Hi All, I'm trying to use Jose to create general purpose I believe I should be using the JSON Web Encryption (JWE) Compact encryption and decryption methods described in the docs, but I'm having real difficulty putting everything together. I'd like to use a symmetric algorithm A256GCM - as well as import my key from a base64 encoded string secret.

Here's what I've got so far: I generated my CryptoKey as follows:

```ts
async function generateCryptoKey() {
  const key = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, [
    'encrypt',
    'decrypt',
  ])
  return key
}
```

... and then used two helper functions to export, save, and re-import the key:

```ts
async function exportKeyToBase64(cryptoKey: CryptoKey) {
  // Export the key as a raw buffer
  const exported = await crypto.subtle.exportKey('raw', cryptoKey)
  // Convert the buffer to a base64 string
  const base64Key = btoa(String.fromCharCode(...new Uint8Array(exported)))
  return base64Key
}

async function importKeyFromBase64(base64Key: string) {
  // Decode the base64 string to a binary string
  const binaryString = atob(base64Key)
  // Convert the binary string to an array buffer
  const keyBuffer = new Uint8Array([...binaryString].map((char) => char.charCodeAt(0))).buffer
  // Import the buffer as a CryptoKey
  const cryptoKey = await crypto.subtle.importKey(
    'raw', // Format of the key
    keyBuffer, // Key material
    { name: 'AES-GCM' }, // Algorithm the key will be used with
    true, // Whether the key is extractable (we allow this for re-export)
    ['encrypt', 'decrypt'] // Key usage
  )
  return cryptoKey
}
```

And then created what I thought was a 'symmetric' algorithm instance of CompactEncrypt:

```ts
export async function encryptObject(obj: any) {
  const secretKey = await importKeyFromBase64(base64SecretKey)
  const payload = new TextEncoder().encode(JSON.stringify(obj))
  const jwe = await new CompactEncrypt(payload)
    .setProtectedHeader({ alg: 'A256GCM', enc: 'A256GCM' })
    .encrypt(secretKey)
  console.log(jwe)
  return jwe
}
```

But I receive the following error when trying to encrypt:

Any suggestions or help would be greatly appreciated.
Replies: 1 comment 1 reply
`A256GCM` is not a key management algorithm, it's a content encryption algorithm, so change `alg` in the protected header to `dir` to directly use the passed key for the content encryption.