@lindorm/rsa 0.2.5 → 0.2.6

package/CHANGELOG.md

@@ -3,6 +3,12 @@
 All notable changes to this project will be documented in this file.
 See [Conventional Commits](https://conventionalcommits.org) for commit guidelines.
 
+## [0.2.6](https://github.com/lindorm-io/monorepo/compare/@lindorm/rsa@0.2.5...@lindorm/rsa@0.2.6) (2026-02-17)
+
+### Bug Fixes
+
+- **ec,oct,okp,rsa:** harden signing kits with validation and security fixes ([910f016](https://github.com/lindorm-io/monorepo/commit/910f01669aefcb4e6eb69c0297291fe2404232f8))
+
 ## [0.2.5](https://github.com/lindorm-io/monorepo/compare/@lindorm/rsa@0.2.4...@lindorm/rsa@0.2.5) (2025-09-18)
 
 **Note:** Version bump only for package @lindorm/rsa

package/README.md

@@ -1,82 +1,79 @@
 # @lindorm/rsa
 
-Lightweight **RSA signing / verification kit** that wraps a `RSxxx` key from
-[`@lindorm/kryptos`](../kryptos).  Provides a convenient `RsaKit` class that fulfils the `IKeyKit`
-contract used by the Lindorm crypto packages.
-
----
+RSA signature kit built on Node's `crypto` module and [`@lindorm/kryptos`](../kryptos). Provides an `RsaKit` class that implements the `IKeyKit` contract used across the Lindorm cryptography packages.
 
 ## Installation
 
 ```bash
 npm install @lindorm/rsa
-# or
-yarn add @lindorm/rsa
-```
-
-Generate or import a key via Kryptos:
-
-```ts
-import { KryptosKit } from '@lindorm/kryptos';
-
-const RS256 = KryptosKit.generate.rsa({ alg: 'RS256', use: 'sig', modulusLength: 2048 });
 ```
 
----
+## Quick Start
 
-## Example
+```typescript
+import { RsaKit } from "@lindorm/rsa";
+import { KryptosKit } from "@lindorm/kryptos";
 
-```ts
-import { RsaKit } from '@lindorm/rsa';
+const kryptos = KryptosKit.generate.sig.rsa({ algorithm: "PS256" });
+const kit = new RsaKit({ kryptos });
 
-const kit = new RsaKit({ kryptos: RS256, encoding: 'base64url' });
+// Sign
+const signature = kit.sign("hello world");
 
-const signature = kit.sign('hello');
+// Verify
+kit.verify("hello world", signature); // true
 
-kit.assert('hello', signature); // throws RsaError if invalid
+// Assert (throws RsaError if invalid)
+kit.assert("hello world", signature);
 
-console.log(kit.format(signature)); // string representation
+// Format Buffer to string
+kit.format(signature); // base64 string
 ```
 
-### DSA encoding
+## Constructor Options
 
-Set `dsa: 'ieee-p1363'` when you need raw concatenated r||s encoding instead of DER:
-
-```ts
-const kit = new RsaKit({ kryptos: RS256, dsa: 'ieee-p1363' });
+```typescript
+new RsaKit({
+  kryptos, // IKryptos — must be an RSA key with a signing algorithm
+  dsa: "der", // DsaEncoding — "der" | "ieee-p1363" (default: "der")
+  encoding: "base64", // BufferEncoding — output encoding (default: "base64")
+});
 ```
 
----
+The constructor validates that the key is an RSA type with a supported signing algorithm (RS256, RS384, RS512, PS256, PS384, PS512). Encryption keys (RSA-OAEP etc.) are rejected with an `RsaError`.
 
 ## API
 
-```ts
+```typescript
 class RsaKit implements IKeyKit {
-  constructor(options: {
-    kryptos: IKryptosRsa;
-    dsa?: DsaEncoding;          // 'der' | 'ieee-p1363' (default 'der')
-    encoding?: BufferEncoding;  // default 'base64'
-  });
-
   sign(data: KeyData): Buffer;
   verify(data: KeyData, signature: KeyData): boolean;
   assert(data: KeyData, signature: KeyData): void; // throws RsaError
-  format(buf: Buffer): string;                      // encode Buffer → string
+  format(data: Buffer): string;
 }
 ```
 
-`KeyData` accepts `Buffer`, `string` or `Uint8Array`.
+`KeyData` is `Buffer | string`.
 
----
+## Supported Algorithms
 
-## TypeScript
+| Algorithm | Padding     | Hash    |
+| --------- | ----------- | ------- |
+| RS256     | PKCS#1 v1.5 | SHA-256 |
+| RS384     | PKCS#1 v1.5 | SHA-384 |
+| RS512     | PKCS#1 v1.5 | SHA-512 |
+| PS256     | PSS         | SHA-256 |
+| PS384     | PSS         | SHA-384 |
+| PS512     | PSS         | SHA-512 |
 
-Written in TS; declaration files included. Runtime dependencies are limited to Node’s `crypto`
-module plus Lindorm utilities.
+## Error Handling
 
----
+All errors are `RsaError` instances:
 
-## License
+```typescript
+import { RsaError } from "@lindorm/rsa";
+```
 
-AGPL-3.0-or-later – see the root [`LICENSE`](../../LICENSE).
+## License
 
+AGPL-3.0-or-later

package/dist/classes/RsaKit.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"RsaKit.d.ts","sourceRoot":"","sources":["../../src/classes/RsaKit.ts"],"names":[],"mappings":"AACA,OAAO,EAAe,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAE/D,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAOzC,qBAAa,MAAO,YAAW,OAAO;IACpC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAc;IAClC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;gBAEnB,OAAO,EAAE,aAAa;IAWlC,IAAI,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM;IAQ3B,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,GAAG,OAAO;IAUlD,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,GAAG,IAAI;IAU/C,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;CAGpC"}
+{"version":3,"file":"RsaKit.d.ts","sourceRoot":"","sources":["../../src/classes/RsaKit.ts"],"names":[],"mappings":"AAMA,OAAO,EAAe,OAAO,EAAE,OAAO,EAAE,MAAM,gBAAgB,CAAC;AAE/D,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AAOzC,qBAAa,MAAO,YAAW,OAAO;IACpC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAc;IAClC,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAiB;IAC1C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAc;gBAEnB,OAAO,EAAE,aAAa;IAiBlC,IAAI,CAAC,IAAI,EAAE,OAAO,GAAG,MAAM;IAQ3B,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,GAAG,OAAO;IAUlD,MAAM,CAAC,IAAI,EAAE,OAAO,EAAE,SAAS,EAAE,OAAO,GAAG,IAAI;IAU/C,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM;CAGpC"}

package/dist/classes/RsaKit.js

@@ -14,6 +14,9 @@ class RsaKit {
         if (!kryptos_1.KryptosKit.isRsa(options.kryptos)) {
             throw new errors_1.RsaError("Invalid Kryptos instance");
         }
+        if (!kryptos_1.RSA_SIG_ALGORITHMS.includes(options.kryptos.algorithm)) {
+            throw new errors_1.RsaError("RsaKit only supports signing algorithms (RS256, RS384, RS512, PS256, PS384, PS512)");
+        }
         this.kryptos = options.kryptos;
     }
     sign(data) {

package/dist/classes/RsaKit.js.map

@@ -1 +1 @@
-{"version":3,"file":"RsaKit.js","sourceRoot":"","sources":["../../src/classes/RsaKit.ts"],"names":[],"mappings":";;;AAAA,8CAA2D;AAE3D,sCAAqC;AAErC,8CAI0B;AAE1B,MAAa,MAAM;IACA,GAAG,CAAc;IACjB,QAAQ,CAAiB;IACzB,OAAO,CAAc;IAEtC,YAAmB,OAAsB;QACvC,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,KAAK,CAAC;QAChC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,QAAQ,CAAC;QAE7C,IAAI,CAAC,oBAAU,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,iBAAQ,CAAC,0BAA0B,CAAC,CAAC;QACjD,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACjC,CAAC;IAEM,IAAI,CAAC,IAAa;QACvB,OAAO,IAAA,4BAAkB,EAAC;YACxB,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,GAAG;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAC;IACL,CAAC;IAEM,MAAM,CAAC,IAAa,EAAE,SAAkB;QAC7C,OAAO,IAAA,4BAAkB,EAAC;YACxB,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,GAAG;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAEM,MAAM,CAAC,IAAa,EAAE,SAAkB;QAC7C,OAAO,IAAA,4BAAkB,EAAC;YACxB,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,GAAG;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAEM,MAAM,CAAC,IAAY;QACxB,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;CACF;AA/CD,wBA+CC"}
+{"version":3,"file":"RsaKit.js","sourceRoot":"","sources":["../../src/classes/RsaKit.ts"],"names":[],"mappings":";;;AAAA,8CAK0B;AAE1B,sCAAqC;AAErC,8CAI0B;AAE1B,MAAa,MAAM;IACA,GAAG,CAAc;IACjB,QAAQ,CAAiB;IACzB,OAAO,CAAc;IAEtC,YAAmB,OAAsB;QACvC,IAAI,CAAC,GAAG,GAAG,OAAO,CAAC,GAAG,IAAI,KAAK,CAAC;QAChC,IAAI,CAAC,QAAQ,GAAG,OAAO,CAAC,QAAQ,IAAI,QAAQ,CAAC;QAE7C,IAAI,CAAC,oBAAU,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YACvC,MAAM,IAAI,iBAAQ,CAAC,0BAA0B,CAAC,CAAC;QACjD,CAAC;QAED,IAAI,CAAC,4BAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,OAAO,CAAC,SAA4B,CAAC,EAAE,CAAC;YAC/E,MAAM,IAAI,iBAAQ,CAChB,oFAAoF,CACrF,CAAC;QACJ,CAAC;QAED,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC;IACjC,CAAC;IAEM,IAAI,CAAC,IAAa;QACvB,OAAO,IAAA,4BAAkB,EAAC;YACxB,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,GAAG;YACrB,OAAO,EAAE,IAAI,CAAC,OAAO;SACtB,CAAC,CAAC;IACL,CAAC;IAEM,MAAM,CAAC,IAAa,EAAE,SAAkB;QAC7C,OAAO,IAAA,4BAAkB,EAAC;YACxB,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,GAAG;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAEM,MAAM,CAAC,IAAa,EAAE,SAAkB;QAC7C,OAAO,IAAA,4BAAkB,EAAC;YACxB,IAAI;YACJ,WAAW,EAAE,IAAI,CAAC,GAAG;YACrB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAEM,MAAM,CAAC,IAAY;QACxB,OAAO,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;CACF;AArDD,wBAqDC"}

package/dist/utils/private/map-algorithm.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"map-algorithm.d.ts","sourceRoot":"","sources":["../../../src/utils/private/map-algorithm.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,kBAAkB,CAAC;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAG9C,eAAO,MAAM,eAAe,GAAI,SAAS,WAAW,KAAG,YAMtD,CAAC"}
+{"version":3,"file":"map-algorithm.d.ts","sourceRoot":"","sources":["../../../src/utils/private/map-algorithm.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAuC,MAAM,kBAAkB,CAAC;AACpF,OAAO,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAY9C,eAAO,MAAM,eAAe,GAAI,SAAS,WAAW,KAAG,YAQtD,CAAC"}

package/dist/utils/private/map-algorithm.js

@@ -1,15 +1,23 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.mapRsaAlgorithm = void 0;
+const kryptos_1 = require("@lindorm/kryptos");
 const errors_1 = require("../../errors");
+const RSA_SIG_ALGORITHM_MAP = {
+    RS256: "SHA256",
+    RS384: "SHA384",
+    RS512: "SHA512",
+    PS256: "SHA256",
+    PS384: "SHA384",
+    PS512: "SHA512",
+};
 const mapRsaAlgorithm = (kryptos) => {
-    if (kryptos.algorithm.endsWith("256"))
-        return "SHA256";
-    if (kryptos.algorithm.endsWith("384"))
-        return "SHA384";
-    if (kryptos.algorithm.endsWith("512"))
-        return "SHA512";
-    throw new errors_1.RsaError("Unsupported RSA algorithm", { debug: { kryptos } });
+    if (!kryptos_1.RSA_SIG_ALGORITHMS.includes(kryptos.algorithm)) {
+        throw new errors_1.RsaError("Unsupported RSA algorithm for signing", {
+            debug: { algorithm: kryptos.algorithm },
+        });
+    }
+    return RSA_SIG_ALGORITHM_MAP[kryptos.algorithm];
 };
 exports.mapRsaAlgorithm = mapRsaAlgorithm;
 //# sourceMappingURL=map-algorithm.js.map

package/dist/utils/private/map-algorithm.js.map

@@ -1 +1 @@
-{"version":3,"file":"map-algorithm.js","sourceRoot":"","sources":["../../../src/utils/private/map-algorithm.ts"],"names":[],"mappings":";;;AAEA,yCAAwC;AAEjC,MAAM,eAAe,GAAG,CAAC,OAAoB,EAAgB,EAAE;IACpE,IAAI,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IACvD,IAAI,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IACvD,IAAI,OAAO,CAAC,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC;QAAE,OAAO,QAAQ,CAAC;IAEvD,MAAM,IAAI,iBAAQ,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAE,EAAE,OAAO,EAAE,EAAE,CAAC,CAAC;AAC1E,CAAC,CAAC;AANW,QAAA,eAAe,mBAM1B"}
+{"version":3,"file":"map-algorithm.js","sourceRoot":"","sources":["../../../src/utils/private/map-algorithm.ts"],"names":[],"mappings":";;;AAAA,8CAAoF;AAEpF,yCAAwC;AAExC,MAAM,qBAAqB,GAA0C;IACnE,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;IACf,KAAK,EAAE,QAAQ;CAChB,CAAC;AAEK,MAAM,eAAe,GAAG,CAAC,OAAoB,EAAgB,EAAE;IACpE,IAAI,CAAC,4BAAkB,CAAC,QAAQ,CAAC,OAAO,CAAC,SAA4B,CAAC,EAAE,CAAC;QACvE,MAAM,IAAI,iBAAQ,CAAC,uCAAuC,EAAE;YAC1D,KAAK,EAAE,EAAE,SAAS,EAAE,OAAO,CAAC,SAAS,EAAE;SACxC,CAAC,CAAC;IACL,CAAC;IAED,OAAO,qBAAqB,CAAC,OAAO,CAAC,SAA4B,CAAC,CAAC;AACrE,CAAC,CAAC;AARW,QAAA,eAAe,mBAQ1B"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lindorm/rsa",
-  "version": "0.2.5",
+  "version": "0.2.6",
   "license": "AGPL-3.0-or-later",
   "author": "Jonn Nilsson",
   "repository": {
@@ -16,25 +16,22 @@
   "scripts": {
     "build": "rimraf dist && tsc -b ./tsconfig.build.json",
     "example": "ts-node example",
-    "integration": "compd --file docker-compose.yml jest --config jest.config.integration.js --watch",
-    "integration:focus": "compd --file docker-compose.yml jest --config jest.config.integration.js --watch $1",
     "prettier": "prettier --write ./src/*",
-    "test": "jest --watch --",
-    "test:ci": "npm run test:unit",
-    "test:integration": "jest --config jest.config.integration.js --",
-    "test:unit": "jest --config jest.config.js --",
-    "typecheck": "tsc --watch",
-    "typecheck:ci": "tsc",
+    "test": "jest --",
+    "test:ci": "jest",
+    "test:watch": "jest --watch --",
+    "typecheck": "tsc",
+    "typecheck:watch": "tsc --watch --",
     "update": "ncu -i",
     "update:auto": "ncu -u"
   },
   "dependencies": {
-    "@lindorm/errors": "^0.1.12",
-    "@lindorm/is": "^0.1.11",
-    "@lindorm/kryptos": "^0.4.5"
+    "@lindorm/errors": "^0.1.13",
+    "@lindorm/is": "^0.1.12",
+    "@lindorm/kryptos": "^0.5.0"
   },
   "devDependencies": {
-    "@lindorm/types": "^0.3.3"
+    "@lindorm/types": "^0.3.4"
   },
-  "gitHead": "3302fa2c4d75f2832959018d9e089d11af4a35fc"
+  "gitHead": "4b8579886ad8a24c22a8bf260dd0bb5dc45afc08"
 }