Fix type 0 not being blocked on key wrapping (#14388)

* Fix type 0 not being blocked on key wrapping * Move block type0 below key null check
2025-12-11 22:03:36 +00:00 · 2025-04-23 18:45:29 +02:00
parent 3aa1378c99
commit ef80c23707
2 changed files with 45 additions and 0 deletions
--- a/libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts
+++ b/libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts
@@ -116,6 +116,12 @@ export class EncryptServiceImplementation implements EncryptService {
      throw new Error("No encryption key provided.");
    }
    if (this.blockType0) {
      if (key.inner().type === EncryptionType.AesCbc256_B64 || key.key.byteLength < 64) {
        throw new Error("Type 0 encryption is not supported.");
      }
    }
    if (plainValue == null) {
      return Promise.resolve(null);
    }
--- a/libs/common/src/key-management/crypto/services/encrypt.service.spec.ts
+++ b/libs/common/src/key-management/crypto/services/encrypt.service.spec.ts
@@ -55,6 +55,19 @@ describe("EncryptService", () => {
        "No wrappingKey provided for wrapping.",
      );
    });
    it("fails if type 0 key is provided with flag turned on", async () => {
      (encryptService as any).blockType0 = true;
      const mock32Key = mock<SymmetricCryptoKey>();
      mock32Key.key = makeStaticByteArray(32);
      mock32Key.inner.mockReturnValue({
        type: 0,
        encryptionKey: mock32Key.key,
      });
      await expect(encryptService.wrapSymmetricKey(mock32Key, mock32Key)).rejects.toThrow(
        "Type 0 encryption is not supported.",
      );
    });
  });
  describe("wrapDecapsulationKey", () => {
@@ -83,6 +96,19 @@ describe("EncryptService", () => {
        "No wrappingKey provided for wrapping.",
      );
    });
    it("throws if type 0 key is provided with flag turned on", async () => {
      (encryptService as any).blockType0 = true;
      const mock32Key = mock<SymmetricCryptoKey>();
      mock32Key.key = makeStaticByteArray(32);
      mock32Key.inner.mockReturnValue({
        type: 0,
        encryptionKey: mock32Key.key,
      });
      await expect(
        encryptService.wrapDecapsulationKey(new Uint8Array(200), mock32Key),
      ).rejects.toThrow("Type 0 encryption is not supported.");
    });
  });
  describe("wrapEncapsulationKey", () => {
@@ -111,6 +137,19 @@ describe("EncryptService", () => {
        "No wrappingKey provided for wrapping.",
      );
    });
    it("throws if type 0 key is provided with flag turned on", async () => {
      (encryptService as any).blockType0 = true;
      const mock32Key = mock<SymmetricCryptoKey>();
      mock32Key.key = makeStaticByteArray(32);
      mock32Key.inner.mockReturnValue({
        type: 0,
        encryptionKey: mock32Key.key,
      });
      await expect(
        encryptService.wrapEncapsulationKey(new Uint8Array(200), mock32Key),
      ).rejects.toThrow("Type 0 encryption is not supported.");
    });
  });
  describe("onServerConfigChange", () => {