Fix type 0 not being blocked on key wrapping (#14388)

* Fix type 0 not being blocked on key wrapping * Move block type0 below key null check
2025-12-10 13:23:34 +00:00 · 2025-04-23 18:45:29 +02:00
parent 3aa1378c99
commit ef80c23707
2 changed files with 45 additions and 0 deletions
--- a/libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts
+++ b/libs/common/src/key-management/crypto/services/encrypt.service.implementation.ts
@@ -116,6 +116,12 @@ export class EncryptServiceImplementation implements EncryptService {
      throw new Error("No encryption key provided.");
    }

+    if (this.blockType0) {
+      if (key.inner().type === EncryptionType.AesCbc256_B64 || key.key.byteLength < 64) {
+        throw new Error("Type 0 encryption is not supported.");
+      }
+    }
+
    if (plainValue == null) {
      return Promise.resolve(null);
    }
--- a/libs/common/src/key-management/crypto/services/encrypt.service.spec.ts
+++ b/libs/common/src/key-management/crypto/services/encrypt.service.spec.ts
@@ -55,6 +55,19 @@ describe("EncryptService", () => {
        "No wrappingKey provided for wrapping.",
      );
    });
+    it("fails if type 0 key is provided with flag turned on", async () => {
+      (encryptService as any).blockType0 = true;
+      const mock32Key = mock<SymmetricCryptoKey>();
+      mock32Key.key = makeStaticByteArray(32);
+      mock32Key.inner.mockReturnValue({
+        type: 0,
+        encryptionKey: mock32Key.key,
+      });
+
+      await expect(encryptService.wrapSymmetricKey(mock32Key, mock32Key)).rejects.toThrow(
+        "Type 0 encryption is not supported.",
+      );
+    });
  });

  describe("wrapDecapsulationKey", () => {
@@ -83,6 +96,19 @@ describe("EncryptService", () => {
        "No wrappingKey provided for wrapping.",
      );
    });
+    it("throws if type 0 key is provided with flag turned on", async () => {
+      (encryptService as any).blockType0 = true;
+      const mock32Key = mock<SymmetricCryptoKey>();
+      mock32Key.key = makeStaticByteArray(32);
+      mock32Key.inner.mockReturnValue({
+        type: 0,
+        encryptionKey: mock32Key.key,
+      });
+
+      await expect(
+        encryptService.wrapDecapsulationKey(new Uint8Array(200), mock32Key),
+      ).rejects.toThrow("Type 0 encryption is not supported.");
+    });
  });

  describe("wrapEncapsulationKey", () => {
@@ -111,6 +137,19 @@ describe("EncryptService", () => {
        "No wrappingKey provided for wrapping.",
      );
    });
+    it("throws if type 0 key is provided with flag turned on", async () => {
+      (encryptService as any).blockType0 = true;
+      const mock32Key = mock<SymmetricCryptoKey>();
+      mock32Key.key = makeStaticByteArray(32);
+      mock32Key.inner.mockReturnValue({
+        type: 0,
+        encryptionKey: mock32Key.key,
+      });
+
+      await expect(
+        encryptService.wrapEncapsulationKey(new Uint8Array(200), mock32Key),
+      ).rejects.toThrow("Type 0 encryption is not supported.");
+    });
  });

  describe("onServerConfigChange", () => {