@oari/jose 0.0.0

package/LICENSE.md

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2018 Filip Skokan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,150 @@
+# jose
+
+`jose` is a JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. The module is designed to work across various Web-interoperable runtimes including Node.js, browsers, Cloudflare Workers, Deno, Bun, and others.
+
+## Sponsor
+
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="https://raw.githubusercontent.com/panva/jose/HEAD/sponsor/Auth0byOkta_dark.png">
+  <source media="(prefers-color-scheme: light)" srcset="https://raw.githubusercontent.com/panva/jose/HEAD/sponsor/Auth0byOkta_light.png">
+  <img height="65" align="left" alt="Auth0 by Okta" src="https://raw.githubusercontent.com/panva/jose/HEAD/sponsor/Auth0byOkta_light.png">
+</picture>
+
+If you want to quickly add JWT authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. [Create an Auth0 account; it's free!][sponsor-auth0]<br><br>
+
+## [💗 Help the project](https://github.com/sponsors/panva)
+
+Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by [becoming a sponsor](https://github.com/sponsors/panva).
+
+## Dependencies: 0
+
+`jose` has no dependencies and it exports tree-shakeable ESM[^cjs].
+
+## Documentation
+
+`jose` is distributed via [npmjs.com](https://www.npmjs.com/package/jose), [jsr.io](https://jsr.io/@panva/jose), [jsdelivr.com](https://www.jsdelivr.com/package/npm/jose), and [github.com](https://github.com/panva/jose).
+
+**`example`** ESM import[^cjs]
+
+```js
+import * as jose from 'jose'
+```
+
+### JSON Web Tokens (JWT)
+
+The `jose` module supports JSON Web Tokens (JWT) and provides functionality for signing and verifying tokens, as well as their JWT Claims Set validation.
+
+- [JWT Claims Set Validation & Signature Verification](docs/jwt/verify/functions/jwtVerify.md) using the `jwtVerify` function
+  - [Using a remote JSON Web Key Set (JWKS)](docs/jwks/remote/functions/createRemoteJWKSet.md)
+  - [Using a local JSON Web Key Set (JWKS)](docs/jwks/local/functions/createLocalJWKSet.md)
+- [Signing](docs/jwt/sign/classes/SignJWT.md) using the `SignJWT` class
+- Utility functions
+  - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)
+  - [Decoding JWT Claims Set](docs/util/decode_jwt/functions/decodeJwt.md) prior to its validation
+
+### Encrypted JSON Web Tokens
+
+The `jose` module supports encrypted JSON Web Tokens and provides functionality for encrypting and decrypting tokens, as well as their JWT Claims Set validation.
+
+- [Decryption & JWT Claims Set Validation](docs/jwt/decrypt/functions/jwtDecrypt.md) using the `jwtDecrypt` function
+- [Encryption](docs/jwt/encrypt/classes/EncryptJWT.md) using the `EncryptJWT` class
+- Utility functions
+  - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)
+
+### Key Utilities
+
+The `jose` module supports importing, exporting, and generating keys and secrets in various formats, including PEM formats like SPKI, X.509 certificate, and PKCS #8, as well as JSON Web Key (JWK).
+
+- Key Import Functions
+  - [JWK Import](docs/key/import/functions/importJWK.md)
+  - [Public Key Import (SPKI)](docs/key/import/functions/importSPKI.md)
+  - [Public Key Import (X.509 Certificate)](docs/key/import/functions/importX509.md)
+  - [Private Key Import (PKCS #8)](docs/key/import/functions/importPKCS8.md)
+- Key and Secret Generation Functions
+  - [Asymmetric Key Pair Generation](docs/key/generate_key_pair/functions/generateKeyPair.md)
+  - [Symmetric Secret Generation](docs/key/generate_secret/functions/generateSecret.md)
+- Key Export Functions
+  - [JWK Export](docs/key/export/functions/exportJWK.md)
+  - [Private Key Export](docs/key/export/functions/exportPKCS8.md)
+  - [Public Key Export](docs/key/export/functions/exportSPKI.md)
+
+### JSON Web Signature (JWS)
+
+The `jose` module supports signing and verification of JWS messages with arbitrary payloads in Compact, Flattened JSON, and General JSON serialization syntaxes.
+
+- Signing - [Compact](docs/jws/compact/sign/classes/CompactSign.md), [Flattened JSON](docs/jws/flattened/sign/classes/FlattenedSign.md), [General JSON](docs/jws/general/sign/classes/GeneralSign.md)
+- Verification - [Compact](docs/jws/compact/verify/functions/compactVerify.md), [Flattened JSON](docs/jws/flattened/verify/functions/flattenedVerify.md), [General JSON](docs/jws/general/verify/functions/generalVerify.md)
+  - [Using a remote JSON Web Key Set (JWKS)](docs/jwks/remote/functions/createRemoteJWKSet.md)
+  - [Using a local JSON Web Key Set (JWKS)](docs/jwks/local/functions/createLocalJWKSet.md)
+- Utility functions
+  - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)
+
+### JSON Web Encryption (JWE)
+
+The `jose` module supports encryption and decryption of JWE messages with arbitrary plaintext in Compact, Flattened JSON, and General JSON serialization syntaxes.
+
+- Encryption - [Compact](docs/jwe/compact/encrypt/classes/CompactEncrypt.md), [Flattened JSON](docs/jwe/flattened/encrypt/classes/FlattenedEncrypt.md), [General JSON](docs/jwe/general/encrypt/classes/GeneralEncrypt.md)
+- Decryption - [Compact](docs/jwe/compact/decrypt/functions/compactDecrypt.md), [Flattened JSON](docs/jwe/flattened/decrypt/functions/flattenedDecrypt.md), [General JSON](docs/jwe/general/decrypt/functions/generalDecrypt.md)
+- Utility functions
+  - [Decoding Token's Protected Header](docs/util/decode_protected_header/functions/decodeProtectedHeader.md)
+
+### Other
+
+The following are additional features and utilities provided by the `jose` module:
+
+- [Calculating JWK Thumbprint](docs/jwk/thumbprint/functions/calculateJwkThumbprint.md)
+- [Calculating JWK Thumbprint URI](docs/jwk/thumbprint/functions/calculateJwkThumbprintUri.md)
+- [Verification using a JWK Embedded in a JWS Header](docs/jwk/embedded/functions/EmbeddedJWK.md)
+- [Unsecured JWT](docs/jwt/unsecured/classes/UnsecuredJWT.md)
+- [JOSE Errors](docs/util/errors/README.md)
+
+## Supported Runtimes
+
+The `jose` module is compatible with JavaScript runtimes that support the utilized Web API globals and standard built-in objects or are Node.js.
+
+The following runtimes are supported _(this is not an exhaustive list)_:
+
+- [Bun](https://github.com/panva/jose/issues/471)
+- [Browsers](https://github.com/panva/jose/issues/263)
+- [Cloudflare Workers](https://github.com/panva/jose/issues/265)
+- [Deno](https://github.com/panva/jose/issues/266)
+- [Electron](https://github.com/panva/jose/issues/264)
+- [Node.js](https://github.com/panva/jose/issues/262)
+
+Please note that certain algorithms may not be available depending on the runtime used. You can find a list of available algorithms for each runtime in the specific issue links provided above.
+
+## Supported Versions
+
+| Version                                         | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ | Runtime and Module type         |
+| ----------------------------------------------- | ----------------- | ------------------ | --------------- | ------------------------------- |
+| [v6.x](https://github.com/panva/jose/tree/v6.x) | [Security Policy] | ✅                 | ✅              | Universal[^universal] ESM[^cjs] |
+
+## Specifications
+
+<details>
+<summary>Details</summary>
+
+- JSON Web Signature (JWS) - [RFC7515](https://www.rfc-editor.org/rfc/rfc7515)
+- JSON Web Encryption (JWE) - [RFC7516](https://www.rfc-editor.org/rfc/rfc7516)
+- JSON Web Key (JWK) - [RFC7517](https://www.rfc-editor.org/rfc/rfc7517)
+- JSON Web Algorithms (JWA) - [RFC7518](https://www.rfc-editor.org/rfc/rfc7518)
+- JSON Web Token (JWT) - [RFC7519](https://www.rfc-editor.org/rfc/rfc7519)
+- JSON Web Key Thumbprint - [RFC7638](https://www.rfc-editor.org/rfc/rfc7638)
+- JSON Web Key Thumbprint URI - [RFC9278](https://www.rfc-editor.org/rfc/rfc9278)
+- JWS Unencoded Payload Option - [RFC7797](https://www.rfc-editor.org/rfc/rfc7797)
+- CFRG Elliptic Curve ECDH and Signatures - [RFC8037](https://www.rfc-editor.org/rfc/rfc8037)
+- Fully-Specified Algorithms for JOSE - [RFC9864](https://www.rfc-editor.org/rfc/rfc9864.html)
+- ML-DSA for JOSE - [RFC9964](https://www.rfc-editor.org/rfc/rfc9964.html)
+
+The algorithm implementations in `jose` have been tested using test vectors from their respective specifications as well as [RFC7520](https://www.rfc-editor.org/rfc/rfc7520).
+
+</details>
+
+[sponsor-auth0]: https://a0.to/signup/panva
+[WebCryptoAPI]: https://w3c.github.io/webcrypto/
+[Fetch API]: https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API
+[Security Policy]: https://github.com/panva/jose/security/policy
+
+[^cjs]: CJS style `let jose = require('jose')` is possible in Node.js versions where the `require(esm)` feature is enabled by default (^20.19.0 || ^22.12.0 || >= 23.0.0).
+
+[^universal]: Assumes runtime support of [WebCryptoAPI][] and [Fetch API][]

package/dist/types/index.d.ts

@@ -0,0 +1,55 @@
+export { compactDecrypt } from './jwe/compact/decrypt.js';
+export type { CompactDecryptGetKey } from './jwe/compact/decrypt.js';
+export { flattenedDecrypt } from './jwe/flattened/decrypt.js';
+export type { FlattenedDecryptGetKey } from './jwe/flattened/decrypt.js';
+export { generalDecrypt } from './jwe/general/decrypt.js';
+export type { GeneralDecryptGetKey } from './jwe/general/decrypt.js';
+export { GeneralEncrypt } from './jwe/general/encrypt.js';
+export type { Recipient } from './jwe/general/encrypt.js';
+export { compactVerify } from './jws/compact/verify.js';
+export type { CompactVerifyGetKey } from './jws/compact/verify.js';
+export { flattenedVerify } from './jws/flattened/verify.js';
+export type { FlattenedVerifyGetKey } from './jws/flattened/verify.js';
+export { generalVerify } from './jws/general/verify.js';
+export type { GeneralVerifyGetKey } from './jws/general/verify.js';
+export { jwtVerify } from './jwt/verify.js';
+export type { JWTVerifyOptions, JWTVerifyGetKey } from './jwt/verify.js';
+export { jwtDecrypt } from './jwt/decrypt.js';
+export type { JWTDecryptOptions, JWTDecryptGetKey } from './jwt/decrypt.js';
+export { CompactEncrypt } from './jwe/compact/encrypt.js';
+export { FlattenedEncrypt } from './jwe/flattened/encrypt.js';
+export { CompactSign } from './jws/compact/sign.js';
+export { FlattenedSign } from './jws/flattened/sign.js';
+export { GeneralSign } from './jws/general/sign.js';
+export type { Signature } from './jws/general/sign.js';
+export { SignJWT } from './jwt/sign.js';
+export { EncryptJWT } from './jwt/encrypt.js';
+export { calculateJwkThumbprint, calculateJwkThumbprintUri } from './jwk/thumbprint.js';
+export { EmbeddedJWK } from './jwk/embedded.js';
+export { createLocalJWKSet } from './jwks/local.js';
+export { createRemoteJWKSet, jwksCache, customFetch } from './jwks/remote.js';
+export type { RemoteJWKSetOptions, JWKSCacheInput, ExportedJWKSCache, FetchImplementation, } from './jwks/remote.js';
+export { UnsecuredJWT } from './jwt/unsecured.js';
+export type { UnsecuredResult } from './jwt/unsecured.js';
+export { exportPKCS8, exportSPKI, exportJWK } from './key/export.js';
+export { importSPKI, importPKCS8, importX509, importJWK } from './key/import.js';
+export type { KeyImportOptions } from './key/import.js';
+export { decodeProtectedHeader } from './util/decode_protected_header.js';
+export { decodeJwt } from './util/decode_jwt.js';
+export type { ProtectedHeaderParameters } from './util/decode_protected_header.js';
+import * as errors from './util/errors.js';
+export { errors };
+export { generateKeyPair } from './key/generate_key_pair.js';
+export type { GenerateKeyPairResult, GenerateKeyPairOptions } from './key/generate_key_pair.js';
+export { generateSecret } from './key/generate_secret.js';
+export type { GenerateSecretOptions } from './key/generate_secret.js';
+import * as base64url from './util/base64url.js';
+export { base64url };
+export type { CompactDecryptResult, CompactJWEHeaderParameters, CompactJWSHeaderParameters, CompactVerifyResult, CritOption, CryptoKey, DecryptOptions, EncryptOptions, FlattenedDecryptResult, FlattenedJWE, FlattenedJWS, FlattenedJWSInput, FlattenedVerifyResult, GeneralDecryptResult, GeneralJWE, GeneralJWS, GeneralJWSInput, GeneralVerifyResult, GetKeyFunction, JoseHeaderParameters, JSONWebKeySet, JWEHeaderParameters, JWEKeyManagementHeaderParameters, JWK_EC_Private, JWK_EC_Public, JWK_oct, JWK_OKP_Private, JWK_OKP_Public, JWK_RSA_Private, JWK_RSA_Public, JWK, JWKParameters, JWSHeaderParameters, JWTClaimVerificationOptions, JWTDecryptResult, JWTHeaderParameters, JWTPayload, JWTVerifyResult, KeyObject, ProduceJWT, ResolvedKey, SignOptions, VerifyOptions, } from './types.d.ts';
+/**
+ * In prior releases this indicated whether a Node.js-specific build was loaded, this is now fixed
+ * to `"WebCryptoAPI"`
+ *
+ * @deprecated
+ */
+export declare const cryptoRuntime = "WebCryptoAPI";

package/dist/types/jwe/compact/decrypt.d.ts

@@ -0,0 +1,43 @@
+/**
+ * Decrypting JSON Web Encryption (JWE) in Compact Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * Interface for Compact JWE Decryption dynamic key resolution. No token components have been
+ * verified at the time of this function call.
+ */
+export interface CompactDecryptGetKey extends types.GetKeyFunction<types.CompactJWEHeaderParameters, types.FlattenedJWE> {
+}
+/**
+ * Decrypts a Compact JWE.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwe/compact/decrypt'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jwe =
+ *   'eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0.nyQ19eq9ogh9wA7fFtnI2oouzy5_8b5DeLkoRMfi2yijgfTs2zEnayCEofz_qhnL-nwszabd9qUeHv0-IwvhhJJS7GUJOU3ikiIe42qcIAFme1A_Fo9CTxw4XTOy-I5qanl8So91u6hwfyN1VxAqVLsSE7_23EC-gfGEg_5znew9PyXXsOIE-K_HH7IQowRrlZ1X_bM_Liu53RzDpLDvRz59mp3S8L56YqpM8FexFGTGpEaoTcEIst375qncYt3-79IVR7gZN1RWsWgjPatfvVbnh74PglQcATSf3UUhaW0OAKn6q7r3PDx6DIKQ35bgHQg5QopuN00eIfLQL2trGw.W3grIVj5HVuAb76X.6PcuDe5D6ttWFYyv0oqqdDXfI2R8wBg1F2Q80UUA_Gv8eEimNWfxIWdLxrjzgQGSvIhxmFKuLM0.a93_Ug3uZHuczj70Zavx8Q'
+ *
+ * const { plaintext, protectedHeader } = await jose.compactDecrypt(jwe, privateKey)
+ *
+ * console.log(protectedHeader)
+ * console.log(new TextDecoder().decode(plaintext))
+ * ```
+ *
+ * @param jwe Compact JWE.
+ * @param key Private Key or Secret to decrypt the JWE with. See
+ *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+ * @param options JWE Decryption options.
+ */
+export declare function compactDecrypt(jwe: string | Uint8Array, key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.DecryptOptions): Promise<types.CompactDecryptResult>;
+/**
+ * @param jwe Compact JWE.
+ * @param getKey Function resolving Private Key or Secret to decrypt the JWE with. See
+ *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+ * @param options JWE Decryption options.
+ */
+export declare function compactDecrypt(jwe: string | Uint8Array, getKey: CompactDecryptGetKey, options?: types.DecryptOptions): Promise<types.CompactDecryptResult & types.ResolvedKey>;

package/dist/types/jwe/compact/encrypt.d.ts

@@ -0,0 +1,76 @@
+/**
+ * Encrypting JSON Web Encryption (JWE) in Compact Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * The CompactEncrypt class is used to build and encrypt Compact JWE strings.
+ *
+ * This class is exported (as a named export) from the main `'jose'` module entry point as well as
+ * from its subpath export `'jose/jwe/compact/encrypt'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jwe = await new jose.CompactEncrypt(
+ *   new TextEncoder().encode('It’s a dangerous business, Frodo, going out your door.'),
+ * )
+ *   .setProtectedHeader({ alg: 'RSA-OAEP-256', enc: 'A256GCM' })
+ *   .encrypt(publicKey)
+ *
+ * console.log(jwe)
+ * ```
+ */
+export declare class CompactEncrypt {
+    #private;
+    /**
+     * {@link CompactEncrypt} constructor
+     *
+     * @param plaintext Binary representation of the plaintext to encrypt.
+     */
+    constructor(plaintext: Uint8Array);
+    /**
+     * Sets a content encryption key to use, by default a random suitable one is generated for the JWE
+     * enc" (Encryption Algorithm) Header Parameter.
+     *
+     * @deprecated You should not use this method. It is only really intended for test and vector
+     *   validation purposes.
+     *
+     * @param cek JWE Content Encryption Key.
+     */
+    setContentEncryptionKey(cek: Uint8Array): this;
+    /**
+     * Sets the JWE Initialization Vector to use for content encryption, by default a random suitable
+     * one is generated for the JWE enc" (Encryption Algorithm) Header Parameter.
+     *
+     * @deprecated You should not use this method. It is only really intended for test and vector
+     *   validation purposes.
+     *
+     * @param iv JWE Initialization Vector.
+     */
+    setInitializationVector(iv: Uint8Array): this;
+    /**
+     * Sets the JWE Protected Header on the CompactEncrypt object.
+     *
+     * @param protectedHeader JWE Protected Header object.
+     */
+    setProtectedHeader(protectedHeader: types.CompactJWEHeaderParameters): this;
+    /**
+     * Sets the JWE Key Management parameters to be used when encrypting.
+     *
+     * (ECDH-ES) Use of this method is needed for ECDH based algorithms to set the "apu" (Agreement
+     * PartyUInfo) or "apv" (Agreement PartyVInfo) parameters.
+     *
+     * @param parameters JWE Key Management parameters.
+     */
+    setKeyManagementParameters(parameters: types.JWEKeyManagementHeaderParameters): this;
+    /**
+     * Encrypts and resolves the value of the Compact JWE string.
+     *
+     * @param key Public Key or Secret to encrypt the JWE with. See
+     *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+     * @param options JWE Encryption options.
+     */
+    encrypt(key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.EncryptOptions): Promise<string>;
+}

package/dist/types/jwe/flattened/decrypt.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Decrypting JSON Web Encryption (JWE) in Flattened JSON Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * Interface for Flattened JWE Decryption dynamic key resolution. No token components have been
+ * verified at the time of this function call.
+ */
+export interface FlattenedDecryptGetKey extends types.GetKeyFunction<types.JWEHeaderParameters | undefined, types.FlattenedJWE> {
+}
+/**
+ * Decrypts a Flattened JWE.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwe/flattened/decrypt'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jwe = {
+ *   ciphertext: '9EzjFISUyoG-ifC2mSihfP0DPC80yeyrxhTzKt1C_VJBkxeBG0MI4Te61Pk45RAGubUvBpU9jm4',
+ *   iv: '8Fy7A_IuoX5VXG9s',
+ *   tag: 'W76IYV6arGRuDSaSyWrQNg',
+ *   encrypted_key:
+ *     'Z6eD4UK_yFb5ZoKvKkGAdqywEG_m0e4IYo0x8Vf30LAMJcsc-_zSgIeiF82teZyYi2YYduHKoqImk7MRnoPZOlEs0Q5BNK1OgBmSOhCE8DFyqh9Zh48TCTP6lmBQ52naqoUJFMtHzu-0LwZH26hxos0GP3Dt19O379MJB837TdKKa87skq0zHaVLAquRHOBF77GI54Bc7O49d8aOrSu1VEFGMThlW2caspPRiTSePDMDPq7_WGk50izRhB3Asl9wmP9wEeaTrkJKRnQj5ips1SAZ1hDBsqEQKKukxP1HtdcopHV5_qgwU8Hjm5EwSLMluMQuiE6hwlkXGOujZLVizA',
+ *   aad: 'VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc',
+ *   protected: 'eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0',
+ * }
+ *
+ * const { plaintext, protectedHeader, additionalAuthenticatedData } =
+ *   await jose.flattenedDecrypt(jwe, privateKey)
+ *
+ * console.log(protectedHeader)
+ * const decoder = new TextDecoder()
+ * console.log(decoder.decode(plaintext))
+ * console.log(decoder.decode(additionalAuthenticatedData))
+ * ```
+ *
+ * @param jwe Flattened JWE.
+ * @param key Private Key or Secret to decrypt the JWE with. See
+ *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+ * @param options JWE Decryption options.
+ */
+export declare function flattenedDecrypt(jwe: types.FlattenedJWE, key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.DecryptOptions): Promise<types.FlattenedDecryptResult>;
+/**
+ * @param jwe Flattened JWE.
+ * @param getKey Function resolving Private Key or Secret to decrypt the JWE with. See
+ *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+ * @param options JWE Decryption options.
+ */
+export declare function flattenedDecrypt(jwe: types.FlattenedJWE, getKey: FlattenedDecryptGetKey, options?: types.DecryptOptions): Promise<types.FlattenedDecryptResult & types.ResolvedKey>;

package/dist/types/jwe/flattened/encrypt.d.ts

@@ -0,0 +1,95 @@
+/**
+ * Encrypting JSON Web Encryption (JWE) in Flattened JSON Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * The FlattenedEncrypt class is used to build and encrypt Flattened JWE objects.
+ *
+ * This class is exported (as a named export) from the main `'jose'` module entry point as well as
+ * from its subpath export `'jose/jwe/flattened/encrypt'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jwe = await new jose.FlattenedEncrypt(
+ *   new TextEncoder().encode('It’s a dangerous business, Frodo, going out your door.'),
+ * )
+ *   .setProtectedHeader({ alg: 'RSA-OAEP-256', enc: 'A256GCM' })
+ *   .setAdditionalAuthenticatedData(encoder.encode('The Fellowship of the Ring'))
+ *   .encrypt(publicKey)
+ *
+ * console.log(jwe)
+ * ```
+ */
+export declare class FlattenedEncrypt {
+    #private;
+    /**
+     * {@link FlattenedEncrypt} constructor
+     *
+     * @param plaintext Binary representation of the plaintext to encrypt.
+     */
+    constructor(plaintext: Uint8Array);
+    /**
+     * Sets the JWE Key Management parameters to be used when encrypting.
+     *
+     * (ECDH-ES) Use of this method is needed for ECDH based algorithms to set the "apu" (Agreement
+     * PartyUInfo) or "apv" (Agreement PartyVInfo) parameters.
+     *
+     * @param parameters JWE Key Management parameters.
+     */
+    setKeyManagementParameters(parameters: types.JWEKeyManagementHeaderParameters): this;
+    /**
+     * Sets the JWE Protected Header on the FlattenedEncrypt object.
+     *
+     * @param protectedHeader JWE Protected Header.
+     */
+    setProtectedHeader(protectedHeader: types.JWEHeaderParameters): this;
+    /**
+     * Sets the JWE Shared Unprotected Header on the FlattenedEncrypt object.
+     *
+     * @param sharedUnprotectedHeader JWE Shared Unprotected Header.
+     */
+    setSharedUnprotectedHeader(sharedUnprotectedHeader: types.JWEHeaderParameters): this;
+    /**
+     * Sets the JWE Per-Recipient Unprotected Header on the FlattenedEncrypt object.
+     *
+     * @param unprotectedHeader JWE Per-Recipient Unprotected Header.
+     */
+    setUnprotectedHeader(unprotectedHeader: types.JWEHeaderParameters): this;
+    /**
+     * Sets the Additional Authenticated Data on the FlattenedEncrypt object.
+     *
+     * @param aad Additional Authenticated Data.
+     */
+    setAdditionalAuthenticatedData(aad: Uint8Array): this;
+    /**
+     * Sets a content encryption key to use, by default a random suitable one is generated for the JWE
+     * enc" (Encryption Algorithm) Header Parameter.
+     *
+     * @deprecated You should not use this method. It is only really intended for test and vector
+     *   validation purposes.
+     *
+     * @param cek JWE Content Encryption Key.
+     */
+    setContentEncryptionKey(cek: Uint8Array): this;
+    /**
+     * Sets the JWE Initialization Vector to use for content encryption, by default a random suitable
+     * one is generated for the JWE enc" (Encryption Algorithm) Header Parameter.
+     *
+     * @deprecated You should not use this method. It is only really intended for test and vector
+     *   validation purposes.
+     *
+     * @param iv JWE Initialization Vector.
+     */
+    setInitializationVector(iv: Uint8Array): this;
+    /**
+     * Encrypts and resolves the value of the Flattened JWE object.
+     *
+     * @param key Public Key or Secret to encrypt the JWE with. See
+     *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+     * @param options JWE Encryption options.
+     */
+    encrypt(key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.EncryptOptions): Promise<types.FlattenedJWE>;
+}

package/dist/types/jwe/general/decrypt.d.ts

@@ -0,0 +1,64 @@
+/**
+ * Decrypting JSON Web Encryption (JWE) in General JSON Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/**
+ * Interface for General JWE Decryption dynamic key resolution. No token components have been
+ * verified at the time of this function call.
+ */
+export interface GeneralDecryptGetKey extends types.GetKeyFunction<types.JWEHeaderParameters, types.FlattenedJWE> {
+}
+/**
+ * Decrypts a General JWE.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwe/general/decrypt'`.
+ *
+ * > [!NOTE]\
+ * > The function iterates over the `recipients` array in the General JWE and returns the decryption
+ * > result of the first recipient entry that can be successfully decrypted. The result only contains
+ * > the plaintext and headers of that successfully decrypted recipient entry. Other recipient entries
+ * > in the General JWE are not validated, and their headers are not included in the returned result.
+ * > Recipients of a General JWE should only rely on the returned (decrypted) data.
+ *
+ * @example
+ *
+ * ```js
+ * const jwe = {
+ *   ciphertext: '9EzjFISUyoG-ifC2mSihfP0DPC80yeyrxhTzKt1C_VJBkxeBG0MI4Te61Pk45RAGubUvBpU9jm4',
+ *   iv: '8Fy7A_IuoX5VXG9s',
+ *   tag: 'W76IYV6arGRuDSaSyWrQNg',
+ *   aad: 'VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc',
+ *   protected: 'eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0',
+ *   recipients: [
+ *     {
+ *       encrypted_key:
+ *         'Z6eD4UK_yFb5ZoKvKkGAdqywEG_m0e4IYo0x8Vf30LAMJcsc-_zSgIeiF82teZyYi2YYduHKoqImk7MRnoPZOlEs0Q5BNK1OgBmSOhCE8DFyqh9Zh48TCTP6lmBQ52naqoUJFMtHzu-0LwZH26hxos0GP3Dt19O379MJB837TdKKa87skq0zHaVLAquRHOBF77GI54Bc7O49d8aOrSu1VEFGMThlW2caspPRiTSePDMDPq7_WGk50izRhB3Asl9wmP9wEeaTrkJKRnQj5ips1SAZ1hDBsqEQKKukxP1HtdcopHV5_qgwU8Hjm5EwSLMluMQuiE6hwlkXGOujZLVizA',
+ *     },
+ *   ],
+ * }
+ *
+ * const { plaintext, protectedHeader, additionalAuthenticatedData } =
+ *   await jose.generalDecrypt(jwe, privateKey)
+ *
+ * console.log(protectedHeader)
+ * const decoder = new TextDecoder()
+ * console.log(decoder.decode(plaintext))
+ * console.log(decoder.decode(additionalAuthenticatedData))
+ * ```
+ *
+ * @param jwe General JWE.
+ * @param key Private Key or Secret to decrypt the JWE with. See
+ *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+ * @param options JWE Decryption options.
+ */
+export declare function generalDecrypt(jwe: types.GeneralJWE, key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.DecryptOptions): Promise<types.GeneralDecryptResult>;
+/**
+ * @param jwe General JWE.
+ * @param getKey Function resolving Private Key or Secret to decrypt the JWE with. See
+ *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+ * @param options JWE Decryption options.
+ */
+export declare function generalDecrypt(jwe: types.GeneralJWE, getKey: GeneralDecryptGetKey, options?: types.DecryptOptions): Promise<types.GeneralDecryptResult & types.ResolvedKey>;

package/dist/types/jwe/general/encrypt.d.ts

@@ -0,0 +1,89 @@
+/**
+ * Encrypting JSON Web Encryption (JWE) in General JSON Serialization
+ *
+ * @module
+ */
+import type * as types from '../../types.d.ts';
+/** Used to build General JWE object's individual recipients. */
+export interface Recipient {
+    /**
+     * Sets the JWE Per-Recipient Unprotected Header on the Recipient object.
+     *
+     * @param unprotectedHeader JWE Per-Recipient Unprotected Header.
+     */
+    setUnprotectedHeader(unprotectedHeader: types.JWEHeaderParameters): Recipient;
+    /**
+     * Sets the JWE Key Management parameters to be used when encrypting.
+     *
+     * (ECDH-ES) Use of this method is needed for ECDH based algorithms to set the "apu" (Agreement
+     * PartyUInfo) or "apv" (Agreement PartyVInfo) parameters.
+     *
+     * @param parameters JWE Key Management parameters.
+     */
+    setKeyManagementParameters(parameters: types.JWEKeyManagementHeaderParameters): Recipient;
+    /** A shorthand for calling addRecipient() on the enclosing {@link GeneralEncrypt} instance */
+    addRecipient(...args: Parameters<GeneralEncrypt['addRecipient']>): Recipient;
+    /** A shorthand for calling encrypt() on the enclosing {@link GeneralEncrypt} instance */
+    encrypt(...args: Parameters<GeneralEncrypt['encrypt']>): Promise<types.GeneralJWE>;
+    /** Returns the enclosing {@link GeneralEncrypt} instance */
+    done(): GeneralEncrypt;
+}
+/**
+ * The GeneralEncrypt class is used to build and encrypt General JWE objects.
+ *
+ * This class is exported (as a named export) from the main `'jose'` module entry point as well as
+ * from its subpath export `'jose/jwe/general/encrypt'`.
+ *
+ * @example
+ *
+ * ```js
+ * const jwe = await new jose.GeneralEncrypt(
+ *   new TextEncoder().encode('It’s a dangerous business, Frodo, going out your door.'),
+ * )
+ *   .setProtectedHeader({ enc: 'A256GCM' })
+ *   .addRecipient(ecPublicKey)
+ *   .setUnprotectedHeader({ alg: 'ECDH-ES+A256KW' })
+ *   .addRecipient(rsaPublicKey)
+ *   .setUnprotectedHeader({ alg: 'RSA-OAEP-384' })
+ *   .encrypt()
+ *
+ * console.log(jwe)
+ * ```
+ */
+export declare class GeneralEncrypt {
+    #private;
+    /**
+     * {@link GeneralEncrypt} constructor
+     *
+     * @param plaintext Binary representation of the plaintext to encrypt.
+     */
+    constructor(plaintext: Uint8Array);
+    /**
+     * Adds an additional recipient for the General JWE object.
+     *
+     * @param key Public Key or Secret to encrypt the Content Encryption Key for the recipient with.
+     *   See {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
+     * @param options JWE Encryption options.
+     */
+    addRecipient(key: types.CryptoKey | types.KeyObject | types.JWK | Uint8Array, options?: types.CritOption): Recipient;
+    /**
+     * Sets the JWE Protected Header on the GeneralEncrypt object.
+     *
+     * @param protectedHeader JWE Protected Header object.
+     */
+    setProtectedHeader(protectedHeader: types.JWEHeaderParameters): this;
+    /**
+     * Sets the JWE Shared Unprotected Header on the GeneralEncrypt object.
+     *
+     * @param sharedUnprotectedHeader JWE Shared Unprotected Header object.
+     */
+    setSharedUnprotectedHeader(sharedUnprotectedHeader: types.JWEHeaderParameters): this;
+    /**
+     * Sets the Additional Authenticated Data on the GeneralEncrypt object.
+     *
+     * @param aad Additional Authenticated Data.
+     */
+    setAdditionalAuthenticatedData(aad: Uint8Array): this;
+    /** Encrypts and resolves the value of the General JWE object. */
+    encrypt(): Promise<types.GeneralJWE>;
+}