Fix uvf spec.version.

Author: chenkins

cryptomator/src/main/java/ch/cyberduck/core/cryptomator/impl/uvf/CryptoVault.java

@@ -56,19 +56,25 @@
 
 import java.nio.charset.StandardCharsets;
 import java.text.ParseException;
+import java.util.Collections;
 import java.util.EnumSet;
 import java.util.Objects;
 import java.util.regex.Pattern;
 
+import com.fasterxml.jackson.core.JsonProcessingException;
 import com.google.auto.service.AutoService;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.JWEObjectJSON;
+import com.nimbusds.jose.Payload;
 import com.nimbusds.jose.crypto.MultiDecrypter;
+import com.nimbusds.jose.jwk.JWK;
 
 @AutoService(Vault.class)
 public class CryptoVault extends AbstractVault {
     private static final Logger log = LogManager.getLogger(CryptoVault.class);
 
+    private static final String UVF_SPEC_VERSION_KEY_PARAM = "uvf.spec.version";
+
     private static final String REGULAR_FILE_EXTENSION = ".uvf";
     private static final String FILENAME_DIRECTORYID = "dir";
     private static final String DIRECTORY_METADATA_FILENAME = String.format("%s%s", FILENAME_DIRECTORYID, REGULAR_FILE_EXTENSION);
@@ -128,20 +134,40 @@ public AbstractVault create(final Session<?> session, final String region, final
         return this;
     }
 
+    public static String decryptWithJWK(final String jwe, final JWK jwk) throws ParseException, JOSEException, JsonProcessingException, VaultException {
+        final JWEObjectJSON jweObject = JWEObjectJSON.parse(jwe);
+        jweObject.decrypt(new MultiDecrypter(jwk, Collections.singleton(UVF_SPEC_VERSION_KEY_PARAM)));
+
+        // https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.11
+        // Recipients MAY consider the JWS to be invalid if the critical
+        // list contains any Header Parameter names defined by this
+        // specification or [JWA] for use with JWS or if any other constraints on its use are violated.
+        final Object uvfSpecVersion = jweObject.getHeader().getCustomParams().get(UVF_SPEC_VERSION_KEY_PARAM);
+        if(uvfSpecVersion.equals(1)) {
+            throw new VaultException(String.format("Unexpected value for critical header %s: found %s, expected \"1\"", UVF_SPEC_VERSION_KEY_PARAM, uvfSpecVersion));
+        }
+
+        final Payload payload = jweObject.getPayload();
+        return payload.toString();
+    }
+
+
     // load -> unlock -> open
     @Override
     public CryptoVault load(final Session<?> session, final PasswordCallback callback, final VaultMetadataProvider metadata) throws BackgroundException {
-        final JWKCallback jwk = JWKCallback.cast(callback);
+        final JWKCallback jwkCallback = JWKCallback.cast(callback);
         final VaultMetadataUVFProvider metadataProvider = VaultMetadataUVFProvider.cast(metadata);
-        final JWEObjectJSON jweObject;
+        final String uvfMetadata;
         try {
-            jweObject = JWEObjectJSON.parse(new String(metadataProvider.getMetadata(), StandardCharsets.US_ASCII));
-            jweObject.decrypt(new MultiDecrypter(jwk.prompt(session.getHost(), StringUtils.EMPTY, StringUtils.EMPTY, new LoginOptions()).getKey()));
+            final String jwe = new String(metadataProvider.getMetadata(), StandardCharsets.US_ASCII);
+            final JWK jwk = jwkCallback.prompt(session.getHost(), StringUtils.EMPTY, StringUtils.EMPTY, new LoginOptions()).getKey();
+            uvfMetadata = decryptWithJWK(jwe, jwk);
         }
-        catch(ParseException | JOSEException e) {
+        catch(ParseException | JOSEException | JsonProcessingException e) {
             throw new VaultException("Failure retrieving key material", e);
         }
-        masterKey = UVFMasterkey.fromDecryptedPayload(jweObject.getPayload().toString());
+
+        masterKey = UVFMasterkey.fromDecryptedPayload(uvfMetadata);
         final CryptorProvider provider = CryptorProvider.forScheme(CryptorProvider.Scheme.UVF_DRAFT);
         log.debug("Initialized crypto provider {}", provider);
         this.cryptor = provider.provide(masterKey, FastSecureRandomProvider.get().provide());