@oari/jose 0.0.0

package/dist/types/util/base64url.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Base64URL encoding and decoding utilities
+ *
+ * @module
+ */
+/** Decodes a Base64URL encoded input. */
+export declare function decode(input: Uint8Array | string): Uint8Array;
+/** Encodes an input using Base64URL with no padding. */
+export declare function encode(input: Uint8Array | string): string;

package/dist/types/util/decode_jwt.d.ts

@@ -0,0 +1,25 @@
+/**
+ * JSON Web Token (JWT) Claims Set Decoding (no validation, no signature checking)
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * Decodes a signed JSON Web Token payload. This does not validate the JWT Claims Set types or
+ * values. This does not validate the JWS Signature. For a proper Signed JWT Claims Set validation
+ * and JWS signature verification use `jose.jwtVerify()`. For an encrypted JWT Claims Set validation
+ * and JWE decryption use `jose.jwtDecrypt()`.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/jwt/decode'`.
+ *
+ * @example
+ *
+ * ```js
+ * const claims = jose.decodeJwt(token)
+ * console.log(claims)
+ * ```
+ *
+ * @param jwt JWT token in compact JWS serialization.
+ */
+export declare function decodeJwt<PayloadType = types.JWTPayload>(jwt: string): PayloadType & types.JWTPayload;

package/dist/types/util/decode_protected_header.d.ts

@@ -0,0 +1,24 @@
+/**
+ * JOSE Protected Header Decoding (JWE, JWS, all serialization syntaxes)
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/** JWE and JWS Header Parameters */
+export type ProtectedHeaderParameters = types.JWSHeaderParameters & types.JWEHeaderParameters;
+/**
+ * Decodes the Protected Header of a JWE/JWS/JWT token utilizing any JOSE serialization.
+ *
+ * This function is exported (as a named export) from the main `'jose'` module entry point as well
+ * as from its subpath export `'jose/decode/protected_header'`.
+ *
+ * @example
+ *
+ * ```js
+ * const protectedHeader = jose.decodeProtectedHeader(token)
+ * console.log(protectedHeader)
+ * ```
+ *
+ * @param token JWE/JWS/JWT token in any JOSE serialization.
+ */
+export declare function decodeProtectedHeader(token: string | object): ProtectedHeaderParameters;

package/dist/types/util/errors.d.ts

@@ -0,0 +1,488 @@
+/**
+ * JOSE module errors and error codes
+ *
+ * @module
+ */
+import type * as types from '../types.d.ts';
+/**
+ * A generic Error that all other JOSE specific Error subclasses extend.
+ *
+ * @example
+ *
+ * Checking thrown error is a JOSE one
+ *
+ * ```js
+ * if (err instanceof jose.errors.JOSEError) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JOSEError extends Error {
+    /**
+     * A unique error code for the particular error subclass.
+     *
+     * @ignore
+     */
+    static code: string;
+    /** A unique error code for {@link JOSEError}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * An error subclass thrown when a JWT Claim Set member validation fails.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWT_CLAIM_VALIDATION_FAILED') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWTClaimValidationFailed) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWTClaimValidationFailed extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWTClaimValidationFailed}. */
+    code: string;
+    /** The Claim for which the validation failed. */
+    claim: string;
+    /** Reason code for the validation failure. */
+    reason: string;
+    /**
+     * The parsed JWT Claims Set (aka payload). Other JWT claims may or may not have been verified at
+     * this point. The JSON Web Signature (JWS) or a JSON Web Encryption (JWE) structures' integrity
+     * has however been verified. Claims Set verification happens after the JWS Signature or JWE
+     * Decryption processes.
+     */
+    payload: types.JWTPayload;
+    /** @ignore */
+    constructor(message: string, payload: types.JWTPayload, claim?: string, reason?: string);
+}
+/**
+ * An error subclass thrown when a JWT is expired.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWT_EXPIRED') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWTExpired) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWTExpired extends JOSEError implements JWTClaimValidationFailed {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWTExpired}. */
+    code: string;
+    /** The Claim for which the validation failed. */
+    claim: string;
+    /** Reason code for the validation failure. */
+    reason: string;
+    /**
+     * The parsed JWT Claims Set (aka payload). Other JWT claims may or may not have been verified at
+     * this point. The JSON Web Signature (JWS) or a JSON Web Encryption (JWE) structures' integrity
+     * has however been verified. Claims Set verification happens after the JWS Signature or JWE
+     * Decryption processes.
+     */
+    payload: types.JWTPayload;
+    /** @ignore */
+    constructor(message: string, payload: types.JWTPayload, claim?: string, reason?: string);
+}
+/**
+ * An error subclass thrown when a JOSE Algorithm is not allowed per developer preference.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JOSE_ALG_NOT_ALLOWED') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JOSEAlgNotAllowed) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JOSEAlgNotAllowed extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JOSEAlgNotAllowed}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a particular feature or algorithm is not supported by this
+ * implementation or JOSE in general.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JOSE_NOT_SUPPORTED') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JOSENotSupported) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JOSENotSupported extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JOSENotSupported}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWE ciphertext decryption fails.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWE_DECRYPTION_FAILED') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWEDecryptionFailed) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWEDecryptionFailed extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWEDecryptionFailed}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * An error subclass thrown when a JWE is invalid.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWE_INVALID') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWEInvalid) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWEInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWEInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWS is invalid.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWS_INVALID') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWSInvalid) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWSInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWSInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWT is invalid.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWT_INVALID') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWTInvalid) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWTInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWTInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWK is invalid.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWK_INVALID') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWKInvalid) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWKInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when a JWKS is invalid.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWKS_INVALID') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWKSInvalid) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWKSInvalid extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKSInvalid}. */
+    code: string;
+}
+/**
+ * An error subclass thrown when no keys match from a JWKS.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWKS_NO_MATCHING_KEY') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWKSNoMatchingKey) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWKSNoMatchingKey extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKSNoMatchingKey}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * An error subclass thrown when multiple keys match from a JWKS.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWKS_MULTIPLE_MATCHING_KEYS') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWKSMultipleMatchingKeys) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWKSMultipleMatchingKeys extends JOSEError {
+    /** @ignore */
+    [Symbol.asyncIterator]: () => AsyncIterableIterator<types.CryptoKey>;
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKSMultipleMatchingKeys}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * Timeout was reached when retrieving the JWKS response.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWKS_TIMEOUT') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWKSTimeout) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWKSTimeout extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWKSTimeout}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}
+/**
+ * An error subclass thrown when JWS signature verification fails.
+ *
+ * @example
+ *
+ * Checking thrown error is this one using a stable error code
+ *
+ * ```js
+ * if (err.code === 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED') {
+ *   // ...
+ * }
+ * ```
+ *
+ * @example
+ *
+ * Checking thrown error is this one using `instanceof`
+ *
+ * ```js
+ * if (err instanceof jose.errors.JWSSignatureVerificationFailed) {
+ *   // ...
+ * }
+ * ```
+ */
+export declare class JWSSignatureVerificationFailed extends JOSEError {
+    /** @ignore */
+    static code: string;
+    /** A unique error code for {@link JWSSignatureVerificationFailed}. */
+    code: string;
+    /** @ignore */
+    constructor(message?: string, options?: {
+        cause?: unknown;
+    });
+}

package/dist/webapi/index.js

@@ -0,0 +1,32 @@
+export { compactDecrypt } from './jwe/compact/decrypt.js';
+export { flattenedDecrypt } from './jwe/flattened/decrypt.js';
+export { generalDecrypt } from './jwe/general/decrypt.js';
+export { GeneralEncrypt } from './jwe/general/encrypt.js';
+export { compactVerify } from './jws/compact/verify.js';
+export { flattenedVerify } from './jws/flattened/verify.js';
+export { generalVerify } from './jws/general/verify.js';
+export { jwtVerify } from './jwt/verify.js';
+export { jwtDecrypt } from './jwt/decrypt.js';
+export { CompactEncrypt } from './jwe/compact/encrypt.js';
+export { FlattenedEncrypt } from './jwe/flattened/encrypt.js';
+export { CompactSign } from './jws/compact/sign.js';
+export { FlattenedSign } from './jws/flattened/sign.js';
+export { GeneralSign } from './jws/general/sign.js';
+export { SignJWT } from './jwt/sign.js';
+export { EncryptJWT } from './jwt/encrypt.js';
+export { calculateJwkThumbprint, calculateJwkThumbprintUri } from './jwk/thumbprint.js';
+export { EmbeddedJWK } from './jwk/embedded.js';
+export { createLocalJWKSet } from './jwks/local.js';
+export { createRemoteJWKSet, jwksCache, customFetch } from './jwks/remote.js';
+export { UnsecuredJWT } from './jwt/unsecured.js';
+export { exportPKCS8, exportSPKI, exportJWK } from './key/export.js';
+export { importSPKI, importPKCS8, importX509, importJWK } from './key/import.js';
+export { decodeProtectedHeader } from './util/decode_protected_header.js';
+export { decodeJwt } from './util/decode_jwt.js';
+import * as errors from './util/errors.js';
+export { errors };
+export { generateKeyPair } from './key/generate_key_pair.js';
+export { generateSecret } from './key/generate_secret.js';
+import * as base64url from './util/base64url.js';
+export { base64url };
+export const cryptoRuntime = 'WebCryptoAPI';

package/dist/webapi/jwe/compact/decrypt.js

@@ -0,0 +1,27 @@
+import { flattenedDecrypt } from '../flattened/decrypt.js';
+import { JWEInvalid } from '../../util/errors.js';
+import { decoder } from '../../lib/buffer_utils.js';
+export async function compactDecrypt(jwe, key, options) {
+    if (jwe instanceof Uint8Array) {
+        jwe = decoder.decode(jwe);
+    }
+    if (typeof jwe !== 'string') {
+        throw new JWEInvalid('Compact JWE must be a string or Uint8Array');
+    }
+    const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length, } = jwe.split('.');
+    if (length !== 5) {
+        throw new JWEInvalid('Invalid Compact JWE');
+    }
+    const decrypted = await flattenedDecrypt({
+        ciphertext,
+        iv: iv || undefined,
+        protected: protectedHeader,
+        tag: tag || undefined,
+        encrypted_key: encryptedKey || undefined,
+    }, key, options);
+    const result = { plaintext: decrypted.plaintext, protectedHeader: decrypted.protectedHeader };
+    if (typeof key === 'function') {
+        return { ...result, key: decrypted.key };
+    }
+    return result;
+}

package/dist/webapi/jwe/compact/encrypt.js

@@ -0,0 +1,27 @@
+import { FlattenedEncrypt } from '../flattened/encrypt.js';
+export class CompactEncrypt {
+    #flattened;
+    constructor(plaintext) {
+        this.#flattened = new FlattenedEncrypt(plaintext);
+    }
+    setContentEncryptionKey(cek) {
+        this.#flattened.setContentEncryptionKey(cek);
+        return this;
+    }
+    setInitializationVector(iv) {
+        this.#flattened.setInitializationVector(iv);
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        this.#flattened.setProtectedHeader(protectedHeader);
+        return this;
+    }
+    setKeyManagementParameters(parameters) {
+        this.#flattened.setKeyManagementParameters(parameters);
+        return this;
+    }
+    async encrypt(key, options) {
+        const jwe = await this.#flattened.encrypt(key, options);
+        return [jwe.protected, jwe.encrypted_key, jwe.iv, jwe.ciphertext, jwe.tag].join('.');
+    }
+}