TypeError: Keystore must be provided while decrypting
Hi, I was trying to encrypt my data using node-jose.
I created a key pair in the command line using
jose-util generate-key --use enc --alg ECDH-ES+A256KW
I then encrypted the data using:
const jose = require('node-jose'); // import the posted snippet relies on

async function encrypt(data) {
  // publicKey: the public JWK written out by jose-util (not shown in the post)
  const pub = await jose.JWK.asKey(publicKey, 'json');
  const encrypted = await jose.JWE.createEncrypt(
    {
      format: 'general',
      fields: {
        alg: 'ECDH-ES+A256KW',
        enc: 'A256GCM',
        cty: 'json',
      },
    },
    { key: pub },
  )
    .update(JSON.stringify(data))
    .final();
  console.log(encrypted);
}
Now when I try to decrypt the data it asks me for a keystore.
(node:14823) UnhandledPromiseRejectionWarning: TypeError: Keystore must be provided
I am trying to decrypt by simply feeding in the private key and the encrypted data. Why do I need the keystore? How should I use this keystore on a different computer? Should not the private key be enough?
Like so, where the environment variable is the private key and decrypt is the encrypted message:
const decrypted = await jose.JWE.createDecrypt(process.env.DECRYPTION).decrypt(decrypt);
Can someone please guide me here? Thank you!
Hi @codemaster101,
As a starter: a JWKS is not limited to public keys.
The point of having a keystore for decryption is a characteristic of JWT: you should not go ahead and use any random key for decryption, but use the keys that are specified in the JWT's header. In your case you (as a human) know which key to use. But this is not the prime use case for JWT. In case you want to use different keys for different purposes or need to verify that the token is really for you, using a JWKS allows the algorithm to determine the correct key for decrypting the token based on the token's public headers. This is basically how JWT is supposed to work.
In your case the simplest thing would be to wrap your private key in a JWKS and use that keystore. All this can happen in memory. I leave aside that environment variables are really not the best way for passing secrets around.
In case the key store is on a different computer, in a database or in a directory, you can simply pull the key in. However, it might be smarter to store the JWKS instead of the plain key.
In node-jose-tools I use superagent for that purpose. In the LDAP provider for node-oidc-provider we pull the JWKS from an LDAP directory. In both cases you want to use the SSL-encrypted versions of the protocols.
I hope that answers your questions.