Encrypt with ECDH JWK, error: `unsupported key type for ECDH-ES: *ecdsa.PrivateKey`

[justincranford]

Describe the bug

When I use an ECDH JWK in a jwe.Encrypt() call, I get this error:

Error: jwe.Encrypt: failed to create recipient #0: failed to encrypt key: encrypt: unsupported key type for ECDH-ES: *ecdsa.PrivateKey

To reproduce:

1. Generate ECDH raw key.
2. Import into JWK
3. Set protected headers
4. Encrypt plaintext with the JWK
5. Decrypt JWE message with the JWK

For comparison, I wrote a test to cover AES, RSA, and ECDH JWKs. Both AES and RSA work end-to-end, but encrypt with ECDH JWK returns an error saying the JWK is ECDSA.

Please attach the output of go version

go version
go version go1.24.3 windows/amd64

To Reproduce / Expected behavior

I created a repo with just one test file. You can clone it and run the test to reproduce the issue.

• https://github.com/justincranford/jwe-encrypt-decrypt/blob/main/import_encrypt_decrypt_test.go

The test covers AES, RSA, and ECDH. For each type, the test imports into JWK, encrypts, and decrypts. AES and RSA work end-to-end, but ECDH fails during encrypt.

Additional context

1. I looked at an ECDH test in jwe_test.go. I think it covers raw keys, not JWKs. I didn't find an example using JWKs.

2. I tried to debug jwk.Import(). In convert.go, I noticed ecdhPrivateKeyToECJWK calls ecdsaPrivateKeyToJWK. I don't know if the encrypt error is related to that import code, but I thought I would mention it.

3. For context, I am trying to write a KMS app with coverage of all alg and enc options in JOSE RFCs, including ECDH. I store JWKs in my DB, because it is a convenient format to adding protected headers like kid, alg, enc, iat, exp, and etc. I can serialize them all in one column, instead of saving those values as separate columns.

[lestrrat]

Unfortunately, there's no good way to differentiate an ECDH key and an ECDSA key when represented as a JWK. They both are serialized as "typ": "EC", with pretty much the same fields. You can, however, extract ecdh.(Private|Protected)Key out of a jwk.Key by using jwk.Export and specify the appropriate ecdh struct.

IIRC the thinking back then was that since we can't differentiate between ECDH/ECDSA key, we shouldn't try to be smart to auto-detect, because that's usually how you end up with security vulnerabilities.

Since the user (you) are the only one who knows if the key is correctly stored as ECDH/ECDSA, and since the underlying code is going to do this conversion anyway, it's probably better to store this extra bit of information in your DB and run jwk.Export to get the raw ecdh.PrivateKey/PublicKey. WDYT?

[justincranford]

Good news. I downgraded to v3.0.7 and the test works again for ECDH. No workaround required.

go get github.com/lestrrat-go/jwx/v3@v3.0.7
go mod tidy
go test ./... --count=1

https://github.com/justincranford/jwe-encrypt-decrypt/blob/107901d4ae27537f11ccf584d6194cb41a367648/go.mod#L7

Is there something in v3.0.8 that changed how jwk.import or jwe.encrypt works internally?

• https://github.com/lestrrat-go/jwx/releases/tag/v3.0.8

[justincranford]

I just tried v3.0.0 to v3.0.10 inclusive, to see when the issue started:

• v3.0.0 to v3.0.7 => The ECDH test passes
• v3.0.8 to v3.0.10 => The ECDH test fails

Looking back, I updated all of my dependencies 8 days ago. Next time I will update one dependency at a time.

That update is where my project picked up v3.0.8, and that version is the first which gives me the ECDH error.
justincranford/cryptoutil@b7d527b#r163412727

[lestrrat]

Oh I see. You're passing a private key to encrypt. You need the public key to encrypt. But yeah, since it's a private key, it encompasses the public key, it should figure out what to do.
Sorry, the error message threw me off, as I thought it was key conversion error. I suppose the error message can also be tweaked.

I suppose something like this might work (untested). This diff is against v3.0.10.

diff --git a/jwe/encrypt.go b/jwe/encrypt.go
index a71e7168..4b47c10f 100644
--- a/jwe/encrypt.go
+++ b/jwe/encrypt.go
@@ -97,8 +97,13 @@ func (e *encrypter) EncryptKey(cek []byte) (keygen.ByteSource, error) {
                }
 
                // Handle ecdsa.PublicKey by value - convert to pointer
-               if pk, ok := keyToUse.(ecdsa.PublicKey); ok {
-                       keyToUse = &pk
+               switch key := keyToUse.(type) {
+               case ecdsa.PublicKey:
+                       keyToUse = &key
+               case *ecdsa.PrivateKey:
+                       keyToUse = &key.PublicKey
+               case ecdh.PrivateKey:
+                       keyToUse = key.PublicKey()
                }
 
                // Determine key type and call appropriate function

I haven't tested it yet; it would help if you could actually provide me with a Go test case and not a separate executable so I can just copy the relevant parts.

[justincranford]

Interesting!

I see what you mean. I call encrypt with an ECDH or RSA private JWK. ECDH private JWK stopped working in v3.0.8+, but RSA private JWK still works.

I think an error makes sense, and I would update my code. However, I can see your argument for continuing to support private JWKs too, since they encompass the public key.

Whatever you choose, it could help to make ECDH and RSA consistent.

---

Are you able to copy parts of the test? I covered ECDH, RSA, and AES to look for differences. The test case loop just has 1) import, 2) encrypt, 3) decrypt, and 3) compare.

• https://github.com/justincranford/jwe-encrypt-decrypt/blob/c379f67ef67b3a7cfae453bf324d0dbeac715705/import_encrypt_decrypt_test.go#L35-L37