Hi All,

When I tried to set up a POC for multiple recipients for JWE by following the example under the section "JWE JSON", I went on quite a journey and could not make it work.

The first thing that I found was that the example itself never works for the second recipient, for the reasons below:

· it generates a different unencrypted CEK for each recipient. However, I think the CEK should be shared across the different recipients.
· it doesn't have per-recipient headers that allow the decryption side to locate the right "encrypted_key". (https://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-40#appendix-A.4.7)

After realizing that, I created a shared unencrypted CEK for both recipients with the method:

JweUtils.getContentEncryptionProvider(CONTENT_KEY, ContentAlgorithm.A128GCM);

and tried to set per-recipient headers to identify the recipients (like using "kid") with the method:

p.encryptWith(jweList, jweheadersList); // jweheadersList contains per-recipient headers.

However, it didn't allow me to do so. The code that I found preventing me from doing so is in the class JweJsonProducer, lines 116-117:

jsonHeaders = new JweHeaders(unionHeaders.asMap());
jsonHeaders.asMap().putAll(perRecipientUnprotected.asMap());

These lines obtain a reference to the map of unionHeaders, and when the current recipient's headers are added to jsonHeaders, as a side effect, unionHeaders is changed as well. And when it tries to check the uniqueness of headers for the second recipient, it fails.

Could anybody please advise whether this is the expected behavior? If it is, what is the correct way to make multiple recipients work? If it is not, when can we expect multiple recipients to work?

Cheers,
Ella
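The aliasing side effect described above, reproduced as an added example (not CXF's code and not part of the original message): a stand-in `Headers` class that, like the reported lines, keeps a reference to the map it is given, so merging recipient 1's "kid" into the per-recipient headers also pollutes the shared union headers and makes recipient 2's uniqueness check fail; copying the union map first avoids this. The class names, `merge` helper and sample header values are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Hypothetical stand-in for the JweJsonProducer header-merging logic; not CXF's own code.
public class JweHeaderMergeDemo {

    // Minimal stand-in for JweHeaders: a thin wrapper that keeps the map reference it receives.
    static final class Headers {
        private final Map<String, Object> map;
        Headers(Map<String, Object> map) { this.map = map; }
        Map<String, Object> asMap() { return map; }
    }

    /** Merges per-recipient headers into the union headers for two recipients.
     *  copyUnion=false aliases the union map (the reported behaviour);
     *  copyUnion=true takes a defensive copy first.
     *  Returns the index of the recipient whose uniqueness check fails, or -1 if all pass. */
    static int merge(boolean copyUnion) {
        Headers unionHeaders = new Headers(new LinkedHashMap<>());
        unionHeaders.asMap().put("enc", "A128GCM");   // shared content-encryption header
        // Constructed per-recipient unprotected headers; both use "kid" to identify the recipient.
        List<Map<String, Object>> recipients = List.of(
            Map.of("kid", "recipient-1"),
            Map.of("kid", "recipient-2"));

        for (int i = 0; i < recipients.size(); i++) {
            Map<String, Object> perRecipientUnprotected = recipients.get(i);
            // Uniqueness check: a per-recipient header name must not already be in the union.
            for (String name : perRecipientUnprotected.keySet()) {
                if (unionHeaders.asMap().containsKey(name)) {
                    return i;   // duplicate header name: this recipient is rejected
                }
            }
            // Aliased: jsonHeaders and unionHeaders share one map, so putAll leaks "kid" into the union.
            // Copied: the union map stays untouched for the next recipient.
            Headers jsonHeaders = copyUnion
                ? new Headers(new LinkedHashMap<>(unionHeaders.asMap()))
                : new Headers(unionHeaders.asMap());
            jsonHeaders.asMap().putAll(perRecipientUnprotected);
        }
        return -1;
    }

    public static void main(String[] args) {
        System.out.println("aliased union, first failing recipient index: " + merge(false));
        System.out.println("copied union, first failing recipient index:  " + merge(true));
    }
}
```

With the aliased map the second recipient (index 1) is rejected because "kid" already sits in the union after the first merge; with the defensive copy both recipients pass.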
