Context
The RSA1_5 implicit-rejection fix (GHSA-5739-39v2-5754) needs the expected CEK length to build a constant-time random fallback. It currently relies on a hardcoded lookup table in RSA15:
private const CEK_LENGTHS = [
'A128GCM' => 16, 'A192GCM' => 24, 'A256GCM' => 32,
'A128CBC-HS256' => 32, 'A192CBC-HS384' => 48, 'A256CBC-HS512' => 64,
];Problem (SOLID)
This violates SRP/DRY/OCP: RSA15 (a key-encryption algorithm) should not know the CEK sizes of the content-encryption algorithms. The single source of truth is already ContentEncryptionAlgorithm::getCEKSize(). A custom/unknown enc is not in the table, so it falls back to the legacy throwing path (no implicit rejection for that case).
This table was kept deliberately on the maintenance branches (3.4.x / 4.x) to avoid a public BC break, since fixing it properly changes the KeyEncryption::decryptKey() / KeyWrapping::unwrapKey() signatures.
Action for the next major (5.0.0)
Inject the expected CEK size through the interface, exactly as already done for KeyAgreement / KeyAgreementWithKeyWrapping in JWEDecrypter::decryptCEK (which already passes $content_encryption_algorithm->getCEKSize()):
- add an expected-size parameter to
KeyEncryption::decryptKey() (and KeyWrapping::unwrapKey()),
- have
JWEDecrypter pass $content_encryption_algorithm->getCEKSize(),
- forward it through
RSA / RSA15 to RSACrypt::decrypt(),
- delete the
CEK_LENGTHS table.
This is a public BC break, hence scheduled for 5.0.0.
Context
The RSA1_5 implicit-rejection fix (GHSA-5739-39v2-5754) needs the expected CEK length to build a constant-time random fallback. It currently relies on a hardcoded lookup table in
RSA15:Problem (SOLID)
This violates SRP/DRY/OCP:
RSA15(a key-encryption algorithm) should not know the CEK sizes of the content-encryption algorithms. The single source of truth is alreadyContentEncryptionAlgorithm::getCEKSize(). A custom/unknownencis not in the table, so it falls back to the legacy throwing path (no implicit rejection for that case).This table was kept deliberately on the maintenance branches (3.4.x / 4.x) to avoid a public BC break, since fixing it properly changes the
KeyEncryption::decryptKey()/KeyWrapping::unwrapKey()signatures.Action for the next major (5.0.0)
Inject the expected CEK size through the interface, exactly as already done for
KeyAgreement/KeyAgreementWithKeyWrappinginJWEDecrypter::decryptCEK(which already passes$content_encryption_algorithm->getCEKSize()):KeyEncryption::decryptKey()(andKeyWrapping::unwrapKey()),JWEDecrypterpass$content_encryption_algorithm->getCEKSize(),RSA/RSA15toRSACrypt::decrypt(),CEK_LENGTHStable.This is a public BC break, hence scheduled for 5.0.0.