@nocobase/plugin-idp-oauth 2.1.0-alpha.10

package/dist/node_modules/jose/dist/webapi/lib/jwt_claims_set.js

@@ -0,0 +1,238 @@
+import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';
+import { encoder, decoder } from './buffer_utils.js';
+import { isObject } from './type_checks.js';
+const epoch = (date) => Math.floor(date.getTime() / 1000);
+const minute = 60;
+const hour = minute * 60;
+const day = hour * 24;
+const week = day * 7;
+const year = day * 365.25;
+const REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
+export function secs(str) {
+    const matched = REGEX.exec(str);
+    if (!matched || (matched[4] && matched[1])) {
+        throw new TypeError('Invalid time period format');
+    }
+    const value = parseFloat(matched[2]);
+    const unit = matched[3].toLowerCase();
+    let numericDate;
+    switch (unit) {
+        case 'sec':
+        case 'secs':
+        case 'second':
+        case 'seconds':
+        case 's':
+            numericDate = Math.round(value);
+            break;
+        case 'minute':
+        case 'minutes':
+        case 'min':
+        case 'mins':
+        case 'm':
+            numericDate = Math.round(value * minute);
+            break;
+        case 'hour':
+        case 'hours':
+        case 'hr':
+        case 'hrs':
+        case 'h':
+            numericDate = Math.round(value * hour);
+            break;
+        case 'day':
+        case 'days':
+        case 'd':
+            numericDate = Math.round(value * day);
+            break;
+        case 'week':
+        case 'weeks':
+        case 'w':
+            numericDate = Math.round(value * week);
+            break;
+        default:
+            numericDate = Math.round(value * year);
+            break;
+    }
+    if (matched[1] === '-' || matched[4] === 'ago') {
+        return -numericDate;
+    }
+    return numericDate;
+}
+function validateInput(label, input) {
+    if (!Number.isFinite(input)) {
+        throw new TypeError(`Invalid ${label} input`);
+    }
+    return input;
+}
+const normalizeTyp = (value) => {
+    if (value.includes('/')) {
+        return value.toLowerCase();
+    }
+    return `application/${value.toLowerCase()}`;
+};
+const checkAudiencePresence = (audPayload, audOption) => {
+    if (typeof audPayload === 'string') {
+        return audOption.includes(audPayload);
+    }
+    if (Array.isArray(audPayload)) {
+        return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
+    }
+    return false;
+};
+export function validateClaimsSet(protectedHeader, encodedPayload, options = {}) {
+    let payload;
+    try {
+        payload = JSON.parse(decoder.decode(encodedPayload));
+    }
+    catch {
+    }
+    if (!isObject(payload)) {
+        throw new JWTInvalid('JWT Claims Set must be a top-level JSON object');
+    }
+    const { typ } = options;
+    if (typ &&
+        (typeof protectedHeader.typ !== 'string' ||
+            normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
+        throw new JWTClaimValidationFailed('unexpected "typ" JWT header value', payload, 'typ', 'check_failed');
+    }
+    const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
+    const presenceCheck = [...requiredClaims];
+    if (maxTokenAge !== undefined)
+        presenceCheck.push('iat');
+    if (audience !== undefined)
+        presenceCheck.push('aud');
+    if (subject !== undefined)
+        presenceCheck.push('sub');
+    if (issuer !== undefined)
+        presenceCheck.push('iss');
+    for (const claim of new Set(presenceCheck.reverse())) {
+        if (!(claim in payload)) {
+            throw new JWTClaimValidationFailed(`missing required "${claim}" claim`, payload, claim, 'missing');
+        }
+    }
+    if (issuer &&
+        !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {
+        throw new JWTClaimValidationFailed('unexpected "iss" claim value', payload, 'iss', 'check_failed');
+    }
+    if (subject && payload.sub !== subject) {
+        throw new JWTClaimValidationFailed('unexpected "sub" claim value', payload, 'sub', 'check_failed');
+    }
+    if (audience &&
+        !checkAudiencePresence(payload.aud, typeof audience === 'string' ? [audience] : audience)) {
+        throw new JWTClaimValidationFailed('unexpected "aud" claim value', payload, 'aud', 'check_failed');
+    }
+    let tolerance;
+    switch (typeof options.clockTolerance) {
+        case 'string':
+            tolerance = secs(options.clockTolerance);
+            break;
+        case 'number':
+            tolerance = options.clockTolerance;
+            break;
+        case 'undefined':
+            tolerance = 0;
+            break;
+        default:
+            throw new TypeError('Invalid clockTolerance option type');
+    }
+    const { currentDate } = options;
+    const now = epoch(currentDate || new Date());
+    if ((payload.iat !== undefined || maxTokenAge) && typeof payload.iat !== 'number') {
+        throw new JWTClaimValidationFailed('"iat" claim must be a number', payload, 'iat', 'invalid');
+    }
+    if (payload.nbf !== undefined) {
+        if (typeof payload.nbf !== 'number') {
+            throw new JWTClaimValidationFailed('"nbf" claim must be a number', payload, 'nbf', 'invalid');
+        }
+        if (payload.nbf > now + tolerance) {
+            throw new JWTClaimValidationFailed('"nbf" claim timestamp check failed', payload, 'nbf', 'check_failed');
+        }
+    }
+    if (payload.exp !== undefined) {
+        if (typeof payload.exp !== 'number') {
+            throw new JWTClaimValidationFailed('"exp" claim must be a number', payload, 'exp', 'invalid');
+        }
+        if (payload.exp <= now - tolerance) {
+            throw new JWTExpired('"exp" claim timestamp check failed', payload, 'exp', 'check_failed');
+        }
+    }
+    if (maxTokenAge) {
+        const age = now - payload.iat;
+        const max = typeof maxTokenAge === 'number' ? maxTokenAge : secs(maxTokenAge);
+        if (age - tolerance > max) {
+            throw new JWTExpired('"iat" claim timestamp check failed (too far in the past)', payload, 'iat', 'check_failed');
+        }
+        if (age < 0 - tolerance) {
+            throw new JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', payload, 'iat', 'check_failed');
+        }
+    }
+    return payload;
+}
+export class JWTClaimsBuilder {
+    #payload;
+    constructor(payload) {
+        if (!isObject(payload)) {
+            throw new TypeError('JWT Claims Set MUST be an object');
+        }
+        this.#payload = structuredClone(payload);
+    }
+    data() {
+        return encoder.encode(JSON.stringify(this.#payload));
+    }
+    get iss() {
+        return this.#payload.iss;
+    }
+    set iss(value) {
+        this.#payload.iss = value;
+    }
+    get sub() {
+        return this.#payload.sub;
+    }
+    set sub(value) {
+        this.#payload.sub = value;
+    }
+    get aud() {
+        return this.#payload.aud;
+    }
+    set aud(value) {
+        this.#payload.aud = value;
+    }
+    set jti(value) {
+        this.#payload.jti = value;
+    }
+    set nbf(value) {
+        if (typeof value === 'number') {
+            this.#payload.nbf = validateInput('setNotBefore', value);
+        }
+        else if (value instanceof Date) {
+            this.#payload.nbf = validateInput('setNotBefore', epoch(value));
+        }
+        else {
+            this.#payload.nbf = epoch(new Date()) + secs(value);
+        }
+    }
+    set exp(value) {
+        if (typeof value === 'number') {
+            this.#payload.exp = validateInput('setExpirationTime', value);
+        }
+        else if (value instanceof Date) {
+            this.#payload.exp = validateInput('setExpirationTime', epoch(value));
+        }
+        else {
+            this.#payload.exp = epoch(new Date()) + secs(value);
+        }
+    }
+    set iat(value) {
+        if (value === undefined) {
+            this.#payload.iat = epoch(new Date());
+        }
+        else if (value instanceof Date) {
+            this.#payload.iat = validateInput('setIssuedAt', epoch(value));
+        }
+        else if (typeof value === 'string') {
+            this.#payload.iat = validateInput('setIssuedAt', epoch(new Date()) + secs(value));
+        }
+        else {
+            this.#payload.iat = validateInput('setIssuedAt', value);
+        }
+    }
+}

package/dist/node_modules/jose/dist/webapi/lib/key_management.js

@@ -0,0 +1,186 @@
+import * as aeskw from './aeskw.js';
+import * as ecdhes from './ecdhes.js';
+import * as pbes2kw from './pbes2kw.js';
+import * as rsaes from './rsaes.js';
+import { encode as b64u } from '../util/base64url.js';
+import { normalizeKey } from './normalize_key.js';
+import { JOSENotSupported, JWEInvalid } from '../util/errors.js';
+import { decodeBase64url } from './helpers.js';
+import { generateCek, cekLength } from './content_encryption.js';
+import { importJWK } from '../key/import.js';
+import { exportJWK } from '../key/export.js';
+import { isObject } from './type_checks.js';
+import { wrap as aesGcmKwWrap, unwrap as aesGcmKwUnwrap } from './aesgcmkw.js';
+import { assertCryptoKey } from './is_key_like.js';
+const unsupportedAlgHeader = 'Invalid or unsupported "alg" (JWE Algorithm) header value';
+function assertEncryptedKey(encryptedKey) {
+    if (encryptedKey === undefined)
+        throw new JWEInvalid('JWE Encrypted Key missing');
+}
+export async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
+    switch (alg) {
+        case 'dir': {
+            if (encryptedKey !== undefined)
+                throw new JWEInvalid('Encountered unexpected JWE Encrypted Key');
+            return key;
+        }
+        case 'ECDH-ES':
+            if (encryptedKey !== undefined)
+                throw new JWEInvalid('Encountered unexpected JWE Encrypted Key');
+        case 'ECDH-ES+A128KW':
+        case 'ECDH-ES+A192KW':
+        case 'ECDH-ES+A256KW': {
+            if (!isObject(joseHeader.epk))
+                throw new JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
+            assertCryptoKey(key);
+            if (!ecdhes.allowed(key))
+                throw new JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');
+            const epk = await importJWK(joseHeader.epk, alg);
+            assertCryptoKey(epk);
+            let partyUInfo;
+            let partyVInfo;
+            if (joseHeader.apu !== undefined) {
+                if (typeof joseHeader.apu !== 'string')
+                    throw new JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
+                partyUInfo = decodeBase64url(joseHeader.apu, 'apu', JWEInvalid);
+            }
+            if (joseHeader.apv !== undefined) {
+                if (typeof joseHeader.apv !== 'string')
+                    throw new JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
+                partyVInfo = decodeBase64url(joseHeader.apv, 'apv', JWEInvalid);
+            }
+            const sharedSecret = await ecdhes.deriveKey(epk, key, alg === 'ECDH-ES' ? joseHeader.enc : alg, alg === 'ECDH-ES' ? cekLength(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);
+            if (alg === 'ECDH-ES')
+                return sharedSecret;
+            assertEncryptedKey(encryptedKey);
+            return aeskw.unwrap(alg.slice(-6), sharedSecret, encryptedKey);
+        }
+        case 'RSA-OAEP':
+        case 'RSA-OAEP-256':
+        case 'RSA-OAEP-384':
+        case 'RSA-OAEP-512': {
+            assertEncryptedKey(encryptedKey);
+            assertCryptoKey(key);
+            return rsaes.decrypt(alg, key, encryptedKey);
+        }
+        case 'PBES2-HS256+A128KW':
+        case 'PBES2-HS384+A192KW':
+        case 'PBES2-HS512+A256KW': {
+            assertEncryptedKey(encryptedKey);
+            if (typeof joseHeader.p2c !== 'number')
+                throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
+            const p2cLimit = options?.maxPBES2Count || 10_000;
+            if (joseHeader.p2c > p2cLimit)
+                throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
+            if (typeof joseHeader.p2s !== 'string')
+                throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
+            let p2s;
+            p2s = decodeBase64url(joseHeader.p2s, 'p2s', JWEInvalid);
+            return pbes2kw.unwrap(alg, key, encryptedKey, joseHeader.p2c, p2s);
+        }
+        case 'A128KW':
+        case 'A192KW':
+        case 'A256KW': {
+            assertEncryptedKey(encryptedKey);
+            return aeskw.unwrap(alg, key, encryptedKey);
+        }
+        case 'A128GCMKW':
+        case 'A192GCMKW':
+        case 'A256GCMKW': {
+            assertEncryptedKey(encryptedKey);
+            if (typeof joseHeader.iv !== 'string')
+                throw new JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
+            if (typeof joseHeader.tag !== 'string')
+                throw new JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
+            let iv;
+            iv = decodeBase64url(joseHeader.iv, 'iv', JWEInvalid);
+            let tag;
+            tag = decodeBase64url(joseHeader.tag, 'tag', JWEInvalid);
+            return aesGcmKwUnwrap(alg, key, encryptedKey, iv, tag);
+        }
+        default: {
+            throw new JOSENotSupported(unsupportedAlgHeader);
+        }
+    }
+}
+export async function encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) {
+    let encryptedKey;
+    let parameters;
+    let cek;
+    switch (alg) {
+        case 'dir': {
+            cek = key;
+            break;
+        }
+        case 'ECDH-ES':
+        case 'ECDH-ES+A128KW':
+        case 'ECDH-ES+A192KW':
+        case 'ECDH-ES+A256KW': {
+            assertCryptoKey(key);
+            if (!ecdhes.allowed(key)) {
+                throw new JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');
+            }
+            const { apu, apv } = providedParameters;
+            let ephemeralKey;
+            if (providedParameters.epk) {
+                ephemeralKey = (await normalizeKey(providedParameters.epk, alg));
+            }
+            else {
+                ephemeralKey = (await crypto.subtle.generateKey(key.algorithm, true, ['deriveBits'])).privateKey;
+            }
+            const { x, y, crv, kty } = await exportJWK(ephemeralKey);
+            const sharedSecret = await ecdhes.deriveKey(key, ephemeralKey, alg === 'ECDH-ES' ? enc : alg, alg === 'ECDH-ES' ? cekLength(enc) : parseInt(alg.slice(-5, -2), 10), apu, apv);
+            parameters = { epk: { x, crv, kty } };
+            if (kty === 'EC')
+                parameters.epk.y = y;
+            if (apu)
+                parameters.apu = b64u(apu);
+            if (apv)
+                parameters.apv = b64u(apv);
+            if (alg === 'ECDH-ES') {
+                cek = sharedSecret;
+                break;
+            }
+            cek = providedCek || generateCek(enc);
+            const kwAlg = alg.slice(-6);
+            encryptedKey = await aeskw.wrap(kwAlg, sharedSecret, cek);
+            break;
+        }
+        case 'RSA-OAEP':
+        case 'RSA-OAEP-256':
+        case 'RSA-OAEP-384':
+        case 'RSA-OAEP-512': {
+            cek = providedCek || generateCek(enc);
+            assertCryptoKey(key);
+            encryptedKey = await rsaes.encrypt(alg, key, cek);
+            break;
+        }
+        case 'PBES2-HS256+A128KW':
+        case 'PBES2-HS384+A192KW':
+        case 'PBES2-HS512+A256KW': {
+            cek = providedCek || generateCek(enc);
+            const { p2c, p2s } = providedParameters;
+            ({ encryptedKey, ...parameters } = await pbes2kw.wrap(alg, key, cek, p2c, p2s));
+            break;
+        }
+        case 'A128KW':
+        case 'A192KW':
+        case 'A256KW': {
+            cek = providedCek || generateCek(enc);
+            encryptedKey = await aeskw.wrap(alg, key, cek);
+            break;
+        }
+        case 'A128GCMKW':
+        case 'A192GCMKW':
+        case 'A256GCMKW': {
+            cek = providedCek || generateCek(enc);
+            const { iv } = providedParameters;
+            ({ encryptedKey, ...parameters } = await aesGcmKwWrap(alg, key, cek, iv));
+            break;
+        }
+        default: {
+            throw new JOSENotSupported(unsupportedAlgHeader);
+        }
+    }
+    return { cek, encryptedKey, parameters };
+}

package/dist/node_modules/jose/dist/webapi/lib/key_to_jwk.js

@@ -0,0 +1,31 @@
+import { invalidKeyInput } from './invalid_key_input.js';
+import { encode as b64u } from '../util/base64url.js';
+import { isCryptoKey, isKeyObject } from './is_key_like.js';
+export async function keyToJWK(key) {
+    if (isKeyObject(key)) {
+        if (key.type === 'secret') {
+            key = key.export();
+        }
+        else {
+            return key.export({ format: 'jwk' });
+        }
+    }
+    if (key instanceof Uint8Array) {
+        return {
+            kty: 'oct',
+            k: b64u(key),
+        };
+    }
+    if (!isCryptoKey(key)) {
+        throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'Uint8Array'));
+    }
+    if (!key.extractable) {
+        throw new TypeError('non-extractable CryptoKey cannot be exported as a JWK');
+    }
+    const { ext, key_ops, alg, use, ...jwk } = await crypto.subtle.exportKey('jwk', key);
+    if (jwk.kty === 'AKP') {
+        ;
+        jwk.alg = alg;
+    }
+    return jwk;
+}

package/dist/node_modules/jose/dist/webapi/lib/normalize_key.js

@@ -0,0 +1,166 @@
+import { isJWK } from './type_checks.js';
+import { decode } from '../util/base64url.js';
+import { jwkToKey } from './jwk_to_key.js';
+import { isCryptoKey, isKeyObject } from './is_key_like.js';
+const unusableForAlg = 'given KeyObject instance cannot be used for this algorithm';
+let cache;
+const handleJWK = async (key, jwk, alg, freeze = false) => {
+    cache ||= new WeakMap();
+    let cached = cache.get(key);
+    if (cached?.[alg]) {
+        return cached[alg];
+    }
+    const cryptoKey = await jwkToKey({ ...jwk, alg });
+    if (freeze)
+        Object.freeze(key);
+    if (!cached) {
+        cache.set(key, { [alg]: cryptoKey });
+    }
+    else {
+        cached[alg] = cryptoKey;
+    }
+    return cryptoKey;
+};
+const handleKeyObject = (keyObject, alg) => {
+    cache ||= new WeakMap();
+    let cached = cache.get(keyObject);
+    if (cached?.[alg]) {
+        return cached[alg];
+    }
+    const isPublic = keyObject.type === 'public';
+    const extractable = isPublic ? true : false;
+    let cryptoKey;
+    if (keyObject.asymmetricKeyType === 'x25519') {
+        switch (alg) {
+            case 'ECDH-ES':
+            case 'ECDH-ES+A128KW':
+            case 'ECDH-ES+A192KW':
+            case 'ECDH-ES+A256KW':
+                break;
+            default:
+                throw new TypeError(unusableForAlg);
+        }
+        cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);
+    }
+    if (keyObject.asymmetricKeyType === 'ed25519') {
+        if (alg !== 'EdDSA' && alg !== 'Ed25519') {
+            throw new TypeError(unusableForAlg);
+        }
+        cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+            isPublic ? 'verify' : 'sign',
+        ]);
+    }
+    switch (keyObject.asymmetricKeyType) {
+        case 'ml-dsa-44':
+        case 'ml-dsa-65':
+        case 'ml-dsa-87': {
+            if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
+                throw new TypeError(unusableForAlg);
+            }
+            cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
+                isPublic ? 'verify' : 'sign',
+            ]);
+        }
+    }
+    if (keyObject.asymmetricKeyType === 'rsa') {
+        let hash;
+        switch (alg) {
+            case 'RSA-OAEP':
+                hash = 'SHA-1';
+                break;
+            case 'RS256':
+            case 'PS256':
+            case 'RSA-OAEP-256':
+                hash = 'SHA-256';
+                break;
+            case 'RS384':
+            case 'PS384':
+            case 'RSA-OAEP-384':
+                hash = 'SHA-384';
+                break;
+            case 'RS512':
+            case 'PS512':
+            case 'RSA-OAEP-512':
+                hash = 'SHA-512';
+                break;
+            default:
+                throw new TypeError(unusableForAlg);
+        }
+        if (alg.startsWith('RSA-OAEP')) {
+            return keyObject.toCryptoKey({
+                name: 'RSA-OAEP',
+                hash,
+            }, extractable, isPublic ? ['encrypt'] : ['decrypt']);
+        }
+        cryptoKey = keyObject.toCryptoKey({
+            name: alg.startsWith('PS') ? 'RSA-PSS' : 'RSASSA-PKCS1-v1_5',
+            hash,
+        }, extractable, [isPublic ? 'verify' : 'sign']);
+    }
+    if (keyObject.asymmetricKeyType === 'ec') {
+        const nist = new Map([
+            ['prime256v1', 'P-256'],
+            ['secp384r1', 'P-384'],
+            ['secp521r1', 'P-521'],
+        ]);
+        const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
+        if (!namedCurve) {
+            throw new TypeError(unusableForAlg);
+        }
+        const expectedCurve = { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' };
+        if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
+            cryptoKey = keyObject.toCryptoKey({
+                name: 'ECDSA',
+                namedCurve,
+            }, extractable, [isPublic ? 'verify' : 'sign']);
+        }
+        if (alg.startsWith('ECDH-ES')) {
+            cryptoKey = keyObject.toCryptoKey({
+                name: 'ECDH',
+                namedCurve,
+            }, extractable, isPublic ? [] : ['deriveBits']);
+        }
+    }
+    if (!cryptoKey) {
+        throw new TypeError(unusableForAlg);
+    }
+    if (!cached) {
+        cache.set(keyObject, { [alg]: cryptoKey });
+    }
+    else {
+        cached[alg] = cryptoKey;
+    }
+    return cryptoKey;
+};
+export async function normalizeKey(key, alg) {
+    if (key instanceof Uint8Array) {
+        return key;
+    }
+    if (isCryptoKey(key)) {
+        return key;
+    }
+    if (isKeyObject(key)) {
+        if (key.type === 'secret') {
+            return key.export();
+        }
+        if ('toCryptoKey' in key && typeof key.toCryptoKey === 'function') {
+            try {
+                return handleKeyObject(key, alg);
+            }
+            catch (err) {
+                if (err instanceof TypeError) {
+                    throw err;
+                }
+            }
+        }
+        let jwk = key.export({ format: 'jwk' });
+        return handleJWK(key, jwk, alg);
+    }
+    if (isJWK(key)) {
+        if (key.k) {
+            return decode(key.k);
+        }
+        return handleJWK(key, key, alg, true);
+    }
+    throw new Error('unreachable');
+}

package/dist/node_modules/jose/dist/webapi/lib/pbes2kw.js

@@ -0,0 +1,39 @@
+import { encode as b64u } from '../util/base64url.js';
+import * as aeskw from './aeskw.js';
+import { checkEncCryptoKey } from './crypto_key.js';
+import { concat, encode } from './buffer_utils.js';
+import { JWEInvalid } from '../util/errors.js';
+function getCryptoKey(key, alg) {
+    if (key instanceof Uint8Array) {
+        return crypto.subtle.importKey('raw', key, 'PBKDF2', false, [
+            'deriveBits',
+        ]);
+    }
+    checkEncCryptoKey(key, alg, 'deriveBits');
+    return key;
+}
+const concatSalt = (alg, p2sInput) => concat(encode(alg), Uint8Array.of(0x00), p2sInput);
+async function deriveKey(p2s, alg, p2c, key) {
+    if (!(p2s instanceof Uint8Array) || p2s.length < 8) {
+        throw new JWEInvalid('PBES2 Salt Input must be 8 or more octets');
+    }
+    const salt = concatSalt(alg, p2s);
+    const keylen = parseInt(alg.slice(13, 16), 10);
+    const subtleAlg = {
+        hash: `SHA-${alg.slice(8, 11)}`,
+        iterations: p2c,
+        name: 'PBKDF2',
+        salt,
+    };
+    const cryptoKey = await getCryptoKey(key, alg);
+    return new Uint8Array(await crypto.subtle.deriveBits(subtleAlg, cryptoKey, keylen));
+}
+export async function wrap(alg, key, cek, p2c = 2048, p2s = crypto.getRandomValues(new Uint8Array(16))) {
+    const derived = await deriveKey(p2s, alg, p2c, key);
+    const encryptedKey = await aeskw.wrap(alg.slice(-6), derived, cek);
+    return { encryptedKey, p2c, p2s: b64u(p2s) };
+}
+export async function unwrap(alg, key, encryptedKey, p2c, p2s) {
+    const derived = await deriveKey(p2s, alg, p2c, key);
+    return aeskw.unwrap(alg.slice(-6), derived, encryptedKey);
+}

package/dist/node_modules/jose/dist/webapi/lib/rsaes.js

@@ -0,0 +1,24 @@
+import { checkEncCryptoKey } from './crypto_key.js';
+import { checkKeyLength } from './signing.js';
+import { JOSENotSupported } from '../util/errors.js';
+const subtleAlgorithm = (alg) => {
+    switch (alg) {
+        case 'RSA-OAEP':
+        case 'RSA-OAEP-256':
+        case 'RSA-OAEP-384':
+        case 'RSA-OAEP-512':
+            return 'RSA-OAEP';
+        default:
+            throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
+    }
+};
+export async function encrypt(alg, key, cek) {
+    checkEncCryptoKey(key, alg, 'encrypt');
+    checkKeyLength(alg, key);
+    return new Uint8Array(await crypto.subtle.encrypt(subtleAlgorithm(alg), key, cek));
+}
+export async function decrypt(alg, key, encryptedKey) {
+    checkEncCryptoKey(key, alg, 'decrypt');
+    checkKeyLength(alg, key);
+    return new Uint8Array(await crypto.subtle.decrypt(subtleAlgorithm(alg), key, encryptedKey));
+}