[jwe] Add option to explicitly clear per-recipient headers ("header") for flattened JSON serialization#1477
Merged
lestrrat merged 9 commits intodevelop/v3from Oct 13, 2025
Merged
[jwe] Add option to explicitly clear per-recipient headers ("header") for flattened JSON serialization#1477lestrrat merged 9 commits intodevelop/v3from
"header") for flattened JSON serialization#1477lestrrat merged 9 commits intodevelop/v3from
Conversation
|
Now everything works as expected 🎉 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fixes #1470
After much going back and forth, I have nailed down that the ONLY time the current implementation creates duplicate entries (that matter) are when flattened JSON serialization is used.
For full JSON serialization, we didn't merge anything to start with. This was fine. It's the user's responsibility to figure out how to create headers that are completely disjoint. But for flattened JSON, we merged the per-recipient headers and the protected header, and yet kept the per-recipient headers in tact. The fix is to nuke the headers stored in the per-recipient headers after merging -- the merge is NOT necessary, but it is my understanding that we would be erring on the safer side if we merged everything into the protected header so that the entirety of this metadata is used as AAD, thus making the flattened JSON serialization that we produce analogous to the compact format.
Now, I'm sure there is code somewhere that already relies on this behavior, so instead of just "fixing" this, we introduced an option to explicitly enable the new behavior. Code that wants to generate a flattened JSON serialization that clears the
"header"value should calljwe.Encrypt()withjwe.WithLegacyHeaderMerging(false).