@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/jose/dist/types/util/base64url.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Base64URL encoding and decoding utilities
+ *
+ * @module
+ */
+/** Decodes a Base64URL encoded input. */
+export declare function decode(input: Uint8Array | string): Uint8Array;
+/** Encodes an input using Base64URL with no padding. */
+export declare function encode(input: Uint8Array | string): string;

package/dist/node_modules/jose/dist/types/util/decode_jwt.d.ts

@@ -0,0 +1,18 @@
+/**
+ * JSON Web Token (JWT) Claims Set Decoding (no validation, no signature checking)
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * Decodes a signed JSON Web Token payload. This does not validate the JWT Claims Set types or
+ * values. This does not validate the JWS Signature. For a proper Signed JWT Claims Set validation
+ * and JWS signature verification use `jose.jwtVerify()`. For an encrypted JWT Claims Set validation
+ * and JWE decryption use `jose.jwtDecrypt()`.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwt/decode'`.
+ *
+ * @param jwt JWT token in compact JWS serialization.
+ */
+export declare function decodeJwt<PayloadType = types.JWTPayload>(jwt: string): PayloadType & types.JWTPayload;

package/dist/node_modules/jose/dist/types/util/decode_protected_header.d.ts

@@ -0,0 +1,17 @@
+/**
+ * JOSE Protected Header Decoding (JWE, JWS, all serialization syntaxes)
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/** JWE and JWS Header Parameters */
+export type ProtectedHeaderParameters = types.JWSHeaderParameters & types.JWEHeaderParameters;
+/**
+ * Decodes the Protected Header of a JWE/JWS/JWT token utilizing any JOSE serialization.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/decode/protected_header'`.
+ *
+ * @param token JWE/JWS/JWT token in any JOSE serialization.
+ */
+export declare function decodeProtectedHeader(token: string | object): ProtectedHeaderParameters;

package/dist/node_modules/jose/dist/types/util/errors.d.ts

@@ -0,0 +1,213 @@
+/**
+ * JOSE module errors and error codes
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * A generic Error that all other JOSE specific Error subclasses extend.
+ *
+ */
+export declare class JOSEError extends Error {
+    /**
+     * A unique error code for the particular error subclass.
+     *
+     * @ignore
+     */
+    static code: string;
+    /** A unique error code for {@link JOSEError}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * An error subclass thrown when a JWT Claim Set member validation fails.
+ *
+ */
+export declare class JWTClaimValidationFailed extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWTClaimValidationFailed}. */
+    code: string;
+    /** The Claim for which the validation failed. */
+    claim: string;
+    /** Reason code for the validation failure. */
+    reason: string;
+    /**
+     * The parsed JWT Claims Set (aka payload). Other JWT claims may or may not have been verified at
+     * this point. The JSON Web Signature (JWS) or a JSON Web Encryption (JWE) structures' integrity
+     * has however been verified. Claims Set verification happens after the JWS Signature or JWE
+     * Decryption processes.
+     */
+    payload: types.JWTPayload;
+    /** @ignore */
+    constructor(message: string, payload: types.JWTPayload, claim?: string, reason?: string);
+}
+/**
+ * An error subclass thrown when a JWT is expired.
+ *
+ */
+export declare class JWTExpired extends JOSEError implements JWTClaimValidationFailed {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWTExpired}. */
+    code: string;
+    /** The Claim for which the validation failed. */
+    claim: string;
+    /** Reason code for the validation failure. */
+    reason: string;
+    /**
+     * The parsed JWT Claims Set (aka payload). Other JWT claims may or may not have been verified at
+     * this point. The JSON Web Signature (JWS) or a JSON Web Encryption (JWE) structures' integrity
+     * has however been verified. Claims Set verification happens after the JWS Signature or JWE
+     * Decryption processes.
+     */
+    payload: types.JWTPayload;
+    /** @ignore */
+    constructor(message: string, payload: types.JWTPayload, claim?: string, reason?: string);
+}
+/**
+ * An error subclass thrown when a JOSE Algorithm is not allowed per developer preference.
+ *
+ */
+export declare class JOSEAlgNotAllowed extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JOSEAlgNotAllowed}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a particular feature or algorithm is not supported by this
+ * implementation or JOSE in general.
+ *
+ */
+export declare class JOSENotSupported extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JOSENotSupported}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWE ciphertext decryption fails.
+ *
+ */
+export declare class JWEDecryptionFailed extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWEDecryptionFailed}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * An error subclass thrown when a JWE is invalid.
+ *
+ */
+export declare class JWEInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWEInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWS is invalid.
+ *
+ */
+export declare class JWSInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWSInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWT is invalid.
+ *
+ */
+export declare class JWTInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWTInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWK is invalid.
+ *
+ */
+export declare class JWKInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWKS is invalid.
+ *
+ */
+export declare class JWKSInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKSInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when no keys match from a JWKS.
+ *
+ */
+export declare class JWKSNoMatchingKey extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKSNoMatchingKey}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * An error subclass thrown when multiple keys match from a JWKS.
+ *
+ */
+export declare class JWKSMultipleMatchingKeys extends JOSEError {
+    /** @ignore */
+    [Symbol.asyncIterator]: () => AsyncIterableIterator<types.CryptoKey>;
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKSMultipleMatchingKeys}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * Timeout was reached when retrieving the JWKS response.
+ *
+ */
+export declare class JWKSTimeout extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKSTimeout}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * An error subclass thrown when JWS signature verification fails.
+ *
+ */
+export declare class JWSSignatureVerificationFailed extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWSSignatureVerificationFailed}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}

package/dist/node_modules/jose/dist/webapi/index.js

@@ -0,0 +1,32 @@
+export { compactDecrypt } from './jwe/compact/decrypt.js';
+export { flattenedDecrypt } from './jwe/flattened/decrypt.js';
+export { generalDecrypt } from './jwe/general/decrypt.js';
+export { GeneralEncrypt } from './jwe/general/encrypt.js';
+export { compactVerify } from './jws/compact/verify.js';
+export { flattenedVerify } from './jws/flattened/verify.js';
+export { generalVerify } from './jws/general/verify.js';
+export { jwtVerify } from './jwt/verify.js';
+export { jwtDecrypt } from './jwt/decrypt.js';
+export { CompactEncrypt } from './jwe/compact/encrypt.js';
+export { FlattenedEncrypt } from './jwe/flattened/encrypt.js';
+export { CompactSign } from './jws/compact/sign.js';
+export { FlattenedSign } from './jws/flattened/sign.js';
+export { GeneralSign } from './jws/general/sign.js';
+export { SignJWT } from './jwt/sign.js';
+export { EncryptJWT } from './jwt/encrypt.js';
+export { calculateJwkThumbprint, calculateJwkThumbprintUri } from './jwk/thumbprint.js';
+export { EmbeddedJWK } from './jwk/embedded.js';
+export { createLocalJWKSet } from './jwks/local.js';
+export { createRemoteJWKSet, jwksCache, customFetch } from './jwks/remote.js';
+export { UnsecuredJWT } from './jwt/unsecured.js';
+export { exportPKCS8, exportSPKI, exportJWK } from './key/export.js';
+export { importSPKI, importPKCS8, importX509, importJWK } from './key/import.js';
+export { decodeProtectedHeader } from './util/decode_protected_header.js';
+export { decodeJwt } from './util/decode_jwt.js';
+import * as errors from './util/errors.js';
+export { errors };
+export { generateKeyPair } from './key/generate_key_pair.js';
+export { generateSecret } from './key/generate_secret.js';
+import * as base64url from './util/base64url.js';
+export { base64url };
+export const cryptoRuntime = 'WebCryptoAPI';

package/dist/node_modules/jose/dist/webapi/jwe/compact/decrypt.js

@@ -0,0 +1,27 @@
+import { flattenedDecrypt } from '../flattened/decrypt.js';
+import { JWEInvalid } from '../../util/errors.js';
+import { decoder } from '../../lib/buffer_utils.js';
+export async function compactDecrypt(jwe, key, options) {
+    if (jwe instanceof Uint8Array) {
+        jwe = decoder.decode(jwe);
+    }
+    if (typeof jwe !== 'string') {
+        throw new JWEInvalid('Compact JWE must be a string or Uint8Array');
+    }
+    const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length, } = jwe.split('.');
+    if (length !== 5) {
+        throw new JWEInvalid('Invalid Compact JWE');
+    }
+    const decrypted = await flattenedDecrypt({
+        ciphertext,
+        iv: iv || undefined,
+        protected: protectedHeader,
+        tag: tag || undefined,
+        encrypted_key: encryptedKey || undefined,
+    }, key, options);
+    const result = { plaintext: decrypted.plaintext, protectedHeader: decrypted.protectedHeader };
+    if (typeof key === 'function') {
+        return { ...result, key: decrypted.key };
+    }
+    return result;
+}

package/dist/node_modules/jose/dist/webapi/jwe/compact/encrypt.js

@@ -0,0 +1,27 @@
+import { FlattenedEncrypt } from '../flattened/encrypt.js';
+export class CompactEncrypt {
+    #flattened;
+    constructor(plaintext) {
+        this.#flattened = new FlattenedEncrypt(plaintext);
+    }
+    setContentEncryptionKey(cek) {
+        this.#flattened.setContentEncryptionKey(cek);
+        return this;
+    }
+    setInitializationVector(iv) {
+        this.#flattened.setInitializationVector(iv);
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        this.#flattened.setProtectedHeader(protectedHeader);
+        return this;
+    }
+    setKeyManagementParameters(parameters) {
+        this.#flattened.setKeyManagementParameters(parameters);
+        return this;
+    }
+    async encrypt(key, options) {
+        const jwe = await this.#flattened.encrypt(key, options);
+        return [jwe.protected, jwe.encrypted_key, jwe.iv, jwe.ciphertext, jwe.tag].join('.');
+    }
+}

package/dist/node_modules/jose/dist/webapi/jwe/flattened/decrypt.js

@@ -0,0 +1,155 @@
+import { decode as b64u } from '../../util/base64url.js';
+import { decrypt } from '../../lib/content_encryption.js';
+import { decodeBase64url } from '../../lib/helpers.js';
+import { JOSEAlgNotAllowed, JOSENotSupported, JWEInvalid } from '../../util/errors.js';
+import { isDisjoint } from '../../lib/type_checks.js';
+import { isObject } from '../../lib/type_checks.js';
+import { decryptKeyManagement } from '../../lib/key_management.js';
+import { decoder, concat, encode } from '../../lib/buffer_utils.js';
+import { generateCek } from '../../lib/content_encryption.js';
+import { validateCrit } from '../../lib/validate_crit.js';
+import { validateAlgorithms } from '../../lib/validate_algorithms.js';
+import { normalizeKey } from '../../lib/normalize_key.js';
+import { checkKeyType } from '../../lib/check_key_type.js';
+import { decompress } from '../../lib/deflate.js';
+export async function flattenedDecrypt(jwe, key, options) {
+    if (!isObject(jwe)) {
+        throw new JWEInvalid('Flattened JWE must be an object');
+    }
+    if (jwe.protected === undefined && jwe.header === undefined && jwe.unprotected === undefined) {
+        throw new JWEInvalid('JOSE Header missing');
+    }
+    if (jwe.iv !== undefined && typeof jwe.iv !== 'string') {
+        throw new JWEInvalid('JWE Initialization Vector incorrect type');
+    }
+    if (typeof jwe.ciphertext !== 'string') {
+        throw new JWEInvalid('JWE Ciphertext missing or incorrect type');
+    }
+    if (jwe.tag !== undefined && typeof jwe.tag !== 'string') {
+        throw new JWEInvalid('JWE Authentication Tag incorrect type');
+    }
+    if (jwe.protected !== undefined && typeof jwe.protected !== 'string') {
+        throw new JWEInvalid('JWE Protected Header incorrect type');
+    }
+    if (jwe.encrypted_key !== undefined && typeof jwe.encrypted_key !== 'string') {
+        throw new JWEInvalid('JWE Encrypted Key incorrect type');
+    }
+    if (jwe.aad !== undefined && typeof jwe.aad !== 'string') {
+        throw new JWEInvalid('JWE AAD incorrect type');
+    }
+    if (jwe.header !== undefined && !isObject(jwe.header)) {
+        throw new JWEInvalid('JWE Shared Unprotected Header incorrect type');
+    }
+    if (jwe.unprotected !== undefined && !isObject(jwe.unprotected)) {
+        throw new JWEInvalid('JWE Per-Recipient Unprotected Header incorrect type');
+    }
+    let parsedProt;
+    if (jwe.protected) {
+        try {
+            const protectedHeader = b64u(jwe.protected);
+            parsedProt = JSON.parse(decoder.decode(protectedHeader));
+        }
+        catch {
+            throw new JWEInvalid('JWE Protected Header is invalid');
+        }
+    }
+    if (!isDisjoint(parsedProt, jwe.header, jwe.unprotected)) {
+        throw new JWEInvalid('JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint');
+    }
+    const joseHeader = {
+        ...parsedProt,
+        ...jwe.header,
+        ...jwe.unprotected,
+    };
+    validateCrit(JWEInvalid, new Map(), options?.crit, parsedProt, joseHeader);
+    if (joseHeader.zip !== undefined && joseHeader.zip !== 'DEF') {
+        throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+    }
+    if (joseHeader.zip !== undefined && !parsedProt?.zip) {
+        throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
+    }
+    const { alg, enc } = joseHeader;
+    if (typeof alg !== 'string' || !alg) {
+        throw new JWEInvalid('missing JWE Algorithm (alg) in JWE Header');
+    }
+    if (typeof enc !== 'string' || !enc) {
+        throw new JWEInvalid('missing JWE Encryption Algorithm (enc) in JWE Header');
+    }
+    const keyManagementAlgorithms = options && validateAlgorithms('keyManagementAlgorithms', options.keyManagementAlgorithms);
+    const contentEncryptionAlgorithms = options &&
+        validateAlgorithms('contentEncryptionAlgorithms', options.contentEncryptionAlgorithms);
+    if ((keyManagementAlgorithms && !keyManagementAlgorithms.has(alg)) ||
+        (!keyManagementAlgorithms && alg.startsWith('PBES2'))) {
+        throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
+    }
+    if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) {
+        throw new JOSEAlgNotAllowed('"enc" (Encryption Algorithm) Header Parameter value not allowed');
+    }
+    let encryptedKey;
+    if (jwe.encrypted_key !== undefined) {
+        encryptedKey = decodeBase64url(jwe.encrypted_key, 'encrypted_key', JWEInvalid);
+    }
+    let resolvedKey = false;
+    if (typeof key === 'function') {
+        key = await key(parsedProt, jwe);
+        resolvedKey = true;
+    }
+    checkKeyType(alg === 'dir' ? enc : alg, key, 'decrypt');
+    const k = await normalizeKey(key, alg);
+    let cek;
+    try {
+        cek = await decryptKeyManagement(alg, k, encryptedKey, joseHeader, options);
+    }
+    catch (err) {
+        if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
+            throw err;
+        }
+        cek = generateCek(enc);
+    }
+    let iv;
+    let tag;
+    if (jwe.iv !== undefined) {
+        iv = decodeBase64url(jwe.iv, 'iv', JWEInvalid);
+    }
+    if (jwe.tag !== undefined) {
+        tag = decodeBase64url(jwe.tag, 'tag', JWEInvalid);
+    }
+    const protectedHeader = jwe.protected !== undefined ? encode(jwe.protected) : new Uint8Array();
+    let additionalData;
+    if (jwe.aad !== undefined) {
+        additionalData = concat(protectedHeader, encode('.'), encode(jwe.aad));
+    }
+    else {
+        additionalData = protectedHeader;
+    }
+    const ciphertext = decodeBase64url(jwe.ciphertext, 'ciphertext', JWEInvalid);
+    const plaintext = await decrypt(enc, cek, ciphertext, iv, tag, additionalData);
+    const result = { plaintext };
+    if (joseHeader.zip === 'DEF') {
+        const maxDecompressedLength = options?.maxDecompressedLength ?? 250_000;
+        if (maxDecompressedLength === 0) {
+            throw new JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
+        }
+        if (maxDecompressedLength !== Infinity &&
+            (!Number.isSafeInteger(maxDecompressedLength) || maxDecompressedLength < 1)) {
+            throw new TypeError('maxDecompressedLength must be 0, a positive safe integer, or Infinity');
+        }
+        result.plaintext = await decompress(plaintext, maxDecompressedLength);
+    }
+    if (jwe.protected !== undefined) {
+        result.protectedHeader = parsedProt;
+    }
+    if (jwe.aad !== undefined) {
+        result.additionalAuthenticatedData = decodeBase64url(jwe.aad, 'aad', JWEInvalid);
+    }
+    if (jwe.unprotected !== undefined) {
+        result.sharedUnprotectedHeader = jwe.unprotected;
+    }
+    if (jwe.header !== undefined) {
+        result.unprotectedHeader = jwe.header;
+    }
+    if (resolvedKey) {
+        return { ...result, key: k };
+    }
+    return result;
+}

package/dist/node_modules/jose/dist/webapi/jwe/flattened/encrypt.js

@@ -0,0 +1,165 @@
+import { encode as b64u } from '../../util/base64url.js';
+import { unprotected, assertNotSet } from '../../lib/helpers.js';
+import { encrypt } from '../../lib/content_encryption.js';
+import { encryptKeyManagement } from '../../lib/key_management.js';
+import { JOSENotSupported, JWEInvalid } from '../../util/errors.js';
+import { isDisjoint } from '../../lib/type_checks.js';
+import { concat, encode } from '../../lib/buffer_utils.js';
+import { validateCrit } from '../../lib/validate_crit.js';
+import { normalizeKey } from '../../lib/normalize_key.js';
+import { checkKeyType } from '../../lib/check_key_type.js';
+import { compress } from '../../lib/deflate.js';
+export class FlattenedEncrypt {
+    #plaintext;
+    #protectedHeader;
+    #sharedUnprotectedHeader;
+    #unprotectedHeader;
+    #aad;
+    #cek;
+    #iv;
+    #keyManagementParameters;
+    constructor(plaintext) {
+        if (!(plaintext instanceof Uint8Array)) {
+            throw new TypeError('plaintext must be an instance of Uint8Array');
+        }
+        this.#plaintext = plaintext;
+    }
+    setKeyManagementParameters(parameters) {
+        assertNotSet(this.#keyManagementParameters, 'setKeyManagementParameters');
+        this.#keyManagementParameters = parameters;
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        assertNotSet(this.#protectedHeader, 'setProtectedHeader');
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    setSharedUnprotectedHeader(sharedUnprotectedHeader) {
+        assertNotSet(this.#sharedUnprotectedHeader, 'setSharedUnprotectedHeader');
+        this.#sharedUnprotectedHeader = sharedUnprotectedHeader;
+        return this;
+    }
+    setUnprotectedHeader(unprotectedHeader) {
+        assertNotSet(this.#unprotectedHeader, 'setUnprotectedHeader');
+        this.#unprotectedHeader = unprotectedHeader;
+        return this;
+    }
+    setAdditionalAuthenticatedData(aad) {
+        this.#aad = aad;
+        return this;
+    }
+    setContentEncryptionKey(cek) {
+        assertNotSet(this.#cek, 'setContentEncryptionKey');
+        this.#cek = cek;
+        return this;
+    }
+    setInitializationVector(iv) {
+        assertNotSet(this.#iv, 'setInitializationVector');
+        this.#iv = iv;
+        return this;
+    }
+    async encrypt(key, options) {
+        if (!this.#protectedHeader && !this.#unprotectedHeader && !this.#sharedUnprotectedHeader) {
+            throw new JWEInvalid('either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()');
+        }
+        if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, this.#sharedUnprotectedHeader)) {
+            throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');
+        }
+        const joseHeader = {
+            ...this.#protectedHeader,
+            ...this.#unprotectedHeader,
+            ...this.#sharedUnprotectedHeader,
+        };
+        validateCrit(JWEInvalid, new Map(), options?.crit, this.#protectedHeader, joseHeader);
+        if (joseHeader.zip !== undefined && joseHeader.zip !== 'DEF') {
+            throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+        }
+        if (joseHeader.zip !== undefined && !this.#protectedHeader?.zip) {
+            throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
+        }
+        const { alg, enc } = joseHeader;
+        if (typeof alg !== 'string' || !alg) {
+            throw new JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
+        }
+        if (typeof enc !== 'string' || !enc) {
+            throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
+        }
+        let encryptedKey;
+        if (this.#cek && (alg === 'dir' || alg === 'ECDH-ES')) {
+            throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${alg}`);
+        }
+        checkKeyType(alg === 'dir' ? enc : alg, key, 'encrypt');
+        let cek;
+        {
+            let parameters;
+            const k = await normalizeKey(key, alg);
+            ({ cek, encryptedKey, parameters } = await encryptKeyManagement(alg, enc, k, this.#cek, this.#keyManagementParameters));
+            if (parameters) {
+                if (options && unprotected in options) {
+                    if (!this.#unprotectedHeader) {
+                        this.setUnprotectedHeader(parameters);
+                    }
+                    else {
+                        this.#unprotectedHeader = { ...this.#unprotectedHeader, ...parameters };
+                    }
+                }
+                else if (!this.#protectedHeader) {
+                    this.setProtectedHeader(parameters);
+                }
+                else {
+                    this.#protectedHeader = { ...this.#protectedHeader, ...parameters };
+                }
+            }
+        }
+        let additionalData;
+        let protectedHeaderS;
+        let protectedHeaderB;
+        let aadMember;
+        if (this.#protectedHeader) {
+            protectedHeaderS = b64u(JSON.stringify(this.#protectedHeader));
+            protectedHeaderB = encode(protectedHeaderS);
+        }
+        else {
+            protectedHeaderS = '';
+            protectedHeaderB = new Uint8Array();
+        }
+        if (this.#aad) {
+            aadMember = b64u(this.#aad);
+            const aadMemberBytes = encode(aadMember);
+            additionalData = concat(protectedHeaderB, encode('.'), aadMemberBytes);
+        }
+        else {
+            additionalData = protectedHeaderB;
+        }
+        let plaintext = this.#plaintext;
+        if (joseHeader.zip === 'DEF') {
+            plaintext = await compress(plaintext);
+        }
+        const { ciphertext, tag, iv } = await encrypt(enc, plaintext, cek, this.#iv, additionalData);
+        const jwe = {
+            ciphertext: b64u(ciphertext),
+        };
+        if (iv) {
+            jwe.iv = b64u(iv);
+        }
+        if (tag) {
+            jwe.tag = b64u(tag);
+        }
+        if (encryptedKey) {
+            jwe.encrypted_key = b64u(encryptedKey);
+        }
+        if (aadMember) {
+            jwe.aad = aadMember;
+        }
+        if (this.#protectedHeader) {
+            jwe.protected = protectedHeaderS;
+        }
+        if (this.#sharedUnprotectedHeader) {
+            jwe.unprotected = this.#sharedUnprotectedHeader;
+        }
+        if (this.#unprotectedHeader) {
+            jwe.header = this.#unprotectedHeader;
+        }
+        return jwe;
+    }
+}