behavior and publish a patch version.

@nulltoken Thank you a lot for the help.

[poveden]

@erinwu Version 3.0.3 is live on npm. Please confirm that your issue has been fixed. Thanks!

[erinwu]

@poveden @nulltoken It works perfectly. Thank you.