Skip to Main Content
  • Questions
  • DBMS_CRYPTO (or other) to decrypt nimbus JOSE token signed and encrypted with A128CBC_HS256

Breadcrumb

Question and Answer

Chris Saxon

Thanks for the question, Victor.

Asked: September 18, 2024 - 5:18 pm UTC

Last updated: September 25, 2024 - 2:50 pm UTC

Version: 19C

Viewed 100+ times

You Asked

Good afternoon.

I have an APEX application that receives a token.
This token has been created in JAVA with the nimbus JOSE library.

It is first signed with the following method:

 public static String signer(final String signerKey, final Payload payload) throws JOSEException, ParseException {
  JWSObject jwsObject = new JWSObject(new JWSHeader(JWSAlgorithm.HS256), payload);
  final OctetSequenceKey keySigner = OctetSequenceKey.parse(signerKey);
  JWSSigner jwssigner = new MACSigner(keySigner);  
  jwsObject.sign(jwssigner);
  return jwsObject.serialize();
 }


It is subsequently encrypted with the following method:

 public static String encrypt(final String PayloadString, final String cypherKey) throws ParseException, JOSEException {
  final Payload payload = new Payload(PayloadString);
  final JWEObject jweObject = new JWEObject(new JWEHeader.Builder(JWEAlgorithm.DIR, EncryptionMethod.A128CBC_HS256)
    .contentType("JWT").compressionAlgorithm(CompressionAlgorithm.DEF).build(), payload);
  final OctetSequenceKey keyEncrypter = OctetSequenceKey.parse(cypherKey);
  final JWEEncrypter jweEncrypter = new DirectEncrypter(keyEncrypter);
  jweObject.encrypt(jweEncrypter);
  return jweObject.serialize();
 }



I have both the encryption key and the signing key.

My question is whether it would be possible to decrypt said token from PL/SQL.
If possible, could you tell me how it could be done?

I've tried to do it with DBMS_CRYPTO but I haven't succeeded.

If it were not possible to do it with PL/SQL code, would it be possible to load the nimbus JOSE JAR file into Oracle to perform the decryption process?

Thank you in advance for your attention and help.

Greetings

and Chris said...

What exactly did you try with DBMS_CRYPTO? How did it fail to work?

It should be possible to decrypt the cipher text in PL/SQL provided you can match the encryption algorithm.

I'm guessing EncryptionMethod.A128CBC_HS256 is equivalent to ENCRYPT_AES128 + CHAIN_CBC in DBMS_CRYPTO, but could very well be something different.

That said, you can load Java into the database. So if you have a working Java decryption class, it may be easier to to use that. The docs contain examples of how to do this:

https://docs.oracle.com/en/database/oracle/oracle-database/23/jjdev/invoking-Java-methods.html#GUID-21F89FA2-D947-42C1-B16A-6722A219EBDA