@atproto/jwk 0.6.0 → 0.7.0

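--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -1,5 +1,17 @@
  # @atproto/jwk
 
+ ## 0.7.0
+
+ ### Minor Changes
+
+ - [#4929](https://github.com/bluesky-social/atproto/pull/4929) [`f01c59f`](https://github.com/bluesky-social/atproto/commit/f01c59f5bd3f75fb8b47a9eecd4858b84033fb7c) Thanks [@devinivy](https://github.com/devinivy)! - **BREAKING:** Drop support for Node.js 18 and 20. Node.js 22 is now the minimum supported version. Docker images now use Node.js 24.
+
+ - [#4943](https://github.com/bluesky-social/atproto/pull/4943) [`c459153`](https://github.com/bluesky-social/atproto/commit/c459153395a30ce89e050892c8fab7dc98e019b9) Thanks [@devinivy](https://github.com/devinivy)! - **BREAKING:** Convert to pure ESM. All packages now ship `"type": "module"` with ES module output and Node16 module resolution.
+
+ Node.js 22's `require()` compatibility layer can still load these packages in CommonJS code.
+
+ - [#4930](https://github.com/bluesky-social/atproto/pull/4930) [`908bece`](https://github.com/bluesky-social/atproto/commit/908bece169258bff5ad121e5eec157d6ded6f705) Thanks [@devinivy](https://github.com/devinivy)! - Build with TypeScript 6.0.
+
  ## 0.6.0
 
  ### Minor Changes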
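--- a/package/LICENSE.txt
+++ b/package/LICENSE.txt
@@ -1,6 +1,6 @@
  Dual MIT/Apache-2.0 License
 
- Copyright (c) 2022-2025 Bluesky Social PBC, and Contributors
+ Copyright (c) 2022-2026 Bluesky Social PBC, and Contributors
 
  Except as otherwise noted in individual files, this software is licensed under the MIT license (<http://opensource.org/licenses/MIT>), or the Apache License, Version 2.0 (<http://www.apache.org/licenses/LICENSE-2.0>).
 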
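--- a/package/dist/alg.js
+++ b/package/dist/alg.js
@@ -1,12 +1,9 @@
- "use strict";
- Object.defineProperty(exports, "__esModule", { value: true });
- exports.jwkAlgorithms = jwkAlgorithms;
- const errors_js_1 = require("./errors.js");
- const jwk_js_1 = require("./jwk.js");
+ import { JwkError } from './errors.js';
+ import { isEncKeyUsage, isSigKeyUsage } from './jwk.js';
  // Copy variable to prevent bundlers from automatically polyfilling "process" (e.g. parcel)
  const { process } = globalThis;
  const IS_NODE_RUNTIME = typeof process !== 'undefined' && typeof process?.versions?.node === 'string';
- function* jwkAlgorithms(jwk) {
+ export function* jwkAlgorithms(jwk) {
  // Ed25519, Ed448, and secp256k1 always have "alg"
  if (typeof jwk.alg === 'string') {
  yield jwk.alg;
@@ -35,14 +32,14 @@ function* jwkAlgorithms(jwk) {
  yield 'ES256K';
  break;
  default:
- throw new errors_js_1.JwkError(`Unsupported crv "${crv}"`);
+ throw new JwkError(`Unsupported crv "${crv}"`);
  }
  }
  return;
  }
  case 'OKP': {
  if (!jwk.use)
- throw new errors_js_1.JwkError('Missing "use" Parameter value');
+ throw new JwkError('Missing "use" Parameter value');
  yield 'ECDH-ES';
  yield 'ECDH-ES+A128KW';
  yield 'ECDH-ES+A192KW';
@@ -85,13 +82,13 @@ function* jwkAlgorithms(jwk) {
  return;
  }
  default:
- throw new errors_js_1.JwkError(`Unsupported kty "${jwk.kty}"`);
+ throw new JwkError(`Unsupported kty "${jwk.kty}"`);
  }
  }
  function jwkSupportsEnc(jwk) {
- return (jwk.key_ops?.some(jwk_js_1.isEncKeyUsage) ?? (jwk.use == null || jwk.use === 'enc'));
+ return (jwk.key_ops?.some(isEncKeyUsage) ?? (jwk.use == null || jwk.use === 'enc'));
  }
  function jwkSupportsSig(jwk) {
- return (jwk.key_ops?.some(jwk_js_1.isSigKeyUsage) ?? (jwk.use == null || jwk.use === 'sig'));
+ return (jwk.key_ops?.some(isSigKeyUsage) ?? (jwk.use == null || jwk.use === 'sig'));
  }
  //# sourceMappingURL=alg.js.map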
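Review bot: In the second hunk, the `case 'OKP'` branch only checks that `use` is present and then yields the ECDH-ES key-agreement algorithms whatever its value, so an OKP key with `use: 'sig'` and no `alg` would be reported as usable for encryption. It also ignores `key_ops`, unlike `jwkSupportsEnc` and `jwkSupportsSig` in the last hunk. The comment at the top of `jwkAlgorithms` says Ed25519 and Ed448 keys always carry `alg`, so this path is presumably meant for X25519/X448 only, but nothing visible in the hunk enforces that. Consider gating the yields on the declared use, for example `if (jwk.use !== 'enc') return;` after the existing throw, or at least state the assumption with `// OKP keys without "alg" are assumed to be key-agreement keys (X25519/X448)`. The OKP case continues past the end of this hunk, so confirm against the full function.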
package/dist/alg.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"alg.js","sourceRoot":"","sources":["../src/alg.ts"],"names":[],"mappings":";;AAQA,sCA0FC;AAlGD,2CAAsC;AACtC,qCAAgE;AAEhE,2FAA2F;AAC3F,MAAM,EAAE,OAAO,EAAE,GAAG,UAAU,CAAA;AAC9B,MAAM,eAAe,GACnB,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,OAAO,EAAE,QAAQ,EAAE,IAAI,KAAK,QAAQ,CAAA;AAE/E,QAAe,CAAC,CAAC,aAAa,CAAC,GAAY;IACzC,kDAAkD;IAElD,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,GAAG,CAAC,GAAG,CAAA;QACb,OAAM;IACR,CAAC;IAED,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,CAAC,CAAC;YACV,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,SAAS,CAAA;gBACf,MAAM,gBAAgB,CAAA;gBACtB,MAAM,gBAAgB,CAAA;gBACtB,MAAM,gBAAgB,CAAA;YACxB,CAAC;YAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,GAAG,GAAG,KAAK,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;gBAC9C,QAAQ,GAAG,EAAE,CAAC;oBACZ,KAAK,OAAO,CAAC;oBACb,KAAK,OAAO;wBACV,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;wBAC1B,MAAK;oBACP,KAAK,OAAO;wBACV,MAAM,OAAO,CAAA;wBACb,MAAK;oBACP,KAAK,WAAW;wBACd,IAAI,eAAe;4BAAE,MAAM,QAAQ,CAAA;wBACnC,MAAK;oBACP;wBACE,MAAM,IAAI,oBAAQ,CAAC,oBAAoB,GAAG,GAAG,CAAC,CAAA;gBAClD,CAAC;YACH,CAAC;YAED,OAAM;QACR,CAAC;QAED,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,IAAI,CAAC,GAAG,CAAC,GAAG;gBAAE,MAAM,IAAI,oBAAQ,CAAC,+BAA+B,CAAC,CAAA;YACjE,MAAM,SAAS,CAAA;YACf,MAAM,gBAAgB,CAAA;YACtB,MAAM,gBAAgB,CAAA;YACtB,MAAM,gBAAgB,CAAA;YACtB,OAAM;QACR,CAAC;QAED,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,UAAU,CAAA;gBAChB,MAAM,cAAc,CAAA;gBACpB,MAAM,cAAc,CAAA;gBACpB,MAAM,cAAc,CAAA;gBACpB,IAAI,eAAe;oBAAE,MAAM,QAAQ,CAAA;YACrC,CAAC;YAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;YACf,CAAC;YAED,OAAM;QACR,CAAC;QAED,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,WAAW,CAAA;gBACjB,MAAM,WAAW,CAAA;gBACjB,MAAM,WAAW,CAAA;gBACjB,MAAM,QAAQ,CAAA;gBACd,MAAM,QAAQ,CAAA;gBACd,MAAM,QAAQ,CAAA;YAChB,CAAC;YAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gB
ACxB,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;YACf,CAAC;YAED,OAAM;QACR,CAAC;QAED;YACE,MAAM,IAAI,oBAAQ,CAAC,oBAAoB,GAAG,CAAC,GAAG,GAAG,CAAC,CAAA;IACtD,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAAY;IAClC,OAAO,CACL,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,sBAAa,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAAC,CAC3E,CAAA;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAAY;IAClC,OAAO,CACL,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,sBAAa,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAAC,CAC3E,CAAA;AACH,CAAC","sourcesContent":["import { JwkError } from './errors.js'\nimport { JwkBase, isEncKeyUsage, isSigKeyUsage } from './jwk.js'\n\n// Copy variable to prevent bundlers from automatically polyfilling \"process\" (e.g. parcel)\nconst { process } = globalThis\nconst IS_NODE_RUNTIME =\n typeof process !== 'undefined' && typeof process?.versions?.node === 'string'\n\nexport function* jwkAlgorithms(jwk: JwkBase): Generator<string, void, unknown> {\n // Ed25519, Ed448, and secp256k1 always have \"alg\"\n\n if (typeof jwk.alg === 'string') {\n yield jwk.alg\n return\n }\n\n switch (jwk.kty) {\n case 'EC': {\n if (jwkSupportsEnc(jwk)) {\n yield 'ECDH-ES'\n yield 'ECDH-ES+A128KW'\n yield 'ECDH-ES+A192KW'\n yield 'ECDH-ES+A256KW'\n }\n\n if (jwkSupportsSig(jwk)) {\n const crv = 'crv' in jwk ? 
jwk.crv : undefined\n switch (crv) {\n case 'P-256':\n case 'P-384':\n yield `ES${crv.slice(-3)}`\n break\n case 'P-521':\n yield 'ES512'\n break\n case 'secp256k1':\n if (IS_NODE_RUNTIME) yield 'ES256K'\n break\n default:\n throw new JwkError(`Unsupported crv \"${crv}\"`)\n }\n }\n\n return\n }\n\n case 'OKP': {\n if (!jwk.use) throw new JwkError('Missing \"use\" Parameter value')\n yield 'ECDH-ES'\n yield 'ECDH-ES+A128KW'\n yield 'ECDH-ES+A192KW'\n yield 'ECDH-ES+A256KW'\n return\n }\n\n case 'RSA': {\n if (jwkSupportsEnc(jwk)) {\n yield 'RSA-OAEP'\n yield 'RSA-OAEP-256'\n yield 'RSA-OAEP-384'\n yield 'RSA-OAEP-512'\n if (IS_NODE_RUNTIME) yield 'RSA1_5'\n }\n\n if (jwkSupportsSig(jwk)) {\n yield 'PS256'\n yield 'PS384'\n yield 'PS512'\n yield 'RS256'\n yield 'RS384'\n yield 'RS512'\n }\n\n return\n }\n\n case 'oct': {\n if (jwkSupportsEnc(jwk)) {\n yield 'A128GCMKW'\n yield 'A192GCMKW'\n yield 'A256GCMKW'\n yield 'A128KW'\n yield 'A192KW'\n yield 'A256KW'\n }\n\n if (jwkSupportsSig(jwk)) {\n yield 'HS256'\n yield 'HS384'\n yield 'HS512'\n }\n\n return\n }\n\n default:\n throw new JwkError(`Unsupported kty \"${jwk.kty}\"`)\n }\n}\n\nfunction jwkSupportsEnc(jwk: JwkBase): boolean {\n return (\n jwk.key_ops?.some(isEncKeyUsage) ?? (jwk.use == null || jwk.use === 'enc')\n )\n}\n\nfunction jwkSupportsSig(jwk: JwkBase): boolean {\n return (\n jwk.key_ops?.some(isSigKeyUsage) ?? (jwk.use == null || jwk.use === 'sig')\n )\n}\n"]}
1
+ {"version":3,"file":"alg.js","sourceRoot":"","sources":["../src/alg.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAA;AACtC,OAAO,EAAW,aAAa,EAAE,aAAa,EAAE,MAAM,UAAU,CAAA;AAEhE,2FAA2F;AAC3F,MAAM,EAAE,OAAO,EAAE,GAAG,UAAU,CAAA;AAC9B,MAAM,eAAe,GACnB,OAAO,OAAO,KAAK,WAAW,IAAI,OAAO,OAAO,EAAE,QAAQ,EAAE,IAAI,KAAK,QAAQ,CAAA;AAE/E,MAAM,SAAS,CAAC,CAAC,aAAa,CAAC,GAAY;IACzC,kDAAkD;IAElD,IAAI,OAAO,GAAG,CAAC,GAAG,KAAK,QAAQ,EAAE,CAAC;QAChC,MAAM,GAAG,CAAC,GAAG,CAAA;QACb,OAAM;IACR,CAAC;IAED,QAAQ,GAAG,CAAC,GAAG,EAAE,CAAC;QAChB,KAAK,IAAI,CAAC,CAAC,CAAC;YACV,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,SAAS,CAAA;gBACf,MAAM,gBAAgB,CAAA;gBACtB,MAAM,gBAAgB,CAAA;gBACtB,MAAM,gBAAgB,CAAA;YACxB,CAAC;YAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,GAAG,GAAG,KAAK,IAAI,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAA;gBAC9C,QAAQ,GAAG,EAAE,CAAC;oBACZ,KAAK,OAAO,CAAC;oBACb,KAAK,OAAO;wBACV,MAAM,KAAK,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAA;wBAC1B,MAAK;oBACP,KAAK,OAAO;wBACV,MAAM,OAAO,CAAA;wBACb,MAAK;oBACP,KAAK,WAAW;wBACd,IAAI,eAAe;4BAAE,MAAM,QAAQ,CAAA;wBACnC,MAAK;oBACP;wBACE,MAAM,IAAI,QAAQ,CAAC,oBAAoB,GAAG,GAAG,CAAC,CAAA;gBAClD,CAAC;YACH,CAAC;YAED,OAAM;QACR,CAAC;QAED,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,IAAI,CAAC,GAAG,CAAC,GAAG;gBAAE,MAAM,IAAI,QAAQ,CAAC,+BAA+B,CAAC,CAAA;YACjE,MAAM,SAAS,CAAA;YACf,MAAM,gBAAgB,CAAA;YACtB,MAAM,gBAAgB,CAAA;YACtB,MAAM,gBAAgB,CAAA;YACtB,OAAM;QACR,CAAC;QAED,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,UAAU,CAAA;gBAChB,MAAM,cAAc,CAAA;gBACpB,MAAM,cAAc,CAAA;gBACpB,MAAM,cAAc,CAAA;gBACpB,IAAI,eAAe;oBAAE,MAAM,QAAQ,CAAA;YACrC,CAAC;YAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;YACf,CAAC;YAED,OAAM;QACR,CAAC;QAED,KAAK,KAAK,CAAC,CAAC,CAAC;YACX,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,WAAW,CAAA;gBACjB,MAAM,WAAW,CAAA;gBACjB,MAAM,WAAW,CAAA;gBACjB,MAAM,QAAQ,CAAA;gBACd,MAAM,QAAQ,CAAA;gBACd,MAAM,QAAQ,CAAA
;YAChB,CAAC;YAED,IAAI,cAAc,CAAC,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;gBACb,MAAM,OAAO,CAAA;YACf,CAAC;YAED,OAAM;QACR,CAAC;QAED;YACE,MAAM,IAAI,QAAQ,CAAC,oBAAoB,GAAG,CAAC,GAAG,GAAG,CAAC,CAAA;IACtD,CAAC;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAAY;IAClC,OAAO,CACL,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAAC,CAC3E,CAAA;AACH,CAAC;AAED,SAAS,cAAc,CAAC,GAAY;IAClC,OAAO,CACL,GAAG,CAAC,OAAO,EAAE,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,IAAI,IAAI,IAAI,GAAG,CAAC,GAAG,KAAK,KAAK,CAAC,CAC3E,CAAA;AACH,CAAC","sourcesContent":["import { JwkError } from './errors.js'\nimport { JwkBase, isEncKeyUsage, isSigKeyUsage } from './jwk.js'\n\n// Copy variable to prevent bundlers from automatically polyfilling \"process\" (e.g. parcel)\nconst { process } = globalThis\nconst IS_NODE_RUNTIME =\n typeof process !== 'undefined' && typeof process?.versions?.node === 'string'\n\nexport function* jwkAlgorithms(jwk: JwkBase): Generator<string, void, unknown> {\n // Ed25519, Ed448, and secp256k1 always have \"alg\"\n\n if (typeof jwk.alg === 'string') {\n yield jwk.alg\n return\n }\n\n switch (jwk.kty) {\n case 'EC': {\n if (jwkSupportsEnc(jwk)) {\n yield 'ECDH-ES'\n yield 'ECDH-ES+A128KW'\n yield 'ECDH-ES+A192KW'\n yield 'ECDH-ES+A256KW'\n }\n\n if (jwkSupportsSig(jwk)) {\n const crv = 'crv' in jwk ? 
jwk.crv : undefined\n switch (crv) {\n case 'P-256':\n case 'P-384':\n yield `ES${crv.slice(-3)}`\n break\n case 'P-521':\n yield 'ES512'\n break\n case 'secp256k1':\n if (IS_NODE_RUNTIME) yield 'ES256K'\n break\n default:\n throw new JwkError(`Unsupported crv \"${crv}\"`)\n }\n }\n\n return\n }\n\n case 'OKP': {\n if (!jwk.use) throw new JwkError('Missing \"use\" Parameter value')\n yield 'ECDH-ES'\n yield 'ECDH-ES+A128KW'\n yield 'ECDH-ES+A192KW'\n yield 'ECDH-ES+A256KW'\n return\n }\n\n case 'RSA': {\n if (jwkSupportsEnc(jwk)) {\n yield 'RSA-OAEP'\n yield 'RSA-OAEP-256'\n yield 'RSA-OAEP-384'\n yield 'RSA-OAEP-512'\n if (IS_NODE_RUNTIME) yield 'RSA1_5'\n }\n\n if (jwkSupportsSig(jwk)) {\n yield 'PS256'\n yield 'PS384'\n yield 'PS512'\n yield 'RS256'\n yield 'RS384'\n yield 'RS512'\n }\n\n return\n }\n\n case 'oct': {\n if (jwkSupportsEnc(jwk)) {\n yield 'A128GCMKW'\n yield 'A192GCMKW'\n yield 'A256GCMKW'\n yield 'A128KW'\n yield 'A192KW'\n yield 'A256KW'\n }\n\n if (jwkSupportsSig(jwk)) {\n yield 'HS256'\n yield 'HS384'\n yield 'HS512'\n }\n\n return\n }\n\n default:\n throw new JwkError(`Unsupported kty \"${jwk.kty}\"`)\n }\n}\n\nfunction jwkSupportsEnc(jwk: JwkBase): boolean {\n return (\n jwk.key_ops?.some(isEncKeyUsage) ?? (jwk.use == null || jwk.use === 'enc')\n )\n}\n\nfunction jwkSupportsSig(jwk: JwkBase): boolean {\n return (\n jwk.key_ops?.some(isSigKeyUsage) ?? (jwk.use == null || jwk.use === 'sig')\n )\n}\n"]}
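--- a/package/dist/errors.js
+++ b/package/dist/errors.js
@@ -1,33 +1,19 @@
- "use strict";
- Object.defineProperty(exports, "__esModule", { value: true });
- exports.JwtVerifyError = exports.JwtCreateError = exports.JwkError = exports.ERR_JWT_VERIFY = exports.ERR_JWT_CREATE = exports.ERR_JWT_INVALID = exports.ERR_JWK_NOT_FOUND = exports.ERR_JWK_INVALID = exports.ERR_JWKS_NO_MATCHING_KEY = void 0;
- exports.ERR_JWKS_NO_MATCHING_KEY = 'ERR_JWKS_NO_MATCHING_KEY';
- exports.ERR_JWK_INVALID = 'ERR_JWK_INVALID';
- exports.ERR_JWK_NOT_FOUND = 'ERR_JWK_NOT_FOUND';
- exports.ERR_JWT_INVALID = 'ERR_JWT_INVALID';
- exports.ERR_JWT_CREATE = 'ERR_JWT_CREATE';
- exports.ERR_JWT_VERIFY = 'ERR_JWT_VERIFY';
- class JwkError extends TypeError {
- constructor(message = 'JWK error', code = exports.ERR_JWK_INVALID, options) {
+ export const ERR_JWKS_NO_MATCHING_KEY = 'ERR_JWKS_NO_MATCHING_KEY';
+ export const ERR_JWK_INVALID = 'ERR_JWK_INVALID';
+ export const ERR_JWK_NOT_FOUND = 'ERR_JWK_NOT_FOUND';
+ export const ERR_JWT_INVALID = 'ERR_JWT_INVALID';
+ export const ERR_JWT_CREATE = 'ERR_JWT_CREATE';
+ export const ERR_JWT_VERIFY = 'ERR_JWT_VERIFY';
+ export class JwkError extends TypeError {
+ constructor(message = 'JWK error', code = ERR_JWK_INVALID, options) {
  super(message, options);
- Object.defineProperty(this, "code", {
- enumerable: true,
- configurable: true,
- writable: true,
- value: code
- });
+ this.code = code;
  }
  }
- exports.JwkError = JwkError;
- class JwtCreateError extends Error {
- constructor(message = 'Unable to create JWT', code = exports.ERR_JWT_CREATE, options) {
+ export class JwtCreateError extends Error {
+ constructor(message = 'Unable to create JWT', code = ERR_JWT_CREATE, options) {
  super(message, options);
- Object.defineProperty(this, "code", {
- enumerable: true,
- configurable: true,
- writable: true,
- value: code
- });
+ this.code = code;
  }
  static from(cause, code, message) {
  if (cause instanceof JwtCreateError)
@@ -38,16 +24,10 @@ class JwtCreateError extends Error {
  return new JwtCreateError(message, code, { cause });
  }
  }
- exports.JwtCreateError = JwtCreateError;
- class JwtVerifyError extends Error {
- constructor(message = 'Invalid JWT', code = exports.ERR_JWT_VERIFY, options) {
+ export class JwtVerifyError extends Error {
+ constructor(message = 'Invalid JWT', code = ERR_JWT_VERIFY, options) {
  super(message, options);
- Object.defineProperty(this, "code", {
- enumerable: true,
- configurable: true,
- writable: true,
- value: code
- });
+ this.code = code;
  }
  static from(cause, code, message) {
  if (cause instanceof JwtVerifyError)
@@ -58,5 +38,4 @@ class JwtVerifyError extends Error {
  return new JwtVerifyError(message, code, { cause });
  }
  }
- exports.JwtVerifyError = JwtVerifyError;
  //# sourceMappingURL=errors.js.map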
@@ -1 +1 @@
1
- {"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":";;;AAEa,QAAA,wBAAwB,GAAG,0BAA0B,CAAA;AACrD,QAAA,eAAe,GAAG,iBAAiB,CAAA;AACnC,QAAA,iBAAiB,GAAG,mBAAmB,CAAA;AACvC,QAAA,eAAe,GAAG,iBAAiB,CAAA;AACnC,QAAA,cAAc,GAAG,gBAAgB,CAAA;AACjC,QAAA,cAAc,GAAG,gBAAgB,CAAA;AAE9C,MAAa,QAAS,SAAQ,SAAS;IACrC,YACE,OAAO,GAAG,WAAW,EACL,OAAO,uBAAe,EACtC,OAAsB;QAEtB,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAHvB;;;;mBAAgB,IAAI;WAAkB;IAIxC,CAAC;CACF;AARD,4BAQC;AAED,MAAa,cAAe,SAAQ,KAAK;IACvC,YACE,OAAO,GAAG,sBAAsB,EAChB,OAAO,sBAAc,EACrC,OAAsB;QAEtB,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAHvB;;;;mBAAgB,IAAI;WAAiB;IAIvC,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAc,EAAE,IAAa,EAAE,OAAgB;QACzD,IAAI,KAAK,YAAY,cAAc;YAAE,OAAO,KAAK,CAAA;QACjD,IAAI,KAAK,YAAY,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QAC3D,CAAC;QAED,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IACrD,CAAC;CACF;AAjBD,wCAiBC;AAED,MAAa,cAAe,SAAQ,KAAK;IACvC,YACE,OAAO,GAAG,aAAa,EACP,OAAO,sBAAc,EACrC,OAAsB;QAEtB,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAHvB;;;;mBAAgB,IAAI;WAAiB;IAIvC,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAc,EAAE,IAAa,EAAE,OAAgB;QACzD,IAAI,KAAK,YAAY,cAAc;YAAE,OAAO,KAAK,CAAA;QACjD,IAAI,KAAK,YAAY,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QAC3D,CAAC;QAED,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IACrD,CAAC;CACF;AAjBD,wCAiBC","sourcesContent":["export type ErrorOptions = { cause?: unknown }\n\nexport const ERR_JWKS_NO_MATCHING_KEY = 'ERR_JWKS_NO_MATCHING_KEY'\nexport const ERR_JWK_INVALID = 'ERR_JWK_INVALID'\nexport const ERR_JWK_NOT_FOUND = 'ERR_JWK_NOT_FOUND'\nexport const ERR_JWT_INVALID = 'ERR_JWT_INVALID'\nexport const ERR_JWT_CREATE = 'ERR_JWT_CREATE'\nexport const ERR_JWT_VERIFY = 'ERR_JWT_VERIFY'\n\nexport class JwkError extends TypeError {\n constructor(\n message = 'JWK error',\n public readonly code = ERR_JWK_INVALID,\n options?: ErrorOptions,\n ) {\n 
super(message, options)\n }\n}\n\nexport class JwtCreateError extends Error {\n constructor(\n message = 'Unable to create JWT',\n public readonly code = ERR_JWT_CREATE,\n options?: ErrorOptions,\n ) {\n super(message, options)\n }\n\n static from(cause: unknown, code?: string, message?: string): JwtCreateError {\n if (cause instanceof JwtCreateError) return cause\n if (cause instanceof JwkError) {\n return new JwtCreateError(message, cause.code, { cause })\n }\n\n return new JwtCreateError(message, code, { cause })\n }\n}\n\nexport class JwtVerifyError extends Error {\n constructor(\n message = 'Invalid JWT',\n public readonly code = ERR_JWT_VERIFY,\n options?: ErrorOptions,\n ) {\n super(message, options)\n }\n\n static from(cause: unknown, code?: string, message?: string): JwtVerifyError {\n if (cause instanceof JwtVerifyError) return cause\n if (cause instanceof JwkError) {\n return new JwtVerifyError(message, cause.code, { cause })\n }\n\n return new JwtVerifyError(message, code, { cause })\n }\n}\n"]}
1
+ {"version":3,"file":"errors.js","sourceRoot":"","sources":["../src/errors.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,wBAAwB,GAAG,0BAA0B,CAAA;AAClE,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,CAAA;AAChD,MAAM,CAAC,MAAM,iBAAiB,GAAG,mBAAmB,CAAA;AACpD,MAAM,CAAC,MAAM,eAAe,GAAG,iBAAiB,CAAA;AAChD,MAAM,CAAC,MAAM,cAAc,GAAG,gBAAgB,CAAA;AAC9C,MAAM,CAAC,MAAM,cAAc,GAAG,gBAAgB,CAAA;AAE9C,MAAM,OAAO,QAAS,SAAQ,SAAS;IACrC,YACE,OAAO,GAAG,WAAW,EACL,OAAO,eAAe,EACtC,OAAsB;QAEtB,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAHP,SAAI,GAAJ,IAAI,CAAkB;IAIxC,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,KAAK;IACvC,YACE,OAAO,GAAG,sBAAsB,EAChB,OAAO,cAAc,EACrC,OAAsB;QAEtB,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAHP,SAAI,GAAJ,IAAI,CAAiB;IAIvC,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAc,EAAE,IAAa,EAAE,OAAgB;QACzD,IAAI,KAAK,YAAY,cAAc;YAAE,OAAO,KAAK,CAAA;QACjD,IAAI,KAAK,YAAY,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QAC3D,CAAC;QAED,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IACrD,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,KAAK;IACvC,YACE,OAAO,GAAG,aAAa,EACP,OAAO,cAAc,EACrC,OAAsB;QAEtB,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAA;QAHP,SAAI,GAAJ,IAAI,CAAiB;IAIvC,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,KAAc,EAAE,IAAa,EAAE,OAAgB;QACzD,IAAI,KAAK,YAAY,cAAc;YAAE,OAAO,KAAK,CAAA;QACjD,IAAI,KAAK,YAAY,QAAQ,EAAE,CAAC;YAC9B,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,KAAK,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;QAC3D,CAAC;QAED,OAAO,IAAI,cAAc,CAAC,OAAO,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,CAAC,CAAA;IACrD,CAAC;CACF","sourcesContent":["export type ErrorOptions = { cause?: unknown }\n\nexport const ERR_JWKS_NO_MATCHING_KEY = 'ERR_JWKS_NO_MATCHING_KEY'\nexport const ERR_JWK_INVALID = 'ERR_JWK_INVALID'\nexport const ERR_JWK_NOT_FOUND = 'ERR_JWK_NOT_FOUND'\nexport const ERR_JWT_INVALID = 'ERR_JWT_INVALID'\nexport const ERR_JWT_CREATE = 'ERR_JWT_CREATE'\nexport const ERR_JWT_VERIFY = 'ERR_JWT_VERIFY'\n\nexport class JwkError extends TypeError {\n constructor(\n message = 'JWK error',\n public readonly code = ERR_JWK_INVALID,\n 
options?: ErrorOptions,\n ) {\n super(message, options)\n }\n}\n\nexport class JwtCreateError extends Error {\n constructor(\n message = 'Unable to create JWT',\n public readonly code = ERR_JWT_CREATE,\n options?: ErrorOptions,\n ) {\n super(message, options)\n }\n\n static from(cause: unknown, code?: string, message?: string): JwtCreateError {\n if (cause instanceof JwtCreateError) return cause\n if (cause instanceof JwkError) {\n return new JwtCreateError(message, cause.code, { cause })\n }\n\n return new JwtCreateError(message, code, { cause })\n }\n}\n\nexport class JwtVerifyError extends Error {\n constructor(\n message = 'Invalid JWT',\n public readonly code = ERR_JWT_VERIFY,\n options?: ErrorOptions,\n ) {\n super(message, options)\n }\n\n static from(cause: unknown, code?: string, message?: string): JwtVerifyError {\n if (cause instanceof JwtVerifyError) return cause\n if (cause instanceof JwkError) {\n return new JwtVerifyError(message, cause.code, { cause })\n }\n\n return new JwtVerifyError(message, code, { cause })\n }\n}\n"]}
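--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1,32 +1,14 @@
- "use strict";
- var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
- if (k2 === undefined) k2 = k;
- var desc = Object.getOwnPropertyDescriptor(m, k);
- if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
- desc = { enumerable: true, get: function() { return m[k]; } };
- }
- Object.defineProperty(o, k2, desc);
- }) : (function(o, m, k, k2) {
- if (k2 === undefined) k2 = k;
- o[k2] = m[k];
- }));
- var __exportStar = (this && this.__exportStar) || function(m, exports) {
- for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
- };
- Object.defineProperty(exports, "__esModule", { value: true });
- exports.ValidationError = void 0;
  // Since we expose zod schemas, let's expose ZodError (under a generic name) so
  // that dependents can catch schema parsing errors without requiring an explicit
  // dependency on zod, or risking a conflict in case of mismatching zob versions.
- var zod_1 = require("zod");
- Object.defineProperty(exports, "ValidationError", { enumerable: true, get: function () { return zod_1.ZodError; } });
- __exportStar(require("./alg.js"), exports);
- __exportStar(require("./errors.js"), exports);
- __exportStar(require("./jwk.js"), exports);
- __exportStar(require("./jwks.js"), exports);
- __exportStar(require("./jwt-decode.js"), exports);
- __exportStar(require("./jwt-verify.js"), exports);
- __exportStar(require("./jwt.js"), exports);
- __exportStar(require("./key.js"), exports);
- __exportStar(require("./keyset.js"), exports);
+ export { ZodError as ValidationError } from 'zod';
+ export * from './alg.js';
+ export * from './errors.js';
+ export * from './jwk.js';
+ export * from './jwks.js';
+ export * from './jwt-decode.js';
+ export * from './jwt-verify.js';
+ export * from './jwt.js';
+ export * from './key.js';
+ export * from './keyset.js';
  //# sourceMappingURL=index.js.map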
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;AAAA,+EAA+E;AAC/E,gFAAgF;AAChF,gFAAgF;AAChF,2BAAiD;AAAxC,sGAAA,QAAQ,OAAmB;AAEpC,2CAAwB;AACxB,8CAA2B;AAC3B,2CAAwB;AACxB,4CAAyB;AACzB,kDAA+B;AAC/B,kDAA+B;AAC/B,2CAAwB;AACxB,2CAAwB;AACxB,8CAA2B","sourcesContent":["// Since we expose zod schemas, let's expose ZodError (under a generic name) so\n// that dependents can catch schema parsing errors without requiring an explicit\n// dependency on zod, or risking a conflict in case of mismatching zob versions.\nexport { ZodError as ValidationError } from 'zod'\n\nexport * from './alg.js'\nexport * from './errors.js'\nexport * from './jwk.js'\nexport * from './jwks.js'\nexport * from './jwt-decode.js'\nexport * from './jwt-verify.js'\nexport * from './jwt.js'\nexport * from './key.js'\nexport * from './keyset.js'\n"]}
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+EAA+E;AAC/E,gFAAgF;AAChF,gFAAgF;AAChF,OAAO,EAAE,QAAQ,IAAI,eAAe,EAAE,MAAM,KAAK,CAAA;AAEjD,cAAc,UAAU,CAAA;AACxB,cAAc,aAAa,CAAA;AAC3B,cAAc,UAAU,CAAA;AACxB,cAAc,WAAW,CAAA;AACzB,cAAc,iBAAiB,CAAA;AAC/B,cAAc,iBAAiB,CAAA;AAC/B,cAAc,UAAU,CAAA;AACxB,cAAc,UAAU,CAAA;AACxB,cAAc,aAAa,CAAA","sourcesContent":["// Since we expose zod schemas, let's expose ZodError (under a generic name) so\n// that dependents can catch schema parsing errors without requiring an explicit\n// dependency on zod, or risking a conflict in case of mismatching zob versions.\nexport { ZodError as ValidationError } from 'zod'\n\nexport * from './alg.js'\nexport * from './errors.js'\nexport * from './jwk.js'\nexport * from './jwks.js'\nexport * from './jwt-decode.js'\nexport * from './jwt-verify.js'\nexport * from './jwt.js'\nexport * from './key.js'\nexport * from './keyset.js'\n"]}
package/dist/jwk.js CHANGED
@@ -1,27 +1,15 @@
1
- "use strict";
2
- Object.defineProperty(exports, "__esModule", { value: true });
3
- exports.jwkPrivateSchema = exports.jwkPubSchema = exports.jwkValidator = exports.jwkSchema = exports.keyUsageSchema = exports.KEY_USAGE = exports.privateKeyUsageSchema = exports.PRIVATE_KEY_USAGE = exports.publicKeyUsageSchema = exports.PUBLIC_KEY_USAGE = void 0;
4
- exports.isPublicKeyUsage = isPublicKeyUsage;
5
- exports.isSigKeyUsage = isSigKeyUsage;
6
- exports.isEncKeyUsage = isEncKeyUsage;
7
- exports.isPrivateKeyUsage = isPrivateKeyUsage;
8
- exports.hasKid = hasKid;
9
- exports.hasSharedSecretJwk = hasSharedSecretJwk;
10
- exports.hasPrivateSecretJwk = hasPrivateSecretJwk;
11
- exports.isPrivateJwk = isPrivateJwk;
12
- exports.isPublicJwk = isPublicJwk;
13
- const zod_1 = require("zod");
14
- const util_1 = require("./util");
15
- exports.PUBLIC_KEY_USAGE = ['verify', 'encrypt', 'wrapKey'];
16
- exports.publicKeyUsageSchema = zod_1.z.enum(exports.PUBLIC_KEY_USAGE);
17
- function isPublicKeyUsage(usage) {
18
- return exports.PUBLIC_KEY_USAGE.includes(usage);
1
+ import { z } from 'zod';
2
+ import { isLastOccurrence } from './util.js';
3
+ export const PUBLIC_KEY_USAGE = ['verify', 'encrypt', 'wrapKey'];
4
+ export const publicKeyUsageSchema = z.enum(PUBLIC_KEY_USAGE);
5
+ export function isPublicKeyUsage(usage) {
6
+ return PUBLIC_KEY_USAGE.includes(usage);
19
7
  }
20
8
  /**
21
9
  * Determines if the given key usage is consistent for "sig" (signature) public
22
10
  * key use.
23
11
  */
24
- function isSigKeyUsage(v) {
12
+ export function isSigKeyUsage(v) {
25
13
  return v === 'verify';
26
14
  }
27
15
  /**
@@ -35,112 +23,112 @@ function isSigKeyUsage(v) {
35
23
  * > agreement operations.
36
24
  * @see {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4.2}
37
25
  */
38
- function isEncKeyUsage(v) {
26
+ export function isEncKeyUsage(v) {
39
27
  return v === 'encrypt' || v === 'wrapKey';
40
28
  }
41
- exports.PRIVATE_KEY_USAGE = [
29
+ export const PRIVATE_KEY_USAGE = [
42
30
  'sign',
43
31
  'decrypt',
44
32
  'unwrapKey',
45
33
  'deriveKey',
46
34
  'deriveBits',
47
35
  ];
48
- exports.privateKeyUsageSchema = zod_1.z.enum(exports.PRIVATE_KEY_USAGE);
49
- function isPrivateKeyUsage(usage) {
50
- return exports.PRIVATE_KEY_USAGE.includes(usage);
36
+ export const privateKeyUsageSchema = z.enum(PRIVATE_KEY_USAGE);
37
+ export function isPrivateKeyUsage(usage) {
38
+ return PRIVATE_KEY_USAGE.includes(usage);
51
39
  }
52
- exports.KEY_USAGE = [...exports.PRIVATE_KEY_USAGE, ...exports.PUBLIC_KEY_USAGE];
53
- exports.keyUsageSchema = zod_1.z.enum(exports.KEY_USAGE);
40
+ export const KEY_USAGE = [...PRIVATE_KEY_USAGE, ...PUBLIC_KEY_USAGE];
41
+ export const keyUsageSchema = z.enum(KEY_USAGE);
54
42
  /**
55
43
  * @see {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4 JSON Web Key (JWK) Format}
56
44
  * @see {@link https://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters IANA "JSON Web Key Parameters" registry}
57
45
  */
58
- const jwkBaseSchema = zod_1.z.object({
59
- kty: zod_1.z.string().min(1),
60
- alg: zod_1.z.string().min(1).optional(),
61
- kid: zod_1.z.string().min(1).optional(),
62
- use: zod_1.z.enum(['sig', 'enc']).optional(),
63
- key_ops: zod_1.z
64
- .array(exports.keyUsageSchema)
46
+ const jwkBaseSchema = z.object({
47
+ kty: z.string().min(1),
48
+ alg: z.string().min(1).optional(),
49
+ kid: z.string().min(1).optional(),
50
+ use: z.enum(['sig', 'enc']).optional(),
51
+ key_ops: z
52
+ .array(keyUsageSchema)
65
53
  .min(1, { message: 'At least one key usage must be specified' })
66
54
  // https://datatracker.ietf.org/doc/html/rfc7517#section-4.3
67
55
  // > Duplicate key operation values MUST NOT be present in the array.
68
- .refine((ops) => ops.every(util_1.isLastOccurrence), {
56
+ .refine((ops) => ops.every(isLastOccurrence), {
69
57
  message: 'key_ops must not contain duplicates',
70
58
  })
71
59
  .optional(),
72
- x5c: zod_1.z.array(zod_1.z.string()).optional(), // X.509 Certificate Chain
73
- x5t: zod_1.z.string().min(1).optional(), // X.509 Certificate SHA-1 Thumbprint
74
- 'x5t#S256': zod_1.z.string().min(1).optional(), // X.509 Certificate SHA-256 Thumbprint
75
- x5u: zod_1.z.string().url().optional(), // X.509 URL
60
+ x5c: z.array(z.string()).optional(), // X.509 Certificate Chain
61
+ x5t: z.string().min(1).optional(), // X.509 Certificate SHA-1 Thumbprint
62
+ 'x5t#S256': z.string().min(1).optional(), // X.509 Certificate SHA-256 Thumbprint
63
+ x5u: z.string().url().optional(), // X.509 URL
76
64
  // https://www.w3.org/TR/webcrypto/
77
- ext: zod_1.z.boolean().optional(), // Extractable
65
+ ext: z.boolean().optional(), // Extractable
78
66
  // Federation Historical Keys Response
79
67
  // https://openid.net/specs/openid-federation-1_0.html#name-federation-historical-keys-res
80
- iat: zod_1.z.number().int().optional(), // Issued At (timestamp)
81
- exp: zod_1.z.number().int().optional(), // Expiration Time (timestamp)
82
- nbf: zod_1.z.number().int().optional(), // Not Before (timestamp)
83
- revoked: zod_1.z // properties of the revocation
68
+ iat: z.number().int().optional(), // Issued At (timestamp)
69
+ exp: z.number().int().optional(), // Expiration Time (timestamp)
70
+ nbf: z.number().int().optional(), // Not Before (timestamp)
71
+ revoked: z // properties of the revocation
84
72
  .object({
85
- revoked_at: zod_1.z.number().int(),
86
- reason: zod_1.z.string().optional(),
73
+ revoked_at: z.number().int(),
74
+ reason: z.string().optional(),
87
75
  })
88
76
  .optional(),
89
77
  });
90
78
  const jwkRsaKeySchema = jwkBaseSchema.extend({
91
- kty: zod_1.z.literal('RSA'),
92
- alg: zod_1.z
79
+ kty: z.literal('RSA'),
80
+ alg: z
93
81
  .enum(['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'])
94
82
  .optional(),
95
- n: zod_1.z.string().min(1), // Modulus
96
- e: zod_1.z.string().min(1), // Exponent
97
- d: zod_1.z.string().min(1).optional(), // Private Exponent
98
- p: zod_1.z.string().min(1).optional(), // First Prime Factor
99
- q: zod_1.z.string().min(1).optional(), // Second Prime Factor
100
- dp: zod_1.z.string().min(1).optional(), // First Factor CRT Exponent
101
- dq: zod_1.z.string().min(1).optional(), // Second Factor CRT Exponent
102
- qi: zod_1.z.string().min(1).optional(), // First CRT Coefficient
103
- oth: zod_1.z
104
- .array(zod_1.z.object({
105
- r: zod_1.z.string().optional(),
106
- d: zod_1.z.string().optional(),
107
- t: zod_1.z.string().optional(),
83
+ n: z.string().min(1), // Modulus
84
+ e: z.string().min(1), // Exponent
85
+ d: z.string().min(1).optional(), // Private Exponent
86
+ p: z.string().min(1).optional(), // First Prime Factor
87
+ q: z.string().min(1).optional(), // Second Prime Factor
88
+ dp: z.string().min(1).optional(), // First Factor CRT Exponent
89
+ dq: z.string().min(1).optional(), // Second Factor CRT Exponent
90
+ qi: z.string().min(1).optional(), // First CRT Coefficient
91
+ oth: z
92
+ .array(z.object({
93
+ r: z.string().optional(),
94
+ d: z.string().optional(),
95
+ t: z.string().optional(),
108
96
  }))
109
97
  .min(1)
110
98
  .optional(), // Other Primes Info
111
99
  });
112
100
  const jwkEcKeySchema = jwkBaseSchema.extend({
113
- kty: zod_1.z.literal('EC'),
114
- alg: zod_1.z.enum(['ES256', 'ES384', 'ES512']).optional(),
115
- crv: zod_1.z.enum(['P-256', 'P-384', 'P-521']),
116
- x: zod_1.z.string().min(1),
117
- y: zod_1.z.string().min(1),
118
- d: zod_1.z.string().min(1).optional(), // ECC Private Key
101
+ kty: z.literal('EC'),
102
+ alg: z.enum(['ES256', 'ES384', 'ES512']).optional(),
103
+ crv: z.enum(['P-256', 'P-384', 'P-521']),
104
+ x: z.string().min(1),
105
+ y: z.string().min(1),
106
+ d: z.string().min(1).optional(), // ECC Private Key
119
107
  });
120
108
  const jwkEcSecp256k1KeySchema = jwkBaseSchema.extend({
121
- kty: zod_1.z.literal('EC'),
122
- alg: zod_1.z.enum(['ES256K']).optional(),
123
- crv: zod_1.z.enum(['secp256k1']),
124
- x: zod_1.z.string().min(1),
125
- y: zod_1.z.string().min(1),
126
- d: zod_1.z.string().min(1).optional(), // ECC Private Key
109
+ kty: z.literal('EC'),
110
+ alg: z.enum(['ES256K']).optional(),
111
+ crv: z.enum(['secp256k1']),
112
+ x: z.string().min(1),
113
+ y: z.string().min(1),
114
+ d: z.string().min(1).optional(), // ECC Private Key
127
115
  });
128
116
  const jwkOkpKeySchema = jwkBaseSchema.extend({
129
- kty: zod_1.z.literal('OKP'),
130
- alg: zod_1.z.enum(['EdDSA']).optional(),
131
- crv: zod_1.z.enum(['Ed25519', 'Ed448']),
132
- x: zod_1.z.string().min(1),
133
- d: zod_1.z.string().min(1).optional(), // ECC Private Key
117
+ kty: z.literal('OKP'),
118
+ alg: z.enum(['EdDSA']).optional(),
119
+ crv: z.enum(['Ed25519', 'Ed448']),
120
+ x: z.string().min(1),
121
+ d: z.string().min(1).optional(), // ECC Private Key
134
122
  });
135
123
  const jwkSymKeySchema = jwkBaseSchema.extend({
136
- kty: zod_1.z.literal('oct'), // Octet Sequence (used to represent symmetric keys)
137
- alg: zod_1.z.enum(['HS256', 'HS384', 'HS512']).optional(),
138
- k: zod_1.z.string(), // Key Value (base64url encoded)
124
+ kty: z.literal('oct'), // Octet Sequence (used to represent symmetric keys)
125
+ alg: z.enum(['HS256', 'HS384', 'HS512']).optional(),
126
+ k: z.string(), // Key Value (base64url encoded)
139
127
  });
140
128
  /**
141
129
  * Zod parser for known JWK types
142
130
  */
143
- exports.jwkSchema = zod_1.z
131
+ export const jwkSchema = z
144
132
  .union([
145
133
  jwkRsaKeySchema,
146
134
  jwkEcKeySchema,
@@ -176,8 +164,8 @@ exports.jwkSchema = zod_1.z
176
164
  path: ['key_ops'],
177
165
  });
178
166
  /** @deprecated use {@link jwkSchema} instead */
179
- exports.jwkValidator = exports.jwkSchema;
180
- exports.jwkPubSchema = exports.jwkSchema
167
+ export const jwkValidator = jwkSchema;
168
+ export const jwkPubSchema = jwkSchema
181
169
  .refine(hasKid, {
182
170
  message: '"kid" is required',
183
171
  path: ['kid'],
@@ -190,24 +178,24 @@ exports.jwkPubSchema = exports.jwkSchema
190
178
  message: '"key_ops" must not contain private key usage for public keys',
191
179
  path: ['key_ops'],
192
180
  });
193
- exports.jwkPrivateSchema = exports.jwkSchema
181
+ export const jwkPrivateSchema = jwkSchema
194
182
  // @NOTE we don't impose the presence of "kid"
195
183
  .refine(isPrivateJwk, {
196
184
  message: 'private key required',
197
185
  });
198
- function hasKid(jwk) {
186
+ export function hasKid(jwk) {
199
187
  return 'kid' in jwk && jwk.kid != null;
200
188
  }
201
- function hasSharedSecretJwk(jwk) {
189
+ export function hasSharedSecretJwk(jwk) {
202
190
  return 'k' in jwk && jwk.k != null;
203
191
  }
204
- function hasPrivateSecretJwk(jwk) {
192
+ export function hasPrivateSecretJwk(jwk) {
205
193
  return 'd' in jwk && jwk.d != null;
206
194
  }
207
- function isPrivateJwk(jwk) {
195
+ export function isPrivateJwk(jwk) {
208
196
  return hasPrivateSecretJwk(jwk) || hasSharedSecretJwk(jwk);
209
197
  }
210
- function isPublicJwk(jwk) {
198
+ export function isPublicJwk(jwk) {
211
199
  return !hasPrivateSecretJwk(jwk) && !hasSharedSecretJwk(jwk);
212
200
  }
213
201
  //# sourceMappingURL=jwk.js.map
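Review bot: `hasSharedSecretJwk` treats any non-null `k` as key material, so an empty string counts, and `jwkSymKeySchema` in the earlier hunk of this file declares `k: z.string()` without the `.min(1)` that the other key-material fields (`d`, `n`, `x`, `y`) carry. As written, `{ kty: 'oct', k: '' }` would pass `jwkSchema` and then the `isPrivateJwk` refinement of `jwkPrivateSchema`, the one labelled 'private key required'. I would tighten the schema line to `k: z.string().min(1), // Key Value (base64url encoded)` so a zero-length HMAC secret is rejected at parse time; whether a later key-import step already rejects it is not visible from this file. A one-line comment on `isPrivateJwk` stating that it checks only for the presence of `d` or `k`, not their validity, would also help callers.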
package/dist/jwk.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"jwk.js","sourceRoot":"","sources":["../src/jwk.ts"],"names":[],"mappings":";;;AAMA,4CAEC;AAMD,sCAEC;AAaD,sCAEC;AAWD,8CAEC;AA6LD,wBAIC;AAED,gDAIC;AAED,kDAIC;AAED,oCAEC;AAED,kCAOC;AAtQD,6BAAuB;AACvB,iCAAyC;AAE5B,QAAA,gBAAgB,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAU,CAAA;AAC5D,QAAA,oBAAoB,GAAG,OAAC,CAAC,IAAI,CAAC,wBAAgB,CAAC,CAAA;AAE5D,SAAgB,gBAAgB,CAAC,KAAc;IAC7C,OAAQ,wBAAuC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACjE,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,CAAW;IACvC,OAAO,CAAC,KAAK,QAAQ,CAAA;AACvB,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,aAAa,CAAC,CAAW;IACvC,OAAO,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,SAAS,CAAA;AAC3C,CAAC;AAEY,QAAA,iBAAiB,GAAG;IAC/B,MAAM;IACN,SAAS;IACT,WAAW;IACX,WAAW;IACX,YAAY;CACJ,CAAA;AACG,QAAA,qBAAqB,GAAG,OAAC,CAAC,IAAI,CAAC,yBAAiB,CAAC,CAAA;AAE9D,SAAgB,iBAAiB,CAAC,KAAc;IAC9C,OAAQ,yBAAwC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AAClE,CAAC;AAEY,QAAA,SAAS,GAAG,CAAC,GAAG,yBAAiB,EAAE,GAAG,wBAAgB,CAAU,CAAA;AAChE,QAAA,cAAc,GAAG,OAAC,CAAC,IAAI,CAAC,iBAAS,CAAC,CAAA;AAG/C;;;GAGG;AACH,MAAM,aAAa,GAAG,OAAC,CAAC,MAAM,CAAC;IAC7B,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjC,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjC,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE;IACtC,OAAO,EAAE,OAAC;SACP,KAAK,CAAC,sBAAc,CAAC;SACrB,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;QAChE,4DAA4D;QAC5D,qEAAqE;SACpE,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,uBAAgB,CAAC,EAAE;QAC5C,OAAO,EAAE,qCAAqC;KAC/C,CAAC;SACD,QAAQ,EAAE;IAEb,GAAG,EAAE,OAAC,CAAC,KAAK,CAAC,OAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,EAAE,0BAA0B;IAC/D,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,qCAAqC;IACxE,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,uCAAuC;IACjF,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,YAAY;IAE9C,mCAAmC;IACnC,GAAG,EAAE,OAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,EAAE,cAAc;IAE3C,
sCAAsC;IACtC,0FAA0F;IAC1F,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,wBAAwB;IAC1D,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8BAA8B;IAChE,GAAG,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,yBAAyB;IAC3D,OAAO,EAAE,OAAC,CAAC,gCAAgC;SACxC,MAAM,CAAC;QACN,UAAU,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;QAC5B,MAAM,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC9B,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAA;AAIF,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC;IAC3C,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,GAAG,EAAE,OAAC;SACH,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;SAC5D,QAAQ,EAAE;IAEb,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,UAAU;IAChC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW;IAEjC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,mBAAmB;IACpD,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,qBAAqB;IACtD,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,sBAAsB;IACvD,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,4BAA4B;IAC9D,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,6BAA6B;IAC/D,EAAE,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,wBAAwB;IAC1D,GAAG,EAAE,OAAC;SACH,KAAK,CACJ,OAAC,CAAC,MAAM,CAAC;QACP,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACzB,CAAC,CACH;SACA,GAAG,CAAC,CAAC,CAAC;SACN,QAAQ,EAAE,EAAE,oBAAoB;CACpC,CAAC,CAAA;AAEF,MAAM,cAAc,GAAG,aAAa,CAAC,MAAM,CAAC;IAC1C,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IACnD,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAExC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAEpB,CAAC,
EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,kBAAkB;CACpD,CAAC,CAAA;AAEF,MAAM,uBAAuB,GAAG,aAAa,CAAC,MAAM,CAAC;IACnD,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClC,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC;IAE1B,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAEpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,kBAAkB;CACpD,CAAC,CAAA;AAEF,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC;IAC3C,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjC,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAEjC,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,kBAAkB;CACpD,CAAC,CAAA;AAEF,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC;IAC3C,GAAG,EAAE,OAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,oDAAoD;IAC3E,GAAG,EAAE,OAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEnD,CAAC,EAAE,OAAC,CAAC,MAAM,EAAE,EAAE,gCAAgC;CAChD,CAAC,CAAA;AAEF;;GAEG;AACU,QAAA,SAAS,GAAG,OAAC;KACvB,KAAK,CAAC;IACL,eAAe;IACf,cAAc;IACd,uBAAuB;IACvB,eAAe;IACf,eAAe;CAChB,CAAC;IACF,0EAA0E;IAC1E,2EAA2E;IAC3E,oBAAoB;KACnB,MAAM;AACL,4DAA4D;AAC5D,4EAA4E;AAC5E,eAAe;AACf,CAAC,CAAC,EAAW,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,WAAW,CAAC,CAAC,CAAC,EAC/C;IACE,OAAO,EAAE,yCAAyC;IAClD,IAAI,EAAE,CAAC,KAAK,CAAC;CACd,CACF;KACA,MAAM,CACL,CAAC,CAAC,EAAW,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,IAAI,CAAC,iBAAiB,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,EACtE;IACE,OAAO,EAAE,+CAA+C;IACxD,IAAI,EAAE,CAAC,SAAS,CAAC;CAClB,CACF;KACA,MAAM;AACL,4DAA4D;AAC5D,qEAAqE;AACrE,mEAAmE;AACnE,gBAAgB;AAChB,CAAC,CAAC,EAAW,EAAE,CACb,CAAC,CAAC,GAAG,IAAI,IAAI;IACb,CAAC,CAAC,OAAO,IAAI,IAAI;IACjB,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC
,KAAK,CAAC,aAAa,CAAC,CAAC,EACrD;IACE,OAAO,EAAE,yCAAyC;IAClD,IAAI,EAAE,CAAC,SAAS,CAAC;CAClB,CACF,CAAA;AAIH,gDAAgD;AACnC,QAAA,YAAY,GAAG,iBAAS,CAAA;AAExB,QAAA,YAAY,GAAG,iBAAS;KAClC,MAAM,CAAC,MAAM,EAAE;IACd,OAAO,EAAE,mBAAmB;IAC5B,IAAI,EAAE,CAAC,KAAK,CAAC;CACd,CAAC;IACF,sFAAsF;KACrF,MAAM,CAAC,WAAW,EAAE;IACnB,OAAO,EAAE,yBAAyB;CACnC,CAAC;KACD,MAAM,CAAC,CAAC,CAAC,EAAW,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE;IACvE,OAAO,EAAE,8DAA8D;IACvE,IAAI,EAAE,CAAC,SAAS,CAAC;CAClB,CAAC,CAAA;AAIS,QAAA,gBAAgB,GAAG,iBAAS;IACvC,8CAA8C;KAC7C,MAAM,CAAC,YAAY,EAAE;IACpB,OAAO,EAAE,sBAAsB;CAChC,CAAC,CAAA;AAIJ,SAAgB,MAAM,CACpB,GAAM;IAEN,OAAO,KAAK,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,IAAI,CAAA;AACxC,CAAC;AAED,SAAgB,kBAAkB,CAChC,GAAM;IAEN,OAAO,GAAG,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAA;AACpC,CAAC;AAED,SAAgB,mBAAmB,CACjC,GAAM;IAEN,OAAO,GAAG,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAA;AACpC,CAAC;AAED,SAAgB,YAAY,CAAmB,GAAM;IACnD,OAAO,mBAAmB,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,CAAA;AAC5D,CAAC;AAED,SAAgB,WAAW,CACzB,GAAM;IAKN,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;AAC9D,CAAC","sourcesContent":["import { z } from 'zod'\nimport { isLastOccurrence } from './util'\n\nexport const PUBLIC_KEY_USAGE = ['verify', 'encrypt', 'wrapKey'] as const\nexport const publicKeyUsageSchema = z.enum(PUBLIC_KEY_USAGE)\nexport type PublicKeyUsage = (typeof PUBLIC_KEY_USAGE)[number]\nexport function isPublicKeyUsage(usage: unknown): usage is PublicKeyUsage {\n return (PUBLIC_KEY_USAGE as readonly unknown[]).includes(usage)\n}\n\n/**\n * Determines if the given key usage is consistent for \"sig\" (signature) public\n * key use.\n */\nexport function isSigKeyUsage(v: KeyUsage) {\n return v === 'verify'\n}\n\n/**\n * Determines if the given key usage is consistent for \"enc\" (encryption) public\n * key use.\n *\n * > When a key is used to wrap another key and a public key use\n * > designation for the first key is desired, the \"enc\" (encryption)\n 
* > key use value is used, since key wrapping is a kind of encryption.\n * > The \"enc\" value is also to be used for public keys used for key\n * > agreement operations.\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4.2}\n */\nexport function isEncKeyUsage(v: KeyUsage) {\n return v === 'encrypt' || v === 'wrapKey'\n}\n\nexport const PRIVATE_KEY_USAGE = [\n 'sign',\n 'decrypt',\n 'unwrapKey',\n 'deriveKey',\n 'deriveBits',\n] as const\nexport const privateKeyUsageSchema = z.enum(PRIVATE_KEY_USAGE)\nexport type PrivateKeyUsage = (typeof PRIVATE_KEY_USAGE)[number]\nexport function isPrivateKeyUsage(usage: unknown): usage is PrivateKeyUsage {\n return (PRIVATE_KEY_USAGE as readonly unknown[]).includes(usage)\n}\n\nexport const KEY_USAGE = [...PRIVATE_KEY_USAGE, ...PUBLIC_KEY_USAGE] as const\nexport const keyUsageSchema = z.enum(KEY_USAGE)\nexport type KeyUsage = (typeof KEY_USAGE)[number]\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4 JSON Web Key (JWK) Format}\n * @see {@link https://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters IANA \"JSON Web Key Parameters\" registry}\n */\nconst jwkBaseSchema = z.object({\n kty: z.string().min(1),\n alg: z.string().min(1).optional(),\n kid: z.string().min(1).optional(),\n use: z.enum(['sig', 'enc']).optional(),\n key_ops: z\n .array(keyUsageSchema)\n .min(1, { message: 'At least one key usage must be specified' })\n // https://datatracker.ietf.org/doc/html/rfc7517#section-4.3\n // > Duplicate key operation values MUST NOT be present in the array.\n .refine((ops) => ops.every(isLastOccurrence), {\n message: 'key_ops must not contain duplicates',\n })\n .optional(),\n\n x5c: z.array(z.string()).optional(), // X.509 Certificate Chain\n x5t: z.string().min(1).optional(), // X.509 Certificate SHA-1 Thumbprint\n 'x5t#S256': z.string().min(1).optional(), // X.509 Certificate SHA-256 Thumbprint\n x5u: z.string().url().optional(), // X.509 URL\n\n // 
https://www.w3.org/TR/webcrypto/\n ext: z.boolean().optional(), // Extractable\n\n // Federation Historical Keys Response\n // https://openid.net/specs/openid-federation-1_0.html#name-federation-historical-keys-res\n iat: z.number().int().optional(), // Issued At (timestamp)\n exp: z.number().int().optional(), // Expiration Time (timestamp)\n nbf: z.number().int().optional(), // Not Before (timestamp)\n revoked: z // properties of the revocation\n .object({\n revoked_at: z.number().int(),\n reason: z.string().optional(),\n })\n .optional(),\n})\n\nexport type JwkBase = z.infer<typeof jwkBaseSchema>\n\nconst jwkRsaKeySchema = jwkBaseSchema.extend({\n kty: z.literal('RSA'),\n alg: z\n .enum(['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'])\n .optional(),\n\n n: z.string().min(1), // Modulus\n e: z.string().min(1), // Exponent\n\n d: z.string().min(1).optional(), // Private Exponent\n p: z.string().min(1).optional(), // First Prime Factor\n q: z.string().min(1).optional(), // Second Prime Factor\n dp: z.string().min(1).optional(), // First Factor CRT Exponent\n dq: z.string().min(1).optional(), // Second Factor CRT Exponent\n qi: z.string().min(1).optional(), // First CRT Coefficient\n oth: z\n .array(\n z.object({\n r: z.string().optional(),\n d: z.string().optional(),\n t: z.string().optional(),\n }),\n )\n .min(1)\n .optional(), // Other Primes Info\n})\n\nconst jwkEcKeySchema = jwkBaseSchema.extend({\n kty: z.literal('EC'),\n alg: z.enum(['ES256', 'ES384', 'ES512']).optional(),\n crv: z.enum(['P-256', 'P-384', 'P-521']),\n\n x: z.string().min(1),\n y: z.string().min(1),\n\n d: z.string().min(1).optional(), // ECC Private Key\n})\n\nconst jwkEcSecp256k1KeySchema = jwkBaseSchema.extend({\n kty: z.literal('EC'),\n alg: z.enum(['ES256K']).optional(),\n crv: z.enum(['secp256k1']),\n\n x: z.string().min(1),\n y: z.string().min(1),\n\n d: z.string().min(1).optional(), // ECC Private Key\n})\n\nconst jwkOkpKeySchema = jwkBaseSchema.extend({\n kty: 
z.literal('OKP'),\n alg: z.enum(['EdDSA']).optional(),\n crv: z.enum(['Ed25519', 'Ed448']),\n\n x: z.string().min(1),\n d: z.string().min(1).optional(), // ECC Private Key\n})\n\nconst jwkSymKeySchema = jwkBaseSchema.extend({\n kty: z.literal('oct'), // Octet Sequence (used to represent symmetric keys)\n alg: z.enum(['HS256', 'HS384', 'HS512']).optional(),\n\n k: z.string(), // Key Value (base64url encoded)\n})\n\n/**\n * Zod parser for known JWK types\n */\nexport const jwkSchema = z\n .union([\n jwkRsaKeySchema,\n jwkEcKeySchema,\n jwkEcSecp256k1KeySchema,\n jwkOkpKeySchema,\n jwkSymKeySchema,\n ])\n // @TODO These rules should be applied to jwkBaseSchema, but Zod 3 doesn't\n // support extending refined schemas. Move these to the base schema when we\n // upgrade to Zod 4.\n .refine(\n // https://datatracker.ietf.org/doc/html/rfc7517#section-4.2\n // > The \"use\" (public key use) parameter identifies the intended use of the\n // > public key\n (k): boolean => k.use == null || isPublicJwk(k),\n {\n message: '\"use\" can only be used with public keys',\n path: ['use'],\n },\n )\n .refine(\n (k): boolean => !k.key_ops?.some(isPrivateKeyUsage) || isPrivateJwk(k),\n {\n message: 'private key usage not allowed for public keys',\n path: ['key_ops'],\n },\n )\n .refine(\n // https://datatracker.ietf.org/doc/html/rfc7517#section-4.3\n // > The \"use\" and \"key_ops\" JWK members SHOULD NOT be used together;\n // > however, if both are used, the information they convey MUST be\n // > consistent.\n (k): boolean =>\n k.use == null ||\n k.key_ops == null ||\n (k.use === 'sig' && k.key_ops.every(isSigKeyUsage)) ||\n (k.use === 'enc' && k.key_ops.every(isEncKeyUsage)),\n {\n message: '\"key_ops\" must be consistent with \"use\"',\n path: ['key_ops'],\n },\n )\n\nexport type Jwk = z.output<typeof jwkSchema>\n\n/** @deprecated use {@link jwkSchema} instead */\nexport const jwkValidator = jwkSchema\n\nexport const jwkPubSchema = jwkSchema\n .refine(hasKid, {\n message: '\"kid\" 
is required',\n path: ['kid'],\n })\n // @NOTE for legacy reasons, we don't impose the presence of either \"use\" or \"key_ops\"\n .refine(isPublicJwk, {\n message: 'private key not allowed',\n })\n .refine((k): boolean => !k.key_ops || k.key_ops.every(isPublicKeyUsage), {\n message: '\"key_ops\" must not contain private key usage for public keys',\n path: ['key_ops'],\n })\n\nexport type PublicJwk = z.output<typeof jwkPubSchema>\n\nexport const jwkPrivateSchema = jwkSchema\n // @NOTE we don't impose the presence of \"kid\"\n .refine(isPrivateJwk, {\n message: 'private key required',\n })\n\nexport type PrivateJwk = z.output<typeof jwkPrivateSchema>\n\nexport function hasKid<J extends object>(\n jwk: J,\n): jwk is J & { kid: NonNullable<unknown> } {\n return 'kid' in jwk && jwk.kid != null\n}\n\nexport function hasSharedSecretJwk<J extends object>(\n jwk: J,\n): jwk is J & { k: NonNullable<unknown> } {\n return 'k' in jwk && jwk.k != null\n}\n\nexport function hasPrivateSecretJwk<J extends object>(\n jwk: J,\n): jwk is J & { d: NonNullable<unknown> } {\n return 'd' in jwk && jwk.d != null\n}\n\nexport function isPrivateJwk<J extends object>(jwk: J) {\n return hasPrivateSecretJwk(jwk) || hasSharedSecretJwk(jwk)\n}\n\nexport function isPublicJwk<J extends object>(\n jwk: J,\n): jwk is Extract<\n Exclude<J, { k: NonNullable<unknown> }>,\n { d?: NonNullable<unknown> }\n> & { d?: never } {\n return !hasPrivateSecretJwk(jwk) && !hasSharedSecretJwk(jwk)\n}\n"]}
1
+ {"version":3,"file":"jwk.js","sourceRoot":"","sources":["../src/jwk.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AACvB,OAAO,EAAE,gBAAgB,EAAE,MAAM,WAAW,CAAA;AAE5C,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAU,CAAA;AACzE,MAAM,CAAC,MAAM,oBAAoB,GAAG,CAAC,CAAC,IAAI,CAAC,gBAAgB,CAAC,CAAA;AAE5D,MAAM,UAAU,gBAAgB,CAAC,KAAc;IAC7C,OAAQ,gBAAuC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AACjE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,CAAW;IACvC,OAAO,CAAC,KAAK,QAAQ,CAAA;AACvB,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,aAAa,CAAC,CAAW;IACvC,OAAO,CAAC,KAAK,SAAS,IAAI,CAAC,KAAK,SAAS,CAAA;AAC3C,CAAC;AAED,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,MAAM;IACN,SAAS;IACT,WAAW;IACX,WAAW;IACX,YAAY;CACJ,CAAA;AACV,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAA;AAE9D,MAAM,UAAU,iBAAiB,CAAC,KAAc;IAC9C,OAAQ,iBAAwC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;AAClE,CAAC;AAED,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC,GAAG,iBAAiB,EAAE,GAAG,gBAAgB,CAAU,CAAA;AAC7E,MAAM,CAAC,MAAM,cAAc,GAAG,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;AAG/C;;;GAGG;AACH,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACtB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjC,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,EAAE;IACtC,OAAO,EAAE,CAAC;SACP,KAAK,CAAC,cAAc,CAAC;SACrB,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,0CAA0C,EAAE,CAAC;QAChE,4DAA4D;QAC5D,qEAAqE;SACpE,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE;QAC5C,OAAO,EAAE,qCAAqC;KAC/C,CAAC;SACD,QAAQ,EAAE;IAEb,GAAG,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,EAAE,0BAA0B;IAC/D,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,qCAAqC;IACxE,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,uCAAuC;IACjF,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,YAAY;IAE9C,mCAAmC;IACnC,GAAG,EAAE,CAAC,CAAC,OAAO,EAAE,CAA
C,QAAQ,EAAE,EAAE,cAAc;IAE3C,sCAAsC;IACtC,0FAA0F;IAC1F,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,wBAAwB;IAC1D,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,8BAA8B;IAChE,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,QAAQ,EAAE,EAAE,yBAAyB;IAC3D,OAAO,EAAE,CAAC,CAAC,gCAAgC;SACxC,MAAM,CAAC;QACN,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE;QAC5B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KAC9B,CAAC;SACD,QAAQ,EAAE;CACd,CAAC,CAAA;AAIF,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC;IAC3C,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,GAAG,EAAE,CAAC;SACH,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;SAC5D,QAAQ,EAAE;IAEb,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,UAAU;IAChC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,WAAW;IAEjC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,mBAAmB;IACpD,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,qBAAqB;IACtD,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,sBAAsB;IACvD,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,4BAA4B;IAC9D,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,6BAA6B;IAC/D,EAAE,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,wBAAwB;IAC1D,GAAG,EAAE,CAAC;SACH,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;QACP,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;QACxB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,EAAE;KACzB,CAAC,CACH;SACA,GAAG,CAAC,CAAC,CAAC;SACN,QAAQ,EAAE,EAAE,oBAAoB;CACpC,CAAC,CAAA;AAEF,MAAM,cAAc,GAAG,aAAa,CAAC,MAAM,CAAC;IAC1C,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IACnD,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;IAExC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAA
G,CAAC,CAAC,CAAC;IAEpB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,kBAAkB;CACpD,CAAC,CAAA;AAEF,MAAM,uBAAuB,GAAG,aAAa,CAAC,MAAM,CAAC;IACnD,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC;IACpB,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,EAAE;IAClC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,WAAW,CAAC,CAAC;IAE1B,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IAEpB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,kBAAkB;CACpD,CAAC,CAAA;AAEF,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC;IAC3C,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;IACrB,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IACjC,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;IAEjC,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC;IACpB,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,EAAE,EAAE,kBAAkB;CACpD,CAAC,CAAA;AAEF,MAAM,eAAe,GAAG,aAAa,CAAC,MAAM,CAAC;IAC3C,GAAG,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,oDAAoD;IAC3E,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC,QAAQ,EAAE;IAEnD,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,gCAAgC;CAChD,CAAC,CAAA;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,SAAS,GAAG,CAAC;KACvB,KAAK,CAAC;IACL,eAAe;IACf,cAAc;IACd,uBAAuB;IACvB,eAAe;IACf,eAAe;CAChB,CAAC;IACF,0EAA0E;IAC1E,2EAA2E;IAC3E,oBAAoB;KACnB,MAAM;AACL,4DAA4D;AAC5D,4EAA4E;AAC5E,eAAe;AACf,CAAC,CAAC,EAAW,EAAE,CAAC,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,WAAW,CAAC,CAAC,CAAC,EAC/C;IACE,OAAO,EAAE,yCAAyC;IAClD,IAAI,EAAE,CAAC,KAAK,CAAC;CACd,CACF;KACA,MAAM,CACL,CAAC,CAAC,EAAW,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,EAAE,IAAI,CAAC,iBAAiB,CAAC,IAAI,YAAY,CAAC,CAAC,CAAC,EACtE;IACE,OAAO,EAAE,+CAA+C;IACxD,IAAI,EAAE,CAAC,SAAS,CAAC;CAClB,CACF;KACA,MAAM;AACL,4DAA4D;AAC5D,qEAAqE;AACrE,mEAAmE;AACnE,gBAAgB;AAChB,CAAC,CAAC,EAAW,EAAE,CACb,CAAC,CAAC,GAAG,IAAI,IAAI;IACb,CAAC,CAAC,OAAO,IAAI,IAAI;IACjB,CAAC,CAAC,CAAC,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC,G
AAG,KAAK,KAAK,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,EACrD;IACE,OAAO,EAAE,yCAAyC;IAClD,IAAI,EAAE,CAAC,SAAS,CAAC;CAClB,CACF,CAAA;AAIH,gDAAgD;AAChD,MAAM,CAAC,MAAM,YAAY,GAAG,SAAS,CAAA;AAErC,MAAM,CAAC,MAAM,YAAY,GAAG,SAAS;KAClC,MAAM,CAAC,MAAM,EAAE;IACd,OAAO,EAAE,mBAAmB;IAC5B,IAAI,EAAE,CAAC,KAAK,CAAC;CACd,CAAC;IACF,sFAAsF;KACrF,MAAM,CAAC,WAAW,EAAE;IACnB,OAAO,EAAE,yBAAyB;CACnC,CAAC;KACD,MAAM,CAAC,CAAC,CAAC,EAAW,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE;IACvE,OAAO,EAAE,8DAA8D;IACvE,IAAI,EAAE,CAAC,SAAS,CAAC;CAClB,CAAC,CAAA;AAIJ,MAAM,CAAC,MAAM,gBAAgB,GAAG,SAAS;IACvC,8CAA8C;KAC7C,MAAM,CAAC,YAAY,EAAE;IACpB,OAAO,EAAE,sBAAsB;CAChC,CAAC,CAAA;AAIJ,MAAM,UAAU,MAAM,CACpB,GAAM;IAEN,OAAO,KAAK,IAAI,GAAG,IAAI,GAAG,CAAC,GAAG,IAAI,IAAI,CAAA;AACxC,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,GAAM;IAEN,OAAO,GAAG,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAA;AACpC,CAAC;AAED,MAAM,UAAU,mBAAmB,CACjC,GAAM;IAEN,OAAO,GAAG,IAAI,GAAG,IAAI,GAAG,CAAC,CAAC,IAAI,IAAI,CAAA;AACpC,CAAC;AAED,MAAM,UAAU,YAAY,CAAmB,GAAM;IACnD,OAAO,mBAAmB,CAAC,GAAG,CAAC,IAAI,kBAAkB,CAAC,GAAG,CAAC,CAAA;AAC5D,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,GAAM;IAKN,OAAO,CAAC,mBAAmB,CAAC,GAAG,CAAC,IAAI,CAAC,kBAAkB,CAAC,GAAG,CAAC,CAAA;AAC9D,CAAC","sourcesContent":["import { z } from 'zod'\nimport { isLastOccurrence } from './util.js'\n\nexport const PUBLIC_KEY_USAGE = ['verify', 'encrypt', 'wrapKey'] as const\nexport const publicKeyUsageSchema = z.enum(PUBLIC_KEY_USAGE)\nexport type PublicKeyUsage = (typeof PUBLIC_KEY_USAGE)[number]\nexport function isPublicKeyUsage(usage: unknown): usage is PublicKeyUsage {\n return (PUBLIC_KEY_USAGE as readonly unknown[]).includes(usage)\n}\n\n/**\n * Determines if the given key usage is consistent for \"sig\" (signature) public\n * key use.\n */\nexport function isSigKeyUsage(v: KeyUsage) {\n return v === 'verify'\n}\n\n/**\n * Determines if the given key usage is consistent for \"enc\" (encryption) public\n * key use.\n *\n * > When a key is used to wrap another key and a 
public key use\n * > designation for the first key is desired, the \"enc\" (encryption)\n * > key use value is used, since key wrapping is a kind of encryption.\n * > The \"enc\" value is also to be used for public keys used for key\n * > agreement operations.\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4.2}\n */\nexport function isEncKeyUsage(v: KeyUsage) {\n return v === 'encrypt' || v === 'wrapKey'\n}\n\nexport const PRIVATE_KEY_USAGE = [\n 'sign',\n 'decrypt',\n 'unwrapKey',\n 'deriveKey',\n 'deriveBits',\n] as const\nexport const privateKeyUsageSchema = z.enum(PRIVATE_KEY_USAGE)\nexport type PrivateKeyUsage = (typeof PRIVATE_KEY_USAGE)[number]\nexport function isPrivateKeyUsage(usage: unknown): usage is PrivateKeyUsage {\n return (PRIVATE_KEY_USAGE as readonly unknown[]).includes(usage)\n}\n\nexport const KEY_USAGE = [...PRIVATE_KEY_USAGE, ...PUBLIC_KEY_USAGE] as const\nexport const keyUsageSchema = z.enum(KEY_USAGE)\nexport type KeyUsage = (typeof KEY_USAGE)[number]\n\n/**\n * @see {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4 JSON Web Key (JWK) Format}\n * @see {@link https://www.iana.org/assignments/jose/jose.xhtml#web-key-parameters IANA \"JSON Web Key Parameters\" registry}\n */\nconst jwkBaseSchema = z.object({\n kty: z.string().min(1),\n alg: z.string().min(1).optional(),\n kid: z.string().min(1).optional(),\n use: z.enum(['sig', 'enc']).optional(),\n key_ops: z\n .array(keyUsageSchema)\n .min(1, { message: 'At least one key usage must be specified' })\n // https://datatracker.ietf.org/doc/html/rfc7517#section-4.3\n // > Duplicate key operation values MUST NOT be present in the array.\n .refine((ops) => ops.every(isLastOccurrence), {\n message: 'key_ops must not contain duplicates',\n })\n .optional(),\n\n x5c: z.array(z.string()).optional(), // X.509 Certificate Chain\n x5t: z.string().min(1).optional(), // X.509 Certificate SHA-1 Thumbprint\n 'x5t#S256': z.string().min(1).optional(), // X.509 Certificate 
SHA-256 Thumbprint\n x5u: z.string().url().optional(), // X.509 URL\n\n // https://www.w3.org/TR/webcrypto/\n ext: z.boolean().optional(), // Extractable\n\n // Federation Historical Keys Response\n // https://openid.net/specs/openid-federation-1_0.html#name-federation-historical-keys-res\n iat: z.number().int().optional(), // Issued At (timestamp)\n exp: z.number().int().optional(), // Expiration Time (timestamp)\n nbf: z.number().int().optional(), // Not Before (timestamp)\n revoked: z // properties of the revocation\n .object({\n revoked_at: z.number().int(),\n reason: z.string().optional(),\n })\n .optional(),\n})\n\nexport type JwkBase = z.infer<typeof jwkBaseSchema>\n\nconst jwkRsaKeySchema = jwkBaseSchema.extend({\n kty: z.literal('RSA'),\n alg: z\n .enum(['RS256', 'RS384', 'RS512', 'PS256', 'PS384', 'PS512'])\n .optional(),\n\n n: z.string().min(1), // Modulus\n e: z.string().min(1), // Exponent\n\n d: z.string().min(1).optional(), // Private Exponent\n p: z.string().min(1).optional(), // First Prime Factor\n q: z.string().min(1).optional(), // Second Prime Factor\n dp: z.string().min(1).optional(), // First Factor CRT Exponent\n dq: z.string().min(1).optional(), // Second Factor CRT Exponent\n qi: z.string().min(1).optional(), // First CRT Coefficient\n oth: z\n .array(\n z.object({\n r: z.string().optional(),\n d: z.string().optional(),\n t: z.string().optional(),\n }),\n )\n .min(1)\n .optional(), // Other Primes Info\n})\n\nconst jwkEcKeySchema = jwkBaseSchema.extend({\n kty: z.literal('EC'),\n alg: z.enum(['ES256', 'ES384', 'ES512']).optional(),\n crv: z.enum(['P-256', 'P-384', 'P-521']),\n\n x: z.string().min(1),\n y: z.string().min(1),\n\n d: z.string().min(1).optional(), // ECC Private Key\n})\n\nconst jwkEcSecp256k1KeySchema = jwkBaseSchema.extend({\n kty: z.literal('EC'),\n alg: z.enum(['ES256K']).optional(),\n crv: z.enum(['secp256k1']),\n\n x: z.string().min(1),\n y: z.string().min(1),\n\n d: z.string().min(1).optional(), // ECC Private 
Key\n})\n\nconst jwkOkpKeySchema = jwkBaseSchema.extend({\n kty: z.literal('OKP'),\n alg: z.enum(['EdDSA']).optional(),\n crv: z.enum(['Ed25519', 'Ed448']),\n\n x: z.string().min(1),\n d: z.string().min(1).optional(), // ECC Private Key\n})\n\nconst jwkSymKeySchema = jwkBaseSchema.extend({\n kty: z.literal('oct'), // Octet Sequence (used to represent symmetric keys)\n alg: z.enum(['HS256', 'HS384', 'HS512']).optional(),\n\n k: z.string(), // Key Value (base64url encoded)\n})\n\n/**\n * Zod parser for known JWK types\n */\nexport const jwkSchema = z\n .union([\n jwkRsaKeySchema,\n jwkEcKeySchema,\n jwkEcSecp256k1KeySchema,\n jwkOkpKeySchema,\n jwkSymKeySchema,\n ])\n // @TODO These rules should be applied to jwkBaseSchema, but Zod 3 doesn't\n // support extending refined schemas. Move these to the base schema when we\n // upgrade to Zod 4.\n .refine(\n // https://datatracker.ietf.org/doc/html/rfc7517#section-4.2\n // > The \"use\" (public key use) parameter identifies the intended use of the\n // > public key\n (k): boolean => k.use == null || isPublicJwk(k),\n {\n message: '\"use\" can only be used with public keys',\n path: ['use'],\n },\n )\n .refine(\n (k): boolean => !k.key_ops?.some(isPrivateKeyUsage) || isPrivateJwk(k),\n {\n message: 'private key usage not allowed for public keys',\n path: ['key_ops'],\n },\n )\n .refine(\n // https://datatracker.ietf.org/doc/html/rfc7517#section-4.3\n // > The \"use\" and \"key_ops\" JWK members SHOULD NOT be used together;\n // > however, if both are used, the information they convey MUST be\n // > consistent.\n (k): boolean =>\n k.use == null ||\n k.key_ops == null ||\n (k.use === 'sig' && k.key_ops.every(isSigKeyUsage)) ||\n (k.use === 'enc' && k.key_ops.every(isEncKeyUsage)),\n {\n message: '\"key_ops\" must be consistent with \"use\"',\n path: ['key_ops'],\n },\n )\n\nexport type Jwk = z.output<typeof jwkSchema>\n\n/** @deprecated use {@link jwkSchema} instead */\nexport const jwkValidator = jwkSchema\n\nexport const 
jwkPubSchema = jwkSchema\n .refine(hasKid, {\n message: '\"kid\" is required',\n path: ['kid'],\n })\n // @NOTE for legacy reasons, we don't impose the presence of either \"use\" or \"key_ops\"\n .refine(isPublicJwk, {\n message: 'private key not allowed',\n })\n .refine((k): boolean => !k.key_ops || k.key_ops.every(isPublicKeyUsage), {\n message: '\"key_ops\" must not contain private key usage for public keys',\n path: ['key_ops'],\n })\n\nexport type PublicJwk = z.output<typeof jwkPubSchema>\n\nexport const jwkPrivateSchema = jwkSchema\n // @NOTE we don't impose the presence of \"kid\"\n .refine(isPrivateJwk, {\n message: 'private key required',\n })\n\nexport type PrivateJwk = z.output<typeof jwkPrivateSchema>\n\nexport function hasKid<J extends object>(\n jwk: J,\n): jwk is J & { kid: NonNullable<unknown> } {\n return 'kid' in jwk && jwk.kid != null\n}\n\nexport function hasSharedSecretJwk<J extends object>(\n jwk: J,\n): jwk is J & { k: NonNullable<unknown> } {\n return 'k' in jwk && jwk.k != null\n}\n\nexport function hasPrivateSecretJwk<J extends object>(\n jwk: J,\n): jwk is J & { d: NonNullable<unknown> } {\n return 'd' in jwk && jwk.d != null\n}\n\nexport function isPrivateJwk<J extends object>(jwk: J) {\n return hasPrivateSecretJwk(jwk) || hasSharedSecretJwk(jwk)\n}\n\nexport function isPublicJwk<J extends object>(\n jwk: J,\n): jwk is Extract<\n Exclude<J, { k: NonNullable<unknown> }>,\n { d?: NonNullable<unknown> }\n> & { d?: never } {\n return !hasPrivateSecretJwk(jwk) && !hasSharedSecretJwk(jwk)\n}\n"]}