refactor: cleanly reject invalid PBES2 p2c

panva · panva · commit 0cdb851ca597 · 2026-04-27T17:18:50.000+02:00
diff --git a/src/lib/pbes2kw.ts b/src/lib/pbes2kw.ts
@@ -28,6 +28,9 @@ async function deriveKey(
   if (!(p2s instanceof Uint8Array) || p2s.length < 8) {
     throw new JWEInvalid('PBES2 Salt Input must be 8 or more octets')
   }
+  if (!Number.isSafeInteger(p2c) || Math.sign(p2c) !== 1) {
+    throw new JWEInvalid('PBES2 Count Input must be a positive integer')
+  }
 
   const salt = concatSalt(alg, p2s)
   const keylen = parseInt(alg.slice(13, 16), 10)
diff --git a/test/jwe/flattened.decrypt.test.ts b/test/jwe/flattened.decrypt.test.ts
@@ -1,7 +1,7 @@
 import test from 'ava'
 import * as crypto from 'crypto'
 
-import { FlattenedEncrypt, flattenedDecrypt } from '../../src/index.js'
+import { FlattenedEncrypt, base64url, flattenedDecrypt } from '../../src/index.js'
 
 test.before(async (t) => {
   const encode = TextEncoder.prototype.encode.bind(new TextEncoder())
@@ -251,6 +251,27 @@ test('decrypt PBES2 p2c limit', async (t) => {
   )
 })
 
+test('PBES2 p2c must be a positive integer on decrypt', async (t) => {
+  const jwe = await new FlattenedEncrypt(new Uint8Array(0))
+    .setProtectedHeader({ alg: 'PBES2-HS256+A128KW', enc: 'A128CBC-HS256' })
+    .setKeyManagementParameters({ p2c: 1 })
+    .encrypt(new Uint8Array(32))
+
+  const protectedHeader = JSON.parse(new TextDecoder().decode(base64url.decode(jwe.protected!)))
+  protectedHeader.p2c = 1.5
+  jwe.protected = base64url.encode(JSON.stringify(protectedHeader))
+
+  await t.throwsAsync(
+    flattenedDecrypt(jwe, new Uint8Array(32), {
+      keyManagementAlgorithms: ['PBES2-HS256+A128KW'],
+    }),
+    {
+      code: 'ERR_JWE_INVALID',
+      message: 'PBES2 Count Input must be a positive integer',
+    },
+  )
+})
+
 test('decrypt with PBES2 is not allowed by default', async (t) => {
   const jwe = await new FlattenedEncrypt(new Uint8Array(0))
     .setProtectedHeader({ alg: 'PBES2-HS256+A128KW', enc: 'A128CBC-HS256' })
diff --git a/test/jwe/flattened.encrypt.test.ts b/test/jwe/flattened.encrypt.test.ts
@@ -225,3 +225,18 @@ test('Default PBES2 Count', async (t) => {
     2048,
   )
 })
+
+test('PBES2 p2c must be a positive integer on encrypt', async (t) => {
+  for (const p2c of [0, -1, 1.5]) {
+    await t.throwsAsync(
+      new FlattenedEncrypt(t.context.plaintext)
+        .setProtectedHeader({ alg: 'PBES2-HS256+A128KW', enc: 'A128GCM' })
+        .setKeyManagementParameters({ p2c })
+        .encrypt(t.context.secret),
+      {
+        code: 'ERR_JWE_INVALID',
+        message: 'PBES2 Count Input must be a positive integer',
+      },
+    )
+  }
+})

Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,9 @@ async function deriveKey(`
`28`	`28`	`if (!(p2s instanceof Uint8Array) \|\| p2s.length < 8) {`
`29`	`29`	`throw new JWEInvalid('PBES2 Salt Input must be 8 or more octets')`
`30`	`30`	`}`
	`31`	`+ if (!Number.isSafeInteger(p2c) \|\| Math.sign(p2c) !== 1) {`
	`32`	`+ throw new JWEInvalid('PBES2 Count Input must be a positive integer')`
	`33`	`+ }`
`31`	`34`
`32`	`35`	`const salt = concatSalt(alg, p2s)`
`33`	`36`	`const keylen = parseInt(alg.slice(13, 16), 10)`