@atcute/oauth-crypto 0.1.0

package/dist/dpop/verify.js

@@ -0,0 +1,124 @@
+import { fromBase64Url } from '@atcute/multibase';
+import { decodeUtf8From } from '@atcute/uint8array';
+import * as v from '@badrap/valita';
+import { getImportAlgorithm } from '../internal/crypto.js';
+import { computeJktFromJwk } from '../jwk/compute-jkt.js';
+import { verifyJwt } from '../jwt/index.js';
+const dpopJwkSchema = v.union(v.object({
+    kty: v.literal('EC'),
+    crv: v.union(v.literal('P-256'), v.literal('P-384'), v.literal('P-521')),
+    x: v.string(),
+    y: v.string(),
+}), v.object({
+    kty: v.literal('RSA'),
+    e: v.string(),
+    n: v.string(),
+}));
+const dpopHeaderSchema = v.object({
+    typ: v.literal('dpop+jwt'),
+    alg: v.string().assert((alg) => alg !== 'none', 'alg must not be "none"'),
+    jwk: dpopJwkSchema,
+});
+const dpopPayloadSchema = v.object({
+    htm: v.string(),
+    htu: v.string(),
+    iat: v.number(),
+    jti: v.string(),
+    nonce: v.string().optional(),
+});
+/**
+ * error thrown when dpop verification fails.
+ */
+export class DpopVerifyError extends Error {
+    code;
+    constructor(message, code) {
+        super(message);
+        this.code = code;
+        this.name = 'DpopVerifyError';
+    }
+}
+/**
+ * verifies a dpop proof from a request header.
+ *
+ * @param dpopHeader dpop header value
+ * @param options verification options
+ * @returns verification result with claims and jwk thumbprint
+ * @throws {DpopVerifyError} if verification fails
+ */
+export const verifyDpopProof = async (dpopHeader, options) => {
+    if (!dpopHeader) {
+        throw new DpopVerifyError(`missing dpop header`, 'missing');
+    }
+    const { method, url, nonce: dpopNonce, maxClockSkew = 60 } = options;
+    const parts = dpopHeader.split('.');
+    if (parts.length !== 3) {
+        throw new DpopVerifyError(`invalid dpop proof format`, 'invalid');
+    }
+    let header;
+    try {
+        header = dpopHeaderSchema.parse(decodeSegment(parts[0]), { mode: 'passthrough' });
+    }
+    catch {
+        throw new DpopVerifyError(`invalid dpop header`, 'invalid');
+    }
+    const { jwk, alg } = header;
+    if (!isSigningAlgorithm(alg)) {
+        throw new DpopVerifyError(`unsupported dpop alg`, 'invalid');
+    }
+    let payload;
+    try {
+        const key = await importPublicKey(jwk, alg);
+        const raw = await verifyJwt(dpopHeader, { key, alg, typ: 'dpop+jwt' });
+        payload = dpopPayloadSchema.parse(raw, { mode: 'passthrough' });
+    }
+    catch (err) {
+        if (err instanceof v.ValitaError) {
+            throw new DpopVerifyError(`invalid dpop payload`, 'invalid');
+        }
+        throw new DpopVerifyError(`dpop signature verification failed`, 'invalid');
+    }
+    if (payload.htm !== method) {
+        throw new DpopVerifyError(`dpop htm mismatch: expected ${method}, got ${payload.htm}`, 'invalid');
+    }
+    if (payload.htu !== url) {
+        throw new DpopVerifyError(`dpop htu mismatch: expected ${url}, got ${payload.htu}`, 'invalid');
+    }
+    const now = Math.floor(Date.now() / 1000);
+    if (payload.iat > now + maxClockSkew) {
+        throw new DpopVerifyError(`dpop proof issued in the future`, 'invalid');
+    }
+    if (payload.iat < now - maxClockSkew) {
+        throw new DpopVerifyError(`dpop proof expired`, 'expired');
+    }
+    if (dpopNonce) {
+        if (!payload.nonce || !(await dpopNonce.check(payload.nonce))) {
+            throw new DpopVerifyError(`invalid or missing dpop nonce`, 'nonce_required');
+        }
+    }
+    const jkt = await computeJktFromJwk(jwk);
+    return { claims: payload, jwk: jwk, jkt };
+};
+const importPublicKey = async (jwk, alg) => {
+    const algorithm = getImportAlgorithm(alg, jwk.kty === 'EC' ? jwk.crv : undefined);
+    const key = await crypto.subtle.importKey('jwk', jwk, algorithm, true, ['verify']);
+    if (!(key instanceof CryptoKey)) {
+        throw new Error(`expected asymmetric key, got symmetric`);
+    }
+    return key;
+};
+const isSigningAlgorithm = (alg) => {
+    return (alg === 'ES256' ||
+        alg === 'ES384' ||
+        alg === 'ES512' ||
+        alg === 'PS256' ||
+        alg === 'PS384' ||
+        alg === 'PS512' ||
+        alg === 'RS256' ||
+        alg === 'RS384' ||
+        alg === 'RS512');
+};
+const decodeSegment = (segment) => {
+    const bytes = fromBase64Url(segment);
+    return JSON.parse(decodeUtf8From(bytes));
+};
+//# sourceMappingURL=verify.js.map

package/dist/dpop/verify.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"verify.js","sourceRoot":"","sources":["../../lib/dpop/verify.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AAEpD,OAAO,KAAK,CAAC,MAAM,gBAAgB,CAAC;AAEpC,OAAO,EAAE,kBAAkB,EAAE,MAAM,uBAAuB,CAAC;AAC3D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAE1D,OAAO,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAI5C,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAC5B,CAAC,CAAC,MAAM,CAAC;IACR,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IACxE,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACb,CAAC,EACF,CAAC,CAAC,MAAM,CAAC;IACR,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;IACb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE;CACb,CAAC,CACF,CAAC;AAEF,MAAM,gBAAgB,GAAG,CAAC,CAAC,MAAM,CAAC;IACjC,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC;IAC1B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,KAAK,MAAM,EAAE,wBAAwB,CAAC;IACzE,GAAG,EAAE,aAAa;CAClB,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAG,CAAC,CAAC,MAAM,CAAC;IAClC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;IACf,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;CAC5B,CAAC,CAAC;AAkBH;;GAEG;AACH,MAAM,OAAO,eAAgB,SAAQ,KAAK;IAGjC,IAAI;IAFZ,YACC,OAAe,EACR,IAA0D,EAChE;QACD,KAAK,CAAC,OAAO,CAAC,CAAC;oBAFR,IAAI;QAGX,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAAA,CAC9B;CACD;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,EACnC,UAAqC,EACrC,OAA0B,EACE,EAAE,CAAC;IAC/B,IAAI,CAAC,UAAU,EAAE,CAAC;QACjB,MAAM,IAAI,eAAe,CAAC,qBAAqB,EAAE,SAAS,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,YAAY,GAAG,EAAE,EAAE,GAAG,OAAO,CAAC;IACrE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,IAAI,eAAe,CAAC,2BAA2B,EAAE,SAAS,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,MAAwC,CAAC;IAC7C,IAAI,CAAC;QACJ,MAAM,GAAG,gBAAgB,CAAC,KAAK,CAAC,aAAa,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IACnF,CAAC;IAAC,MAAM,CAAC;QACR,MAAM,IAAI,eAAe,CAAC,qBAAqB,EAAE,SAAS,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,MAAM,CAAC;IAC5B,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,MAAM,IAAI,eAAe,CAAC,sBAAsB,EAAE,SAAS,CAAC,CAAC;IAC9D,CAAC;IAED,IAAI,OAAmB,CAAC;IACxB,IAAI,CAAC;QACJ,MAAM,GAAG,GAAG,MAAM,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;QAC5C,MAAM,GAAG,GAAG,MAAM,SAAS,CAAC,UAAU,EAAE,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,UAAU,EAAE,CAAC,CAAC;QACvE,OAAO,GAAG,iBAAiB,CAAC,KAAK,CAAC,GAAG,EAAE,EAAE,IAAI,EAAE,aAAa,EAAE,CAAC,CAAC;IACjE,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACd,IAAI,GAAG,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;YAClC,MAAM,IAAI,eAAe,CAAC,sBAAsB,EAAE,SAAS,CAAC,CAAC;QAC9D,CAAC;QACD,MAAM,IAAI,eAAe,CAAC,oCAAoC,EAAE,SAAS,CAAC,CAAC;IAC5E,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,KAAK,MAAM,EAAE,CAAC;QAC5B,MAAM,IAAI,eAAe,CAAC,+BAA+B,MAAM,SAAS,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IACnG,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,KAAK,GAAG,EAAE,CAAC;QACzB,MAAM,IAAI,eAAe,CAAC,+BAA+B,GAAG,SAAS,OAAO,CAAC,GAAG,EAAE,EAAE,SAAS,CAAC,CAAC;IAChG,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;QACtC,MAAM,IAAI,eAAe,CAAC,iCAAiC,EAAE,SAAS,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,OAAO,CAAC,GAAG,GAAG,GAAG,GAAG,YAAY,EAAE,CAAC;QACtC,MAAM,IAAI,eAAe,CAAC,oBAAoB,EAAE,SAAS,CAAC,CAAC;IAC5D,CAAC;IAED,IAAI,SAAS,EAAE,CAAC;QACf,IAAI,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC,MAAM,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC;YAC/D,MAAM,IAAI,eAAe,CAAC,+BAA+B,EAAE,gBAAgB,CAAC,CAAC;QAC9E,CAAC;IACF,CAAC;IAED,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC,GAAgB,CAAC,CAAC;IAEtD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,EAAE,GAAc,EAAE,GAAG,EAAE,CAAC;AAAA,CACrD,CAAC;AAEF,MAAM,eAAe,GAAG,KAAK,EAAE,GAAc,EAAE,GAAqB,EAAsB,EAAE,CAAC;IAC5F,MAAM,SAAS,GAAG,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAClF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,QAAQ,CAAC,CAAC,CAAC;IACnF,IAAI,CAAC,CAAC,GAAG,YAAY,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO,GAAG,CAAC;AAAA,CACX,CAAC;AAEF,MAAM,kBAAkB,GAAG,CAAC,GAAW,EAA2B,EAAE,CAAC;IACpE,OAAO,CACN,GAAG,KAAK,OAAO;QACf,GAAG,KAAK,OAAO;QACf,GAAG,KAAK,OAAO;QACf,GAAG,KAAK,OAAO;QACf,GAAG,KAAK,OAAO;QACf,GAAG,KAAK,OAAO;QACf,GAAG,KAAK,OAAO;QACf,GAAG,KAAK,OAAO;QACf,GAAG,KAAK,OAAO,CACf,CAAC;AAAA,CACF,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,OAAe,EAAW,EAAE,CAAC;IACnD,MAAM,KAAK,GAAG,aAAa,CAAC,OAAO,CAAC,CAAC;IACrC,OAAO,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,KAAK,CAAC,CAAC,CAAC;AAAA,CACzC,CAAC"}

package/dist/hash/index.d.ts

@@ -0,0 +1,3 @@
+export { generatePkce } from './pkce.js';
+export { sha256Base64Url } from './sha256.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/hash/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/hash/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC"}

package/dist/hash/index.js

@@ -0,0 +1,3 @@
+export { generatePkce } from './pkce.js';
+export { sha256Base64Url } from './sha256.js';
+//# sourceMappingURL=index.js.map

package/dist/hash/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/hash/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC"}

package/dist/hash/pkce.d.ts

@@ -0,0 +1,12 @@
+/**
+ * generates pkce verifier and challenge (s256).
+ *
+ * @param length verifier length (43-128 per rfc 7636)
+ * @returns pkce values
+ */
+export declare const generatePkce: (length?: number) => Promise<{
+    verifier: string;
+    challenge: string;
+    method: "S256";
+}>;
+//# sourceMappingURL=pkce.d.ts.map

package/dist/hash/pkce.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.d.ts","sourceRoot":"","sources":["../../lib/hash/pkce.ts"],"names":[],"mappings":"AAIA;;;;;GAKG;AACH,eAAO,MAAM,YAAY;;;;EAOxB,CAAC"}

package/dist/hash/pkce.js

@@ -0,0 +1,14 @@
+import { nanoid } from 'nanoid';
+import { sha256Base64Url } from './sha256.js';
+/**
+ * generates pkce verifier and challenge (s256).
+ *
+ * @param length verifier length (43-128 per rfc 7636)
+ * @returns pkce values
+ */
+export const generatePkce = async (length = 64) => {
+    const verifier = nanoid(length);
+    const challenge = await sha256Base64Url(verifier);
+    return { verifier, challenge, method: 'S256' };
+};
+//# sourceMappingURL=pkce.js.map

package/dist/hash/pkce.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pkce.js","sourceRoot":"","sources":["../../lib/hash/pkce.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAEhC,OAAO,EAAE,eAAe,EAAE,MAAM,aAAa,CAAC;AAE9C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG,KAAK,EAChC,MAAM,GAAG,EAAE,EACwD,EAAE,CAAC;IACtE,MAAM,QAAQ,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC;IAChC,MAAM,SAAS,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,CAAC;IAElD,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC;AAAA,CAC/C,CAAC"}

package/dist/hash/sha256.d.ts

@@ -0,0 +1,8 @@
+/**
+ * computes sha-256 hash and returns base64url-encoded result.
+ *
+ * @param input string to hash
+ * @returns base64url-encoded sha-256 hash
+ */
+export declare const sha256Base64Url: (input: string) => Promise<string>;
+//# sourceMappingURL=sha256.d.ts.map

package/dist/hash/sha256.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sha256.d.ts","sourceRoot":"","sources":["../../lib/hash/sha256.ts"],"names":[],"mappings":"AAGA;;;;;GAKG;AACH,eAAO,MAAM,eAAe,oCAI3B,CAAC"}

package/dist/hash/sha256.js

@@ -0,0 +1,14 @@
+import { toBase64Url } from '@atcute/multibase';
+import { encodeUtf8, toSha256 } from '@atcute/uint8array';
+/**
+ * computes sha-256 hash and returns base64url-encoded result.
+ *
+ * @param input string to hash
+ * @returns base64url-encoded sha-256 hash
+ */
+export const sha256Base64Url = async (input) => {
+    const bytes = encodeUtf8(input);
+    const digest = await toSha256(bytes);
+    return toBase64Url(digest);
+};
+//# sourceMappingURL=sha256.js.map

package/dist/hash/sha256.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sha256.js","sourceRoot":"","sources":["../../lib/hash/sha256.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE1D;;;;;GAKG;AACH,MAAM,CAAC,MAAM,eAAe,GAAG,KAAK,EAAE,KAAa,EAAmB,EAAE,CAAC;IACxE,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC;IAChC,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,KAAK,CAAC,CAAC;IACrC,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;AAAA,CAC3B,CAAC"}

package/dist/index.d.ts

@@ -0,0 +1,6 @@
+export * from './client-assertion/index.js';
+export * from './dpop/index.js';
+export * from './hash/index.js';
+export * from './jwk/index.js';
+export * from './jwt/index.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gBAAgB,CAAC"}

package/dist/index.js

@@ -0,0 +1,6 @@
+export * from './client-assertion/index.js';
+export * from './dpop/index.js';
+export * from './hash/index.js';
+export * from './jwk/index.js';
+export * from './jwt/index.js';
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../lib/index.ts"],"names":[],"mappings":"AAAA,cAAc,6BAA6B,CAAC;AAC5C,cAAc,iBAAiB,CAAC;AAChC,cAAc,iBAAiB,CAAC;AAChC,cAAc,gBAAgB,CAAC;AAC/B,cAAc,gBAAgB,CAAC"}

package/dist/internal/crypto.d.ts

@@ -0,0 +1,7 @@
+import type { SigningAlgorithm } from '../jwk/types.js';
+export declare const getHashName: (alg: SigningAlgorithm) => "SHA-256" | "SHA-384" | "SHA-512";
+export declare const getNamedCurve: (alg: SigningAlgorithm) => "P-256" | "P-384" | "P-521" | null;
+export declare const getSignAlgorithm: (alg: SigningAlgorithm) => EcdsaParams | RsaPssParams | AlgorithmIdentifier;
+export declare const getImportAlgorithm: (alg: SigningAlgorithm, curve?: "P-256" | "P-384" | "P-521" | undefined) => EcKeyImportParams | RsaHashedImportParams;
+export declare const getGenerateAlgorithm: (alg: SigningAlgorithm) => EcKeyGenParams | RsaHashedKeyGenParams;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/internal/crypto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../lib/internal/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AA0BxD,eAAO,MAAM,WAAW,8DAEvB,CAAC;AAEF,eAAO,MAAM,aAAa,+DAEzB,CAAC;AAEF,eAAO,MAAM,gBAAgB,6EAY5B,CAAC;AAEF,eAAO,MAAM,kBAAkB,uHAiB9B,CAAC;AAEF,eAAO,MAAM,oBAAoB,mEAahC,CAAC"}

package/dist/internal/crypto.js

@@ -0,0 +1,78 @@
+const HASH_BY_ALG = {
+    ES256: 'SHA-256',
+    ES384: 'SHA-384',
+    ES512: 'SHA-512',
+    PS256: 'SHA-256',
+    PS384: 'SHA-384',
+    PS512: 'SHA-512',
+    RS256: 'SHA-256',
+    RS384: 'SHA-384',
+    RS512: 'SHA-512',
+};
+const CURVE_BY_ALG = {
+    ES256: 'P-256',
+    ES384: 'P-384',
+    ES512: 'P-521',
+    PS256: null,
+    PS384: null,
+    PS512: null,
+    RS256: null,
+    RS384: null,
+    RS512: null,
+};
+export const getHashName = (alg) => {
+    return HASH_BY_ALG[alg];
+};
+export const getNamedCurve = (alg) => {
+    return CURVE_BY_ALG[alg];
+};
+export const getSignAlgorithm = (alg) => {
+    if (alg.startsWith('ES')) {
+        return { name: 'ECDSA', hash: { name: getHashName(alg) } };
+    }
+    if (alg.startsWith('PS')) {
+        return {
+            name: 'RSA-PSS',
+            hash: { name: getHashName(alg) },
+            saltLength: getHashLength(getHashName(alg)),
+        };
+    }
+    return { name: 'RSASSA-PKCS1-v1_5' };
+};
+export const getImportAlgorithm = (alg, curve) => {
+    if (alg.startsWith('ES')) {
+        const namedCurve = curve ?? getNamedCurve(alg);
+        if (!namedCurve) {
+            throw new Error(`unable to determine curve for ${alg}`);
+        }
+        return { name: 'ECDSA', namedCurve };
+    }
+    if (alg.startsWith('PS')) {
+        return { name: 'RSA-PSS', hash: { name: getHashName(alg) } };
+    }
+    return { name: 'RSASSA-PKCS1-v1_5', hash: { name: getHashName(alg) } };
+};
+export const getGenerateAlgorithm = (alg) => {
+    const curve = getNamedCurve(alg);
+    if (curve) {
+        return { name: 'ECDSA', namedCurve: curve };
+    }
+    const hash = { name: getHashName(alg) };
+    return {
+        name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',
+        hash,
+        modulusLength: 2048,
+        publicExponent: new Uint8Array([0x01, 0x00, 0x01]),
+    };
+};
+const getHashLength = (hash) => {
+    switch (hash) {
+        case 'SHA-256':
+            return 32;
+        case 'SHA-384':
+            return 48;
+        case 'SHA-512':
+            return 64;
+    }
+};
+//# sourceMappingURL=crypto.js.map

package/dist/internal/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../lib/internal/crypto.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,GAAgE;IAChF,KAAK,EAAE,SAAS;IAChB,KAAK,EAAE,SAAS;IAChB,KAAK,EAAE,SAAS;IAChB,KAAK,EAAE,SAAS;IAChB,KAAK,EAAE,SAAS;IAChB,KAAK,EAAE,SAAS;IAChB,KAAK,EAAE,SAAS;IAChB,KAAK,EAAE,SAAS;IAChB,KAAK,EAAE,SAAS;CAChB,CAAC;AAEF,MAAM,YAAY,GAAiE;IAClF,KAAK,EAAE,OAAO;IACd,KAAK,EAAE,OAAO;IACd,KAAK,EAAE,OAAO;IACd,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,IAAI;IACX,KAAK,EAAE,IAAI;CACX,CAAC;AAEF,MAAM,CAAC,MAAM,WAAW,GAAG,CAAC,GAAqB,EAAqC,EAAE,CAAC;IACxF,OAAO,WAAW,CAAC,GAAG,CAAC,CAAC;AAAA,CACxB,CAAC;AAEF,MAAM,CAAC,MAAM,aAAa,GAAG,CAAC,GAAqB,EAAsC,EAAE,CAAC;IAC3F,OAAO,YAAY,CAAC,GAAG,CAAC,CAAC;AAAA,CACzB,CAAC;AAEF,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,GAAqB,EAAoD,EAAE,CAAC;IAC5G,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;IAC5D,CAAC;IACD,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,OAAO;YACN,IAAI,EAAE,SAAS;YACf,IAAI,EAAE,EAAE,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,EAAE;YAChC,UAAU,EAAE,aAAa,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC;SAC3C,CAAC;IACH,CAAC;IACD,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,CAAC;AAAA,CACrC,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CACjC,GAAqB,EACrB,KAAmC,EACS,EAAE,CAAC;IAC/C,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,MAAM,UAAU,GAAG,KAAK,IAAI,aAAa,CAAC,GAAG,CAAC,CAAC;QAC/C,IAAI,CAAC,UAAU,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,iCAAiC,GAAG,EAAE,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,CAAC;IACtC,CAAC;IAED,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1B,OAAO,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;IAC9D,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,mBAAmB,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;AAAA,CACvE,CAAC;AAEF,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,GAAqB,EAA0C,EAAE,CAAC;IACtG,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,KAAK,EAAE,CAAC;QACX,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC;IAC7C,CAAC;IAED,MAAM,IAAI,GAAG,EAAE,IAAI,EAAE,WAAW,CAAC,GAAG,CAAC,EAAE,CAAC;IACxC,OAAO;QACN,IAAI,EAAE,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,mBAAmB;QAC5D,IAAI;QACJ,aAAa,EAAE,IAAI;QACnB,cAAc,EAAE,IAAI,UAAU,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;KAClD,CAAC;AAAA,CACF,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,IAAuC,EAAU,EAAE,CAAC;IAC1E,QAAQ,IAAI,EAAE,CAAC;QACd,KAAK,SAAS;YACb,OAAO,EAAE,CAAC;QACX,KAAK,SAAS;YACb,OAAO,EAAE,CAAC;QACX,KAAK,SAAS;YACb,OAAO,EAAE,CAAC;IACZ,CAAC;AAAA,CACD,CAAC"}

package/dist/internal/jwk.d.ts

@@ -0,0 +1,10 @@
+import type { PrivateJwk, PublicJwk, SigningAlgorithm } from '../jwk/types.js';
+export declare const isSigningAlgorithm: (alg: string) => alg is SigningAlgorithm;
+export declare const parsePrivateJwkInput: (input: string | PrivateJwk) => PrivateJwk;
+export declare const resolveSigningAlgorithm: (jwk: PrivateJwk, override?: SigningAlgorithm | undefined) => SigningAlgorithm | undefined;
+export declare const derivePublicJwk: (privateJwk: PrivateJwk, kid?: string | undefined, alg?: SigningAlgorithm | undefined) => PublicJwk;
+export declare const importPrivateKeyFromJwk: (jwk: PrivateJwk, alg: SigningAlgorithm) => Promise<CryptoKey>;
+export declare const exportPrivateJwkFromKey: (key: CryptoKey, alg: SigningAlgorithm, kid?: string | undefined) => Promise<PrivateJwk>;
+export declare const importPkcs8PrivateKey: (pem: string, alg: SigningAlgorithm) => Promise<CryptoKey>;
+export declare const exportPkcs8PrivateKey: (key: CryptoKey) => Promise<string>;
+//# sourceMappingURL=jwk.d.ts.map

package/dist/internal/jwk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwk.d.ts","sourceRoot":"","sources":["../../lib/internal/jwk.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,gBAAgB,EAAE,MAAM,iBAAiB,CAAC;AAsB/E,eAAO,MAAM,kBAAkB,0CAE9B,CAAC;AAEF,eAAO,MAAM,oBAAoB,4CAehC,CAAC;AAEF,eAAO,MAAM,uBAAuB,4FAqBnC,CAAC;AAEF,eAAO,MAAM,eAAe,qGAY3B,CAAC;AAEF,eAAO,MAAM,uBAAuB,gEAoBnC,CAAC;AAEF,eAAO,MAAM,uBAAuB,0FAWnC,CAAC;AAEF,eAAO,MAAM,qBAAqB,4DAWjC,CAAC;AAEF,eAAO,MAAM,qBAAqB,qCAMjC,CAAC"}

package/dist/internal/jwk.js

@@ -0,0 +1,121 @@
+import { fromBase64Pad, toBase64Pad } from '@atcute/multibase';
+import { getImportAlgorithm } from './crypto.js';
+const SIGNING_ALGORITHMS = [
+    'ES256',
+    'ES384',
+    'ES512',
+    'PS256',
+    'PS384',
+    'PS512',
+    'RS256',
+    'RS384',
+    'RS512',
+];
+const CURVE_TO_ALG = {
+    'P-256': 'ES256',
+    'P-384': 'ES384',
+    'P-521': 'ES512',
+};
+export const isSigningAlgorithm = (alg) => {
+    return SIGNING_ALGORITHMS.includes(alg);
+};
+export const parsePrivateJwkInput = (input) => {
+    if (typeof input === 'string') {
+        try {
+            const jwk = JSON.parse(input);
+            return jwk;
+        }
+        catch {
+            throw new Error(`invalid JSON string`);
+        }
+    }
+    if (typeof input === 'object' && input !== null && 'kty' in input) {
+        return input;
+    }
+    throw new Error(`invalid input: expected JWK object or JSON string`);
+};
+export const resolveSigningAlgorithm = (jwk, override) => {
+    if (override) {
+        return override;
+    }
+    const alg = jwk.alg;
+    if (alg && isSigningAlgorithm(alg)) {
+        return alg;
+    }
+    if (jwk.kty === 'EC') {
+        const inferred = CURVE_TO_ALG[jwk.crv];
+        if (inferred) {
+            return inferred;
+        }
+    }
+    return undefined;
+};
+export const derivePublicJwk = (privateJwk, kid, alg) => {
+    if (privateJwk.kty === 'EC') {
+        const { crv, x, y } = privateJwk;
+        return { kty: 'EC', crv, x, y, kid, alg, use: 'sig' };
+    }
+    if (privateJwk.kty === 'RSA') {
+        const { n, e } = privateJwk;
+        return { kty: 'RSA', n, e, kid, alg, use: 'sig' };
+    }
+    throw new Error(`unsupported key type`);
+};
+export const importPrivateKeyFromJwk = async (jwk, alg) => {
+    if (!('d' in jwk) || !jwk.d) {
+        throw new Error(`expected a private key (missing 'd' parameter)`);
+    }
+    if (jwk.kty === 'EC' && !alg.startsWith('ES')) {
+        throw new Error(`algorithm ${alg} does not match ec key`);
+    }
+    if (jwk.kty === 'RSA' && alg.startsWith('ES')) {
+        throw new Error(`algorithm ${alg} does not match rsa key`);
+    }
+    const algorithm = getImportAlgorithm(alg, jwk.kty === 'EC' ? jwk.crv : undefined);
+    const key = await crypto.subtle.importKey('jwk', jwk, algorithm, true, ['sign']);
+    if (!(key instanceof CryptoKey)) {
+        throw new Error(`expected asymmetric key, got symmetric`);
+    }
+    return key;
+};
+export const exportPrivateJwkFromKey = async (key, alg, kid) => {
+    const jwk = (await crypto.subtle.exportKey('jwk', key));
+    jwk.alg = alg;
+    if (kid) {
+        jwk.kid = kid;
+    }
+    return jwk;
+};
+export const importPkcs8PrivateKey = async (pem, alg) => {
+    const bytes = parsePkcs8Pem(pem);
+    const algorithm = getImportAlgorithm(alg);
+    const key = await crypto.subtle.importKey('pkcs8', bytes, algorithm, true, ['sign']);
+    if (!(key instanceof CryptoKey)) {
+        throw new Error(`expected asymmetric key, got symmetric`);
+    }
+    return key;
+};
+export const exportPkcs8PrivateKey = async (key) => {
+    const pkcs8 = await crypto.subtle.exportKey('pkcs8', key);
+    const bytes = new Uint8Array(pkcs8);
+    const base64 = toBase64Pad(bytes);
+    return ['-----BEGIN PRIVATE KEY-----', ...chunk64(base64), '-----END PRIVATE KEY-----', ''].join('\n');
+};
+const parsePkcs8Pem = (pem) => {
+    const match = pem.match(/-----BEGIN PRIVATE KEY-----([\s\S]*?)-----END PRIVATE KEY-----/);
+    if (!match) {
+        throw new Error(`invalid pkcs8 pem`);
+    }
+    const base64 = match[1].replace(/\s+/g, '');
+    const bytes = fromBase64Pad(base64);
+    const buffer = bytes.buffer.slice(bytes.byteOffset, bytes.byteOffset + bytes.byteLength);
+    return buffer;
+};
+const chunk64 = (input) => {
+    const chunks = [];
+    for (let i = 0; i < input.length; i += 64) {
+        chunks.push(input.slice(i, i + 64));
+    }
+    return chunks;
+};
+//# sourceMappingURL=jwk.js.map

package/dist/internal/jwk.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwk.js","sourceRoot":"","sources":["../../lib/internal/jwk.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAI/D,OAAO,EAAE,kBAAkB,EAAE,MAAM,aAAa,CAAC;AAEjD,MAAM,kBAAkB,GAAgC;IACvD,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;IACP,OAAO;CACP,CAAC;AAEF,MAAM,YAAY,GAAqC;IACtD,OAAO,EAAE,OAAO;IAChB,OAAO,EAAE,OAAO;IAChB,OAAO,EAAE,OAAO;CAChB,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAG,CAAC,GAAW,EAA2B,EAAE,CAAC;IAC3E,OAAQ,kBAAwC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;AAAA,CAC/D,CAAC;AAEF,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,KAA0B,EAAc,EAAE,CAAC;IAC/E,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC/B,IAAI,CAAC;YACJ,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAe,CAAC;YAC5C,OAAO,GAAG,CAAC;QACZ,CAAC;QAAC,MAAM,CAAC;YACR,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,CAAC;QACxC,CAAC;IACF,CAAC;IAED,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,IAAI,IAAI,KAAK,IAAI,KAAK,EAAE,CAAC;QACnE,OAAO,KAAK,CAAC;IACd,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,mDAAmD,CAAC,CAAC;AAAA,CACrE,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAG,CACtC,GAAe,EACf,QAA2B,EACI,EAAE,CAAC;IAClC,IAAI,QAAQ,EAAE,CAAC;QACd,OAAO,QAAQ,CAAC;IACjB,CAAC;IAED,MAAM,GAAG,GAAG,GAAG,CAAC,GAAG,CAAC;IACpB,IAAI,GAAG,IAAI,kBAAkB,CAAC,GAAG,CAAC,EAAE,CAAC;QACpC,OAAO,GAAG,CAAC;IACZ,CAAC;IAED,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACvC,IAAI,QAAQ,EAAE,CAAC;YACd,OAAO,QAAQ,CAAC;QACjB,CAAC;IACF,CAAC;IAED,OAAO,SAAS,CAAC;AAAA,CACjB,CAAC;AAEF,MAAM,CAAC,MAAM,eAAe,GAAG,CAAC,UAAsB,EAAE,GAAY,EAAE,GAAsB,EAAa,EAAE,CAAC;IAC3G,IAAI,UAAU,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QAC7B,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,UAAU,CAAC;QACjC,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IACvD,CAAC;IAED,IAAI,UAAU,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;QAC9B,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,UAAU,CAAC;QAC5B,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IACnD,CAAC;IAED,MAAM,IAAI,KAAK,CAAC,sBAAsB,CAAC,CAAC;AAAA,CACxC,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAG,KAAK,EAAE,GAAe,EAAE,GAAqB,EAAsB,EAAE,CAAC;IAC5G,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;QAC7B,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAC;IACnE,CAAC;IAED,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,aAAa,GAAG,wBAAwB,CAAC,CAAC;IAC3D,CAAC;IACD,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,IAAI,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/C,MAAM,IAAI,KAAK,CAAC,aAAa,GAAG,yBAAyB,CAAC,CAAC;IAC5D,CAAC;IAED,MAAM,SAAS,GAAG,kBAAkB,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,KAAK,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAClF,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IAEjF,IAAI,CAAC,CAAC,GAAG,YAAY,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO,GAAG,CAAC;AAAA,CACX,CAAC;AAEF,MAAM,CAAC,MAAM,uBAAuB,GAAG,KAAK,EAC3C,GAAc,EACd,GAAqB,EACrB,GAAY,EACU,EAAE,CAAC;IACzB,MAAM,GAAG,GAAG,CAAC,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,CAAC,CAAe,CAAC;IACtE,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC;IACd,IAAI,GAAG,EAAE,CAAC;QACT,GAAG,CAAC,GAAG,GAAG,GAAG,CAAC;IACf,CAAC;IACD,OAAO,GAAG,CAAC;AAAA,CACX,CAAC;AAEF,MAAM,CAAC,MAAM,qBAAqB,GAAG,KAAK,EAAE,GAAW,EAAE,GAAqB,EAAsB,EAAE,CAAC;IACtG,MAAM,KAAK,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;IACjC,MAAM,SAAS,GAAG,kBAAkB,CAAC,GAAG,CAAC,CAAC;IAE1C,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC;IAErF,IAAI,CAAC,CAAC,GAAG,YAAY,SAAS,CAAC,EAAE,CAAC;QACjC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO,GAAG,CAAC;AAAA,CACX,CAAC;AAEF,MAAM,CAAC,MAAM,qBAAqB,GAAG,KAAK,EAAE,GAAc,EAAmB,EAAE,CAAC;IAC/E,MAAM,KAAK,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;IAC1D,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC;IAElC,OAAO,CAAC,6BAA6B,EAAE,GAAG,OAAO,CAAC,MAAM,CAAC,EAAE,2BAA2B,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAAA,CACvG,CAAC;AAEF,MAAM,aAAa,GAAG,CAAC,GAAW,EAAe,EAAE,CAAC;IACnD,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,gEAAgE,CAAC,CAAC;IAC1F,IAAI,CAAC,KAAK,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACtC,CAAC;IAED,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC5C,MAAM,KAAK,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,UAAU,EAAE,KAAK,CAAC,UAAU,GAAG,KAAK,CAAC,UAAU,CAAC,CAAC;IACzF,OAAO,MAAM,CAAC;AAAA,CACd,CAAC;AAEF,MAAM,OAAO,GAAG,CAAC,KAAa,EAAY,EAAE,CAAC;IAC5C,MAAM,MAAM,GAAa,EAAE,CAAC;IAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,MAAM,CAAC;AAAA,CACd,CAAC"}

package/dist/internal/key-cache.d.ts

@@ -0,0 +1,24 @@
+import type { PrivateJwk, PublicJwk } from '../jwk/types.js';
+/**
+ * cached key material for a JWK.
+ */
+export interface CachedKeyMaterial {
+    cryptoKey: CryptoKey;
+    publicJwk: PublicJwk;
+}
+/**
+ * retrieves or creates cached key material for a JWK.
+ *
+ * @param jwk private JWK to get material for
+ * @returns cached key material (CryptoKey and derived public JWK)
+ */
+export declare const getCachedKeyMaterial: (jwk: PrivateJwk) => Promise<CachedKeyMaterial>;
+/**
+ * pre-populates the cache with already-imported key material.
+ * useful for PKCS8 imports where we already have the CryptoKey.
+ *
+ * @param jwk private JWK to cache for
+ * @param cryptoKey already-imported CryptoKey
+ */
+export declare const setCachedKeyMaterial: (jwk: PrivateJwk, cryptoKey: CryptoKey) => void;
+//# sourceMappingURL=key-cache.d.ts.map

package/dist/internal/key-cache.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-cache.d.ts","sourceRoot":"","sources":["../../lib/internal/key-cache.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,iBAAiB,CAAC;AAI7D;;GAEG;AACH,MAAM,WAAW,iBAAiB;IACjC,SAAS,EAAE,SAAS,CAAC;IACrB,SAAS,EAAE,SAAS,CAAC;CACrB;AAQD;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,iDAchC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,iDAGhC,CAAC"}

package/dist/internal/key-cache.js

@@ -0,0 +1,36 @@
+import { derivePublicJwk, importPrivateKeyFromJwk } from './jwk.js';
+/**
+ * cache for imported keys.
+ * uses WeakMap so entries are garbage collected when JWK objects are no longer referenced.
+ */
+const keyCache = new WeakMap();
+/**
+ * retrieves or creates cached key material for a JWK.
+ *
+ * @param jwk private JWK to get material for
+ * @returns cached key material (CryptoKey and derived public JWK)
+ */
+export const getCachedKeyMaterial = async (jwk) => {
+    const cached = keyCache.get(jwk);
+    if (cached) {
+        return cached;
+    }
+    const { alg } = jwk;
+    const cryptoKey = await importPrivateKeyFromJwk(jwk, alg);
+    const publicJwk = derivePublicJwk(jwk, jwk.kid, alg);
+    const material = { cryptoKey, publicJwk };
+    keyCache.set(jwk, material);
+    return material;
+};
+/**
+ * pre-populates the cache with already-imported key material.
+ * useful for PKCS8 imports where we already have the CryptoKey.
+ *
+ * @param jwk private JWK to cache for
+ * @param cryptoKey already-imported CryptoKey
+ */
+export const setCachedKeyMaterial = (jwk, cryptoKey) => {
+    const publicJwk = derivePublicJwk(jwk, jwk.kid, jwk.alg);
+    keyCache.set(jwk, { cryptoKey, publicJwk });
+};
+//# sourceMappingURL=key-cache.js.map

package/dist/internal/key-cache.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"key-cache.js","sourceRoot":"","sources":["../../lib/internal/key-cache.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,eAAe,EAAE,uBAAuB,EAAE,MAAM,UAAU,CAAC;AAUpE;;;GAGG;AACH,MAAM,QAAQ,GAAG,IAAI,OAAO,EAAiC,CAAC;AAE9D;;;;;GAKG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,KAAK,EAAE,GAAe,EAA8B,EAAE,CAAC;IAC1F,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;IACjC,IAAI,MAAM,EAAE,CAAC;QACZ,OAAO,MAAM,CAAC;IACf,CAAC;IAED,MAAM,EAAE,GAAG,EAAE,GAAG,GAAG,CAAC;IACpB,MAAM,SAAS,GAAG,MAAM,uBAAuB,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IAC1D,MAAM,SAAS,GAAG,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,CAAC;IACrD,MAAM,QAAQ,GAAsB,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC;IAE7D,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAE5B,OAAO,QAAQ,CAAC;AAAA,CAChB,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,GAAe,EAAE,SAAoB,EAAQ,EAAE,CAAC;IACpF,MAAM,SAAS,GAAG,eAAe,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,GAAG,CAAC,CAAC;IACzD,QAAQ,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,SAAS,EAAE,CAAC,CAAC;AAAA,CAC5C,CAAC"}

package/dist/jwk/compute-jkt.d.ts

@@ -0,0 +1,9 @@
+import type { PublicJwk } from './types.js';
+/**
+ * computes the jwk thumbprint (rfc 7638) for a public key.
+ *
+ * @param jwk public jwk
+ * @returns base64url-encoded sha-256 thumbprint
+ */
+export declare const computeJktFromJwk: (jwk: PublicJwk) => Promise<string>;
+//# sourceMappingURL=compute-jkt.d.ts.map

package/dist/jwk/compute-jkt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"compute-jkt.d.ts","sourceRoot":"","sources":["../../lib/jwk/compute-jkt.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAE5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,qCAe7B,CAAC"}

package/dist/jwk/compute-jkt.js

@@ -0,0 +1,23 @@
+import { toBase64Url } from '@atcute/multibase';
+import { encodeUtf8, toSha256 } from '@atcute/uint8array';
+/**
+ * computes the jwk thumbprint (rfc 7638) for a public key.
+ *
+ * @param jwk public jwk
+ * @returns base64url-encoded sha-256 thumbprint
+ */
+export const computeJktFromJwk = async (jwk) => {
+    let canonical;
+    if (jwk.kty === 'EC') {
+        const { crv, x, y } = jwk;
+        canonical = { crv, kty: jwk.kty, x, y };
+    }
+    else {
+        const { e, n } = jwk;
+        canonical = { e, kty: jwk.kty, n };
+    }
+    const serialized = JSON.stringify(canonical);
+    const hash = await toSha256(encodeUtf8(serialized));
+    return toBase64Url(hash);
+};
+//# sourceMappingURL=compute-jkt.js.map

package/dist/jwk/compute-jkt.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"compute-jkt.js","sourceRoot":"","sources":["../../lib/jwk/compute-jkt.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAC;AAChD,OAAO,EAAE,UAAU,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAI1D;;;;;GAKG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG,KAAK,EAAE,GAAc,EAAmB,EAAE,CAAC;IAC3E,IAAI,SAAiC,CAAC;IAEtC,IAAI,GAAG,CAAC,GAAG,KAAK,IAAI,EAAE,CAAC;QACtB,MAAM,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,GAAG,CAAC;QAC1B,SAAS,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC;IACzC,CAAC;SAAM,CAAC;QACP,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,GAAG,CAAC;QACrB,SAAS,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,GAAG,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC;IACpC,CAAC;IAED,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC;IAEpD,OAAO,WAAW,CAAC,IAAI,CAAC,CAAC;AAAA,CACzB,CAAC"}

package/dist/jwk/index.d.ts

@@ -0,0 +1,5 @@
+export { computeJktFromJwk } from './compute-jkt.js';
+export { derivePublicJwk } from '../internal/jwk.js';
+export { exportPkcs8PrivateKey } from './keys.js';
+export type { EcPrivateJwk, EcPublicJwk, PrivateJwk, PublicJwk, RsaPrivateJwk, RsaPublicJwk, SigningAlgorithm, } from './types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/jwk/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../lib/jwk/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC;AAClD,YAAY,EACX,YAAY,EACZ,WAAW,EACX,UAAU,EACV,SAAS,EACT,aAAa,EACb,YAAY,EACZ,gBAAgB,GAChB,MAAM,YAAY,CAAC"}

package/dist/jwk/index.js

@@ -0,0 +1,4 @@
+export { computeJktFromJwk } from './compute-jkt.js';
+export { derivePublicJwk } from '../internal/jwk.js';
+export { exportPkcs8PrivateKey } from './keys.js';
+//# sourceMappingURL=index.js.map

package/dist/jwk/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../lib/jwk/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,oBAAoB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,MAAM,WAAW,CAAC"}

package/dist/jwk/keys.d.ts

@@ -0,0 +1,9 @@
+import type { PrivateJwk } from './types.js';
+/**
+ * exports a private JWK to PKCS8 PEM format.
+ *
+ * @param jwk private JWK to export
+ * @returns PKCS8 PEM string
+ */
+export declare const exportPkcs8PrivateKey: (jwk: PrivateJwk) => Promise<string>;
+//# sourceMappingURL=keys.d.ts.map

package/dist/jwk/keys.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"keys.d.ts","sourceRoot":"","sources":["../../lib/jwk/keys.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAE7C;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,sCAGjC,CAAC"}