@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/jose/dist/webapi/jws/flattened/sign.js

@@ -0,0 +1,89 @@
+import { encode as b64u } from '../../util/base64url.js';
+import { sign } from '../../lib/signing.js';
+import { isDisjoint } from '../../lib/type_checks.js';
+import { JWSInvalid } from '../../util/errors.js';
+import { concat, encode } from '../../lib/buffer_utils.js';
+import { checkKeyType } from '../../lib/check_key_type.js';
+import { validateCrit } from '../../lib/validate_crit.js';
+import { normalizeKey } from '../../lib/normalize_key.js';
+import { assertNotSet } from '../../lib/helpers.js';
+export class FlattenedSign {
+    #payload;
+    #protectedHeader;
+    #unprotectedHeader;
+    constructor(payload) {
+        if (!(payload instanceof Uint8Array)) {
+            throw new TypeError('payload must be an instance of Uint8Array');
+        }
+        this.#payload = payload;
+    }
+    setProtectedHeader(protectedHeader) {
+        assertNotSet(this.#protectedHeader, 'setProtectedHeader');
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    setUnprotectedHeader(unprotectedHeader) {
+        assertNotSet(this.#unprotectedHeader, 'setUnprotectedHeader');
+        this.#unprotectedHeader = unprotectedHeader;
+        return this;
+    }
+    async sign(key, options) {
+        if (!this.#protectedHeader && !this.#unprotectedHeader) {
+            throw new JWSInvalid('either setProtectedHeader or setUnprotectedHeader must be called before #sign()');
+        }
+        if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader)) {
+            throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');
+        }
+        const joseHeader = {
+            ...this.#protectedHeader,
+            ...this.#unprotectedHeader,
+        };
+        const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, this.#protectedHeader, joseHeader);
+        let b64 = true;
+        if (extensions.has('b64')) {
+            b64 = this.#protectedHeader.b64;
+            if (typeof b64 !== 'boolean') {
+                throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+            }
+        }
+        const { alg } = joseHeader;
+        if (typeof alg !== 'string' || !alg) {
+            throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+        }
+        checkKeyType(alg, key, 'sign');
+        let payloadS;
+        let payloadB;
+        if (b64) {
+            payloadS = b64u(this.#payload);
+            payloadB = encode(payloadS);
+        }
+        else {
+            payloadB = this.#payload;
+            payloadS = '';
+        }
+        let protectedHeaderString;
+        let protectedHeaderBytes;
+        if (this.#protectedHeader) {
+            protectedHeaderString = b64u(JSON.stringify(this.#protectedHeader));
+            protectedHeaderBytes = encode(protectedHeaderString);
+        }
+        else {
+            protectedHeaderString = '';
+            protectedHeaderBytes = new Uint8Array();
+        }
+        const data = concat(protectedHeaderBytes, encode('.'), payloadB);
+        const k = await normalizeKey(key, alg);
+        const signature = await sign(alg, k, data);
+        const jws = {
+            signature: b64u(signature),
+            payload: payloadS,
+        };
+        if (this.#unprotectedHeader) {
+            jws.header = this.#unprotectedHeader;
+        }
+        if (this.#protectedHeader) {
+            jws.protected = protectedHeaderString;
+        }
+        return jws;
+    }
+}

package/dist/node_modules/jose/dist/webapi/jws/flattened/verify.js

@@ -0,0 +1,110 @@
+import { decode as b64u } from '../../util/base64url.js';
+import { verify } from '../../lib/signing.js';
+import { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';
+import { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js';
+import { decodeBase64url } from '../../lib/helpers.js';
+import { isDisjoint } from '../../lib/type_checks.js';
+import { isObject } from '../../lib/type_checks.js';
+import { checkKeyType } from '../../lib/check_key_type.js';
+import { validateCrit } from '../../lib/validate_crit.js';
+import { validateAlgorithms } from '../../lib/validate_algorithms.js';
+import { normalizeKey } from '../../lib/normalize_key.js';
+export async function flattenedVerify(jws, key, options) {
+    if (!isObject(jws)) {
+        throw new JWSInvalid('Flattened JWS must be an object');
+    }
+    if (jws.protected === undefined && jws.header === undefined) {
+        throw new JWSInvalid('Flattened JWS must have either of the "protected" or "header" members');
+    }
+    if (jws.protected !== undefined && typeof jws.protected !== 'string') {
+        throw new JWSInvalid('JWS Protected Header incorrect type');
+    }
+    if (jws.payload === undefined) {
+        throw new JWSInvalid('JWS Payload missing');
+    }
+    if (typeof jws.signature !== 'string') {
+        throw new JWSInvalid('JWS Signature missing or incorrect type');
+    }
+    if (jws.header !== undefined && !isObject(jws.header)) {
+        throw new JWSInvalid('JWS Unprotected Header incorrect type');
+    }
+    let parsedProt = {};
+    if (jws.protected) {
+        try {
+            const protectedHeader = b64u(jws.protected);
+            parsedProt = JSON.parse(decoder.decode(protectedHeader));
+        }
+        catch {
+            throw new JWSInvalid('JWS Protected Header is invalid');
+        }
+    }
+    if (!isDisjoint(parsedProt, jws.header)) {
+        throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint');
+    }
+    const joseHeader = {
+        ...parsedProt,
+        ...jws.header,
+    };
+    const extensions = validateCrit(JWSInvalid, new Map([['b64', true]]), options?.crit, parsedProt, joseHeader);
+    let b64 = true;
+    if (extensions.has('b64')) {
+        b64 = parsedProt.b64;
+        if (typeof b64 !== 'boolean') {
+            throw new JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
+        }
+    }
+    const { alg } = joseHeader;
+    if (typeof alg !== 'string' || !alg) {
+        throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
+    }
+    const algorithms = options && validateAlgorithms('algorithms', options.algorithms);
+    if (algorithms && !algorithms.has(alg)) {
+        throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
+    }
+    if (b64) {
+        if (typeof jws.payload !== 'string') {
+            throw new JWSInvalid('JWS Payload must be a string');
+        }
+    }
+    else if (typeof jws.payload !== 'string' && !(jws.payload instanceof Uint8Array)) {
+        throw new JWSInvalid('JWS Payload must be a string or an Uint8Array instance');
+    }
+    let resolvedKey = false;
+    if (typeof key === 'function') {
+        key = await key(parsedProt, jws);
+        resolvedKey = true;
+    }
+    checkKeyType(alg, key, 'verify');
+    const data = concat(jws.protected !== undefined ? encode(jws.protected) : new Uint8Array(), encode('.'), typeof jws.payload === 'string'
+        ? b64
+            ? encode(jws.payload)
+            : encoder.encode(jws.payload)
+        : jws.payload);
+    const signature = decodeBase64url(jws.signature, 'signature', JWSInvalid);
+    const k = await normalizeKey(key, alg);
+    const verified = await verify(alg, k, signature, data);
+    if (!verified) {
+        throw new JWSSignatureVerificationFailed();
+    }
+    let payload;
+    if (b64) {
+        payload = decodeBase64url(jws.payload, 'payload', JWSInvalid);
+    }
+    else if (typeof jws.payload === 'string') {
+        payload = encoder.encode(jws.payload);
+    }
+    else {
+        payload = jws.payload;
+    }
+    const result = { payload };
+    if (jws.protected !== undefined) {
+        result.protectedHeader = parsedProt;
+    }
+    if (jws.header !== undefined) {
+        result.unprotectedHeader = jws.header;
+    }
+    if (resolvedKey) {
+        return { ...result, key: k };
+    }
+    return result;
+}

package/dist/node_modules/jose/dist/webapi/jws/general/sign.js

@@ -0,0 +1,70 @@
+import { FlattenedSign } from '../flattened/sign.js';
+import { JWSInvalid } from '../../util/errors.js';
+import { assertNotSet } from '../../lib/helpers.js';
+class IndividualSignature {
+    #parent;
+    protectedHeader;
+    unprotectedHeader;
+    options;
+    key;
+    constructor(sig, key, options) {
+        this.#parent = sig;
+        this.key = key;
+        this.options = options;
+    }
+    setProtectedHeader(protectedHeader) {
+        assertNotSet(this.protectedHeader, 'setProtectedHeader');
+        this.protectedHeader = protectedHeader;
+        return this;
+    }
+    setUnprotectedHeader(unprotectedHeader) {
+        assertNotSet(this.unprotectedHeader, 'setUnprotectedHeader');
+        this.unprotectedHeader = unprotectedHeader;
+        return this;
+    }
+    addSignature(...args) {
+        return this.#parent.addSignature(...args);
+    }
+    sign(...args) {
+        return this.#parent.sign(...args);
+    }
+    done() {
+        return this.#parent;
+    }
+}
+export class GeneralSign {
+    #payload;
+    #signatures = [];
+    constructor(payload) {
+        this.#payload = payload;
+    }
+    addSignature(key, options) {
+        const signature = new IndividualSignature(this, key, options);
+        this.#signatures.push(signature);
+        return signature;
+    }
+    async sign() {
+        if (!this.#signatures.length) {
+            throw new JWSInvalid('at least one signature must be added');
+        }
+        const jws = {
+            signatures: [],
+            payload: '',
+        };
+        for (let i = 0; i < this.#signatures.length; i++) {
+            const signature = this.#signatures[i];
+            const flattened = new FlattenedSign(this.#payload);
+            flattened.setProtectedHeader(signature.protectedHeader);
+            flattened.setUnprotectedHeader(signature.unprotectedHeader);
+            const { payload, ...rest } = await flattened.sign(signature.key, signature.options);
+            if (i === 0) {
+                jws.payload = payload;
+            }
+            else if (jws.payload !== payload) {
+                throw new JWSInvalid('inconsistent use of JWS Unencoded Payload (RFC7797)');
+            }
+            jws.signatures.push(rest);
+        }
+        return jws;
+    }
+}

package/dist/node_modules/jose/dist/webapi/jws/general/verify.js

@@ -0,0 +1,24 @@
+import { flattenedVerify } from '../flattened/verify.js';
+import { JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';
+import { isObject } from '../../lib/type_checks.js';
+export async function generalVerify(jws, key, options) {
+    if (!isObject(jws)) {
+        throw new JWSInvalid('General JWS must be an object');
+    }
+    if (!Array.isArray(jws.signatures) || !jws.signatures.every(isObject)) {
+        throw new JWSInvalid('JWS Signatures missing or incorrect type');
+    }
+    for (const signature of jws.signatures) {
+        try {
+            return await flattenedVerify({
+                header: signature.header,
+                payload: jws.payload,
+                protected: signature.protected,
+                signature: signature.signature,
+            }, key, options);
+        }
+        catch {
+        }
+    }
+    throw new JWSSignatureVerificationFailed();
+}

package/dist/node_modules/jose/dist/webapi/jwt/decrypt.js

@@ -0,0 +1,23 @@
+import { compactDecrypt } from '../jwe/compact/decrypt.js';
+import { validateClaimsSet } from '../lib/jwt_claims_set.js';
+import { JWTClaimValidationFailed } from '../util/errors.js';
+export async function jwtDecrypt(jwt, key, options) {
+    const decrypted = await compactDecrypt(jwt, key, options);
+    const payload = validateClaimsSet(decrypted.protectedHeader, decrypted.plaintext, options);
+    const { protectedHeader } = decrypted;
+    if (protectedHeader.iss !== undefined && protectedHeader.iss !== payload.iss) {
+        throw new JWTClaimValidationFailed('replicated "iss" claim header parameter mismatch', payload, 'iss', 'mismatch');
+    }
+    if (protectedHeader.sub !== undefined && protectedHeader.sub !== payload.sub) {
+        throw new JWTClaimValidationFailed('replicated "sub" claim header parameter mismatch', payload, 'sub', 'mismatch');
+    }
+    if (protectedHeader.aud !== undefined &&
+        JSON.stringify(protectedHeader.aud) !== JSON.stringify(payload.aud)) {
+        throw new JWTClaimValidationFailed('replicated "aud" claim header parameter mismatch', payload, 'aud', 'mismatch');
+    }
+    const result = { payload, protectedHeader };
+    if (typeof key === 'function') {
+        return { ...result, key: decrypted.key };
+    }
+    return result;
+}

package/dist/node_modules/jose/dist/webapi/jwt/encrypt.js

@@ -0,0 +1,101 @@
+import { CompactEncrypt } from '../jwe/compact/encrypt.js';
+import { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';
+import { assertNotSet } from '../lib/helpers.js';
+export class EncryptJWT {
+    #cek;
+    #iv;
+    #keyManagementParameters;
+    #protectedHeader;
+    #replicateIssuerAsHeader;
+    #replicateSubjectAsHeader;
+    #replicateAudienceAsHeader;
+    #jwt;
+    constructor(payload = {}) {
+        this.#jwt = new JWTClaimsBuilder(payload);
+    }
+    setIssuer(issuer) {
+        this.#jwt.iss = issuer;
+        return this;
+    }
+    setSubject(subject) {
+        this.#jwt.sub = subject;
+        return this;
+    }
+    setAudience(audience) {
+        this.#jwt.aud = audience;
+        return this;
+    }
+    setJti(jwtId) {
+        this.#jwt.jti = jwtId;
+        return this;
+    }
+    setNotBefore(input) {
+        this.#jwt.nbf = input;
+        return this;
+    }
+    setExpirationTime(input) {
+        this.#jwt.exp = input;
+        return this;
+    }
+    setIssuedAt(input) {
+        this.#jwt.iat = input;
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        assertNotSet(this.#protectedHeader, 'setProtectedHeader');
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    setKeyManagementParameters(parameters) {
+        assertNotSet(this.#keyManagementParameters, 'setKeyManagementParameters');
+        this.#keyManagementParameters = parameters;
+        return this;
+    }
+    setContentEncryptionKey(cek) {
+        assertNotSet(this.#cek, 'setContentEncryptionKey');
+        this.#cek = cek;
+        return this;
+    }
+    setInitializationVector(iv) {
+        assertNotSet(this.#iv, 'setInitializationVector');
+        this.#iv = iv;
+        return this;
+    }
+    replicateIssuerAsHeader() {
+        this.#replicateIssuerAsHeader = true;
+        return this;
+    }
+    replicateSubjectAsHeader() {
+        this.#replicateSubjectAsHeader = true;
+        return this;
+    }
+    replicateAudienceAsHeader() {
+        this.#replicateAudienceAsHeader = true;
+        return this;
+    }
+    async encrypt(key, options) {
+        const enc = new CompactEncrypt(this.#jwt.data());
+        if (this.#protectedHeader &&
+            (this.#replicateIssuerAsHeader ||
+                this.#replicateSubjectAsHeader ||
+                this.#replicateAudienceAsHeader)) {
+            this.#protectedHeader = {
+                ...this.#protectedHeader,
+                iss: this.#replicateIssuerAsHeader ? this.#jwt.iss : undefined,
+                sub: this.#replicateSubjectAsHeader ? this.#jwt.sub : undefined,
+                aud: this.#replicateAudienceAsHeader ? this.#jwt.aud : undefined,
+            };
+        }
+        enc.setProtectedHeader(this.#protectedHeader);
+        if (this.#iv) {
+            enc.setInitializationVector(this.#iv);
+        }
+        if (this.#cek) {
+            enc.setContentEncryptionKey(this.#cek);
+        }
+        if (this.#keyManagementParameters) {
+            enc.setKeyManagementParameters(this.#keyManagementParameters);
+        }
+        return enc.encrypt(key, options);
+    }
+}

package/dist/node_modules/jose/dist/webapi/jwt/sign.js

@@ -0,0 +1,52 @@
+import { CompactSign } from '../jws/compact/sign.js';
+import { JWTInvalid } from '../util/errors.js';
+import { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';
+export class SignJWT {
+    #protectedHeader;
+    #jwt;
+    constructor(payload = {}) {
+        this.#jwt = new JWTClaimsBuilder(payload);
+    }
+    setIssuer(issuer) {
+        this.#jwt.iss = issuer;
+        return this;
+    }
+    setSubject(subject) {
+        this.#jwt.sub = subject;
+        return this;
+    }
+    setAudience(audience) {
+        this.#jwt.aud = audience;
+        return this;
+    }
+    setJti(jwtId) {
+        this.#jwt.jti = jwtId;
+        return this;
+    }
+    setNotBefore(input) {
+        this.#jwt.nbf = input;
+        return this;
+    }
+    setExpirationTime(input) {
+        this.#jwt.exp = input;
+        return this;
+    }
+    setIssuedAt(input) {
+        this.#jwt.iat = input;
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    async sign(key, options) {
+        const sig = new CompactSign(this.#jwt.data());
+        sig.setProtectedHeader(this.#protectedHeader);
+        if (Array.isArray(this.#protectedHeader?.crit) &&
+            this.#protectedHeader.crit.includes('b64') &&
+            this.#protectedHeader.b64 === false) {
+            throw new JWTInvalid('JWTs MUST NOT use unencoded payload');
+        }
+        return sig.sign(key, options);
+    }
+}

package/dist/node_modules/jose/dist/webapi/jwt/unsecured.js

@@ -0,0 +1,63 @@
+import * as b64u from '../util/base64url.js';
+import { decoder } from '../lib/buffer_utils.js';
+import { JWTInvalid } from '../util/errors.js';
+import { validateClaimsSet, JWTClaimsBuilder } from '../lib/jwt_claims_set.js';
+export class UnsecuredJWT {
+    #jwt;
+    constructor(payload = {}) {
+        this.#jwt = new JWTClaimsBuilder(payload);
+    }
+    encode() {
+        const header = b64u.encode(JSON.stringify({ alg: 'none' }));
+        const payload = b64u.encode(this.#jwt.data());
+        return `${header}.${payload}.`;
+    }
+    setIssuer(issuer) {
+        this.#jwt.iss = issuer;
+        return this;
+    }
+    setSubject(subject) {
+        this.#jwt.sub = subject;
+        return this;
+    }
+    setAudience(audience) {
+        this.#jwt.aud = audience;
+        return this;
+    }
+    setJti(jwtId) {
+        this.#jwt.jti = jwtId;
+        return this;
+    }
+    setNotBefore(input) {
+        this.#jwt.nbf = input;
+        return this;
+    }
+    setExpirationTime(input) {
+        this.#jwt.exp = input;
+        return this;
+    }
+    setIssuedAt(input) {
+        this.#jwt.iat = input;
+        return this;
+    }
+    static decode(jwt, options) {
+        if (typeof jwt !== 'string') {
+            throw new JWTInvalid('Unsecured JWT must be a string');
+        }
+        const { 0: encodedHeader, 1: encodedPayload, 2: signature, length } = jwt.split('.');
+        if (length !== 3 || signature !== '') {
+            throw new JWTInvalid('Invalid Unsecured JWT');
+        }
+        let header;
+        try {
+            header = JSON.parse(decoder.decode(b64u.decode(encodedHeader)));
+            if (header.alg !== 'none')
+                throw new Error();
+        }
+        catch {
+            throw new JWTInvalid('Invalid Unsecured JWT');
+        }
+        const payload = validateClaimsSet(header, b64u.decode(encodedPayload), options);
+        return { payload, header };
+    }
+}

package/dist/node_modules/jose/dist/webapi/jwt/verify.js

@@ -0,0 +1,15 @@
+import { compactVerify } from '../jws/compact/verify.js';
+import { validateClaimsSet } from '../lib/jwt_claims_set.js';
+import { JWTInvalid } from '../util/errors.js';
+export async function jwtVerify(jwt, key, options) {
+    const verified = await compactVerify(jwt, key, options);
+    if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {
+        throw new JWTInvalid('JWTs MUST NOT use unencoded payload');
+    }
+    const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);
+    const result = { payload, protectedHeader: verified.protectedHeader };
+    if (typeof key === 'function') {
+        return { ...result, key: verified.key };
+    }
+    return result;
+}

package/dist/node_modules/jose/dist/webapi/key/export.js

@@ -0,0 +1,11 @@
+import { toSPKI as exportPublic, toPKCS8 as exportPrivate } from '../lib/asn1.js';
+import { keyToJWK } from '../lib/key_to_jwk.js';
+export async function exportSPKI(key) {
+    return exportPublic(key);
+}
+export async function exportPKCS8(key) {
+    return exportPrivate(key);
+}
+export async function exportJWK(key) {
+    return keyToJWK(key);
+}

package/dist/node_modules/jose/dist/webapi/key/generate_key_pair.js

@@ -0,0 +1,97 @@
+import { JOSENotSupported } from '../util/errors.js';
+function getModulusLengthOption(options) {
+    const modulusLength = options?.modulusLength ?? 2048;
+    if (typeof modulusLength !== 'number' || modulusLength < 2048) {
+        throw new JOSENotSupported('Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used');
+    }
+    return modulusLength;
+}
+export async function generateKeyPair(alg, options) {
+    let algorithm;
+    let keyUsages;
+    switch (alg) {
+        case 'PS256':
+        case 'PS384':
+        case 'PS512':
+            algorithm = {
+                name: 'RSA-PSS',
+                hash: `SHA-${alg.slice(-3)}`,
+                publicExponent: Uint8Array.of(0x01, 0x00, 0x01),
+                modulusLength: getModulusLengthOption(options),
+            };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'RS256':
+        case 'RS384':
+        case 'RS512':
+            algorithm = {
+                name: 'RSASSA-PKCS1-v1_5',
+                hash: `SHA-${alg.slice(-3)}`,
+                publicExponent: Uint8Array.of(0x01, 0x00, 0x01),
+                modulusLength: getModulusLengthOption(options),
+            };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'RSA-OAEP':
+        case 'RSA-OAEP-256':
+        case 'RSA-OAEP-384':
+        case 'RSA-OAEP-512':
+            algorithm = {
+                name: 'RSA-OAEP',
+                hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,
+                publicExponent: Uint8Array.of(0x01, 0x00, 0x01),
+                modulusLength: getModulusLengthOption(options),
+            };
+            keyUsages = ['decrypt', 'unwrapKey', 'encrypt', 'wrapKey'];
+            break;
+        case 'ES256':
+            algorithm = { name: 'ECDSA', namedCurve: 'P-256' };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'ES384':
+            algorithm = { name: 'ECDSA', namedCurve: 'P-384' };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'ES512':
+            algorithm = { name: 'ECDSA', namedCurve: 'P-521' };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'Ed25519':
+        case 'EdDSA': {
+            keyUsages = ['sign', 'verify'];
+            algorithm = { name: 'Ed25519' };
+            break;
+        }
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87': {
+            keyUsages = ['sign', 'verify'];
+            algorithm = { name: alg };
+            break;
+        }
+        case 'ECDH-ES':
+        case 'ECDH-ES+A128KW':
+        case 'ECDH-ES+A192KW':
+        case 'ECDH-ES+A256KW': {
+            keyUsages = ['deriveBits'];
+            const crv = options?.crv ?? 'P-256';
+            switch (crv) {
+                case 'P-256':
+                case 'P-384':
+                case 'P-521': {
+                    algorithm = { name: 'ECDH', namedCurve: crv };
+                    break;
+                }
+                case 'X25519':
+                    algorithm = { name: 'X25519' };
+                    break;
+                default:
+                    throw new JOSENotSupported('Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519');
+            }
+            break;
+        }
+        default:
+            throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+    }
+    return crypto.subtle.generateKey(algorithm, options?.extractable ?? false, keyUsages);
+}