@lindorm/aegis 0.4.3 → 0.5.0

package/dist/classes/JweKit.js

@@ -4,11 +4,18 @@ exports.JweKit = void 0;
 const aes_1 = require("@lindorm/aes");
 const b64_1 = require("@lindorm/b64");
 const is_1 = require("@lindorm/is");
-const crypto_1 = require("crypto");
-const private_1 = require("../constants/private");
+const format_1 = require("#internal/constants/format");
 const errors_1 = require("../errors");
-const private_2 = require("../utils/private");
+const compute_typ_header_1 = require("#internal/utils/compute-typ-header");
+const jose_header_1 = require("#internal/utils/jose-header");
+const token_header_1 = require("#internal/utils/token-header");
+const resolve_cert_binding_1 = require("#internal/utils/resolve-cert-binding");
+const verify_cert_binding_1 = require("#internal/utils/verify-cert-binding");
+const validate_crit_1 = require("#internal/utils/validate-crit");
+const JwsKit_1 = require("./JwsKit");
+const JwtKit_1 = require("./JwtKit");
 class JweKit {
+    certBindingMode;
     encryption;
     kryptos;
     logger;
@@ -16,11 +23,12 @@ class JweKit {
         this.logger = options.logger.child(["JweKit"]);
         this.kryptos = options.kryptos;
         this.encryption = options.encryption ?? options.kryptos.encryption ?? "A256GCM";
+        this.certBindingMode = options.certBindingMode ?? "strict";
     }
     encrypt(data, options = {}) {
         const kit = new aes_1.AesKit({ encryption: this.encryption, kryptos: this.kryptos });
         this.logger.debug("Encrypting token", { options });
-        const objectId = options.objectId ?? (0, crypto_1.randomUUID)();
+        const objectId = options.objectId;
         const prepared = kit.prepareEncryption();
         const critical = [];
         const headerOptions = {
@@ -29,7 +37,7 @@ class JweKit {
             contentType: this.contentType(data),
             ...(critical.length ? { critical } : {}),
             encryption: this.encryption,
-            headerType: "JWE",
+            headerType: (0, compute_typ_header_1.computeTypHeader)(options.tokenType, "jwe"),
             initialisationVector: prepared.headerParams.publicEncryptionIv,
             jwksUri: this.kryptos.jwksUri ?? undefined,
             keyId: this.kryptos.id,
@@ -39,7 +47,8 @@ class JweKit {
             publicEncryptionJwk: prepared.headerParams.publicEncryptionJwk,
             publicEncryptionTag: prepared.headerParams.publicEncryptionTag,
         };
-        const header = (0, private_2.encodeJoseHeader)(headerOptions);
+        const cert = (0, resolve_cert_binding_1.resolveCertBinding)(this.kryptos, options.bindCertificate);
+        const header = (0, jose_header_1.encodeJoseHeader)(headerOptions, cert);
         const aad = Buffer.from(header, "ascii");
         const { authTag, content, initialisationVector } = prepared.encrypt(data, { aad });
         if (!authTag) {
@@ -47,10 +56,10 @@ class JweKit {
         }
         const token = [
             header,
-            prepared.publicEncryptionKey ? b64_1.B64.encode(prepared.publicEncryptionKey, private_1.B64U) : "",
-            b64_1.B64.encode(initialisationVector, private_1.B64U),
-            b64_1.B64.encode(content, private_1.B64U),
-            b64_1.B64.encode(authTag, private_1.B64U),
+            prepared.publicEncryptionKey ? b64_1.B64.encode(prepared.publicEncryptionKey, format_1.B64U) : "",
+            b64_1.B64.encode(initialisationVector, format_1.B64U),
+            b64_1.B64.encode(content, format_1.B64U),
+            b64_1.B64.encode(authTag, format_1.B64U),
         ].join(".");
         this.logger.debug("Token encrypted", { token });
         return { token };
@@ -59,9 +68,21 @@ class JweKit {
         const kit = new aes_1.AesKit({ encryption: this.encryption, kryptos: this.kryptos });
         this.logger.debug("Decrypting token", { token });
         const decoded = JweKit.decode(token);
-        if (decoded.header.typ !== "JWE") {
+        const typ = decoded.header.typ;
+        if (typ !== "JWE" && !(typeof typ === "string" && typ.endsWith("+jwe"))) {
             throw new errors_1.JweError("Invalid token", {
-                data: { typ: decoded.header.typ },
+                data: { typ },
+            });
+        }
+        if (decoded.header.zip !== undefined) {
+            throw new errors_1.JweError("Compressed JWE payloads are not supported", {
+                data: { zip: decoded.header.zip },
+            });
+        }
+        const critError = (0, validate_crit_1.validateCrit)(decoded.header);
+        if (critError) {
+            throw new errors_1.JweError(`Invalid crit header: ${critError}`, {
+                data: { crit: decoded.header.crit },
             });
         }
         if (this.kryptos.algorithm !== decoded.header.alg) {
@@ -70,7 +91,8 @@ class JweKit {
                 debug: { expected: this.kryptos.algorithm },
             });
         }
-        const header = (0, private_2.parseTokenHeader)(decoded.header);
+        const header = (0, token_header_1.parseTokenHeader)(decoded.header);
+        header.tokenType = (0, compute_typ_header_1.decodeTokenTypeFromTyp)(typ, "jwe");
         if (header.encryption !== this.encryption) {
             throw new errors_1.JweError("Unexpected encryption", {
                 debug: { actual: header.encryption, encryption: this.encryption },
@@ -87,7 +109,7 @@ class JweKit {
         const content = b64_1.B64.toBuffer(decoded.content);
         const initialisationVector = b64_1.B64.toBuffer(decoded.initialisationVector);
         const pbkdfIterations = header.pbkdfIterations;
-        const pbkdfSalt = header.pbkdfSalt ? b64_1.B64.toBuffer(header.pbkdfSalt, private_1.B64U) : undefined;
+        const pbkdfSalt = header.pbkdfSalt ? b64_1.B64.toBuffer(header.pbkdfSalt, format_1.B64U) : undefined;
         const publicEncryptionIv = header.initialisationVector
             ? b64_1.B64.toBuffer(header.initialisationVector)
             : undefined;
@@ -99,22 +121,48 @@ class JweKit {
             ? b64_1.B64.toBuffer(header.publicEncryptionTag)
             : undefined;
         const payload = kit.decrypt({
+            algorithm: header.algorithm,
             authTag,
             content,
+            contentType: "text/plain",
             encryption: this.encryption,
             initialisationVector,
+            keyId: header.keyId ?? this.kryptos.id,
             pbkdfIterations,
             pbkdfSalt,
             publicEncryptionIv,
             publicEncryptionJwk,
             publicEncryptionKey,
             publicEncryptionTag,
+            version: "1.0",
         }, { aad });
+        (0, verify_cert_binding_1.verifyCertBinding)({
+            header: {
+                x5tS256: header.x5tS256,
+            },
+            kryptos: this.kryptos,
+            logger: this.logger,
+            mode: this.certBindingMode,
+        });
         this.logger.debug("Token decrypted");
         return { header, payload, decoded, token };
     }
     static isJwe(jwe) {
-        return (0, is_1.isJwe)(jwe);
+        if (typeof jwe !== "string")
+            return false;
+        const parts = jwe.split(".");
+        if (parts.length !== 5)
+            return false;
+        try {
+            const header = (0, jose_header_1.decodeJoseHeader)(parts[0]);
+            if (typeof header.alg !== "string")
+                return false;
+            const typ = header.typ;
+            return typ === "JWE" || (typeof typ === "string" && typ.endsWith("+jwe"));
+        }
+        catch {
+            return false;
+        }
     }
     static decode(jwe) {
         const parts = jwe.split(".");
@@ -123,7 +171,7 @@ class JweKit {
         }
         const [header, publicEncryptionKey, initialisationVector, content, authTag] = parts;
         return {
-            header: (0, private_2.decodeJoseHeader)(header),
+            header: (0, jose_header_1.decodeJoseHeader)(header),
             publicEncryptionKey: publicEncryptionKey?.length ? publicEncryptionKey : undefined,
             initialisationVector,
             content,
@@ -131,10 +179,10 @@ class JweKit {
         };
     }
     contentType(input) {
-        if ((0, is_1.isJws)(input)) {
+        if (JwsKit_1.JwsKit.isJws(input)) {
             return "application/jws";
         }
-        if ((0, is_1.isJwt)(input)) {
+        if (JwtKit_1.JwtKit.isJwt(input)) {
             return "application/jwt";
         }
         if (input.startsWith("{") && input.endsWith("}")) {

package/dist/classes/JweKit.js.map

@@ -1 +1 @@
-{"version":3,"file":"JweKit.js","sourceRoot":"","sources":["../../src/classes/JweKit.ts"],"names":[],"mappings":";;;AAAA,sCAAsC;AACtC,sCAAmC;AACnC,oCAA4D;AAG5D,mCAAoC;AACpC,kDAA4C;AAC5C,sCAAqC;AAWrC,8CAAwF;AAExF,MAAa,MAAM;IACA,UAAU,CAAoB;IAC9B,OAAO,CAAW;IAClB,MAAM,CAAU;IAEjC,YAAmB,OAAsB;QACvC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC,UAAU,IAAI,SAAS,CAAC;IAClF,CAAC;IAEM,OAAO,CAAC,IAAY,EAAE,UAA6B,EAAE;QAC1D,MAAM,GAAG,GAAG,IAAI,YAAM,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAE/E,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAA,mBAAU,GAAE,CAAC;QAGlD,MAAM,QAAQ,GAAG,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAOzC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QAEnC,MAAM,aAAa,GAAuB;YACxC,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;YACzB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACjC,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;YACnC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACxC,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,UAAU,EAAE,KAAK;YACjB,oBAAoB,EAAE,QAAQ,CAAC,YAAY,CAAC,kBAAkB;YAC9D,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,SAAS;YAC1C,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE;YACtB,QAAQ;YACR,eAAe,EAAE,QAAQ,CAAC,YAAY,CAAC,eAAe;YACtD,SAAS,EAAE,QAAQ,CAAC,YAAY,CAAC,SAAS;YAC1C,mBAAmB,EAAE,QAAQ,CAAC,YAAY,CAAC,mBAAmB;YAC9D,mBAAmB,EAAE,QAAQ,CAAC,YAAY,CAAC,mBAAmB;SAC/D,CAAC;QAGF,MAAM,MAAM,GAAG,IAAA,0BAAgB,EAAC,aAAa,CAAC,CAAC;QAG/C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAGzC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,oBAAoB,EAAE,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;QAEnF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,iBAAQ,CAAC,kBAAkB,CAAC,CAAC;QACzC,CAAC;QAGD,MAAM,KAAK,GAAG;YACZ,MAAM;YACN,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,EAAE,cAAI,CAAC,CAAC,CAAC,CAAC,EAAE;YAClF,SAAG,CAAC,MAAM,CAAC,oBAAoB,EAAE,cAAI,CAAC;YACtC,SAAG,CAAC,MAAM,CAAC,OAAO,EAAE,cAAI,CAAC;YACzB,SAAG,CAAC,MAAM,CAAC,OAAO,EAAE,cAAI,CAAC;SAC1B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAEhD,OAAO,EAAE,KAAK,EAAE,CAAC;IACnB,CAAC;IAEM,OAAO,CAAC,KAAa;QAC1B,MAAM,GAAG,GAAG,IAAI,YAAM,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAE/E,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAEjD,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAErC,IAAI,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,KAAK,EAAE,CAAC;YACjC,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE;aAClC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAClD,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE;gBACjC,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE;aAC5C,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,IAAA,0BAAgB,EAAqB,OAAO,CAAC,MAAM,CAAC,CAAC;QAEpE,IAAI,MAAM,CAAC,UAAU,KAAK,IAAI,CAAC,UAAU,EAAE,CAAC;YAC1C,MAAM,IAAI,iBAAQ,CAAC,uBAAuB,EAAE;gBAC1C,KAAK,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,UAAU,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE;aAClE,CAAC,CAAC;QACL,CAAC;QAGD,IAAI,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;YAC5B,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpC,MAAM,IAAI,iBAAQ,CAAC,0CAA0C,KAAK,EAAE,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;QAGD,MAAM,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAE5C,MAAM,OAAO,GAAG,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,oBAAoB,GAAG,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACxE,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,cAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACtF,MAAM,kBAAkB,GAAG,MAAM,CAAC,oBAAoB;YACpD,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,oBAAoB,CAAC;YAC3C,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,mBAAmB,GAAG,OAAO,CAAC,mBAAmB;YACrD,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,mBAAmB,CAAC;YAC3C,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,mBAAmB,GAAG,MAAM,CAAC,mBAAmB,CAAC;QACvD,MAAM,mBAAmB,GAAG,MAAM,CAAC,mBAAmB;YACpD,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,mBAAmB,CAAC;YAC1C,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CACzB;YACE,OAAO;YACP,OAAO;YACP,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,oBAAoB;YACpB,eAAe;YACf,SAAS;YACT,kBAAkB;YAClB,mBAAmB;YACnB,mBAAmB;YACnB,mBAAmB;SACpB,EACD,EAAE,GAAG,EAAE,CACR,CAAC;QAEF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAErC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC7C,CAAC;IAIM,MAAM,CAAC,KAAK,CAAC,GAAW;QAC7B,OAAO,IAAA,UAAK,EAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IAEM,MAAM,CAAC,MAAM,CAAC,GAAW;QAC9B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,iBAAQ,CAAC,sCAAsC,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,CAAC,MAAM,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;QAEpF,OAAO;YACL,MAAM,EAAE,IAAA,0BAAgB,EAAC,MAAM,CAAC;YAChC,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAS;YAClF,oBAAoB;YACpB,OAAO;YACP,OAAO;SACR,CAAC;IACJ,CAAC;IAIO,WAAW,CAAC,KAAa;QAC/B,IAAI,IAAA,UAAK,EAAC,KAAK,CAAC,EAAE,CAAC;YACjB,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,IAAI,IAAA,UAAK,EAAC,KAAK,CAAC,EAAE,CAAC;YACjB,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACjD,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACjD,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,IAAI,IAAA,aAAQ,EAAC,KAAK,CAAC,EAAE,CAAC;YACpB,OAAO,2BAA2B,CAAC;QACrC,CAAC;QAED,OAAO,qBAAqB,CAAC;IAC/B,CAAC;CACF;AApMD,wBAoMC"}
+{"version":3,"file":"JweKit.js","sourceRoot":"","sources":["../../src/classes/JweKit.ts"],"names":[],"mappings":";;;AAAA,sCAAsC;AACtC,sCAAmC;AACnC,oCAAuC;AAGvC,uDAAkD;AAClD,sCAAqC;AAYrC,2EAG4C;AAC5C,6DAAiF;AACjF,+DAAgE;AAChE,+EAA0E;AAC1E,6EAAwE;AACxE,iEAA6D;AAC7D,qCAAkC;AAClC,qCAAkC;AAElC,MAAa,MAAM;IACA,eAAe,CAAkB;IACjC,UAAU,CAAoB;IAC9B,OAAO,CAAW;IAClB,MAAM,CAAU;IAEjC,YAAmB,OAAsB;QACvC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,UAAU,GAAG,OAAO,CAAC,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC,UAAU,IAAI,SAAS,CAAC;QAChF,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC7D,CAAC;IAEM,OAAO,CAAC,IAAY,EAAE,UAA6B,EAAE;QAC1D,MAAM,GAAG,GAAG,IAAI,YAAM,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAE/E,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAEnD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAGlC,MAAM,QAAQ,GAAG,GAAG,CAAC,iBAAiB,EAAE,CAAC;QAOzC,MAAM,QAAQ,GAAkB,EAAE,CAAC;QAEnC,MAAM,aAAa,GAAuB;YACxC,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;YACzB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACjC,WAAW,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC;YACnC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;YACxC,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,UAAU,EAAE,IAAA,qCAAgB,EAAC,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC;YACtD,oBAAoB,EAAE,QAAQ,CAAC,YAAY,CAAC,kBAAkB;YAC9D,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,SAAS;YAC1C,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE;YACtB,QAAQ;YACR,eAAe,EAAE,QAAQ,CAAC,YAAY,CAAC,eAAe;YACtD,SAAS,EAAE,QAAQ,CAAC,YAAY,CAAC,SAAS;YAC1C,mBAAmB,EAAE,QAAQ,CAAC,YAAY,CAAC,mBAAmB;YAC9D,mBAAmB,EAAE,QAAQ,CAAC,YAAY,CAAC,mBAAmB;SAC/D,CAAC;QAEF,MAAM,IAAI,GAAG,IAAA,yCAAkB,EAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;QAGvE,MAAM,MAAM,GAAG,IAAA,8BAAgB,EAAC,aAAa,EAAE,IAAI,CAAC,CAAC;QAGrD,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;QAGzC,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,oBAAoB,EAAE,GAAG,QAAQ,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;QAEnF,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,IAAI,iBAAQ,CAAC,kBAAkB,CAAC,CAAC;QACzC,CAAC;QAGD,MAAM,KAAK,GAAG;YACZ,MAAM;YACN,QAAQ,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,mBAAmB,EAAE,aAAI,CAAC,CAAC,CAAC,CAAC,EAAE;YAClF,SAAG,CAAC,MAAM,CAAC,oBAAoB,EAAE,aAAI,CAAC;YACtC,SAAG,CAAC,MAAM,CAAC,OAAO,EAAE,aAAI,CAAC;YACzB,SAAG,CAAC,MAAM,CAAC,OAAO,EAAE,aAAI,CAAC;SAC1B,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAEhD,OAAO,EAAE,KAAK,EAAE,CAAC;IACnB,CAAC;IAEM,OAAO,CAAC,KAAa;QAC1B,MAAM,GAAG,GAAG,IAAI,YAAM,CAAC,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;QAE/E,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,kBAAkB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAEjD,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAErC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;QAC/B,IAAI,GAAG,KAAK,KAAK,IAAI,CAAC,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC;YACxE,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,GAAG,EAAE;aACd,CAAC,CAAC;QACL,CAAC;QAKD,IAAK,OAAO,CAAC,MAA4B,CAAC,GAAG,KAAK,SAAS,EAAE,CAAC;YAC5D,MAAM,IAAI,iBAAQ,CAAC,2CAA2C,EAAE;gBAC9D,IAAI,EAAE,EAAE,GAAG,EAAG,OAAO,CAAC,MAA4B,CAAC,GAAG,EAAE;aACzD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,SAAS,GAAG,IAAA,4BAAY,EAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC/C,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,IAAI,iBAAQ,CAAC,wBAAwB,SAAS,EAAE,EAAE;gBACtD,IAAI,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE;aACpC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,KAAK,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC;YAClD,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE;gBACjC,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE;aAC5C,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAqB,OAAO,CAAC,MAAM,CAAC,CAAC;QACpE,MAAM,CAAC,SAAS,GAAG,IAAA,2CAAsB,EAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QAEtD,IAAI,MAAM,CAAC,UAAU,KAAK,IAAI,CAAC,UAAU,EAAE,CAAC;YAC1C,MAAM,IAAI,iBAAQ,CAAC,uBAAuB,EAAE;gBAC1C,KAAK,EAAE,EAAE,MAAM,EAAE,MAAM,CAAC,UAAU,EAAE,UAAU,EAAE,IAAI,CAAC,UAAU,EAAE;aAClE,CAAC,CAAC;QACL,CAAC;QAGD,IAAI,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;YAC5B,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACpC,MAAM,IAAI,iBAAQ,CAAC,0CAA0C,KAAK,EAAE,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;QAGD,MAAM,CAAC,SAAS,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC;QAE5C,MAAM,OAAO,GAAG,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,OAAO,GAAG,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QAC9C,MAAM,oBAAoB,GAAG,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,oBAAoB,CAAC,CAAC;QACxE,MAAM,eAAe,GAAG,MAAM,CAAC,eAAe,CAAC;QAC/C,MAAM,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,SAAS,EAAE,aAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QACtF,MAAM,kBAAkB,GAAG,MAAM,CAAC,oBAAoB;YACpD,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,oBAAoB,CAAC;YAC3C,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,mBAAmB,GAAG,OAAO,CAAC,mBAAmB;YACrD,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,mBAAmB,CAAC;YAC3C,CAAC,CAAC,SAAS,CAAC;QACd,MAAM,mBAAmB,GAAG,MAAM,CAAC,mBAAmB,CAAC;QACvD,MAAM,mBAAmB,GAAG,MAAM,CAAC,mBAAmB;YACpD,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,mBAAmB,CAAC;YAC1C,CAAC,CAAC,SAAS,CAAC;QAEd,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,CACzB;YACE,SAAS,EAAE,MAAM,CAAC,SAAS;YAC3B,OAAO;YACP,OAAO;YACP,WAAW,EAAE,YAAY;YACzB,UAAU,EAAE,IAAI,CAAC,UAAU;YAC3B,oBAAoB;YACpB,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE;YACtC,eAAe;YACf,SAAS;YACT,kBAAkB;YAClB,mBAAmB;YACnB,mBAAmB;YACnB,mBAAmB;YACnB,OAAO,EAAE,KAAK;SACf,EACD,EAAE,GAAG,EAAE,CACR,CAAC;QAMF,IAAA,uCAAiB,EAAC;YAChB,MAAM,EAAE;gBACN,OAAO,EAAE,MAAM,CAAC,OAAO;aACxB;YACD,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,eAAe;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;QAErC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC7C,CAAC;IAIM,MAAM,CAAC,KAAK,CAAC,GAAW;QAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,8BAAgB,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1C,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;gBAAE,OAAO,KAAK,CAAC;YACjD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;YACvB,OAAO,GAAG,KAAK,KAAK,IAAI,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAC5E,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEM,MAAM,CAAC,MAAM,CAAC,GAAW;QAC9B,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,MAAM,IAAI,iBAAQ,CAAC,sCAAsC,CAAC,CAAC;QAC7D,CAAC;QAED,MAAM,CAAC,MAAM,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,OAAO,EAAE,OAAO,CAAC,GAAG,KAAK,CAAC;QAEpF,OAAO;YACL,MAAM,EAAE,IAAA,8BAAgB,EAAC,MAAM,CAAC;YAChC,mBAAmB,EAAE,mBAAmB,EAAE,MAAM,CAAC,CAAC,CAAC,mBAAmB,CAAC,CAAC,CAAC,SAAS;YAClF,oBAAoB;YACpB,OAAO;YACP,OAAO;SACR,CAAC;IACJ,CAAC;IAIO,WAAW,CAAC,KAAa;QAC/B,IAAI,eAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,IAAI,eAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACxB,OAAO,iBAAiB,CAAC;QAC3B,CAAC;QAED,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACjD,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,IAAI,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACjD,OAAO,kBAAkB,CAAC;QAC5B,CAAC;QAED,IAAI,IAAA,aAAQ,EAAC,KAAK,CAAC,EAAE,CAAC;YACpB,OAAO,2BAA2B,CAAC;QACrC,CAAC;QAED,OAAO,qBAAqB,CAAC;IAC/B,CAAC;CACF;AArPD,wBAqPC"}

package/dist/classes/JwsKit.d.ts

@@ -1,6 +1,7 @@
 import { IJwsKit } from "../interfaces";
 import { DecodedJws, JwsKitOptions, ParsedJws, SignJwsOptions, SignedJws } from "../types";
 export declare class JwsKit implements IJwsKit {
+    private readonly certBindingMode;
     private readonly logger;
     private readonly kryptos;
     constructor(options: JwsKitOptions);

package/dist/classes/JwsKit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"JwsKit.d.ts","sourceRoot":"","sources":["../../src/classes/JwsKit.ts"],"names":[],"mappings":"AAOA,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EACL,UAAU,EACV,aAAa,EACb,SAAS,EAET,cAAc,EACd,SAAS,EAEV,MAAM,UAAU,CAAC;AASlB,qBAAa,MAAO,YAAW,OAAO;IACpC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAW;gBAEhB,OAAO,EAAE,aAAa;IAKlC,IAAI,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,EACnC,IAAI,EAAE,CAAC,EACP,OAAO,GAAE,cAAmB,GAC3B,SAAS;IAoCL,MAAM,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;WAkCvD,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAI3B,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU;WAc/B,KAAK,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;CAuB5E"}
+{"version":3,"file":"JwsKit.d.ts","sourceRoot":"","sources":["../../src/classes/JwsKit.ts"],"names":[],"mappings":"AAMA,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAEL,UAAU,EACV,aAAa,EACb,SAAS,EAET,cAAc,EACd,SAAS,EAEV,MAAM,UAAU,CAAC;AAYlB,qBAAa,MAAO,YAAW,OAAO;IACpC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;IAClD,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAW;gBAEhB,OAAO,EAAE,aAAa;IAMlC,IAAI,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,EACnC,IAAI,EAAE,CAAC,EACP,OAAO,GAAE,cAAmB,GAC3B,SAAS;IAsCL,MAAM,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;WA+CvD,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAkB3B,MAAM,CAAC,GAAG,EAAE,MAAM,GAAG,UAAU;WAc/B,KAAK,CAAC,CAAC,SAAS,MAAM,GAAG,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;CAkC5E"}

package/dist/classes/JwsKit.js

@@ -3,20 +3,27 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.JwsKit = void 0;
 const b64_1 = require("@lindorm/b64");
 const is_1 = require("@lindorm/is");
-const crypto_1 = require("crypto");
-const private_1 = require("../constants/private");
+const format_1 = require("#internal/constants/format");
 const errors_1 = require("../errors");
-const private_2 = require("../utils/private");
+const compute_typ_header_1 = require("#internal/utils/compute-typ-header");
+const jose_header_1 = require("#internal/utils/jose-header");
+const jose_signature_1 = require("#internal/utils/jose-signature");
+const token_header_1 = require("#internal/utils/token-header");
+const resolve_cert_binding_1 = require("#internal/utils/resolve-cert-binding");
+const verify_cert_binding_1 = require("#internal/utils/verify-cert-binding");
+const validate_crit_1 = require("#internal/utils/validate-crit");
 class JwsKit {
+    certBindingMode;
     logger;
     kryptos;
     constructor(options) {
         this.logger = options.logger.child(["JwsKit"]);
         this.kryptos = options.kryptos;
+        this.certBindingMode = options.certBindingMode ?? "strict";
     }
     sign(data, options = {}) {
         this.logger.debug("Signing token", { options });
-        const objectId = options.objectId ?? (0, crypto_1.randomUUID)();
+        const objectId = options.objectId;
         const headerOptions = {
             ...(options.header ?? {}),
             algorithm: this.kryptos.algorithm,
@@ -25,14 +32,15 @@ class JwsKit {
                 : (0, is_1.isString)(data)
                     ? "text/plain; charset=utf-8"
                     : "application/octet-stream",
-            headerType: "JWS",
+            headerType: (0, compute_typ_header_1.computeTypHeader)(options.tokenType, "jws"),
             jwksUri: this.kryptos.jwksUri ?? undefined,
             keyId: this.kryptos.id,
             objectId,
         };
-        const header = (0, private_2.encodeJoseHeader)(headerOptions);
-        const payload = (0, is_1.isBuffer)(data) ? data.toString(private_1.B64U) : b64_1.B64.encode(data, private_1.B64U);
-        const signature = (0, private_2.createJoseSignature)({
+        const cert = (0, resolve_cert_binding_1.resolveCertBinding)(this.kryptos, options.bindCertificate);
+        const header = (0, jose_header_1.encodeJoseHeader)(headerOptions, cert);
+        const payload = (0, is_1.isBuffer)(data) ? data.toString(format_1.B64U) : b64_1.B64.encode(data, format_1.B64U);
+        const signature = (0, jose_signature_1.createJoseSignature)({
             header,
             payload,
             kryptos: this.kryptos,
@@ -55,21 +63,45 @@ class JwsKit {
                 debug: { expected: this.kryptos.algorithm },
             });
         }
-        const verified = (0, private_2.verifyJoseSignature)(this.kryptos, token);
+        const verified = (0, jose_signature_1.verifyJoseSignature)(this.kryptos, token);
         if (!verified) {
             throw new errors_1.JwsError("Invalid token", {
                 data: { verified, token: token },
             });
         }
+        (0, verify_cert_binding_1.verifyCertBinding)({
+            header: {
+                x5tS256: parsed.header.x5tS256,
+            },
+            kryptos: this.kryptos,
+            logger: this.logger,
+            mode: this.certBindingMode,
+        });
         this.logger.debug("Token verified");
         return parsed;
     }
     static isJws(jws) {
-        return (0, is_1.isJws)(jws);
+        if (typeof jws !== "string")
+            return false;
+        const parts = jws.split(".");
+        if (parts.length !== 3)
+            return false;
+        try {
+            const header = (0, jose_header_1.decodeJoseHeader)(parts[0]);
+            if (typeof header.alg !== "string")
+                return false;
+            const typ = header.typ;
+            return (typ === "JWS" ||
+                typ === "JOSE" ||
+                (typeof typ === "string" && typ.endsWith("+jws")));
+        }
+        catch {
+            return false;
+        }
     }
     static decode(jws) {
         const [header, payload, signature] = jws.split(".");
-        const decodedHeader = (0, private_2.decodeJoseHeader)(header);
+        const decodedHeader = (0, jose_header_1.decodeJoseHeader)(header);
         return {
             header: decodedHeader,
             payload: decodedHeader.cty === "text/plain; charset=utf-8"
@@ -80,18 +112,28 @@ class JwsKit {
     }
     static parse(token) {
         const decoded = JwsKit.decode(token);
-        if (decoded.header.typ !== undefined &&
-            decoded.header.typ !== "JWS" &&
-            decoded.header.typ !== "JOSE") {
+        const typ = decoded.header.typ;
+        if (typ !== undefined &&
+            typ !== "JWS" &&
+            typ !== "JOSE" &&
+            !(typeof typ === "string" && typ.endsWith("+jws"))) {
             throw new errors_1.JwsError("Invalid token", {
-                data: { typ: decoded.header.typ },
-                details: "Header type must be JWS, JOSE, or undefined",
+                data: { typ },
+                details: "Header type must be JWS, JOSE, <type>+jws, or undefined",
+            });
+        }
+        const critError = (0, validate_crit_1.validateCrit)(decoded.header);
+        if (critError) {
+            throw new errors_1.JwsError(`Invalid crit header: ${critError}`, {
+                data: { crit: decoded.header.crit },
             });
         }
-        const header = (0, private_2.parseTokenHeader)(decoded.header);
+        const header = (0, token_header_1.parseTokenHeader)(decoded.header);
+        header.tokenType = (0, compute_typ_header_1.decodeTokenTypeFromTyp)(typ, "jws");
+        header.baseFormat = "JWS";
         const payload = header.contentType === "text/plain; charset=utf-8"
             ? decoded.payload
-            : b64_1.B64.toBuffer(decoded.payload, private_1.B64U);
+            : b64_1.B64.toBuffer(decoded.payload, format_1.B64U);
         return { decoded, header, payload, token };
     }
 }

package/dist/classes/JwsKit.js.map

@@ -1 +1 @@
-{"version":3,"file":"JwsKit.js","sourceRoot":"","sources":["../../src/classes/JwsKit.ts"],"names":[],"mappings":";;;AAAA,sCAAmC;AACnC,oCAAwD;AAGxD,mCAAoC;AACpC,kDAA4C;AAC5C,sCAAqC;AAWrC,8CAM0B;AAE1B,MAAa,MAAM;IACA,MAAM,CAAU;IAChB,OAAO,CAAW;IAEnC,YAAmB,OAAsB;QACvC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACjC,CAAC;IAEM,IAAI,CACT,IAAO,EACP,UAA0B,EAAE;QAE5B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAEhD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,IAAA,mBAAU,GAAE,CAAC;QAElD,MAAM,aAAa,GAAuB;YACxC,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;YACzB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACjC,WAAW,EAAE,OAAO,CAAC,WAAW;gBAC9B,CAAC,CAAC,OAAO,CAAC,WAAW;gBACrB,CAAC,CAAC,IAAA,aAAQ,EAAC,IAAI,CAAC;oBACd,CAAC,CAAC,2BAA2B;oBAC7B,CAAC,CAAC,0BAA0B;YAChC,UAAU,EAAE,KAAK;YACjB,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,SAAS;YAC1C,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE;YACtB,QAAQ;SACT,CAAC;QAEF,MAAM,MAAM,GAAG,IAAA,0BAAgB,EAAC,aAAa,CAAC,CAAC;QAE/C,MAAM,OAAO,GAAG,IAAA,aAAQ,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,cAAI,CAAC,CAAC,CAAC,CAAC,SAAG,CAAC,MAAM,CAAC,IAAI,EAAE,cAAI,CAAC,CAAC;QAE9E,MAAM,SAAS,GAAG,IAAA,6BAAmB,EAAC;YACpC,MAAM;YACN,OAAO;YACP,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,GAAG,MAAM,IAAI,OAAO,IAAI,SAAS,EAAE,CAAC;QAElD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAE7C,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;IAEM,MAAM,CAA4B,KAAa;QACpD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAEhD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAI,KAAK,CAAC,CAAC;QAGtC,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;YACnC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC3C,MAAM,IAAI,iBAAQ,CAAC,0CAA0C,KAAK,EAAE,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,KAAK,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACvD,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE;gBAC5C,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE;aAC5C,CAAC,CAAC;QACL,CAAC;QAED,MAAM,QAAQ,GAAG,IAAA,6BAAmB,EAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAE1D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE;aACjC,CAAC,CAAC;QACL,CAAC;QAED,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEpC,OAAO,MAAM,CAAC;IAChB,CAAC;IAIM,MAAM,CAAC,KAAK,CAAC,GAAW;QAC7B,OAAO,IAAA,UAAK,EAAC,GAAG,CAAC,CAAC;IACpB,CAAC;IAEM,MAAM,CAAC,MAAM,CAAC,GAAW;QAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpD,MAAM,aAAa,GAAG,IAAA,0BAAgB,EAAC,MAAM,CAAC,CAAC;QAE/C,OAAO;YACL,MAAM,EAAE,aAAa;YACrB,OAAO,EACL,aAAa,CAAC,GAAG,KAAK,2BAA2B;gBAC/C,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC;gBACvB,CAAC,CAAC,OAAO;YACb,SAAS;SACV,CAAC;IACJ,CAAC;IAEM,MAAM,CAAC,KAAK,CAA4B,KAAa;QAC1D,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAErC,IACE,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,SAAS;YAChC,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,KAAK;YAC5B,OAAO,CAAC,MAAM,CAAC,GAAG,KAAK,MAAM,EAC7B,CAAC;YACD,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,GAAG,EAAE,OAAO,CAAC,MAAM,CAAC,GAAG,EAAE;gBACjC,OAAO,EAAE,6CAA6C;aACvD,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,IAAA,0BAAgB,EAAkB,OAAO,CAAC,MAAM,CAAC,CAAC;QAEjE,MAAM,OAAO,GACX,MAAM,CAAC,WAAW,KAAK,2BAA2B;YAChD,CAAC,CAAE,OAAO,CAAC,OAAa;YACxB,CAAC,CAAE,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,cAAI,CAAO,CAAC;QAEjD,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC7C,CAAC;CACF;AA3HD,wBA2HC"}
+{"version":3,"file":"JwsKit.js","sourceRoot":"","sources":["../../src/classes/JwsKit.ts"],"names":[],"mappings":";;;AAAA,sCAAmC;AACnC,oCAAiD;AAGjD,uDAAkD;AAClD,sCAAqC;AAYrC,2EAG4C;AAC5C,6DAAiF;AACjF,mEAA0F;AAC1F,+DAAgE;AAChE,+EAA0E;AAC1E,6EAAwE;AACxE,iEAA6D;AAE7D,MAAa,MAAM;IACA,eAAe,CAAkB;IACjC,MAAM,CAAU;IAChB,OAAO,CAAW;IAEnC,YAAmB,OAAsB;QACvC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;QAC/C,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;QAC/B,IAAI,CAAC,eAAe,GAAG,OAAO,CAAC,eAAe,IAAI,QAAQ,CAAC;IAC7D,CAAC;IAEM,IAAI,CACT,IAAO,EACP,UAA0B,EAAE;QAE5B,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,EAAE,EAAE,OAAO,EAAE,CAAC,CAAC;QAEhD,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC;QAElC,MAAM,aAAa,GAAuB;YACxC,GAAG,CAAC,OAAO,CAAC,MAAM,IAAI,EAAE,CAAC;YACzB,SAAS,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS;YACjC,WAAW,EAAE,OAAO,CAAC,WAAW;gBAC9B,CAAC,CAAC,OAAO,CAAC,WAAW;gBACrB,CAAC,CAAC,IAAA,aAAQ,EAAC,IAAI,CAAC;oBACd,CAAC,CAAC,2BAA2B;oBAC7B,CAAC,CAAC,0BAA0B;YAChC,UAAU,EAAE,IAAA,qCAAgB,EAAC,OAAO,CAAC,SAAS,EAAE,KAAK,CAAC;YACtD,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,OAAO,IAAI,SAAS;YAC1C,KAAK,EAAE,IAAI,CAAC,OAAO,CAAC,EAAE;YACtB,QAAQ;SACT,CAAC;QAEF,MAAM,IAAI,GAAG,IAAA,yCAAkB,EAAC,IAAI,CAAC,OAAO,EAAE,OAAO,CAAC,eAAe,CAAC,CAAC;QAEvE,MAAM,MAAM,GAAG,IAAA,8BAAgB,EAAC,aAAa,EAAE,IAAI,CAAC,CAAC;QAErD,MAAM,OAAO,GAAG,IAAA,aAAQ,EAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,aAAI,CAAC,CAAC,CAAC,CAAC,SAAG,CAAC,MAAM,CAAC,IAAI,EAAE,aAAI,CAAC,CAAC;QAE9E,MAAM,SAAS,GAAG,IAAA,oCAAmB,EAAC;YACpC,MAAM;YACN,OAAO;YACP,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAC;QAEH,MAAM,KAAK,GAAG,GAAG,MAAM,IAAI,OAAO,IAAI,SAAS,EAAE,CAAC;QAElD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,cAAc,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAE7C,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;IAC7B,CAAC;IAEM,MAAM,CAA4B,KAAa;QACpD,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC;QAEhD,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAI,KAAK,CAAC,CAAC;QAGtC,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,CAAC;YACnC,KAAK,MAAM,KAAK,IAAI,MAAM,CAAC,MAAM,CAAC,QAAQ,EAAE,CAAC;gBAC3C,MAAM,IAAI,iBAAQ,CAAC,0CAA0C,KAAK,EAAE,CAAC,CAAC;YACxE,CAAC;QACH,CAAC;QAED,IAAI,IAAI,CAAC,OAAO,CAAC,SAAS,KAAK,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;YACvD,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,SAAS,EAAE,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE;gBAC5C,KAAK,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,SAAS,EAAE;aAC5C,CAAC,CAAC;QACL,CAAC;QAED,MAAM,QAAQ,GAAG,IAAA,oCAAmB,EAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;QAE1D,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,KAAK,EAAE;aACjC,CAAC,CAAC;QACL,CAAC;QAMD,IAAA,uCAAiB,EAAC;YAChB,MAAM,EAAE;gBACN,OAAO,EAAE,MAAM,CAAC,MAAM,CAAC,OAAO;aAC/B;YACD,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,eAAe;SAC3B,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,gBAAgB,CAAC,CAAC;QAEpC,OAAO,MAAM,CAAC;IAChB,CAAC;IAIM,MAAM,CAAC,KAAK,CAAC,GAAW;QAC7B,IAAI,OAAO,GAAG,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAC1C,MAAM,KAAK,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAC7B,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;YAAE,OAAO,KAAK,CAAC;QACrC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAA,8BAAgB,EAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;YAC1C,IAAI,OAAO,MAAM,CAAC,GAAG,KAAK,QAAQ;gBAAE,OAAO,KAAK,CAAC;YACjD,MAAM,GAAG,GAAG,MAAM,CAAC,GAAG,CAAC;YACvB,OAAO,CACL,GAAG,KAAK,KAAK;gBACb,GAAG,KAAK,MAAM;gBACd,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAClD,CAAC;QACJ,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAEM,MAAM,CAAC,MAAM,CAAC,GAAW;QAC9B,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,SAAS,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpD,MAAM,aAAa,GAAG,IAAA,8BAAgB,EAAC,MAAM,CAAC,CAAC;QAE/C,OAAO;YACL,MAAM,EAAE,aAAa;YACrB,OAAO,EACL,aAAa,CAAC,GAAG,KAAK,2BAA2B;gBAC/C,CAAC,CAAC,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC;gBACvB,CAAC,CAAC,OAAO;YACb,SAAS;SACV,CAAC;IACJ,CAAC;IAEM,MAAM,CAAC,KAAK,CAA4B,KAAa;QAC1D,MAAM,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QAErC,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,CAAC;QAC/B,IACE,GAAG,KAAK,SAAS;YACjB,GAAG,KAAK,KAAK;YACb,GAAG,KAAK,MAAM;YACd,CAAC,CAAC,OAAO,GAAG,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,EAClD,CAAC;YACD,MAAM,IAAI,iBAAQ,CAAC,eAAe,EAAE;gBAClC,IAAI,EAAE,EAAE,GAAG,EAAE;gBACb,OAAO,EAAE,yDAAyD;aACnE,CAAC,CAAC;QACL,CAAC;QAED,MAAM,SAAS,GAAG,IAAA,4BAAY,EAAC,OAAO,CAAC,MAAM,CAAC,CAAC;QAC/C,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,IAAI,iBAAQ,CAAC,wBAAwB,SAAS,EAAE,EAAE;gBACtD,IAAI,EAAE,EAAE,IAAI,EAAE,OAAO,CAAC,MAAM,CAAC,IAAI,EAAE;aACpC,CAAC,CAAC;QACL,CAAC;QAED,MAAM,MAAM,GAAG,IAAA,+BAAgB,EAAkB,OAAO,CAAC,MAAM,CAAC,CAAC;QACjE,MAAM,CAAC,SAAS,GAAG,IAAA,2CAAsB,EAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACtD,MAAM,CAAC,UAAU,GAAG,KAAK,CAAC;QAE1B,MAAM,OAAO,GACX,MAAM,CAAC,WAAW,KAAK,2BAA2B;YAChD,CAAC,CAAE,OAAO,CAAC,OAAa;YACxB,CAAC,CAAE,SAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,EAAE,aAAI,CAAO,CAAC;QAEjD,OAAO,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC;IAC7C,CAAC;CACF;AArKD,wBAqKC"}

package/dist/classes/JwtKit.d.ts

@@ -2,7 +2,9 @@ import { Dict } from "@lindorm/types";
 import { IJwtKit } from "../interfaces";
 import { DecodedJwt, JwtKitOptions, ParsedJwt, ParsedJwtPayload, SignJwtContent, SignJwtOptions, SignedJwt, ValidateJwtOptions, VerifyJwtOptions } from "../types";
 export declare class JwtKit implements IJwtKit {
+    private readonly certBindingMode;
     private readonly clockTolerance;
+    private readonly dpopMaxSkew;
     private readonly issuer;
     private readonly logger;
     private readonly kryptos;

package/dist/classes/JwtKit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"JwtKit.d.ts","sourceRoot":"","sources":["../../src/classes/JwtKit.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAGtC,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EACL,UAAU,EACV,aAAa,EACb,SAAS,EAET,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,SAAS,EAET,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,UAAU,CAAC;AAelB,qBAAa,MAAO,YAAW,OAAO;IACpC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAW;gBAEhB,OAAO,EAAE,aAAa;IAQlC,IAAI,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EAC/B,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,EAC1B,OAAO,GAAE,cAAmB,GAC3B,SAAS;IAwCL,MAAM,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EACjC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAAqB,GAC5B,SAAS,CAAC,CAAC,CAAC;WA0DD,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAI3B,MAAM,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EAAE,GAAG,EAAE,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC;WAUzD,KAAK,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EAAE,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;WAwBzD,QAAQ,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EAC1C,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,EAC5B,OAAO,EAAE,kBAAkB,GAC1B,IAAI;CAKR"}
+{"version":3,"file":"JwtKit.d.ts","sourceRoot":"","sources":["../../src/classes/JwtKit.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,IAAI,EAAE,MAAM,gBAAgB,CAAC;AAUtC,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,EAEL,UAAU,EACV,aAAa,EACb,SAAS,EAET,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,SAAS,EAET,kBAAkB,EAClB,gBAAgB,EACjB,MAAM,UAAU,CAAC;AAiBlB,qBAAa,MAAO,YAAW,OAAO;IACpC,OAAO,CAAC,QAAQ,CAAC,eAAe,CAAkB;IAClD,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAS;IACxC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;IACrC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAgB;IACvC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAU;IACjC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAW;gBAEhB,OAAO,EAAE,aAAa;IAUlC,IAAI,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EAC/B,OAAO,EAAE,cAAc,CAAC,CAAC,CAAC,EAC1B,OAAO,GAAE,cAAmB,GAC3B,SAAS;IA0CL,MAAM,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EACjC,KAAK,EAAE,MAAM,EACb,MAAM,GAAE,gBAAqB,GAC5B,SAAS,CAAC,CAAC,CAAC;WA0GD,KAAK,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO;WAc3B,MAAM,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EAAE,GAAG,EAAE,MAAM,GAAG,UAAU,CAAC,CAAC,CAAC;WAUzD,KAAK,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EAAE,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC;WAoCzD,QAAQ,CAAC,CAAC,SAAS,IAAI,GAAG,IAAI,EAC1C,OAAO,EAAE,gBAAgB,CAAC,CAAC,CAAC,EAC5B,OAAO,EAAE,kBAAkB,GAC1B,IAAI;CAKR"}

package/dist/classes/JwtKit.js

@@ -1,12 +1,26 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.JwtKit = void 0;
-const is_1 = require("@lindorm/is");
-const crypto_1 = require("crypto");
 const errors_1 = require("../errors");
-const private_1 = require("../utils/private");
+const compute_typ_header_1 = require("#internal/utils/compute-typ-header");
+const extract_token_delegation_1 = require("#internal/utils/extract-token-delegation");
+const validate_actor_1 = require("#internal/utils/validate-actor");
+const validate_crit_1 = require("#internal/utils/validate-crit");
+const verify_dpop_proof_1 = require("#internal/utils/verify-dpop-proof");
+const jose_header_1 = require("#internal/utils/jose-header");
+const jose_signature_1 = require("#internal/utils/jose-signature");
+const jwt_validate_1 = require("#internal/utils/jwt-validate");
+const jwt_payload_1 = require("#internal/utils/jwt-payload");
+const jwt_verify_1 = require("#internal/utils/jwt-verify");
+const token_header_1 = require("#internal/utils/token-header");
+const resolve_cert_binding_1 = require("#internal/utils/resolve-cert-binding");
+const verify_cert_binding_1 = require("#internal/utils/verify-cert-binding");
+const validate_1 = require("#internal/utils/validate");
+const DEFAULT_DPOP_MAX_SKEW = 60;
 class JwtKit {
+    certBindingMode;
     clockTolerance;
+    dpopMaxSkew;
     issuer;
     logger;
     kryptos;
@@ -14,26 +28,29 @@ class JwtKit {
         this.logger = options.logger.child(["JwtKit"]);
         this.kryptos = options.kryptos;
         this.issuer = options.issuer ?? null;
+        this.certBindingMode = options.certBindingMode ?? "strict";
         this.clockTolerance = options.clockTolerance ?? 0;
+        this.dpopMaxSkew = options.dpopMaxSkew ?? DEFAULT_DPOP_MAX_SKEW;
     }
     sign(content, options = {}) {
         this.logger.debug("Signing token", { content, options });
         if (!this.issuer) {
             throw new errors_1.JwtError("Issuer is required to sign JWT");
         }
-        const objectId = options.objectId ?? content.subject ?? (0, crypto_1.randomUUID)();
+        const objectId = options.objectId;
         const headerOptions = {
             ...(options.header ?? {}),
             algorithm: this.kryptos.algorithm,
             contentType: "application/json",
-            headerType: "JWT",
+            headerType: (0, compute_typ_header_1.computeTypHeader)(content.tokenType, "jwt"),
             jwksUri: this.kryptos.jwksUri ?? undefined,
             keyId: this.kryptos.id,
             objectId,
         };
-        const header = (0, private_1.encodeJoseHeader)(headerOptions);
-        const { expiresAt, expiresIn, expiresOn, payload, tokenId } = (0, private_1.encodeJwtPayload)({ algorithm: this.kryptos.algorithm, issuer: this.issuer }, content, options);
-        const signature = (0, private_1.createJoseSignature)({
+        const cert = (0, resolve_cert_binding_1.resolveCertBinding)(this.kryptos, options.bindCertificate);
+        const header = (0, jose_header_1.encodeJoseHeader)(headerOptions, cert);
+        const { expiresAt, expiresIn, expiresOn, payload, tokenId } = (0, jwt_payload_1.encodeJwtPayload)({ algorithm: this.kryptos.algorithm, issuer: this.issuer }, content, options);
+        const signature = (0, jose_signature_1.createJoseSignature)({
             header,
             payload,
             kryptos: this.kryptos,
@@ -56,13 +73,30 @@ class JwtKit {
                 debug: { expected: this.kryptos.algorithm },
             });
         }
-        const verified = (0, private_1.verifyJoseSignature)(this.kryptos, token);
+        if (verify.tokenType !== undefined) {
+            const expectedTyp = (0, compute_typ_header_1.computeTypHeader)(verify.tokenType, "jwt");
+            if (parsed.decoded.header.typ !== expectedTyp) {
+                throw new errors_1.JwtError("Invalid token", {
+                    data: { typ: parsed.decoded.header.typ },
+                    debug: { expected: expectedTyp },
+                });
+            }
+        }
+        const verified = (0, jose_signature_1.verifyJoseSignature)(this.kryptos, token);
         if (!verified) {
             throw new errors_1.JwtError("Invalid token", {
                 data: { verified, token: token },
             });
         }
-        const predicate = (0, private_1.createJwtVerify)(this.kryptos.algorithm, verify, this.clockTolerance);
+        (0, verify_cert_binding_1.verifyCertBinding)({
+            header: {
+                x5tS256: parsed.header.x5tS256,
+            },
+            kryptos: this.kryptos,
+            logger: this.logger,
+            mode: this.certBindingMode,
+        });
+        const predicate = (0, jwt_verify_1.createJwtVerify)(this.kryptos.algorithm, verify, this.clockTolerance);
         const { decoded: { payload }, } = parsed;
         const withDates = {
             ...payload,
@@ -72,31 +106,73 @@ class JwtKit {
             auth_time: payload.auth_time ? new Date(payload.auth_time * 1000) : undefined,
         };
         try {
-            (0, private_1.validate)(withDates, predicate);
+            (0, validate_1.validate)(withDates, predicate);
         }
         catch (err) {
             throw new errors_1.JwtError("Invalid token", { data: err.data });
         }
+        const actorError = (0, validate_actor_1.validateActor)(parsed.delegation, verify.actor);
+        if (actorError) {
+            throw new errors_1.JwtError(actorError);
+        }
+        const boundThumbprint = parsed.payload.confirmation?.thumbprint;
+        if (verify.dpopProof !== undefined) {
+            if (!boundThumbprint) {
+                throw new errors_1.JwtError("Invalid token: DPoP proof provided but token is not bound", {
+                    debug: { confirmation: parsed.payload.confirmation },
+                });
+            }
+            parsed.dpop = (0, verify_dpop_proof_1.verifyDpopProof)({
+                proof: verify.dpopProof,
+                accessToken: token,
+                expectedThumbprint: boundThumbprint,
+                dpopMaxSkew: this.dpopMaxSkew,
+            });
+        }
+        else if (boundThumbprint && !verify.trustBoundThumbprint) {
+            throw new errors_1.JwtError("Invalid token: token is DPoP-bound but no DPoP proof was provided");
+        }
         this.logger.debug("Token verified");
         return parsed;
     }
     static isJwt(jwt) {
-        return (0, is_1.isJwt)(jwt);
+        if (typeof jwt !== "string")
+            return false;
+        const parts = jwt.split(".");
+        if (parts.length !== 3)
+            return false;
+        try {
+            const header = (0, jose_header_1.decodeJoseHeader)(parts[0]);
+            if (typeof header.alg !== "string")
+                return false;
+            const typ = header.typ;
+            return typ === "JWT" || (typeof typ === "string" && typ.endsWith("+jwt"));
+        }
+        catch {
+            return false;
+        }
     }
     static decode(jwt) {
         const [header, payload, signature] = jwt.split(".");
         return {
-            header: (0, private_1.decodeJoseHeader)(header),
-            payload: (0, private_1.decodeJwtPayload)(payload),
+            header: (0, jose_header_1.decodeJoseHeader)(header),
+            payload: (0, jwt_payload_1.decodeJwtPayload)(payload),
             signature,
         };
     }
     static parse(token) {
         const decoded = JwtKit.decode(token);
-        if (decoded.header.typ !== "JWT") {
+        const typ = decoded.header.typ;
+        if (typ !== "JWT" && !(typeof typ === "string" && typ.endsWith("+jwt"))) {
             throw new errors_1.JwtError("Invalid token", {
-                data: { typ: decoded.header.typ },
-                details: "Header type must be JWT",
+                data: { typ },
+                details: "Header type must be JWT or <type>+jwt",
+            });
+        }
+        const critError = (0, validate_crit_1.validateCrit)(decoded.header);
+        if (critError) {
+            throw new errors_1.JwtError(`Invalid crit header: ${critError}`, {
+                data: { crit: decoded.header.crit },
             });
         }
         if (!decoded.payload.iss) {
@@ -105,13 +181,16 @@ class JwtKit {
                 details: "Issuer is required to decode JWT",
             });
         }
-        const header = (0, private_1.parseTokenHeader)(decoded.header);
-        const payload = (0, private_1.parseTokenPayload)(decoded.payload);
-        return { decoded, header, payload, token };
+        const header = (0, token_header_1.parseTokenHeader)(decoded.header);
+        header.tokenType = (0, compute_typ_header_1.decodeTokenTypeFromTyp)(typ, "jwt");
+        header.baseFormat = "JWT";
+        const payload = (0, jwt_payload_1.parseTokenPayload)(decoded.payload);
+        const delegation = (0, extract_token_delegation_1.extractTokenDelegation)(decoded.payload);
+        return { decoded, delegation, header, payload, token };
     }
     static validate(payload, options) {
-        const operators = (0, private_1.createJwtValidate)(options);
-        (0, private_1.validate)(payload, operators);
+        const operators = (0, jwt_validate_1.createJwtValidate)(options);
+        (0, validate_1.validate)(payload, operators);
     }
 }
 exports.JwtKit = JwtKit;