I have a requirement to generate JWE tokens from both a Java and a .NET 4.6 C# application (the JWE tokens will be passed between the Java and .NET apps). The Java application is using the Nimbus JOSE library and the .NET application is using the jose-jwt package available on NuGet.
I am currently working on a sample. However, for the same key, key ID and payload, the Java and .NET applications generate different JWE tokens.
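Java encryption code sample (done by another 3rd party and it is not possible to change their implementation):

```java
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.AESEncrypter;

String payloadJson = "{\"testP\":\"test\"}";
byte[] key=<secret key bytes here>;
// Wrap the JSON string; a separate name avoids redeclaring `payload`
Payload payload = new Payload(payloadJson);
// A256KW key wrapping with A256GCM content encryption, plus the key ID
JWEHeader jweHeader = new JWEHeader.Builder(JWEAlgorithm.A256KW, EncryptionMethod.A256GCM).keyID("test_kid").build();
JWEObject jweObject = new JWEObject(jweHeader, payload);
jweObject.encrypt(new AESEncrypter(key));
// Compact serialization of the encrypted token
String encryptedPayload = jweObject.serialize();
```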
.NET code:

```csharp
using Jose;
// ...
string payload = "{\"testP\":\"test\"}";
var headers = new Dictionary<string, object> { {"kid","test_kid"},};
byte[] secretKey =<secret key bytes here>;
var jweToken = JWT.Encode(payload, secretKey, JweAlgorithm.A256KW, JweEncryption.A256GCM, extraHeaders: headers);
```
The two JWE tokens are different. What am I missing here in the .NET code (I'm supposed to change only the .NET code)? Is there any other .NET 4.6 compatible library that we can use for JWE?
That's the normal behaviour. In addition to the key materials, an Initialization Vector (IV) is generated during the computation of the token (see step 9 in section 5.1 of RFC 7516).
This IV shall be a random byte string and entropy shall be sufficient for uniqueness.
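
The behaviour described in the answer can be checked from the .NET side with a round trip rather than a string comparison. The following is an added example, not code from the original posts: it uses the jose-jwt calls `JWT.Encode`, `JWT.Decode` and `JWT.Headers`, and the 32-byte key is a constructed test value. With A256KW a fresh content encryption key is generated per token as well as the IV, so every segment after the header changes between runs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Jose;

static class JweRoundTripCheck
{
    static void Main()
    {
        // Constructed 256-bit test key (A256KW requires exactly 32 bytes).
        // Assumption: in the real setup this is the key shared with the Java side.
        byte[] secretKey = Enumerable.Range(0, 32).Select(i => (byte)i).ToArray();
        string payload = "{\"testP\":\"test\"}";
        var headers = new Dictionary<string, object> { { "kid", "test_kid" } };

        // Encrypt the same payload twice with identical inputs.
        string first = JWT.Encode(payload, secretKey, JweAlgorithm.A256KW,
                                  JweEncryption.A256GCM, extraHeaders: headers);
        string second = JWT.Encode(payload, secretKey, JweAlgorithm.A256KW,
                                   JweEncryption.A256GCM, extraHeaders: headers);

        // JWE compact serialization has five base64url segments.
        string[] names = { "protected header", "encrypted key", "iv", "ciphertext", "tag" };
        string[] a = first.Split('.');
        string[] b = second.Split('.');
        for (int i = 0; i < names.Length; i++)
        {
            Console.WriteLine("{0,-17} {1}", names[i], a[i] == b[i] ? "same" : "differs");
        }

        // Interoperability test: both tokens must decrypt to the original payload.
        // Decode throws if the key is wrong or the token was modified (GCM tag check).
        Console.WriteLine("first decrypts:  " + (JWT.Decode(first, secretKey) == payload));
        Console.WriteLine("second decrypts: " + (JWT.Decode(second, secretKey) == payload));

        // The header is readable without the key; check alg, enc and kid here.
        IDictionary<string, object> header = JWT.Headers(first);
        Console.WriteLine("alg={0} enc={1} kid={2}", header["alg"], header["enc"], header["kid"]);
    }
}
```

A token string produced by the Java application can be passed to `JWT.Decode` with the shared key in the same way; a successful decrypt to the expected payload is the compatibility check.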