Error Decrypting JWE


Kind of new to the JWE decryption thing. I have a server that performs the JWE and sends it to the client based on a key that is shared between server and client.

I am using jose4j for decrypting and am getting this error:

java.lang.NullPointerException: The plaintext payload for the JWE has not been set.

I am using the sample code as shown in this link, Receiver part:

https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples

I don't have any insight into the server; I am just writing the client. I am confused whether the payload itself is not coming or the framework is goofing up trying to decrypt.

Any pointers to debug the issue are appreciated.

Regards, Aravind

2

There are 2 answers

2
Brian Campbell On BEST ANSWER

That particular exception is only thrown from the getCompactSerialization() method when there is no payload set - getCompactSerialization() is the last step on the sending/encrypting side to create the JWE. If you are decrypting, you shouldn't be calling that. Maybe you've got an accidental call somewhere? Otherwise, the code you're using as well as an example raw JWE value might help troubleshoot (and keys, if it's just a test and you can share them).

0
Aravind R On

The JWE needs 2 levels of decryption before getting the plain text payload.

So first from JWE to JWS, then from JWS to JWT after verifying the signature. The code below will do that.

    import org.jose4j.jwe.JsonWebEncryption;
    import org.jose4j.jws.JsonWebSignature;
    import org.jose4j.lang.JoseException;

    import java.security.Key;

    // jweCompactSerialization is the received JWE (what "result" held in the original snippet);
    // secretKeySpec is the key shared with the server.
    static String decryptAndVerify(String jweCompactSerialization, Key secretKeySpec) throws JoseException {
        // That other party, the receiver, can then use JsonWebEncryption to decrypt the message.
        JsonWebEncryption receiverJwe = new JsonWebEncryption();

        // Set the compact serialization on the new JsonWebEncryption object.
        // This is the received JWE payload.
        receiverJwe.setCompactSerialization(jweCompactSerialization);

        // Symmetric encryption, like we are doing here, requires that both parties have the same key.
        // The key will have had to have been securely exchanged out-of-band somehow.
        receiverJwe.setKey(secretKeySpec);

        // On the receiving side the "alg" and "enc" headers are read from the received JWE,
        // so they do not need to be set here. The sender used direct key management with
        // AES_128_CBC_HMAC_SHA_256; the commented lines show the sender-side calls.
        //receiverJwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.DIRECT);
        //receiverJwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);

        // Get the message that was encrypted in the JWE. This step performs the actual decryption.
        // Do NOT call getCompactSerialization() here; that is the sender-side step.
        String jwsPayload = receiverJwe.getPlaintextString();
        System.out.println("plaintext: " + jwsPayload);

        // The decrypted plaintext is itself a JWS; parse it and verify its signature with the shared key.
        JsonWebSignature jws = new JsonWebSignature();
        jws.setCompactSerialization(jwsPayload);
        jws.setKey(secretKeySpec);

        boolean signatureVerified = jws.verifySignature();
        System.out.println("JWS Signature is valid: " + signatureVerified);
        if (!signatureVerified) {
            // Never use the payload of a JWS whose signature did not verify.
            throw new JoseException("JWS signature verification failed");
        }

        // Get the payload, or signed content, from the JWS
        String payload = jws.getPayload();
        System.out.println("JWS payload: " + payload);
        return payload;
    }
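The thread only shows the receiving half. The following is an added example (not code from the original answers or from the jose4j wiki) that runs the whole nested-JWT round trip with jose4j: the sender signs the claims into a JWS and encrypts that JWS into a JWE, and the receiver decrypts and then verifies. The class name `NestedJwtRoundTrip`, the method names, and the use of two separate randomly generated keys (one for HMAC signing, one for direct-mode content encryption) are my assumptions; the thread itself uses a single shared key for both. It also shows where getCompactSerialization() belongs (sender side only, after a payload has been set), which is the root of the NullPointerException asked about, and pins the accepted algorithms on the receiving side instead of trusting whatever the incoming header claims.

```java
import org.jose4j.jwa.AlgorithmConstraints;
import org.jose4j.jwa.AlgorithmConstraints.ConstraintType;
import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
import org.jose4j.jwe.JsonWebEncryption;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jws.AlgorithmIdentifiers;
import org.jose4j.jws.JsonWebSignature;
import org.jose4j.keys.AesKey;
import org.jose4j.keys.HmacKey;
import org.jose4j.lang.ByteUtil;
import org.jose4j.lang.JoseException;

import java.security.Key;

// Hypothetical class name; not part of jose4j or the original thread.
public class NestedJwtRoundTrip {

    // Sender side: sign the claims (JWS), then encrypt the JWS (JWE).
    static String signThenEncrypt(String claimsJson, Key signingKey, Key encryptionKey) throws JoseException {
        JsonWebSignature jws = new JsonWebSignature();
        jws.setPayload(claimsJson);
        jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.HMAC_SHA256);
        jws.setKey(signingKey);
        // Payload is set, so getCompactSerialization() is valid here (sender side).
        String jwsCompact = jws.getCompactSerialization();

        JsonWebEncryption jwe = new JsonWebEncryption();
        jwe.setPayload(jwsCompact); // the JWS is the plaintext of the JWE
        jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.DIRECT);
        jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
        jwe.setKey(encryptionKey);
        jwe.setContentTypeHeaderValue("JWT"); // RFC 7519 convention for a nested JWT
        return jwe.getCompactSerialization();
    }

    // Receiver side: decrypt (JWE -> JWS), then verify (JWS -> claims).
    // getCompactSerialization() is never called here; doing so on an object with no
    // payload set is what produces "The plaintext payload for the JWE has not been set."
    static String decryptThenVerify(String jweCompact, Key signingKey, Key encryptionKey) throws JoseException {
        JsonWebEncryption jwe = new JsonWebEncryption();
        // Only accept the algorithms we expect, rather than whatever the header says.
        jwe.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                KeyManagementAlgorithmIdentifiers.DIRECT));
        jwe.setContentEncryptionAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256));
        jwe.setCompactSerialization(jweCompact);
        jwe.setKey(encryptionKey);
        String innerJws = jwe.getPlaintextString(); // decrypts and checks the authentication tag

        JsonWebSignature jws = new JsonWebSignature();
        jws.setAlgorithmConstraints(new AlgorithmConstraints(ConstraintType.PERMIT,
                AlgorithmIdentifiers.HMAC_SHA256));
        jws.setCompactSerialization(innerJws);
        jws.setKey(signingKey);
        if (!jws.verifySignature()) {
            throw new JoseException("inner JWS signature did not verify");
        }
        return jws.getPayload();
    }

    public static void main(String[] args) throws JoseException {
        // Constructed sample keys for this example; in a real deployment both are
        // shared out-of-band and should be distinct from each other.
        Key signingKey = new HmacKey(ByteUtil.randomBytes(32));    // HS256 needs >= 256 bits
        Key encryptionKey = new AesKey(ByteUtil.randomBytes(32));  // A128CBC-HS256 uses a 256-bit key
        String claims = "{\"sub\":\"alice\",\"iss\":\"example-server\"}"; // constructed claims

        String token = signThenEncrypt(claims, signingKey, encryptionKey);
        String recovered = decryptThenVerify(token, signingKey, encryptionKey);
        System.out.println(recovered.equals(claims) ? "round trip OK" : "MISMATCH");
    }
}
```

Run it with jose4j on the classpath; it prints "round trip OK". If you want to reproduce the exception from the question, construct a `JsonWebEncryption`, set only a key, and call `getCompactSerialization()` without ever calling `setPayload(...)`: that is the sender-side path the exception comes from, and it is the call a receiver should not be making.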