JOSE.JWK.block_encrypt error on passed message, working in isolation

Hey folks!

Lately I’ve been revisiting one of our internal services based on Phoenix, Mongodb, and some other stuff, and been updating dependencies. Everything seemed fine before switching MongoDB driver to an alternative, which required me tu update phoenix_pubsub / phoenix / joken / JOSE. And right now I’m facing exceptions on encryption/decryption which work in isolation, but do not work in the project.

Below you can find my example of encryption working and exception thrown in tests (same keys, algorithms, etc.).

dependencies used

{:jose, "~> 1.11.0"},
{:jason, "~> 1.1"}

exception while trying to encode

// logs
     2021-06-08 14:08:33.727 [debug] jwk: %JOSE.JWK{fields: %{}, keys: :undefined, kty: {:jose_jwk_kty_oct, <<181, 163, 44, 70, 126, 179, 112, 230, 248, 132, 74, 138, 173, 86, 158, 187, 104, 48, 164, 38, 59, 93, 77, 152, 152, 8, 119, 75, 228, 116, 10, 114>>}}
     2021-06-08 14:08:33.728 [debug] npt: "text to be encrypted"
     2021-06-08 14:08:33.728 [debug] jwe: %{"alg" => "A256KW", "enc" => "A256GCM"}

// failing line
     with {%{alg: :jose_jwe_alg_aes_kw, enc: :jose_jwe_enc_aes}, jwt} <- JOSE.JWE.block_encrypt(jwk, plain_text, jwe),
         {_, jwt_compact} <- JOSE.JWE.compact(jwt),
      do: {:ok, jwt_compact}
         ** (EXIT) an exception was raised:
             ** (ErlangError) Erlang error: {:badarg, {'api_ng.c', 143}, 'Bad key size'}
                 (crypto 5.0.2) :crypto.ng_crypto_one_time_nif(:aes_128_ecb, <<181, 163, 44, 70, 126, 179, 112, 230, 248, 132, 74, 138, 173, 86, 158, 187, 104, 48, 164, 38, 59, 93, 77, 152, 152, 8, 119, 75, 228, 116, 10, 114>>, "", <<166, 166, 166, 166, 166, 166, 166, 166, 156, 151, 247, 248, 181, 10, 42, 201>>, true, :undefined)
                 (jose 1.11.1) src/jwa/jose_jwa.erl:69: :jose_jwa."-block_encrypt/3-lbc$^0/2-0-"/3
                 (jose 1.11.1) src/jwa/jose_jwa_aes_kw.erl:73: :jose_jwa_aes_kw.do_wrap/5
                 (jose 1.11.1) src/jwa/jose_jwa_aes_kw.erl:63: :jose_jwa_aes_kw.do_wrap/4
                 (jose 1.11.1) src/jwe/jose_jwe_alg_aes_kw.erl:99: :jose_jwe_alg_aes_kw.key_encrypt/3
                 (jose 1.11.1) src/jwe/jose_jwe.erl:324: :jose_jwe.key_encrypt/3
                 (jose 1.11.1) src/jwe/jose_jwe.erl:232: :jose_jwe.block_encrypt/5
                 (<internal_name> 0.1.0) lib/<internal_name>/client.ex:168: <internal_name>.<internal_name>/3
                 (<internal_name> 0.1.0) lib/<internal_name>/client.ex:68: <internal_name>.Client.handle_call/3
                 (stdlib 3.15.1) gen_server.erl:721: :gen_server.try_handle_call/4
                 (stdlib 3.15.1) gen_server.erl:750: :gen_server.handle_msg/6
                 (stdlib 3.15.1) proc_lib.erl:226: :proc_lib.init_p_do_apply/3
         (elixir 1.12.0) lib/gen_server.ex:1024: GenServer.call/3
         (<internal_name> 0.1.0) lib<internal_name>/something.ex:155: anonymous fn/5 in <internal_name>.handle_call/3
         (elixir 1.12.0) lib/task/supervised.ex:90: Task.Supervised.invoke_mfa/2
         (stdlib 3.15.1) proc_lib.erl:226: :proc_lib.init_p_do_apply/3

working example:

 > iex -S mix
Erlang/OTP 23 [erts-11.2] [source] [64-bit] [smp:12:12] [ds:12:12:10] [async-threads:1] [hipe] [dtrace]

Interactive Elixir (1.11.4) - press Ctrl+C to exit (type h() ENTER for help)
iex(1)> jwk_base64 = "eyJrIjoidGFNc1JuNnpjT2I0aEVxS3JWYWV1Mmd3cENZN1hVMlltQWgzUy1SMENuSSIsImt0eSI6Im9jdCJ9"
"eyJrIjoidGFNc1JuNnpjT2I0aEVxS3JWYWV1Mmd3cENZN1hVMlltQWgzUy1SMENuSSIsImt0eSI6Im9jdCJ9"
iex(2)> jwk_json = Base.url_decode64!(jwk_base64)
"{\"k\":\"taMsRn6zcOb4hEqKrVaeu2gwpCY7XU2YmAh3S-R0CnI\",\"kty\":\"oct\"}"
iex(3)> jwk_wrap_key = JOSE.JWK.from({%{kty: :jose_jwk_kty_oct}, jwk_json})
%JOSE.JWK{
  fields: %{},
  keys: :undefined,
  kty: {:jose_jwk_kty_oct,
   <<181, 163, 44, 70, 126, 179, 112, 230, 248, 132, 74, 138, 173, 86, 158, 187,
     104, 48, 164, 38, 59, 93, 77, 152, 152, 8, 119, 75, 228, 116, 10, 114>>}
}
iex(4)> plain_text = "text to be encrypted"
"text to be encrypted"
iex(5)> jwe = %{"alg" => "A256KW", "enc" => "A256GCM"}
%{"alg" => "A256KW", "enc" => "A256GCM"}
iex(6)> JOSE.JWE.block_encrypt(jwk_wrap_key, plain_text, jwe)
{%{alg: :jose_jwe_alg_aes_kw, enc: :jose_jwe_enc_aes},
 %{
   "ciphertext" => "rZm1kJsqxguXTKKCXPaeZruSXKA",
   "encrypted_key" => "Qv3veT41-8x_WPKi0UJs1hE4wW7v81jZsCFawp7kJMesfPq3Elc9_A",
   "iv" => "Cs9bZYC4nBBLknqH",
   "protected" => "eyJhbGciOiJBMjU2S1ciLCJlbmMiOiJBMjU2R0NNIn0",
   "tag" => "Y4lsUSEhQRcJqvlgevUp7Q"
 }}

I hope that’s enough information here. And sorry if that may be a trivial problem with easy solution, but tbh I feel stumped, Elixir is not my primary programming language and I’ve been tasked with diving in the project.

Cheers!