[cifs-protocol] [MS-OAPXBC] Incorrect session key instructions

David Mulder dmulder at samba.org
Wed Jan 17 20:50:16 UTC 2024


On 1/17/24 1:29 PM, David Mulder via cifs-protocol wrote:
> In [MS-OAPXBC] section 3.2.5.1.2.2, it says to obtain the session key, 
> to decrypt the base64 encoded JWE called `session_key_jwe` in the json 
> response object. There are a couple of issues with this.
>
> First, the `session_key_jwe` is not base64 encoded.
Well, technically each field of a JWE is base64 encoded prior to 
parsing. Perhaps this is what the [MS-OAPXBC] spec is referring to? If 
so, that wording is a bit confusing.
> Is there some kind of padding in the CEK field of a JWE response from 
> MS? We've tried truncating the field to decrypt it, but to no avail. 
> We also thought that perhaps the CEK itself was base64 encoded (which 
> FYI would not obey the [RFC7516] spec), but that doesn't allow 
> decryption of the field either.
Here I meant we attempted to base64 decode the field a second time, 
which seems odd, but [MS-OAPXBC] isn't clear what it means.

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com
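The point made above, that a compact JWE is five dot-separated segments each of which is base64url-encoded (RFC 7516 / RFC 7515, URL-safe alphabet, no `=` padding) before you ever get to the encrypted key, is easy to get wrong with a stock base64 decoder that insists on padding. The following is an added example, not code from this thread or from Samba, that pulls `session_key_jwe` out of a JSON response object, splits it into its segments, base64url-decodes each one, and sanity-checks the decoded JWE Encrypted Key against the RSA modulus size. The JSON response, header and segment contents are constructed sample values, and `check_encrypted_key_length` is an assumption of mine based on how RSA-OAEP/RSA1_5 key wrap produces a single modulus-sized block, not anything [MS-OAPXBC] states.

```python
import base64
import json

# Constructed sample header; not taken from any real MS-OAPXBC exchange.
SAMPLE_HEADER = {"alg": "RSA-OAEP", "enc": "A256GCM"}


def b64url_encode(data: bytes) -> str:
    """RFC 7515 base64url: URL-safe alphabet with the trailing '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode base64url as used by JWE, restoring the padding Python's decoder requires.

    A JWE segment never carries '=' on the wire, so a decoder that demands
    padding fails on every segment whose length is not a multiple of 4.
    """
    text = text.strip()
    pad = (-len(text)) % 4
    if pad == 3:  # a base64 quantum can be 2, 3 or 4 chars, never 1
        raise ValueError("invalid base64url length")
    return base64.urlsafe_b64decode(text + "=" * pad)


def build_sample_jwe(header: dict, encrypted_key: bytes, iv: bytes,
                     ciphertext: bytes, tag: bytes) -> str:
    """Assemble a compact JWE from raw parts (constructed test data only)."""
    segments = [
        json.dumps(header, separators=(",", ":")).encode("utf-8"),
        encrypted_key, iv, ciphertext, tag,
    ]
    return ".".join(b64url_encode(s) for s in segments)


def parse_compact_jwe(jwe: str) -> dict:
    """Split a compact JWE into its five segments and base64url-decode each of them.

    Returns raw bytes for every segment except the protected header,
    which is parsed as JSON. The encrypted key is the wrapped CEK, still
    encrypted; unwrapping it with the private key is a separate step.
    """
    parts = jwe.split(".")
    if len(parts) != 5:
        raise ValueError(f"compact JWE needs 5 segments, got {len(parts)}")
    header_raw, encrypted_key, iv, ciphertext, tag = (b64url_decode(p) for p in parts)
    return {
        "protected": json.loads(header_raw.decode("utf-8")),
        "encrypted_key": encrypted_key,
        "iv": iv,
        "ciphertext": ciphertext,
        "tag": tag,
    }


def extract_session_key_jwe(response_json: str) -> dict:
    """Take the `session_key_jwe` field of a JSON response object and parse it."""
    obj = json.loads(response_json)
    return parse_compact_jwe(obj["session_key_jwe"])


def check_encrypted_key_length(parsed: dict, rsa_modulus_bytes: int) -> bool:
    """Assumption: for RSA-OAEP / RSA1_5 the JWE Encrypted Key is exactly one
    RSA modulus-sized block, so a length mismatch after one base64url decode
    means the segment is not what the decryptor expects."""
    alg = parsed["protected"].get("alg", "")
    if not alg.startswith("RSA"):
        raise ValueError(f"length check only meaningful for RSA key wrap, alg={alg!r}")
    return len(parsed["encrypted_key"]) == rsa_modulus_bytes


# Constructed sample: a 2048-bit RSA wrap block, 96-bit GCM IV, 128-bit tag.
SAMPLE_ENCRYPTED_KEY = bytes(range(256))
SAMPLE_IV = bytes(range(12))
SAMPLE_CIPHERTEXT = b"\x11" * 32
SAMPLE_TAG = b"\x00" * 16
SAMPLE_RESPONSE = json.dumps({
    "session_key_jwe": build_sample_jwe(
        SAMPLE_HEADER, SAMPLE_ENCRYPTED_KEY, SAMPLE_IV, SAMPLE_CIPHERTEXT, SAMPLE_TAG),
})

if __name__ == "__main__":
    parsed = extract_session_key_jwe(SAMPLE_RESPONSE)
    print(parsed["protected"])
    print("encrypted key bytes:", len(parsed["encrypted_key"]))
    print("RSA-2048 sized:", check_encrypted_key_length(parsed, 256))
```

The length check is the quick way to tell whether a segment survived exactly one base64url decode: for a 2048-bit RSA wrap key the decoded Encrypted Key must be 256 bytes, and any other length points at an encoding mismatch rather than at the decryption itself.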