@atproto/jwk 0.5.0 → 0.7.0-next.0
- package/CHANGELOG.md +30 -0
- package/LICENSE.txt +1 -1
- package/dist/alg.d.ts +2 -2
- package/dist/alg.d.ts.map +1 -1
- package/dist/alg.js +19 -16
- package/dist/alg.js.map +1 -1
- package/dist/errors.js +15 -36
- package/dist/errors.js.map +1 -1
- package/dist/index.js +10 -28
- package/dist/index.js.map +1 -1
- package/dist/jwk.d.ts +3725 -1143
- package/dist/jwk.d.ts.map +1 -1
- package/dist/jwk.js +178 -96
- package/dist/jwk.js.map +1 -1
- package/dist/jwks.d.ts +212 -1523
- package/dist/jwks.d.ts.map +1 -1
- package/dist/jwks.js +25 -11
- package/dist/jwks.js.map +1 -1
- package/dist/jwt-decode.js +8 -11
- package/dist/jwt-decode.js.map +1 -1
- package/dist/jwt-verify.js +1 -2
- package/dist/jwt-verify.js.map +1 -1
- package/dist/jwt.d.ts +3937 -1186
- package/dist/jwt.d.ts.map +1 -1
- package/dist/jwt.js +97 -102
- package/dist/jwt.js.map +1 -1
- package/dist/key.d.ts +22 -9
- package/dist/key.d.ts.map +1 -1
- package/dist/key.js +159 -88
- package/dist/key.js.map +1 -1
- package/dist/keyset.d.ts +382 -15
- package/dist/keyset.d.ts.map +1 -1
- package/dist/keyset.js +153 -183
- package/dist/keyset.js.map +1 -1
- package/dist/util.d.ts +1 -6
- package/dist/util.d.ts.map +1 -1
- package/dist/util.js +21 -26
- package/dist/util.js.map +1 -1
- package/package.json +8 -7
- package/src/alg.ts +22 -10
- package/src/jwk.ts +163 -51
- package/src/jwks.ts +23 -6
- package/src/key.ts +137 -27
- package/src/keyset.ts +60 -60
- package/src/util.ts +8 -19
- package/tsconfig.build.tsbuildinfo +1 -1
package/dist/key.js
CHANGED
|
@@ -1,4 +1,3 @@
|
|
|
1
|
-
"use strict";
|
|
2
1
|
var __runInitializers = (this && this.__runInitializers) || function (thisArg, initializers, value) {
|
|
3
2
|
var useValue = arguments.length > 2;
|
|
4
3
|
for (var i = 0; i < initializers.length; i++) {
|
|
@@ -33,102 +32,174 @@ var __esDecorate = (this && this.__esDecorate) || function (ctor, descriptorIn,
|
|
|
33
32
|
if (target) Object.defineProperty(target, contextIn.name, descriptor);
|
|
34
33
|
done = true;
|
|
35
34
|
};
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
const errors_js_1 = require("./errors.js");
|
|
40
|
-
const jwk_js_1 = require("./jwk.js");
|
|
41
|
-
const util_js_1 = require("./util.js");
|
|
42
|
-
const jwkSchemaReadonly = jwk_js_1.jwkSchema.readonly();
|
|
35
|
+
import { jwkAlgorithms } from './alg.js';
|
|
36
|
+
import { PUBLIC_KEY_USAGE, hasSharedSecretJwk, isEncKeyUsage, isPrivateJwk, isPublicKeyUsage, isSigKeyUsage, jwkPubSchema, jwkSchema, } from './jwk.js';
|
|
37
|
+
import { cachedGetter } from './util.js';
|
|
43
38
|
let Key = (() => {
|
|
44
|
-
var _a;
|
|
45
39
|
let _instanceExtraInitializers = [];
|
|
40
|
+
let _get_isPrivate_decorators;
|
|
41
|
+
let _get_isSymetric_decorators;
|
|
46
42
|
let _get_publicJwk_decorators;
|
|
47
43
|
let _get_bareJwk_decorators;
|
|
48
44
|
let _get_algorithms_decorators;
|
|
49
|
-
return
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
}
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
45
|
+
return class Key {
|
|
46
|
+
static {
|
|
47
|
+
const _metadata = typeof Symbol === "function" && Symbol.metadata ? Object.create(null) : void 0;
|
|
48
|
+
_get_isPrivate_decorators = [cachedGetter];
|
|
49
|
+
_get_isSymetric_decorators = [cachedGetter];
|
|
50
|
+
_get_publicJwk_decorators = [cachedGetter];
|
|
51
|
+
_get_bareJwk_decorators = [cachedGetter];
|
|
52
|
+
_get_algorithms_decorators = [cachedGetter];
|
|
53
|
+
__esDecorate(this, null, _get_isPrivate_decorators, { kind: "getter", name: "isPrivate", static: false, private: false, access: { has: obj => "isPrivate" in obj, get: obj => obj.isPrivate }, metadata: _metadata }, null, _instanceExtraInitializers);
|
|
54
|
+
__esDecorate(this, null, _get_isSymetric_decorators, { kind: "getter", name: "isSymetric", static: false, private: false, access: { has: obj => "isSymetric" in obj, get: obj => obj.isSymetric }, metadata: _metadata }, null, _instanceExtraInitializers);
|
|
55
|
+
__esDecorate(this, null, _get_publicJwk_decorators, { kind: "getter", name: "publicJwk", static: false, private: false, access: { has: obj => "publicJwk" in obj, get: obj => obj.publicJwk }, metadata: _metadata }, null, _instanceExtraInitializers);
|
|
56
|
+
__esDecorate(this, null, _get_bareJwk_decorators, { kind: "getter", name: "bareJwk", static: false, private: false, access: { has: obj => "bareJwk" in obj, get: obj => obj.bareJwk }, metadata: _metadata }, null, _instanceExtraInitializers);
|
|
57
|
+
__esDecorate(this, null, _get_algorithms_decorators, { kind: "getter", name: "algorithms", static: false, private: false, access: { has: obj => "algorithms" in obj, get: obj => obj.algorithms }, metadata: _metadata }, null, _instanceExtraInitializers);
|
|
58
|
+
if (_metadata) Object.defineProperty(this, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
|
|
59
|
+
}
|
|
60
|
+
constructor(jwk) {
|
|
61
|
+
this.jwk = (__runInitializers(this, _instanceExtraInitializers), jwk);
|
|
62
|
+
}
|
|
63
|
+
get isPrivate() {
|
|
64
|
+
return isPrivateJwk(this.jwk);
|
|
65
|
+
}
|
|
66
|
+
get isSymetric() {
|
|
67
|
+
return hasSharedSecretJwk(this.jwk);
|
|
68
|
+
}
|
|
69
|
+
get privateJwk() {
|
|
70
|
+
if (!this.isPrivate)
|
|
71
|
+
return undefined;
|
|
72
|
+
return this.jwk;
|
|
73
|
+
}
|
|
74
|
+
get publicJwk() {
|
|
75
|
+
if (this.isSymetric)
|
|
76
|
+
return undefined;
|
|
77
|
+
if (!this.isPrivate)
|
|
78
|
+
return this.jwk;
|
|
79
|
+
const validated = jwkPubSchema.safeParse({
|
|
80
|
+
...this.jwk,
|
|
81
|
+
d: undefined,
|
|
82
|
+
k: undefined,
|
|
83
|
+
use: undefined,
|
|
84
|
+
key_ops: buildPublicKeyOps(this.keyOps) ?? PUBLIC_KEY_USAGE,
|
|
85
|
+
});
|
|
86
|
+
// One reason why the parsing might fail is if key_ops is empty. This check
|
|
87
|
+
// also allows to future proof the code (e.g if another type of private key
|
|
88
|
+
// is added that uses a different property than "d" or "k" to store its
|
|
89
|
+
// private value).
|
|
90
|
+
if (!validated.success)
|
|
91
|
+
return undefined;
|
|
92
|
+
return Object.freeze(validated.data);
|
|
93
|
+
}
|
|
94
|
+
get bareJwk() {
|
|
95
|
+
if (this.isSymetric)
|
|
96
|
+
return undefined;
|
|
97
|
+
const { kty, crv, e, n, x, y } = this.jwk;
|
|
98
|
+
return Object.freeze(jwkSchema.parse({ crv, e, kty, n, x, y }));
|
|
99
|
+
}
|
|
100
|
+
/**
|
|
101
|
+
* @note Only defined on public keys
|
|
102
|
+
*/
|
|
103
|
+
get use() {
|
|
104
|
+
return this.jwk.use;
|
|
105
|
+
}
|
|
106
|
+
get keyOps() {
|
|
107
|
+
return this.jwk.key_ops;
|
|
108
|
+
}
|
|
109
|
+
/**
|
|
110
|
+
* The (forced) algorithm to use. If not provided, the key will be usable with
|
|
111
|
+
* any of the algorithms in {@link algorithms}.
|
|
112
|
+
*
|
|
113
|
+
* @see {@link https://datatracker.ietf.org/doc/html/rfc7518#section-3.1 | "alg" (Algorithm) Header Parameter Values for JWS}
|
|
114
|
+
*/
|
|
115
|
+
get alg() {
|
|
116
|
+
return this.jwk.alg;
|
|
117
|
+
}
|
|
118
|
+
get kid() {
|
|
119
|
+
return this.jwk.kid;
|
|
120
|
+
}
|
|
121
|
+
get crv() {
|
|
122
|
+
return this.jwk.crv;
|
|
123
|
+
}
|
|
124
|
+
/**
|
|
125
|
+
* All the algorithms that this key can be used with. If `alg` is provided,
|
|
126
|
+
* this set will only contain that algorithm.
|
|
127
|
+
*/
|
|
128
|
+
get algorithms() {
|
|
129
|
+
return Object.freeze(Array.from(jwkAlgorithms(this.jwk)));
|
|
130
|
+
}
|
|
131
|
+
get isRevoked() {
|
|
132
|
+
return this.jwk.revoked != null;
|
|
133
|
+
}
|
|
134
|
+
isActive(options) {
|
|
135
|
+
if (!options?.allowRevoked && this.isRevoked)
|
|
75
136
|
return false;
|
|
137
|
+
const tolerance = options?.clockTolerance ?? 0;
|
|
138
|
+
if (tolerance !== Infinity) {
|
|
139
|
+
const now = options?.currentDate?.getTime() ?? Date.now();
|
|
140
|
+
const { exp, nbf } = this.jwk;
|
|
141
|
+
if (nbf != null && !(now >= nbf * 1e3 - tolerance))
|
|
142
|
+
return false;
|
|
143
|
+
if (exp != null && !(now < exp * 1e3 + tolerance))
|
|
144
|
+
return false;
|
|
76
145
|
}
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
k: undefined,
|
|
87
|
-
});
|
|
88
|
-
}
|
|
89
|
-
get bareJwk() {
|
|
90
|
-
if (this.isSymetric)
|
|
91
|
-
return undefined;
|
|
92
|
-
const { kty, crv, e, n, x, y } = this.jwk;
|
|
93
|
-
return jwkSchemaReadonly.parse({ crv, e, kty, n, x, y });
|
|
94
|
-
}
|
|
95
|
-
get use() {
|
|
96
|
-
return this.jwk.use;
|
|
97
|
-
}
|
|
98
|
-
/**
|
|
99
|
-
* The (forced) algorithm to use. If not provided, the key will be usable with
|
|
100
|
-
* any of the algorithms in {@link algorithms}.
|
|
101
|
-
*
|
|
102
|
-
* @see {@link https://datatracker.ietf.org/doc/html/rfc7518#section-3.1 | "alg" (Algorithm) Header Parameter Values for JWS}
|
|
103
|
-
*/
|
|
104
|
-
get alg() {
|
|
105
|
-
return this.jwk.alg;
|
|
106
|
-
}
|
|
107
|
-
get kid() {
|
|
108
|
-
return this.jwk.kid;
|
|
146
|
+
return true;
|
|
147
|
+
}
|
|
148
|
+
matches(opts) {
|
|
149
|
+
if (opts.kid != null) {
|
|
150
|
+
const matchesKid = Array.isArray(opts.kid)
|
|
151
|
+
? this.kid != null && opts.kid.includes(this.kid)
|
|
152
|
+
: this.kid === opts.kid;
|
|
153
|
+
if (!matchesKid)
|
|
154
|
+
return false;
|
|
109
155
|
}
|
|
110
|
-
|
|
111
|
-
|
|
156
|
+
if (opts.alg != null) {
|
|
157
|
+
const matchesAlg = Array.isArray(opts.alg)
|
|
158
|
+
? opts.alg.some((a) => this.algorithms.includes(a))
|
|
159
|
+
: this.algorithms.includes(opts.alg);
|
|
160
|
+
if (!matchesAlg)
|
|
161
|
+
return false;
|
|
112
162
|
}
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
163
|
+
if (opts.usage != null) {
|
|
164
|
+
const matchesOps = this.keyOps == null ||
|
|
165
|
+
this.keyOps.includes(opts.usage) ||
|
|
166
|
+
// @NOTE Because this.jwk represents the private key (typically used for
|
|
167
|
+
// private operations), the public counterpart operations are allowed.
|
|
168
|
+
(opts.usage === 'verify' && this.keyOps.includes('sign')) ||
|
|
169
|
+
(opts.usage === 'encrypt' && this.keyOps.includes('decrypt')) ||
|
|
170
|
+
(opts.usage === 'wrapKey' && this.keyOps.includes('unwrapKey'));
|
|
171
|
+
if (!matchesOps)
|
|
172
|
+
return false;
|
|
173
|
+
const matchesUse = this.use == null ||
|
|
174
|
+
(this.use === 'sig' && isSigKeyUsage(opts.usage)) ||
|
|
175
|
+
(this.use === 'enc' && isEncKeyUsage(opts.usage));
|
|
176
|
+
if (!matchesUse)
|
|
177
|
+
return false;
|
|
178
|
+
// @NOTE This is only relevant when "key_ops" and "use" are undefined.
|
|
179
|
+
// This line also ensures that when "opts.usage" is a private key usage
|
|
180
|
+
// (e.g. "sign"), the key is indeed a private key.
|
|
181
|
+
const matchesKeyType = this.isPrivate || isPublicKeyUsage(opts.usage);
|
|
182
|
+
if (!matchesKeyType)
|
|
183
|
+
return false;
|
|
119
184
|
}
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
_get_publicJwk_decorators = [util_js_1.cachedGetter];
|
|
124
|
-
_get_bareJwk_decorators = [util_js_1.cachedGetter];
|
|
125
|
-
_get_algorithms_decorators = [util_js_1.cachedGetter];
|
|
126
|
-
__esDecorate(_a, null, _get_publicJwk_decorators, { kind: "getter", name: "publicJwk", static: false, private: false, access: { has: obj => "publicJwk" in obj, get: obj => obj.publicJwk }, metadata: _metadata }, null, _instanceExtraInitializers);
|
|
127
|
-
__esDecorate(_a, null, _get_bareJwk_decorators, { kind: "getter", name: "bareJwk", static: false, private: false, access: { has: obj => "bareJwk" in obj, get: obj => obj.bareJwk }, metadata: _metadata }, null, _instanceExtraInitializers);
|
|
128
|
-
__esDecorate(_a, null, _get_algorithms_decorators, { kind: "getter", name: "algorithms", static: false, private: false, access: { has: obj => "algorithms" in obj, get: obj => obj.algorithms }, metadata: _metadata }, null, _instanceExtraInitializers);
|
|
129
|
-
if (_metadata) Object.defineProperty(_a, Symbol.metadata, { enumerable: true, configurable: true, writable: true, value: _metadata });
|
|
130
|
-
})(),
|
|
131
|
-
_a;
|
|
185
|
+
return true;
|
|
186
|
+
}
|
|
187
|
+
};
|
|
132
188
|
})();
|
|
133
|
-
|
|
189
|
+
export { Key };
|
|
190
|
+
function buildPublicKeyOps(keyUsages) {
|
|
191
|
+
if (keyUsages == null)
|
|
192
|
+
return undefined;
|
|
193
|
+
// https://datatracker.ietf.org/doc/html/rfc7517#section-4.3
|
|
194
|
+
// > Duplicate key operation values MUST NOT be present in the array.
|
|
195
|
+
const publicOps = new Set(keyUsages.filter(isPublicKeyUsage));
|
|
196
|
+
// @NOTE Translating private key usage into public key usage
|
|
197
|
+
if (keyUsages.includes('sign'))
|
|
198
|
+
publicOps.add('verify');
|
|
199
|
+
if (keyUsages.includes('decrypt'))
|
|
200
|
+
publicOps.add('encrypt');
|
|
201
|
+
if (keyUsages.includes('unwrapKey'))
|
|
202
|
+
publicOps.add('wrapKey');
|
|
203
|
+
return Array.from(publicOps);
|
|
204
|
+
}
|
|
134
205
|
//# sourceMappingURL=key.js.map
|
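Review bot: `clockTolerance` in isActive is applied in milliseconds — `now` comes from `Date.now()` and `nbf`/`exp` are scaled by `1e3` before the tolerance is subtracted or added — but nothing in the hunk states the unit, and a caller used to libraries that take the tolerance in seconds would pass a value a thousand times too small and see keys rejected (or, with a large value, accepted) at the wrong time. Add a doc comment on the option, e.g. `/** Clock skew tolerance in milliseconds; Infinity disables the nbf/exp checks entirely. */`, on `ActivityCheckOptions` in src/key.ts, the source this compiled file mirrors. In publicJwk only `d`, `k` and `use` are blanked before `jwkPubSchema.safeParse`; whether the remaining private members of an RSA private JWK (p, q, dp, dq, qi) are dropped from the frozen result depends on the schema stripping unknown keys, which is not visible in this hunk, so a one-line comment stating that reliance — or clearing them explicitly alongside `d` and `k` — would make the derivation auditable. The Key class body starts and ends inside this hunk, though several removed lines are shown without content in this rendering.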
package/dist/key.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"key.js","sourceRoot":"","sources":["../src/key.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,qCAAwC;AACxC,2CAAsC;AACtC,qCAAyC;AAGzC,uCAAwC;AAExC,MAAM,iBAAiB,GAAG,kBAAS,CAAC,QAAQ,EAAE,CAAA;IAExB,GAAG;;;;;;sBAAH,GAAG;YACvB,YAA+B,GAAgB;gBAC7C,wEAAwE;gBACxE,iEAAiE;gBAFvD;;;;4BADQ,mDAAG,EACQ,GAAG;mBAAa;gBAI7C,gEAAgE;gBAChE,IAAI,CAAC,GAAG,CAAC,GAAG;oBAAE,MAAM,IAAI,oBAAQ,CAAC,+BAA+B,CAAC,CAAA;YACnE,CAAC;YAED,IAAI,SAAS;gBACX,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;gBACpB,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,SAAS;oBAAE,OAAO,IAAI,CAAA;gBAClD,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,SAAS;oBAAE,OAAO,IAAI,CAAA;gBAClD,OAAO,KAAK,CAAA;YACd,CAAC;YAED,IAAI,UAAU;gBACZ,MAAM,EAAE,GAAG,EAAE,GAAG,IAAI,CAAA;gBACpB,IAAI,GAAG,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,SAAS;oBAAE,OAAO,IAAI,CAAA;gBAClD,OAAO,KAAK,CAAA;YACd,CAAC;YAED,IAAI,UAAU;gBACZ,OAAO,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;YAC9C,CAAC;YAGD,IAAI,SAAS;gBAGX,IAAI,IAAI,CAAC,UAAU;oBAAE,OAAO,SAAS,CAAA;gBAErC,OAAO,iBAAiB,CAAC,KAAK,CAAC;oBAC7B,GAAG,IAAI,CAAC,GAAG;oBACX,CAAC,EAAE,SAAS;oBACZ,CAAC,EAAE,SAAS;iBACb,CAA+C,CAAA;YAClD,CAAC;YAGD,IAAI,OAAO;gBACT,IAAI,IAAI,CAAC,UAAU;oBAAE,OAAO,SAAS,CAAA;gBACrC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,IAAI,CAAC,GAAU,CAAA;gBAChD,OAAO,iBAAiB,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAA;YAC1D,CAAC;YAED,IAAI,GAAG;gBACL,OAAO,IAAI,CAAC,GAAG,CAAC,GAAI,CAAA;YACtB,CAAC;YAED;;;;;eAKG;YACH,IAAI,GAAG;gBACL,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAA;YACrB,CAAC;YAED,IAAI,GAAG;gBACL,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAA;YACrB,CAAC;YAED,IAAI,GAAG;gBACL,OAAQ,IAAI,CAAC,GAAyD,CAAC,GAAG,CAAA;YAC5E,CAAC;YAED;;;eAGG;YAEH,IAAI,UAAU;gBACZ,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,IAAA,sBAAa,EAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;YAC3D,CAAC;;;;yCAjDA,sBAAY;uCAaZ,sBAAY;0CAiCZ,sBAAY;YA7Cb,gLAAI,SAAS,6DAUZ;YAGD,0KAAI,OAAO,6DAIV;YA6BD,mLAAI,UAAU,6DAEb;;;;;AA3EmB,kBAAG"}
|
|
1
|
+
{"version":3,"file":"key.js","sourceRoot":"","sources":["../src/key.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AACxC,OAAO,EAGL,gBAAgB,EAIhB,kBAAkB,EAClB,aAAa,EACb,YAAY,EACZ,gBAAgB,EAChB,aAAa,EACb,YAAY,EACZ,SAAS,GACV,MAAM,UAAU,CAAA;AAGjB,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAA;IAclB,GAAG;;;;;;;iBAAH,GAAG;;;yCAGtB,YAAY;0CAKZ,YAAY;yCAWZ,YAAY;uCAsBZ,YAAY;0CAwCZ,YAAY;YA7Eb,kLAAI,SAAS,6DAEZ;YAGD,qLAAI,UAAU,6DAEb;YASD,kLAAI,SAAS,6DAmBZ;YAGD,4KAAI,OAAO,6DAIV;YAoCD,qLAAI,UAAU,6DAEb;;;QAnFD,YAAqB,GAAgB;YAAhB,QAAG,IADJ,mDAAG,EACF,GAAG,EAAa;QAAG,CAAC;QAGzC,IAAI,SAAS;YACX,OAAO,YAAY,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QAC/B,CAAC;QAGD,IAAI,UAAU;YACZ,OAAO,kBAAkB,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;QACrC,CAAC;QAED,IAAI,UAAU;YACZ,IAAI,CAAC,IAAI,CAAC,SAAS;gBAAE,OAAO,SAAS,CAAA;YAErC,OAAO,IAAI,CAAC,GAA2B,CAAA;QACzC,CAAC;QAGD,IAAI,SAAS;YACX,IAAI,IAAI,CAAC,UAAU;gBAAE,OAAO,SAAS,CAAA;YACrC,IAAI,CAAC,IAAI,CAAC,SAAS;gBAAE,OAAO,IAAI,CAAC,GAA0B,CAAA;YAE3D,MAAM,SAAS,GAAG,YAAY,CAAC,SAAS,CAAC;gBACvC,GAAG,IAAI,CAAC,GAAG;gBACX,CAAC,EAAE,SAAS;gBACZ,CAAC,EAAE,SAAS;gBACZ,GAAG,EAAE,SAAS;gBACd,OAAO,EAAE,iBAAiB,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,gBAAgB;aAC5D,CAAC,CAAA;YAEF,2EAA2E;YAC3E,2EAA2E;YAC3E,uEAAuE;YACvE,kBAAkB;YAClB,IAAI,CAAC,SAAS,CAAC,OAAO;gBAAE,OAAO,SAAS,CAAA;YAExC,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAA;QACtC,CAAC;QAGD,IAAI,OAAO;YACT,IAAI,IAAI,CAAC,UAAU;gBAAE,OAAO,SAAS,CAAA;YACrC,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,IAAI,CAAC,GAAU,CAAA;YAChD,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAA;QACjE,CAAC;QAED;;WAEG;QACH,IAAI,GAAG;YACL,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAA;QACrB,CAAC;QAED,IAAI,MAAM;YACR,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,CAAA;QACzB,CAAC;QAED;;;;;WAKG;QACH,IAAI,GAAG;YACL,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAA;QACrB,CAAC;QAED,IAAI,GAAG;YACL,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,CAAA;QACrB,CAAC;QAED,IAAI,GAAG;YACL,OAAQ,IAAI,CAAC,GAAyD,CAAC,GAAG,CA
AA;QAC5E,CAAC;QAED;;;WAGG;QAEH,IAAI,UAAU;YACZ,OAAO,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAA;QAC3D,CAAC;QAED,IAAI,SAAS;YACX,OAAO,IAAI,CAAC,GAAG,CAAC,OAAO,IAAI,IAAI,CAAA;QACjC,CAAC;QAED,QAAQ,CAAC,OAA8B;YACrC,IAAI,CAAC,OAAO,EAAE,YAAY,IAAI,IAAI,CAAC,SAAS;gBAAE,OAAO,KAAK,CAAA;YAE1D,MAAM,SAAS,GAAG,OAAO,EAAE,cAAc,IAAI,CAAC,CAAA;YAC9C,IAAI,SAAS,KAAK,QAAQ,EAAE,CAAC;gBAC3B,MAAM,GAAG,GAAG,OAAO,EAAE,WAAW,EAAE,OAAO,EAAE,IAAI,IAAI,CAAC,GAAG,EAAE,CAAA;gBACzD,MAAM,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,GAAG,CAAA;gBAE7B,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,CAAC,GAAG,IAAI,GAAG,GAAG,GAAG,GAAG,SAAS,CAAC;oBAAE,OAAO,KAAK,CAAA;gBAChE,IAAI,GAAG,IAAI,IAAI,IAAI,CAAC,CAAC,GAAG,GAAG,GAAG,GAAG,GAAG,GAAG,SAAS,CAAC;oBAAE,OAAO,KAAK,CAAA;YACjE,CAAC;YAED,OAAO,IAAI,CAAA;QACb,CAAC;QAED,OAAO,CAAC,IAAqB;YAC3B,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;gBACrB,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;oBACxC,CAAC,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,IAAI,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;oBACjD,CAAC,CAAC,IAAI,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,CAAA;gBACzB,IAAI,CAAC,UAAU;oBAAE,OAAO,KAAK,CAAA;YAC/B,CAAC;YAED,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,EAAE,CAAC;gBACrB,MAAM,UAAU,GAAG,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC;oBACxC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;oBACnD,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;gBACtC,IAAI,CAAC,UAAU;oBAAE,OAAO,KAAK,CAAA;YAC/B,CAAC;YAED,IAAI,IAAI,CAAC,KAAK,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,UAAU,GACd,IAAI,CAAC,MAAM,IAAI,IAAI;oBACnB,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC;oBAChC,wEAAwE;oBACxE,sEAAsE;oBACtE,CAAC,IAAI,CAAC,KAAK,KAAK,QAAQ,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;oBACzD,CAAC,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;oBAC7D,CAAC,IAAI,CAAC,KAAK,KAAK,SAAS,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAA;gBACjE,IAAI,CAAC,UAAU;oBAAE,OAAO,KAAK,CAAA;gBAE7B,MAAM,UAAU,GACd,IAAI,CAAC,G
AAG,IAAI,IAAI;oBAChB,CAAC,IAAI,CAAC,GAAG,KAAK,KAAK,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;oBACjD,CAAC,IAAI,CAAC,GAAG,KAAK,KAAK,IAAI,aAAa,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAA;gBACnD,IAAI,CAAC,UAAU;oBAAE,OAAO,KAAK,CAAA;gBAE7B,sEAAsE;gBACtE,uEAAuE;gBACvE,kDAAkD;gBAClD,MAAM,cAAc,GAAG,IAAI,CAAC,SAAS,IAAI,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;gBACrE,IAAI,CAAC,cAAc;oBAAE,OAAO,KAAK,CAAA;YACnC,CAAC;YAED,OAAO,IAAI,CAAA;QACb,CAAC;;;SAjJmB,GAAG;AAmKzB,SAAS,iBAAiB,CACxB,SAA+B;IAE/B,IAAI,SAAS,IAAI,IAAI;QAAE,OAAO,SAAS,CAAA;IAEvC,4DAA4D;IAC5D,qEAAqE;IACrE,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAA;IAE7D,4DAA4D;IAC5D,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACvD,IAAI,SAAS,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IAC3D,IAAI,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,SAAS,CAAC,GAAG,CAAC,SAAS,CAAC,CAAA;IAE7D,OAAO,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAC9B,CAAC","sourcesContent":["import { jwkAlgorithms } from './alg.js'\nimport {\n Jwk,\n KeyUsage,\n PUBLIC_KEY_USAGE,\n PrivateJwk,\n PublicJwk,\n PublicKeyUsage,\n hasSharedSecretJwk,\n isEncKeyUsage,\n isPrivateJwk,\n isPublicKeyUsage,\n isSigKeyUsage,\n jwkPubSchema,\n jwkSchema,\n} from './jwk.js'\nimport { VerifyOptions, VerifyResult } from './jwt-verify.js'\nimport { JwtHeader, JwtPayload, SignedJwt } from './jwt.js'\nimport { cachedGetter } from './util.js'\n\nexport type KeyMatchOptions = {\n usage?: KeyUsage\n kid?: string | string[]\n alg?: string | string[]\n}\n\nexport type ActivityCheckOptions = {\n allowRevoked?: boolean\n clockTolerance?: number\n currentDate?: Date\n}\n\nexport abstract class Key<J extends Jwk = Jwk> {\n constructor(readonly jwk: Readonly<J>) {}\n\n @cachedGetter\n get isPrivate(): boolean {\n return isPrivateJwk(this.jwk)\n }\n\n @cachedGetter\n get isSymetric(): boolean {\n return hasSharedSecretJwk(this.jwk)\n }\n\n get privateJwk(): Readonly<PrivateJwk> | undefined {\n if (!this.isPrivate) return undefined\n\n return this.jwk 
as Readonly<PrivateJwk>\n }\n\n @cachedGetter\n get publicJwk(): Readonly<PublicJwk> | undefined {\n if (this.isSymetric) return undefined\n if (!this.isPrivate) return this.jwk as Readonly<PublicJwk>\n\n const validated = jwkPubSchema.safeParse({\n ...this.jwk,\n d: undefined,\n k: undefined,\n use: undefined,\n key_ops: buildPublicKeyOps(this.keyOps) ?? PUBLIC_KEY_USAGE,\n })\n\n // One reason why the parsing might fail is if key_ops is empty. This check\n // also allows to future proof the code (e.g if another type of private key\n // is added that uses a different property than \"d\" or \"k\" to store its\n // private value).\n if (!validated.success) return undefined\n\n return Object.freeze(validated.data)\n }\n\n @cachedGetter\n get bareJwk(): Readonly<Jwk> | undefined {\n if (this.isSymetric) return undefined\n const { kty, crv, e, n, x, y } = this.jwk as any\n return Object.freeze(jwkSchema.parse({ crv, e, kty, n, x, y }))\n }\n\n /**\n * @note Only defined on public keys\n */\n get use(): 'sig' | 'enc' | undefined {\n return this.jwk.use\n }\n\n get keyOps(): readonly KeyUsage[] | undefined {\n return this.jwk.key_ops\n }\n\n /**\n * The (forced) algorithm to use. If not provided, the key will be usable with\n * any of the algorithms in {@link algorithms}.\n *\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7518#section-3.1 | \"alg\" (Algorithm) Header Parameter Values for JWS}\n */\n get alg() {\n return this.jwk.alg\n }\n\n get kid() {\n return this.jwk.kid\n }\n\n get crv() {\n return (this.jwk as { crv: undefined } | Extract<J, { crv: unknown }>).crv\n }\n\n /**\n * All the algorithms that this key can be used with. 
If `alg` is provided,\n * this set will only contain that algorithm.\n */\n @cachedGetter\n get algorithms(): readonly string[] {\n return Object.freeze(Array.from(jwkAlgorithms(this.jwk)))\n }\n\n get isRevoked() {\n return this.jwk.revoked != null\n }\n\n isActive(options?: ActivityCheckOptions) {\n if (!options?.allowRevoked && this.isRevoked) return false\n\n const tolerance = options?.clockTolerance ?? 0\n if (tolerance !== Infinity) {\n const now = options?.currentDate?.getTime() ?? Date.now()\n const { exp, nbf } = this.jwk\n\n if (nbf != null && !(now >= nbf * 1e3 - tolerance)) return false\n if (exp != null && !(now < exp * 1e3 + tolerance)) return false\n }\n\n return true\n }\n\n matches(opts: KeyMatchOptions): boolean {\n if (opts.kid != null) {\n const matchesKid = Array.isArray(opts.kid)\n ? this.kid != null && opts.kid.includes(this.kid)\n : this.kid === opts.kid\n if (!matchesKid) return false\n }\n\n if (opts.alg != null) {\n const matchesAlg = Array.isArray(opts.alg)\n ? opts.alg.some((a) => this.algorithms.includes(a))\n : this.algorithms.includes(opts.alg)\n if (!matchesAlg) return false\n }\n\n if (opts.usage != null) {\n const matchesOps =\n this.keyOps == null ||\n this.keyOps.includes(opts.usage) ||\n // @NOTE Because this.jwk represents the private key (typically used for\n // private operations), the public counterpart operations are allowed.\n (opts.usage === 'verify' && this.keyOps.includes('sign')) ||\n (opts.usage === 'encrypt' && this.keyOps.includes('decrypt')) ||\n (opts.usage === 'wrapKey' && this.keyOps.includes('unwrapKey'))\n if (!matchesOps) return false\n\n const matchesUse =\n this.use == null ||\n (this.use === 'sig' && isSigKeyUsage(opts.usage)) ||\n (this.use === 'enc' && isEncKeyUsage(opts.usage))\n if (!matchesUse) return false\n\n // @NOTE This is only relevant when \"key_ops\" and \"use\" are undefined.\n // This line also ensures that when \"opts.usage\" is a private key usage\n // (e.g. 
\"sign\"), the key is indeed a private key.\n const matchesKeyType = this.isPrivate || isPublicKeyUsage(opts.usage)\n if (!matchesKeyType) return false\n }\n\n return true\n }\n\n /**\n * Create a signed JWT\n */\n abstract createJwt(header: JwtHeader, payload: JwtPayload): Promise<SignedJwt>\n\n /**\n * Verify the signature, headers and payload of a JWT\n *\n * @throws {JwtVerifyError} if the JWT is invalid\n */\n abstract verifyJwt<C extends string = never>(\n token: SignedJwt,\n options?: VerifyOptions<C>,\n ): Promise<VerifyResult<C>>\n}\n\nfunction buildPublicKeyOps(\n keyUsages?: readonly KeyUsage[],\n): PublicKeyUsage[] | undefined {\n if (keyUsages == null) return undefined\n\n // https://datatracker.ietf.org/doc/html/rfc7517#section-4.3\n // > Duplicate key operation values MUST NOT be present in the array.\n const publicOps = new Set(keyUsages.filter(isPublicKeyUsage))\n\n // @NOTE Translating private key usage into public key usage\n if (keyUsages.includes('sign')) publicOps.add('verify')\n if (keyUsages.includes('decrypt')) publicOps.add('encrypt')\n if (keyUsages.includes('unwrapKey')) publicOps.add('wrapKey')\n\n return Array.from(publicOps)\n}\n"]}
|