Skip to content

Feature/jwe compression#71

Open
jattsson wants to merge 4 commits into
cdbattags:masterfrom
jattsson:feature/jwe-compression
Open

Feature/jwe compression#71
jattsson wants to merge 4 commits into
cdbattags:masterfrom
jattsson:feature/jwe-compression

Conversation

@jattsson
Copy link
Copy Markdown

@jattsson jattsson commented Apr 21, 2026

Summary

Closes #70.

Adds RFC 7516 §4.1.3 zip header parameter support for both sign
(encrypt) and verify (decrypt), wired up to the registered DEF
value (raw DEFLATE per RFC 1951). Compression is opt-in
compress-then-encrypt leaks plaintext information through ciphertext
length (CRIME / BREACH), so the registry ships empty and callers
enable the DEF alg by injecting their own lua-zlib:

jwt:register_zlib_compression(require "zlib")

A generic jwt:register_compression_alg(name, handler) is also
exposed so callers can bind alternate backends (pure-Lua DEFLATE,
project-specific zip values, etc.) — register_zlib_compression
is itself just a wrapper over it.

No new hard dependency is added to the rockspec; users who want DEF
install lua-zlib themselves.

Notes for reviewers

Commits

  1. feat: core support — registry, sign_jwe / parse_jwe hooks,
    str_const entries.
  2. test: round-trip for dir + RSA-OAEP-256 + ECDH-ES,
    size-shrinkage sanity check, error paths, custom-handler dispatch.
  3. refactor: flip to opt-in via register_zlib_compression;
    README + TEST 63 added.
  4. fix: reject unsupported zip before any crypto — a JWE whose
    zip isn't registered is now rejected immediately after the alg
    check in parse_jwe, before any RSA-OAEP / ECDH-ES key unwrap or
    AEAD decrypt, so a malformed header can't force expensive crypto.

Test coverage

  • Round-trip across every currently-supported JWE key-management alg
    family (dir, RSA-OAEP-256, ECDH-ES).
  • Size-shrinkage assertion on a compressible payload — catches silent
    regressions where deflate degrades to a pass-through.
  • Unknown zip rejected on both sign and verify paths.
  • Custom-handler registration exercised end-to-end.
  • Full suite: 892 tests green across 11 files.

Security notes

  • README has an opt-in security note covering CRIME / BREACH.
  • Decompression-bomb risk is documented on register_zlib_compression
    — consumers accepting untrusted JWEs should bound ciphertext size
    before verify.

jattsson added 4 commits April 21, 2026 12:50
@jattsson
feat: add JWE payload compression ("zip":"DEF") support
231061e 
Implements RFC 7516 §4.1.3 compression for JWE payloads, honored on
both sign and verify. A pluggable `compression_algs` registry is
exposed via `jwt:register_compression_alg(name, handler)`; the default
"DEF" (raw DEFLATE / RFC 1951) handler lazily requires `lua-zlib` so
it stays an optional dependency — callers without lua-zlib installed
can supply their own handler.

Refs cdbattags#70
@jattsson
test: cover JWE compression (zip=DEF) round-trip and error paths
3fadca0 
Adds tests for dir, RSA-OAEP-256 and ECDH-ES round-trips with zip=DEF,
a size-shrinkage sanity check on compressible payloads, and error paths
for unknown zip values on both sign and verify plus custom handler
registration. Installs lua-zlib (pinned to 1.3-0 which ships a source
rock, avoiding the git-only install path) and its zlib1g-dev dependency
in the CI container. README documents the zip header and the new
jwt:register_compression_alg API.

Refs cdbattags#70
@jattsson
refactor: make JWE compression opt-in via register_zlib_compression
63a89fe 
Compress-then-encrypt leaks information about the plaintext through
ciphertext length (CRIME / BREACH family), so compression should not
be active unless the operator has considered the threat model.

The compression registry is now empty by default. Callers enable the
"DEF" zip alg by passing their own lua-zlib module:

    jwt:register_zlib_compression(require "zlib")

This also keeps lua-zlib as a fully caller-owned dependency — the
library does not require or reference it. register_zlib_compression
delegates to register_compression_alg so registration goes through a
single validated path, and alternate handlers (or additional zip
values) can still be registered directly.

Refs cdbattags#70
@jattsson
fix: reject unsupported JWE zip values before decryption
89762be 
An incoming JWE with an unknown zip header (e.g. zip=FOO) was only
rejected after the CEK had been unwrapped and the AEAD payload had
been decrypted, letting an attacker force expensive RSA-OAEP / ECDH
work with any malformed header. Validate zip against the registry
right after the alg check so such tokens are rejected cheaply.

Refs cdbattags#70
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Support for JWE compression

1 participant

@jattsson