
Encrypt with ECDH JWK, error: unsupported key type for ECDH-ES: *ecdsa.PrivateKey #1434

@justincranford

Description

Describe the bug

When I use an ECDH JWK in a jwe.Encrypt() call, I get this error:

Error: jwe.Encrypt: failed to create recipient #0: failed to encrypt key: encrypt: unsupported key type for ECDH-ES: *ecdsa.PrivateKey

To reproduce:

  1. Generate ECDH raw key.
  2. Import into JWK.
  3. Set protected headers.
  4. Encrypt plaintext with the JWK.
  5. Decrypt JWE message with the JWK.

For comparison, I wrote a test to cover AES, RSA, and ECDH JWKs. Both AES and RSA work end-to-end, but encrypt with ECDH JWK returns an error saying the JWK is ECDSA.

Please attach the output of go version

go version
go version go1.24.3 windows/amd64

To Reproduce / Expected behavior

I created a repo with just one test file. You can clone it and run the test to reproduce the issue.

The test covers AES, RSA, and ECDH. For each type, the test imports into JWK, encrypts, and decrypts. AES and RSA work end-to-end, but ECDH fails during encrypt.

Additional context

  1. I looked at an ECDH test in jwe_test.go. I think it covers raw keys, not JWKs. I didn't find an example using JWKs.

  2. I tried to debug jwk.Import(). In convert.go, I noticed ecdhPrivateKeyToECJWK calls ecdsaPrivateKeyToJWK. I don't know if the encrypt error is related to that import code, but I thought I would mention it.

  3. For context, I am trying to write a KMS app with coverage of all alg and enc options in the JOSE RFCs, including ECDH. I store JWKs in my DB, because it is a convenient format for adding protected headers like kid, alg, enc, iat, exp, etc. I can serialize them all in one column, instead of saving those values as separate columns.
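The error above comes down to a Go type mismatch: a raw `*ecdh.PrivateKey` round-tripped through a JWK surfaces as `*ecdsa.PrivateKey`, and the ECDH-ES path rejects that type even though it holds the same P-256 scalar. The following is an added, standard-library-only example (not jwx code and not from the reporter's repo) with a hypothetical helper `asECDHPrivateKey` that accepts both types and converts the ecdsa form with `(*ecdsa.PrivateKey).ECDH()`, then shows a key agreement between the two forms producing the same shared secret.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"errors"
	"fmt"
)

// asECDHPrivateKey is a hypothetical helper, not jwx code. It normalises
// both Go types a P-256 private key can surface as to *ecdh.PrivateKey.
func asECDHPrivateKey(key any) (*ecdh.PrivateKey, error) {
	switch k := key.(type) {
	case *ecdh.PrivateKey:
		return k, nil
	case *ecdsa.PrivateKey:
		// Same scalar and curve point, different Go type (Go 1.20+).
		return k.ECDH()
	default:
		return nil, fmt.Errorf("unsupported key type for ECDH-ES: %T", key)
	}
}

// sharedSecretsAgree builds one key as *ecdh.PrivateKey and another as
// *ecdsa.PrivateKey, normalises both, and checks both sides agree.
func sharedSecretsAgree() (bool, error) {
	rawECDH, err1 := ecdh.P256().GenerateKey(rand.Reader)
	rawECDSA, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		return false, errors.Join(err1, err2)
	}
	a, err1 := asECDHPrivateKey(rawECDH)
	b, err2 := asECDHPrivateKey(rawECDSA)
	if err1 != nil || err2 != nil {
		return false, errors.Join(err1, err2)
	}
	secretA, err1 := a.ECDH(b.PublicKey())
	secretB, err2 := b.ECDH(a.PublicKey())
	if err1 != nil || err2 != nil {
		return false, errors.Join(err1, err2)
	}
	return bytes.Equal(secretA, secretB), nil
}

func main() {
	fmt.Println(sharedSecretsAgree())
}
```

Until the library handles the ecdsa form itself, converting the key this way before passing it to the ECDH-ES encrypter is the workaround the type switch illustrates.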
