JOSE v6 ECDH-ES Encryption Fails with APU/APV Parameters #809
huckle-panda asked this question in Q&A. Answered by panva.
Hi, I'm finding when

```js
// According to ISO 18013-7 B.4.3.3.2:
const mdocGeneratedNonce = crypto.randomBytes(32).toString('hex'); // Generated by wallet
const verifierNonce = 'nonce-from-authorization-request'; // From verifier's request
const jwe = await new jose.CompactEncrypt(
  new TextEncoder().encode(JSON.stringify(payload))
)
  .setProtectedHeader({
    alg: 'ECDH-ES',
    enc: 'A256GCM',
    apu: Buffer.from(mdocGeneratedNonce).toString('base64url'), // mdocGeneratedNonce
    apv: Buffer.from(verifierNonce).toString('base64url'), // verifier's nonce
    kid: recipientKey.kid
  })
  .encrypt(recipientPublicKey);
const decrypted = await jose.compactDecrypt(jwe, recipientKeyPair.privateKey);
// Throws: JWEDecryptionFailed
```

jose v6.0.11
Answered by panva, Jul 7, 2025
This is not well explained, you have to pass apu and apv like so.

```js
import * as crypto from "crypto";
import * as jose from "jose";

const recipient = crypto.generateKeyPairSync("x25519");
const data = Buffer.from(
  "You can trust us to stick with you through thick and thin–to the bitter end. And you can trust us to keep any secret of yours–closer than you keep it yourself. But you cannot trust us to let you face trouble alone, and go off without a word. We are your friends, Frodo."
);
const jwe = await new jose.CompactEncrypt(data)
  .setProtectedHeader({
    alg: "ECDH-ES",
    enc: "A256GCM",
  })
  .setKeyManagementParameters({
    apu: Buffer.from("apu value"),
    apv: Buffer.from("apv value"),
  })
  .encrypt(recipient.publicKey);
const plaintext = await jose.compactDecrypt(jwe, recipient.privateKey);
console.log(plaintext);
```
Answer selected by huckle-panda

Thank you. Donated.
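Why apu and apv have to reach the key agreement step, as an added example that is not part of the thread or of jose's code: ECDH-ES derives the content encryption key with Concat KDF (RFC 7518 section 4.6), and both values are KDF inputs, so sender and recipient must feed it the same bytes. The helper names (`u32`, `lp`, `concatKdf`) are this example's own; the input is the test vector from RFC 7518 Appendix C.

```javascript
// Concat KDF as used by ECDH-ES (RFC 7518 section 4.6); added example, not jose's code.
// Loads node:crypto whether the file runs as CommonJS or as an ES module.
const { createHash } = typeof require === "function"
  ? require("node:crypto")
  : process.getBuiltinModule("node:crypto");

// 32-bit big-endian integer.
function u32(n) {
  const b = Buffer.alloc(4);
  b.writeUInt32BE(n);
  return b;
}

// Length-prefixed datum: 32-bit big-endian length, then the bytes.
const lp = (buf) => Buffer.concat([u32(buf.length), buf]);

// Derive keyBits of key material from the ECDH shared secret z.
// algId is the "enc" value for direct ECDH-ES ("alg" for ECDH-ES+A*KW).
function concatKdf(z, algId, keyBits, apu = Buffer.alloc(0), apv = Buffer.alloc(0)) {
  const otherInfo = Buffer.concat([
    lp(Buffer.from(algId, "ascii")), // AlgorithmID
    lp(apu),                         // PartyUInfo
    lp(apv),                         // PartyVInfo
    u32(keyBits),                    // SuppPubInfo (SuppPrivInfo is empty)
  ]);
  const blocks = [];
  for (let counter = 1; blocks.length * 32 < keyBits / 8; counter++) {
    blocks.push(
      createHash("sha256").update(u32(counter)).update(z).update(otherInfo).digest()
    );
  }
  return Buffer.concat(blocks).subarray(0, keyBits / 8);
}

// RFC 7518 Appendix C: shared secret Z, enc "A128GCM", apu "Alice", apv "Bob".
const Z = Buffer.from([
  158, 86, 217, 29, 129, 113, 53, 211, 114, 131, 66, 131, 191, 132, 38, 156,
  251, 49, 110, 163, 218, 128, 106, 72, 246, 218, 167, 121, 140, 254, 144, 196,
]);

// Same shared secret, with and without the party info.
const withParties = concatKdf(Z, "A128GCM", 128, Buffer.from("Alice"), Buffer.from("Bob"));
const withoutParties = concatKdf(Z, "A128GCM", 128);

console.log(withParties.toString("base64url"));  // VqqN6vgjbSBcIijNcacQGg
console.log(withoutParties.equals(withParties)); // false
```

A key derived with different or missing apu/apv does not match the sender's, so the AES-GCM tag check fails on decryption.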