Addressing comments. Adding logging, nil out generated keys

ameyapat · ameyapat · commit eb033f903ec2 · 2025-11-14T16:09:44.000-08:00
diff --git a/IdentityCore/src/JWEResponse/MSIDJweResponse+EcdhAesGcm.m b/IdentityCore/src/JWEResponse/MSIDJweResponse+EcdhAesGcm.m
@@ -44,6 +44,8 @@ - (nullable NSDictionary *)decryptJweResponseWithPrivateStk:(nonnull SecKeyRef)p
                                                   jweCrypto:(nonnull MSIDJWECrypto *)jweCrypto
                                                       error:(NSError * _Nullable __autoreleasing * _Nullable)error
 {
+    MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"Starting to decrypt JWE response using ECDH-AESGCM using jwe_crypto : %@", jweCrypto.urlEncodedJweCrypto);
+    
     // 1. Check for necessary request parameters
     NSData *apv = [NSData msidDataFromBase64UrlEncodedString:jweCrypto.apv.APV];
     
@@ -65,7 +67,7 @@ - (nullable NSDictionary *)decryptJweResponseWithPrivateStk:(nonnull SecKeyRef)p
     {
         if (error)
         {
-            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Unexpected server response, no epk present in JWE header", nil, nil, nil, nil, nil, NO);
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Unexpected server response, no epk present in JWE header", nil, nil, nil, nil, nil, YES);
         }
         MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Unexpected server response, no epk present in JWE header, epk %@", epk);
         return nil;
@@ -174,7 +176,8 @@ - (NSData *)calculateDerivedKeyWithSharedKey:(NSData *)sharedSecret
                                                              partyUInfo:apu
                                                              partyVInfo:apv
                                                                   error:&concatKDFError];
-
+    // Deallocating sharedSecret as it is no longer needed
+    sharedSecret = nil;
     if (!derivedKey)
     {
         if (error)
@@ -196,7 +199,7 @@ - (NSDictionary *)decryptJweResponseUsingSymmetricKey:(NSData *)symmetricKey
     {
         if (error)
         {
-            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Symmetric key is nil", nil, nil, nil, nil, nil, NO);
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Symmetric key is nil", nil, nil, nil, nil, nil, YES);
         }
         return nil;
     }
@@ -209,12 +212,14 @@ - (NSDictionary *)decryptJweResponseUsingSymmetricKey:(NSData *)symmetricKey
     // Since only A256GCM is supported, we can decrypt jwe message using AES256GCM.
     MSIDAesGcmDecryptor *decryptor = [MSIDAesGcmDecryptor new];
     NSData *decryptedData = [decryptor decryptWithAES256GCMHandlerWithMessage:self.payload iv:self.iv key:symmetricKey tag:self.tag aad:self.aad error:error];
-    
+    // Deallocate symmetricKey as it is no longer needed
+    symmetricKey = nil;
     if (!decryptedData)
     {
         if (error)
         {
-            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Unexpected server response, failed to decrypt JWE", nil, nil, nil, nil, nil, NO);
+            NSError *subError = *error ? *error : nil;
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Unexpected server response, failed to decrypt JWE", nil, [subError description], subError, nil, nil, YES);
         }
         MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Unexpected server response, failed to decrypt JWE");
         return nil;
@@ -223,6 +228,14 @@ - (NSDictionary *)decryptJweResponseUsingSymmetricKey:(NSData *)symmetricKey
     MSIDJsonSerializer *serializer = [MSIDJsonSerializer new];
     
     NSDictionary *jsonResult = [serializer deserializeJSON:decryptedData error:error];
+    if (!jsonResult)
+    {
+        if (error)
+        {
+            NSError *subError = *error ? *error : nil;
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Failed to serialize decrypted data to JSON", nil, [subError description], subError, nil, nil, YES);
+        }
+    }
     return jsonResult;
 }
 
@@ -232,16 +245,16 @@ - (BOOL)IsJweResponseAlgorithmSupported:(NSError * _Nullable __autoreleasing * _
     {
         if (error)
         {
-            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, [NSString stringWithFormat:@"Unsupported JWE algorithm : %@", self.headerAlgorithm], nil, nil, nil, nil, nil, NO);
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, [NSString stringWithFormat:@"Unsupported JWE algorithm : %@", self.headerAlgorithm], nil, nil, nil, nil, nil, YES);
         }
         return NO;
     }
     
-    if (![self.jweHeader[@"enc"] isEqualToString:MSID_RESPONSE_ENCRYPTION_ALGORITHM_A256GCM])
+    if (![self.headerEncryptionAlgorithm isEqualToString:MSID_RESPONSE_ENCRYPTION_ALGORITHM_A256GCM])
     {
         if (error)
         {
-            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, [NSString stringWithFormat:@"Unsupported JWE encryption algorithm : %@", self.jweHeader[@"enc"]], nil, nil, nil, nil, nil, NO);
+            *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, [NSString stringWithFormat:@"Unsupported JWE encryption algorithm : %@", self.jweHeader[@"enc"]], nil, nil, nil, nil, nil, YES);
         }
         return NO;
     }
diff --git a/IdentityCore/src/MSIDJweResponse.h b/IdentityCore/src/MSIDJweResponse.h
@@ -31,6 +31,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property (readonly, nonatomic) NSData *payload;
 @property (readonly, nonatomic) NSData *headerContext;
 @property (readonly, nonatomic) NSString *headerAlgorithm;
+@property (readonly, nonatomic) NSString *headerEncryptionAlgorithm;
 @property (readonly, nonatomic) NSData *tag;
 @property (readonly, nonatomic) NSData *aad;
 @property (readonly, nonatomic) NSDictionary *jweHeader;
diff --git a/IdentityCore/src/MSIDJweResponse.m b/IdentityCore/src/MSIDJweResponse.m
@@ -68,6 +68,7 @@ - (id)initWithRawJWE:(NSString *)rawJWE
         {
             NSDictionary *dict = (NSDictionary *)jsonObject;
             _headerAlgorithm = [dict objectForKey:@"alg"];
+            _headerEncryptionAlgorithm = [dict objectForKey:@"enc"];
             if([dict objectForKey:@"ctx"])
             {
                 _headerContext = [[NSData alloc] initWithBase64EncodedString:[dict objectForKey:@"ctx"] options:0];

Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,8 @@ - (nullable NSDictionary *)decryptJweResponseWithPrivateStk:(nonnull SecKeyRef)p`
`44`	`44`	`jweCrypto:(nonnull MSIDJWECrypto *)jweCrypto`
`45`	`45`	`error:(NSError * _Nullable __autoreleasing * _Nullable)error`
`46`	`46`	`{`
	`47`	`+ MSID_LOG_WITH_CTX(MSIDLogLevelInfo, nil, @"Starting to decrypt JWE response using ECDH-AESGCM using jwe_crypto : %@", jweCrypto.urlEncodedJweCrypto);`
	`48`	`+`
`47`	`49`	`// 1. Check for necessary request parameters`
`48`	`50`	`NSData *apv = [NSData msidDataFromBase64UrlEncodedString:jweCrypto.apv.APV];`
`49`	`51`
`@@ -65,7 +67,7 @@ - (nullable NSDictionary *)decryptJweResponseWithPrivateStk:(nonnull SecKeyRef)p`
`65`	`67`	`{`
`66`	`68`	`if (error)`
`67`	`69`	`{`
`68`		`- *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Unexpected server response, no epk present in JWE header", nil, nil, nil, nil, nil, NO);`
	`70`	`+ *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Unexpected server response, no epk present in JWE header", nil, nil, nil, nil, nil, YES);`
`69`	`71`	`}`
`70`	`72`	`MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Unexpected server response, no epk present in JWE header, epk %@", epk);`
`71`	`73`	`return nil;`
`@@ -174,7 +176,8 @@ - (NSData )calculateDerivedKeyWithSharedKey:(NSData )sharedSecret`
`174`	`176`	`partyUInfo:apu`
`175`	`177`	`partyVInfo:apv`
`176`	`178`	`error:&concatKDFError];`
`177`		`-`
	`179`	`+ // Deallocating sharedSecret as it is no longer needed`
	`180`	`+ sharedSecret = nil;`
`178`	`181`	`if (!derivedKey)`
`179`	`182`	`{`
`180`	`183`	`if (error)`
`@@ -196,7 +199,7 @@ - (NSDictionary )decryptJweResponseUsingSymmetricKey:(NSData )symmetricKey`
`196`	`199`	`{`
`197`	`200`	`if (error)`
`198`	`201`	`{`
`199`		`- *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Symmetric key is nil", nil, nil, nil, nil, nil, NO);`
	`202`	`+ *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Symmetric key is nil", nil, nil, nil, nil, nil, YES);`
`200`	`203`	`}`
`201`	`204`	`return nil;`
`202`	`205`	`}`
`@@ -209,12 +212,14 @@ - (NSDictionary )decryptJweResponseUsingSymmetricKey:(NSData )symmetricKey`
`209`	`212`	`// Since only A256GCM is supported, we can decrypt jwe message using AES256GCM.`
`210`	`213`	`MSIDAesGcmDecryptor *decryptor = [MSIDAesGcmDecryptor new];`
`211`	`214`	`NSData *decryptedData = [decryptor decryptWithAES256GCMHandlerWithMessage:self.payload iv:self.iv key:symmetricKey tag:self.tag aad:self.aad error:error];`
`212`		`-`
	`215`	`+ // Deallocate symmetricKey as it is no longer needed`
	`216`	`+ symmetricKey = nil;`
`213`	`217`	`if (!decryptedData)`
`214`	`218`	`{`
`215`	`219`	`if (error)`
`216`	`220`	`{`
`217`		`- *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Unexpected server response, failed to decrypt JWE", nil, nil, nil, nil, nil, NO);`
	`221`	`+ NSError subError = error ? *error : nil;`
	`222`	`+ *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Unexpected server response, failed to decrypt JWE", nil, [subError description], subError, nil, nil, YES);`
`218`	`223`	`}`
`219`	`224`	`MSID_LOG_WITH_CTX(MSIDLogLevelError, nil, @"Unexpected server response, failed to decrypt JWE");`
`220`	`225`	`return nil;`
`@@ -223,6 +228,14 @@ - (NSDictionary )decryptJweResponseUsingSymmetricKey:(NSData )symmetricKey`
`223`	`228`	`MSIDJsonSerializer *serializer = [MSIDJsonSerializer new];`
`224`	`229`
`225`	`230`	`NSDictionary *jsonResult = [serializer deserializeJSON:decryptedData error:error];`
	`231`	`+ if (!jsonResult)`
	`232`	`+ {`
	`233`	`+ if (error)`
	`234`	`+ {`
	`235`	`+ NSError subError = error ? *error : nil;`
	`236`	`+ *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, @"Failed to serialize decrypted data to JSON", nil, [subError description], subError, nil, nil, YES);`
	`237`	`+ }`
	`238`	`+ }`
`226`	`239`	`return jsonResult;`
`227`	`240`	`}`
`228`	`241`
`@@ -232,16 +245,16 @@ - (BOOL)IsJweResponseAlgorithmSupported:(NSError * _Nullable __autoreleasing * _`
`232`	`245`	`{`
`233`	`246`	`if (error)`
`234`	`247`	`{`
`235`		`- *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, [NSString stringWithFormat:@"Unsupported JWE algorithm : %@", self.headerAlgorithm], nil, nil, nil, nil, nil, NO);`
	`248`	`+ *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, [NSString stringWithFormat:@"Unsupported JWE algorithm : %@", self.headerAlgorithm], nil, nil, nil, nil, nil, YES);`
`236`	`249`	`}`
`237`	`250`	`return NO;`
`238`	`251`	`}`
`239`	`252`
`240`		`- if (![self.jweHeader[@"enc"] isEqualToString:MSID_RESPONSE_ENCRYPTION_ALGORITHM_A256GCM])`
	`253`	`+ if (![self.headerEncryptionAlgorithm isEqualToString:MSID_RESPONSE_ENCRYPTION_ALGORITHM_A256GCM])`
`241`	`254`	`{`
`242`	`255`	`if (error)`
`243`	`256`	`{`
`244`		`- *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, [NSString stringWithFormat:@"Unsupported JWE encryption algorithm : %@", self.jweHeader[@"enc"]], nil, nil, nil, nil, nil, NO);`
	`257`	`+ *error = MSIDCreateError(MSIDErrorDomain, MSIDErrorInternal, [NSString stringWithFormat:@"Unsupported JWE encryption algorithm : %@", self.jweHeader[@"enc"]], nil, nil, nil, nil, nil, YES);`
`245`	`258`	`}`
`246`	`259`	`return NO;`
`247`	`260`	`}`
Original file line number	Diff line number	Diff line change
`@@ -68,6 +68,7 @@ - (id)initWithRawJWE:(NSString *)rawJWE`
`68`	`68`	`{`
`69`	`69`	`NSDictionary dict = (NSDictionary )jsonObject;`
`70`	`70`	`_headerAlgorithm = [dict objectForKey:@"alg"];`
	`71`	`+ _headerEncryptionAlgorithm = [dict objectForKey:@"enc"];`
`71`	`72`	`if([dict objectForKey:@"ctx"])`
`72`	`73`	`{`
`73`	`74`	`_headerContext = [[NSData alloc] initWithBase64EncodedString:[dict objectForKey:@"ctx"] options:0];`