@enbox/crypto 0.0.1

package/dist/types/jose/jwk.d.ts

@@ -0,0 +1,439 @@
+/**
+ * Constant defining the prefix for JSON Web Keys (JWK) key URIs in this library.
+ *
+ * The prefix 'urn:jwk:' makes it explicit that a string represents a JWK, referenced by a
+ * {@link https://datatracker.ietf.org/doc/html/rfc3986 | URI} (Uniform Resource Identifier),
+ * which ensures consistent key referencing across all Web5 Key Management System (KMS)
+ * implementations.
+ *
+ * These key URIs take the form `urn:jwk:<JWK thumbprint>`, where the
+ * {@link https://datatracker.ietf.org/doc/html/rfc7638 | JWK thumbprint}, derived from the JWK, is
+ * unique to the key's material, unaffected by the order or optional properties in the JWK.
+ */
+export declare const KEY_URI_PREFIX_JWK = "urn:jwk:";
+/**
+ * JSON Web Key Operations
+ *
+ * The "key_ops" (key operations) parameter identifies the operation(s)
+ * for which the key is intended to be used.  The "key_ops" parameter is
+ * intended for use cases in which public, private, or symmetric keys
+ * may be present.
+ *
+ * Its value is an array of key operation values.  Values defined by
+ * {@link https://www.rfc-editor.org/rfc/rfc7517.html#section-4.3 | RFC 7517 Section 4.3} are:
+ *
+ * - "decrypt"    : Decrypt content and validate decryption, if applicable
+ * - "deriveBits" : Derive bits not to be used as a key
+ * - "deriveKey"  : Derive key
+ * - "encrypt"    : Encrypt content
+ * - "sign"       : Compute digital signature or MAC
+ * - "unwrapKey"  : Decrypt key and validate decryption, if applicable
+ * - "verify"     : Verify digital signature or MAC
+ * - "wrapKey"    : Encrypt key
+ *
+ * Other values MAY be used.  The key operation values are case-
+ * sensitive strings.  Duplicate key operation values MUST NOT be
+ * present in the array.  Use of the "key_ops" member is OPTIONAL,
+ * unless the application requires its presence.
+ *
+ * The "use" and "key_ops" JWK members SHOULD NOT be used together;
+ * however, if both are used, the information they convey MUST be
+ * consistent.  Applications should specify which of these members they
+ * use, if either is to be used by the application.
+ */
+export type JwkOperation = 'encrypt' | 'decrypt' | 'sign' | 'verify' | 'deriveKey' | 'deriveBits' | 'wrapKey' | 'unwrapKey';
+/**
+ * JSON Web Key Use
+ *
+ * The "use" (public key use) parameter identifies the intended use of
+ * the public key.  The "use" parameter is employed to indicate whether
+ * a public key is used for encrypting data or verifying the signature
+ * on data.
+ *
+ * Values defined by {@link https://datatracker.ietf.org/doc/html/rfc7517#section-4.2 | RFC 7517 Section 4.2} are:
+ *
+ * - "sig" (signature)
+ * - "enc" (encryption)
+ *
+ * Other values MAY be used.  The "use" value is a case-sensitive
+ * string.  Use of the "use" member is OPTIONAL, unless the application
+ * requires its presence.
+ *
+ * The "use" and "key_ops" JWK members SHOULD NOT be used together;
+ * however, if both are used, the information they convey MUST be
+ * consistent.  Applications should specify which of these members they
+ * use, if either is to be used by the application.
+ *
+ * When a key is used to wrap another key and a public key use
+ * designation for the first key is desired, the "enc" (encryption) key
+ * use value is used, since key wrapping is a kind of encryption.  The
+ * "enc" value is also to be used for public keys used for key agreement
+ * operations.
+ */
+export type JwkUse = 'sig' | 'enc' | string;
+/**
+ * JSON Web Key Types
+ */
+export type JwkType = 
+/**
+ * Elliptic Curve
+ * Used with Elliptic Curve Digital Signature Algorithm (ECDSA) and Elliptic
+ * Curve Diffie-Hellman (ECDH), including secp256k1, P-256, P-384, and P-521.
+ */
+'EC'
+/**
+ * RSA
+ * Widely used for encryption and digital signatures. RSA keys are used in
+ * various algorithms like RS256, RS384, RS512, etc.
+ */
+ | 'RSA'
+/**
+ * Octet sequence
+ * Used with symmetric signing (e.g., HMAC HS256, HS512, etc.) and
+ * symmetric encryption (e.g., A256CBC-HS512, A256GCM, etc.) algorithms.
+ */
+ | 'oct'
+/**
+ * Octet string key pairs (OKP)
+ * A type of public key that is used with algorithms such as EdDSA (Ed25519 and
+ * Ed448 curves) and ECDH (X25519 and X448 curves).
+ */
+ | 'OKP';
+/**
+ * JSON Web Key Elliptic Curve
+ */
+export type JwkNamedCurves = 'P-256' | 'P-384' | 'P-521' | 'Ed25519' | 'Ed448' | 'X25519' | 'X448' | 'secp256k1';
+/**
+ * JSON Web Key Parameters
+ */
+/** Parameters used with any "kty" (key type) value. */
+export type JwkParamsAnyKeyType = {
+    /** JWK Algorithm Parameter. The algorithm intended for use with the key. */
+    alg?: string;
+    /** JWK Extractable Parameter */
+    ext?: 'true' | 'false';
+    /** JWK Key Operations Parameter */
+    key_ops?: JwkOperation[];
+    /** JWK Key ID Parameter */
+    kid?: string;
+    /** JWK Key Type Parameter */
+    kty: JwkType;
+    /** JWK Public Key Use Parameter */
+    use?: JwkUse;
+    /** JWK X.509 Certificate Chain Parameter */
+    x5c?: string;
+    /** JWK X.509 Certificate SHA-1 Thumbprint Parameter */
+    x5t?: string;
+    /** JWK X.509 Certificate SHA-256 Thumbprint Parameter */
+    'x5t#S256'?: string;
+    /** JWK X.509 URL Parameter */
+    x5u?: string;
+};
+/** Parameters used with "EC" (elliptic curve) public keys. */
+export type JwkParamsEcPublic = Omit<JwkParamsAnyKeyType, 'alg' | 'kty'> & {
+    /**
+     * The algorithm intended for use with the key.
+     * ES256  : ECDSA using P-256 and SHA-256
+     * ES256K : ECDSA using secp256k1 curve and SHA-256
+     * ES384  : ECDSA using P-384 and SHA-384
+     * ES512  : ECDSA using P-521 and SHA-512
+     */
+    alg?: 'ES256' | 'ES256K' | 'ES384' | 'ES512';
+    /**
+     * Elliptic Curve key pair.
+     */
+    kty: 'EC';
+    /**
+     * The cryptographic curve used with the key.
+     * MUST be present for all EC public keys.
+     */
+    crv: 'secp256k1' | 'P-256' | 'P-384' | 'P-521';
+    /**
+     * The x-coordinate for the Elliptic Curve point.
+     * Represented as the base64url encoding of the octet string
+     * representation of the coordinate.
+     * MUST be present for all EC public keys
+     */
+    x: string;
+    /**
+     * The y-coordinate for the Elliptic Curve point.
+     * Represented as the base64url encoding of the octet string
+     * representation of the coordinate.
+     * MUST be present only for secp256k1 public keys.
+     */
+    y?: string;
+};
+/** Parameters used with "EC" (elliptic curve) private keys. */
+export type JwkParamsEcPrivate = JwkParamsEcPublic & {
+    /**
+     * The d-coordinate for the Elliptic Curve point.
+     * Represented as the base64url encoding of the octet string
+     * representation of the coordinate.
+     * MUST be present for all EC private keys.
+     */
+    d: string;
+};
+/** Parameters used with "OKP" (octet key pair) public keys. */
+export type JwkParamsOkpPublic = Omit<JwkParamsAnyKeyType, 'kty' | 'alg' | 'crv'> & Pick<JwkParamsEcPublic, 'x'> & {
+    /**
+     * The algorithm intended for use with the key.
+     * EdDSA: Edwards Curve Digital Signature Algorithm
+     */
+    alg?: 'EdDSA';
+    /**
+     * The cryptographic curve used with the key.
+     * MUST be present for all OKP public keys.
+     */
+    crv: 'Ed25519' | 'Ed448' | 'X25519' | 'X448';
+    /**
+     * Key type
+     * OKP (Octet Key Pair) is defined for public key algorithms that use octet
+     * strings as private and public keys.
+     */
+    kty: 'OKP';
+};
+/** Parameters used with "OKP" (octet key pair) private keys. */
+export type JwkParamsOkpPrivate = JwkParamsOkpPublic & {
+    /**
+     * The d-coordinate for the Edwards Curve point.
+     * Represented as the base64url encoding of the octet string
+     * representation of the coordinate.
+     * MUST be present for all EC private keys.
+     */
+    d: string;
+};
+/** Parameters used with "oct" (octet sequence) private keys. */
+export type JwkParamsOctPrivate = Omit<JwkParamsAnyKeyType, 'alg' | 'kty'> & {
+    /**
+     * The algorithm intended for use with the key.
+     * Used with symmetric signing (e.g., HMAC HS256, etc.) and
+     * symmetric encryption (e.g., A256GCM, etc.) algorithms.
+     */
+    alg?: 'A128CBC' | 'A192CBC' | 'A256CBC' | 'A128CTR' | 'A192CTR' | 'A256CTR' | 'A128GCM' | 'A192GCM' | 'A256GCM' | 'HS256' | 'HS384' | 'HS512';
+    /**
+     * The "k" (key value) parameter contains the value of the symmetric
+     * (or other single-valued) key.  It is represented as the base64url
+     * encoding of the octet sequence containing the key value.
+     */
+    k: string;
+    /**
+     * Key type
+     * oct (Octet Sequence) is defined for symmetric encryption and
+     * symmetric signature algorithms.
+     */
+    kty: 'oct';
+};
+/** Parameters Used with "RSA" public keys. */
+export type JwkParamsRsaPublic = Omit<JwkParamsAnyKeyType, 'kty'> & {
+    /** Public exponent for RSA */
+    e: string;
+    /**
+     * Key type
+     * RSA is widely used for encryption and digital signatures.
+     */
+    kty: 'RSA';
+    /** Modulus for RSA */
+    n: string;
+};
+/** Parameters used with "RSA" private keys. */
+export type JwkParamsRsaPrivate = JwkParamsRsaPublic & {
+    /** Private exponent for RSA */
+    d: string;
+    /** First prime factor for RSA */
+    p?: string;
+    /** Second prime factor for RSA */
+    q?: string;
+    /** First factor's CRT exponent for RSA */
+    dp?: string;
+    /** Second factor's CRT exponent for RSA */
+    dq?: string;
+    /** First CRT coefficient for RSA */
+    qi?: string;
+    /** Other primes information (optional in RFC 7518) */
+    oth?: {
+        /** Other primes' factor */
+        r: string;
+        /** Other primes' CRT exponent */
+        d: string;
+        /** Other primes' CRT coefficient */
+        t: string;
+    }[];
+};
+/** Parameters used with public keys in JWK format. */
+export type PublicKeyJwk = JwkParamsEcPublic | JwkParamsOkpPublic | JwkParamsRsaPublic;
+/** Parameters used with private keys in JWK format. */
+export type PrivateKeyJwk = JwkParamsEcPrivate | JwkParamsOkpPrivate | JwkParamsOctPrivate | JwkParamsRsaPrivate;
+/**
+ * JSON Web Key ({@link https://datatracker.ietf.org/doc/html/rfc7517 | JWK}).
+ * "RSA", "EC", "OKP", and "oct" key types are supported.
+ */
+export interface Jwk {
+    /** JWK Algorithm Parameter. The algorithm intended for use with the key. */
+    alg?: string;
+    /** JWK Extractable Parameter */
+    ext?: 'true' | 'false';
+    /** JWK Key Operations Parameter */
+    key_ops?: JwkOperation[];
+    /** JWK Key ID Parameter */
+    kid?: string;
+    /** JWK Key Type Parameter */
+    kty: JwkType;
+    /** JWK Public Key Use Parameter */
+    use?: JwkUse;
+    /** JWK X.509 Certificate Chain Parameter */
+    x5c?: string;
+    /** JWK X.509 Certificate SHA-1 Thumbprint Parameter */
+    x5t?: string;
+    /** JWK X.509 Certificate SHA-256 Thumbprint Parameter */
+    'x5t#S256'?: string;
+    /** JWK X.509 URL Parameter */
+    x5u?: string;
+    /** The cryptographic curve used with the key. */
+    crv?: string;
+    /** The x-coordinate for the Elliptic Curve point. */
+    x?: string;
+    /** The y-coordinate for the Elliptic Curve point. */
+    y?: string;
+    /** The "k" (key value) parameter contains the value of the symmetric (or other single-valued) key. */
+    k?: string;
+    /** Public exponent for RSA */
+    e?: string;
+    /** Modulus for RSA */
+    n?: string;
+    /** First prime factor for RSA */
+    p?: string;
+    /** Second prime factor for RSA */
+    q?: string;
+    /** First factor's CRT exponent for RSA */
+    dp?: string;
+    /** Second factor's CRT exponent for RSA */
+    dq?: string;
+    /** First CRT coefficient for RSA */
+    qi?: string;
+    /** Other primes information (optional in RFC 7518) */
+    oth?: {
+        /** Other primes' factor */
+        r: string;
+        /** Other primes' CRT exponent */
+        d: string;
+        /** Other primes' CRT coefficient */
+        t: string;
+    }[];
+    /** Private key component for EC, OKP, or RSA keys. */
+    d?: string;
+    [key: string]: unknown;
+}
+/**
+ * JSON Web Key Set ({@link https://datatracker.ietf.org/doc/html/rfc7517 | JWK Set})
+ *
+ * @remarks
+ * A JWK Set is a JSON object that represents a set of JWKs. The JSON object MUST have a "keys"
+ * member, with its value being an array of JWKs.
+ *
+ * Additional members can be present in the JWK Set but member names MUST be unique. If not
+ * understood by implementations encountering them, they MUST be ignored. Parameters for
+ * representing additional properties of JWK Sets should either be registered in the IANA
+ * "JSON Web Key Set Parameters" registry or be a value that contains a Collision-Resistant Name.
+ */
+export interface JwkSet {
+    /** Array of JWKs */
+    keys: Jwk[];
+}
+/**
+ * Computes the thumbprint of a JSON Web Key (JWK) using the method
+ * specified in RFC 7638. This function accepts RSA, EC, OKP, and oct keys
+ * and returns the thumbprint as a base64url encoded SHA-256 hash of the
+ * JWK's required members, serialized and sorted lexicographically.
+ *
+ * Purpose:
+ * - Uniquely Identifying Keys: The thumbprint allows the unique
+ *   identification of a specific JWK within a set of JWKs. It provides a
+ *   deterministic way to generate a value that can be used as a key
+ *   identifier (kid) or to match a specific key.
+ *
+ * - Simplifying Key Management: In systems where multiple keys are used,
+ *   managing and identifying individual keys can become complex. The
+ *   thumbprint method simplifies this by creating a standardized, unique
+ *   identifier for each key.
+ *
+ * - Enabling Interoperability: By standardizing the method to compute a
+ *   thumbprint, different systems can compute the same thumbprint value for
+ *   a given JWK. This enables interoperability among systems that use JWKs.
+ *
+ * - Secure Comparison: The thumbprint provides a way to securely compare
+ *   JWKs to determine if they are equivalent.
+ *
+ * @example
+ * ```ts
+ * const jwk: PublicKeyJwk = {
+ *   'kty': 'EC',
+ *   'crv': 'secp256k1',
+ *   'x': '61iPYuGefxotzBdQZtDvv6cWHZmXrTTscY-u7Y2pFZc',
+ *   'y': '88nPCVLfrAY9i-wg5ORcwVbHWC_tbeAd1JE2e0co0lU'
+ * };
+ *
+ * const thumbprint = jwkThumbprint(jwk);
+ * console.log(`JWK thumbprint: ${thumbprint}`);
+ * ```
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7638 | RFC7638} for
+ * the specification of JWK thumbprint computation.
+ *
+ * @param jwk - The JSON Web Key for which the thumbprint will be computed.
+ *              This must be an RSA, EC, OKP, or oct key.
+ * @returns The thumbprint as a base64url encoded string.
+ * @throws Throws an `Error` if the provided key type is unsupported.
+ */
+export declare function computeJwkThumbprint({ jwk }: {
+    jwk: Jwk;
+}): Promise<string>;
+/**
+ * Checks if the provided object is a valid elliptic curve private key in JWK format.
+ *
+ * @param obj - The object to check.
+ * @returns True if the object is a valid EC private JWK; otherwise, false.
+ */
+export declare function isEcPrivateJwk(obj: unknown): obj is JwkParamsEcPrivate;
+/**
+ * Checks if the provided object is a valid elliptic curve public key in JWK format.
+ *
+ * @param obj - The object to check.
+ * @returns True if the object is a valid EC public JWK; otherwise, false.
+ */
+export declare function isEcPublicJwk(obj: unknown): obj is JwkParamsEcPublic;
+/**
+ * Checks if the provided object is a valid octet sequence (symmetric key) in JWK format.
+ *
+ * @param obj - The object to check.
+ * @returns True if the object is a valid oct private JWK; otherwise, false.
+ */
+export declare function isOctPrivateJwk(obj: unknown): obj is JwkParamsOctPrivate;
+/**
+ * Checks if the provided object is a valid octet key pair private key in JWK format.
+ *
+ * @param obj - The object to check.
+ * @returns True if the object is a valid OKP private JWK; otherwise, false.
+ */
+export declare function isOkpPrivateJwk(obj: unknown): obj is JwkParamsOkpPrivate;
+/**
+ * Checks if the provided object is a valid octet key pair public key in JWK format.
+ *
+ * @param obj - The object to check.
+ * @returns True if the object is a valid OKP public JWK; otherwise, false.
+ */
+export declare function isOkpPublicJwk(obj: unknown): obj is JwkParamsOkpPublic;
+/**
+ * Checks if the provided object is a valid private key in JWK format of any supported type.
+ *
+ * @param obj - The object to check.
+ * @returns True if the object is a valid private JWK; otherwise, false.
+ */
+export declare function isPrivateJwk(obj: unknown): obj is PrivateKeyJwk;
+/**
+ * Checks if the provided object is a valid public key in JWK format of any supported type.
+ *
+ * @param obj - The object to check.
+ * @returns True if the object is a valid public JWK; otherwise, false.
+ */
+export declare function isPublicJwk(obj: unknown): obj is PublicKeyJwk;
+//# sourceMappingURL=jwk.d.ts.map

package/dist/types/jose/jwk.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwk.d.ts","sourceRoot":"","sources":["../../../src/jose/jwk.ts"],"names":[],"mappings":"AAKA;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,kBAAkB,aAAa,CAAC;AAE7C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,MAAM,YAAY,GAAG,SAAS,GAAG,SAAS,GAAG,MAAM,GAAG,QAAQ,GAAG,WAAW,GAAG,YAAY,GAAG,SAAS,GAAG,WAAW,CAAC;AAE5H;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,MAAM,MAAM,MAAM,GAAG,KAAK,GAAG,KAAK,GAAG,MAAM,CAAC;AAE5C;;GAEG;AACH,MAAM,MAAM,OAAO;AACjB;;;;GAIG;AACD,IAAI;AACN;;;;GAIG;GACD,KAAK;AACP;;;;GAIG;GACD,KAAK;AACP;;;;GAIG;GACD,KAAK,CAAA;AAET;;GAEG;AACH,MAAM,MAAM,cAAc,GAEtB,OAAO,GAEP,OAAO,GAEP,OAAO,GAEP,SAAS,GAET,OAAO,GAEP,QAAQ,GAER,MAAM,GAEN,WAAW,CAAC;AAEhB;;GAEG;AAEH,uDAAuD;AACvD,MAAM,MAAM,mBAAmB,GAAG;IAChC,4EAA4E;IAC5E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,mCAAmC;IACnC,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB,2BAA2B;IAC3B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,GAAG,EAAE,OAAO,CAAC;IACb,mCAAmC;IACnC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,uDAAuD;IACvD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;CACd,CAAA;AAED,8DAA8D;AAC9D,MAAM,MAAM,iBAAiB,GAAG,IAAI,CAAC,mBAAmB,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG;IACzE;;;;;;OAMG;IACH,GAAG,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,OAAO,GAAG,OAAO,CAAC;IAE7C;;OAEG;IACH,GAAG,EAAE,IAAI,CAAC;IAEV;;;OAGG;IACH,GAAG,EAAE,WAAW,GAAG,OAAO,GAAG,OAAO,GAAG,OAAO,CAAC;IAE/C;;;;;OAKG;IACH,CAAC,EAAE,MAAM,CAAC;IAEV;;;;;OAKG;IACH,CAAC,CAAC,EAAE,MAAM,CAAC;CACZ,CAAA;AAED,+DAA+D;AAC/D,MAAM,MAAM,kBAAkB,GAAG,iBAAiB,GAAG;IACnD;;;;;OAKG;IACH,CAAC,EAAE,MAAM,CAAC;CACX,CAAA;AAED,+DAA+D;AAC/D,MAAM,MAAM,kBAAkB,GAC5B,IAAI,CAAC,mBAAmB,EAAE,KAAK,GAAG,KAAK,GAAG,KAAK,CAAC,GAChD,IAAI,CAAC,iBAAiB,EAAE,GAAG,CAAC,GAAG;IAC/B;;;OAGG;IACH,GAAG,CAAC,EAAE,OAAO,CAAC;IAEd;;;OAGG;IACH,GAAG,EAAE,SAAS,GAAG,OAAO,GAAG,QAAQ,GAAG,MAAM,CAAC;IAE7C;;;;OAIG;IACH,GAAG,EAAE,KAAK,CAAC;CACZ,CAAA;AAED,gEAAgE;AAChE,MAAM,MAAM,mBAAmB,GAAG,kBAAkB,GAAG;IACrD;;;;;OAKG;IACH,CAAC,EAAE,MAAM,CAAC;CACX,CAAC;AAEF,gEAAgE;AAChE,MAAM,MAAM,mBAAmB,GAAG,IAAI,CAAC,mBAAmB,EAAE,KAAK,GAAG,KAAK,CAAC,GAAG;IAC3E;;;;OAIG;IACH,GAAG,CAAC,EAEA,SAAS,GAET,SAAS,GAET,SAAS,GAET,SAAS,GAET,SAAS,GAET,SAAS,GAET,SAAS,GAET,SAAS,GAET,SAAS,GAET,OAAO,GAEP,OAAO,GAEP,OAAO,CAAA;IAEX;;;;OAIG;IACH,CAAC,EAAE,MAAM,CAAC;IAEV;;;;OAIG;IACH,GAAG,EAAE,KAAK,CAAC;CACZ,CAAA;AAED,8CAA8C;AAC9C,MAAM,MAAM,kBAAkB,GAAG,IAAI,CAAC,mBAAmB,EAAE,KAAK,CAAC,GAAG;IAClE,8BAA8B;IAC9B,CAAC,EAAE,MAAM,CAAC;IAEV;;;OAGG;IACH,GAAG,EAAE,KAAK,CAAC;IAEX,sBAAsB;IACtB,CAAC,EAAE,MAAM,CAAC;CACX,CAAC;AAEF,+CAA+C;AAC/C,MAAM,MAAM,mBAAmB,GAAG,kBAAkB,GAAG;IACrD,+BAA+B;IAC/B,CAAC,EAAE,MAAM,CAAC;IACV,iCAAiC;IACjC,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,kCAAkC;IAClC,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,0CAA0C;IAC1C,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,2CAA2C;IAC3C,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,GAAG,CAAC,EAAE;QACJ,2BAA2B;QAC3B,CAAC,EAAE,MAAM,CAAC;QACV,iCAAiC;QACjC,CAAC,EAAE,MAAM,CAAC;QACV,oCAAoC;QACpC,CAAC,EAAE,MAAM,CAAC;KACX,EAAE,CAAC;CACL,CAAC;AAEF,sDAAsD;AACtD,MAAM,MAAM,YAAY,GAAG,iBAAiB,GAAG,kBAAkB,GAAG,kBAAkB,CAAC;AAEvF,uDAAuD;AACvD,MAAM,MAAM,aAAa,GAAG,kBAAkB,GAAG,mBAAmB,GAAG,mBAAmB,GAAG,mBAAmB,CAAC;AAEjH;;;GAGG;AACH,MAAM,WAAW,GAAG;IAGlB,4EAA4E;IAC5E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,GAAG,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,mCAAmC;IACnC,OAAO,CAAC,EAAE,YAAY,EAAE,CAAC;IACzB,2BAA2B;IAC3B,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,6BAA6B;IAC7B,GAAG,EAAE,OAAO,CAAC;IACb,mCAAmC;IACnC,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,uDAAuD;IACvD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,yDAAyD;IACzD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IAIb,iDAAiD;IACjD,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,qDAAqD;IACrD,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,qDAAqD;IACrD,CAAC,CAAC,EAAE,MAAM,CAAC;IAIX,sGAAsG;IACtG,CAAC,CAAC,EAAE,MAAM,CAAC;IAIX,8BAA8B;IAC9B,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,sBAAsB;IACtB,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,iCAAiC;IACjC,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,kCAAkC;IAClC,CAAC,CAAC,EAAE,MAAM,CAAC;IACX,0CAA0C;IAC1C,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,2CAA2C;IAC3C,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,oCAAoC;IACpC,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,sDAAsD;IACtD,GAAG,CAAC,EAAE;QACJ,2BAA2B;QAC3B,CAAC,EAAE,MAAM,CAAC;QACV,iCAAiC;QACjC,CAAC,EAAE,MAAM,CAAC;QACV,oCAAoC;QACpC,CAAC,EAAE,MAAM,CAAC;KACX,EAAE,CAAC;IAIJ,sDAAsD;IACtD,CAAC,CAAC,EAAE,MAAM,CAAC;IAGX,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,MAAM;IACrB,oBAAoB;IACpB,IAAI,EAAE,GAAG,EAAE,CAAA;CACZ;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AACH,wBAAsB,oBAAoB,CAAC,EAAE,GAAG,EAAE,EAAE;IAClD,GAAG,EAAE,GAAG,CAAA;CACT,GAAG,OAAO,CAAC,MAAM,CAAC,CAiClB;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,kBAAkB,CAOtE;AAED;;;;;GAKG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,iBAAiB,CAOpE;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,mBAAmB,CAMxE;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,mBAAmB,CAOxE;AAED;;;;;GAKG;AACH,wBAAgB,cAAc,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,kBAAkB,CAOtE;AAED;;;;;GAKG;AACH,wBAAgB,YAAY,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,aAAa,CAe/D;AAED;;;;;GAKG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,YAAY,CAc7D"}

package/dist/types/jose/jws.d.ts

@@ -0,0 +1,67 @@
+import type { Jwk } from './jwk.js';
+/**
+ * JSON Object Signing and Encryption (JOSE) Header Parameters
+ *
+ * The Header Parameter names for use in both JWSs and JWEs are registered in the IANA "JSON Web
+ * Signature and Encryption Header Parameters" registry.
+ *
+ * As indicated by the common registry, JWSs and JWEs share a common Header Parameter space; when a
+ * parameter is used by both specifications, its usage must be compatible between the
+ * specifications.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7515#section-4.1 | RFC 7515, Section 4.1}
+ */
+export interface JoseHeaderParams {
+    /** Content Type Header Parameter */
+    cty?: string;
+    /** JWK Set URL Header Parameter */
+    jku?: string;
+    /** JSON Web Key Header Parameter */
+    jwk?: Jwk;
+    /** Key ID Header Parameter */
+    kid?: string;
+    /** Type Header Parameter */
+    typ?: string;
+    /** X.509 Certificate Chain Header Parameter */
+    x5c?: string[];
+    /** X.509 Certificate SHA-1 Thumbprint Header Parameter */
+    x5t?: string;
+    /** X.509 URL Header Parameter */
+    x5u?: string;
+}
+/**
+ * JSON Web Signature (JWS) Header Parameters
+ *
+ * The Header Parameter names for use in JWSs are registered in the IANA "JSON Web Signature and
+ * Encryption Header Parameters" registry.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7515#section-4.1 | RFC 7515, Section 4.1}
+ */
+export interface JwsHeaderParams extends JoseHeaderParams {
+    /**
+     * Algorithm Header Parameter
+     *
+     * Identifies the cryptographic algorithm used to secure the JWS. The JWS Signature value is not
+     * valid if the "alg" value does not represent a supported algorithm or if there is not a key for
+     * use with that algorithm associated with the party that digitally signed or MACed the content.
+     *
+     * "alg" values should either be registered in the IANA "JSON Web Signature and Encryption
+     * Algorithms" registry or be a value that contains a Collision-Resistant Name. The "alg" value is
+     * a case-sensitive ASCII string.  This Header Parameter MUST be present and MUST be understood
+     * and processed by implementations.
+     *
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1 | RFC 7515, Section 4.1.1}
+     */
+    alg: 'EdDSA' | 'ES256' | 'ES256K' | 'ES384' | 'ES512' | 'HS256' | 'HS384' | 'HS512' | string;
+    /**
+     * Critical Header Parameter
+     *
+     * Indicates that extensions to JOSE RFCs are being used that MUST be understood and processed.
+     */
+    crit?: string[];
+    /**
+     * Additional Public or Private Header Parameter names.
+     */
+    [key: string]: unknown;
+}
+//# sourceMappingURL=jws.d.ts.map

package/dist/types/jose/jws.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jws.d.ts","sourceRoot":"","sources":["../../../src/jose/jws.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,UAAU,CAAC;AAEpC;;;;;;;;;;;GAWG;AACH,MAAM,WAAW,gBAAgB;IAC/B,oCAAoC;IACpC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,mCAAmC;IACnC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,oCAAoC;IACpC,GAAG,CAAC,EAAE,GAAG,CAAC;IAEV,8BAA8B;IAC9B,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,4BAA4B;IAC5B,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,+CAA+C;IAC/C,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC;IAEf,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAgB,SAAQ,gBAAgB;IACvD;;;;;;;;;;;;;OAaG;IACH,GAAG,EAEC,OAAO,GAEP,OAAO,GAEP,QAAQ,GAER,OAAO,GAEP,OAAO,GAEP,OAAO,GAEP,OAAO,GAEP,OAAO,GAEP,MAAM,CAAC;IAEX;;;;OAIG;IACH,IAAI,CAAC,EAAE,MAAM,EAAE,CAAA;IAEf;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB"}

package/dist/types/jose/jwt.d.ts

@@ -0,0 +1,139 @@
+import type { JweHeaderParams } from './jwe.js';
+import type { JwsHeaderParams } from './jws.js';
+/**
+ * JSON Web Token (JWT) Header
+ *
+ * For a JWT object, the members of the JSON object represented by the JOSE Header describe the
+ * cryptographic operations applied to the JWT and optionally, additional properties of the JWT.
+ * Depending upon whether the JWT is a JWS or JWE, the corresponding rules for the JOSE Header
+ * values apply.
+ *
+ * The {@link https://datatracker.ietf.org/doc/html/rfc7519#section-5 | RFC 7519} specification
+ * further specifies the use of the following Header Parameters in both the cases where the JWT is a
+ * JWS and where it is a JWE:
+ *
+ * - "typ" (type) Header Parameter: This Header Parameter is OPTIONAL. When used, this Header
+ *   Parameter MUST be used to declare the MIME Media Type of this complete JWT. This parameter is
+ *   ignored by JWT implementations; any processing of this parameter is performed by the JWT
+ *   application.  If present, it is RECOMMENDED that its value be "JWT" to indicate that this
+ *   object is a JWT.  While media type names are not case sensitive, it is RECOMMENDED that "JWT"
+ *   always be spelled using uppercase characters for compatibility with legacy implementations.
+ *
+ * - "cty" (content type) Header Parameter: This Header Parameter is OPTIONAL. When used, this
+ *   Header Parameter MUST be used to declare the MIME Media Type of the secured content (the
+ *   payload). In the normal case in which nested signing or encryption operations are not employed,
+ *   the use of this Header Parameter is NOT RECOMMENDED.  In the case that nested signing or
+ *   encryption is employed, this Header Parameter MUST be present; in this case, the value MUST be
+ *   "JWT", to indicate that a Nested JWT is carried in this JWT.  While media type names are not
+ *   case sensitive, it is RECOMMENDED that "JWT" always be spelled using uppercase characters
+ *   for compatibility with legacy implementations.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7519#section-5 | RFC 7519, Section 5}
+ */
+export type JwtHeaderParams = JwsHeaderParams | JweHeaderParams;
+/**
+ * JSON Web Token Payload
+ *
+ * The JWT Claims Set represents a JSON object whose members are the claims conveyed by the JWT.
+ * The Claim Names within a JWT Claims Set MUST be unique; JWT parsers MUST either reject JWTs
+ * with duplicate Claim Names or use a JSON parser that returns only the lexically last duplicate
+ * member name.
+ *
+ * The set of claims that a JWT must contain to be considered valid is context dependent and is
+ * undefined by RFC 7519. Specific applications of JWTs will require implementations to understand
+ * and process some claims in particular ways.
+ *
+ * There are three classes of JWT Claim Names:
+ *
+ * - Registered Claim Names: Claim names registered in the IANA "JSON Web Token Claims" registry.
+ *   None of the claims defined below are intended to be mandatory to use or implement in all cases,
+ *   but rather they provide a starting point for a set of useful, interoperable claims
+ *   Applications using JWTs should define which specific claims they use and when they are required
+ *   or optional.
+ *
+ * - Public Claim Names: Claim Names can be defined at will by those using JWTs. However, in order
+ *   prevent collisions, any new Claim Name should either be registered in the IANA "JSON Web Token
+ *   Claims" registry or be a Public Name: a value that contains a Collision-Resistant Name. In each
+ *   case, the definer of the name or value needs to take reasonable precautions to make sure they
+ *   are in control of the part of the namespace they use to define the Claim Name.
+ *
+ * - Private Claim Names: A producer and consumer of a JWT MAY agree to use Claim Names that are
+ *   Private Names: names that are not Registered Claim Names or Public Claim Names. Unlike Public
+ *   Claim Names, Private Claim Names are subject to collision and should be used with caution.
+ *
+ * @see {@link https://datatracker.ietf.org/doc/html/rfc7519#section-4 | RFC 7519, Section 4}
+ */
+export interface JwtPayload {
+    /**
+     * Issuer
+     * Identifies the principal that issued the JWT. The "iss" value is a case-sensitive string
+     * containing a string or URI value.  Use of this claim is OPTIONAL.
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1 | RFC 7519, Section 4.1.1}
+     */
+    iss?: string;
+    /**
+     * Subject
+     * Identifies the principal that is the subject of the JWT. The claims in a JWT are normally
+     * statements about the subject. The subject value MUST either be scoped to be locally unique in
+     * the context of the issuer or be globally unique. The "sub" value is a case-sensitive string
+     * containing a string or URI value. Use of this claim is OPTIONAL.
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2 | RFC 7519, Section 4.1.2}
+     */
+    sub?: string;
+    /**
+     * Audience
+     * Identifies the recipients that the JWT is intended for. Each principal intended to process
+     * the JWT MUST identify itself with a value in the audience claim. If the principal processing
+     * the claim does not identify itself with a value in the "aud" claim when this claim is present,
+     * then the JWT MUST be rejected. In the general case, the "aud" value is an array of case-
+     * sensitive strings, each containing a string or URI value. In the special case when the JWT has
+     * one audience, the "aud" value MAY be a single case-sensitive string containing a string or URI
+     * value. Use of this claim is OPTIONAL.
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3 | RFC 7519, Section 4.1.3}
+     */
+    aud?: string | string[];
+    /**
+     * Expiration Time
+     * Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing.
+     * The processing of the "exp" claim requires that the current date/time MUST be before the
+     * expiration date/time listed in the "exp" claim. Implementers MAY provide for some small leeway,
+     * usually no more than a few minutes, to account for clock skew. Its value MUST be a number
+     * containing a numeric date value. Use of this claim is OPTIONAL.
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4 | RFC 7519, Section 4.1.4}
+     */
+    exp?: number;
+    /**
+     * Not Before
+     * Identifies the time before which the JWT MUST NOT be accepted for processing. The processing
+     * of the "nbf" claim requires that the current date/time MUST be after or equal to the not-before
+     * date/time listed in the "nbf" claim. Implementers MAY provide for some small leeway, usually no
+     * more than a few minutes, to account for clock skew. Its value MUST be a number containing a
+     * numeric date value. Use of this claim is OPTIONAL.
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5 | RFC 7519, Section 4.1.5}
+     */
+    nbf?: number;
+    /**
+     * Issued At
+     * Identifies the time at which the JWT was issued. This claim can be used to determine the age
+     * of the JWT. Its value MUST be a number containing a numeric date value. Use of this claim is
+     * OPTIONAL.
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6 | RFC 7519, Section 4.1.6}
+     */
+    iat?: number;
+    /**
+     * JWT ID
+     * Provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner
+     * that ensures that there is a negligible probability that the same value will be accidentally
+     * assigned to a different data object; if the application uses multiple issuers, collisions
+     * MUST be prevented among values produced by different issuers as well. The "jti" claim can be
+     * used to prevent the JWT from being replayed. The "jti" value is a case-sensitive string.
+     * Use of this claim is OPTIONAL.
+     * @see {@link https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7 | RFC 7519, Section 4.1.7}
+     */
+    jti?: string;
+    /**
+     * Additional Public or Private Claim names.
+     */
+    [key: string]: unknown;
+}
+//# sourceMappingURL=jwt.d.ts.map

package/dist/types/jose/jwt.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt.d.ts","sourceRoot":"","sources":["../../../src/jose/jwt.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAChD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,UAAU,CAAC;AAEhD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,MAAM,eAAe,GAAG,eAAe,GAAG,eAAe,CAAC;AAEhE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,MAAM,WAAW,UAAU;IACzB;;;;;OAKG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;;;OAOG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;;;;;;OAUG;IACH,GAAG,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB;;;;;;;;OAQG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;;;;OAQG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;;OAMG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;;;;;;;;OASG;IACH,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB"}