@oari/jose 0.0.0

package/dist/webapi/jwe/flattened/decrypt.js

@@ -0,0 +1,159 @@
+import { decode as b64u } from '../../util/base64url.js';
+import { decrypt } from '../../lib/content_encryption.js';
+import { decodeBase64url } from '../../lib/helpers.js';
+import { JOSEAlgNotAllowed, JOSENotSupported, JWEInvalid } from '../../util/errors.js';
+import { isDisjoint } from '../../lib/type_checks.js';
+import { isObject } from '../../lib/type_checks.js';
+import { decryptKeyManagement } from '../../lib/key_management.js';
+import { decoder, concat, encode } from '../../lib/buffer_utils.js';
+import { generateCek } from '../../lib/content_encryption.js';
+import { validateCrit } from '../../lib/validate_crit.js';
+import { validateAlgorithms } from '../../lib/validate_algorithms.js';
+import { normalizeKey } from '../../lib/normalize_key.js';
+import { checkKeyType } from '../../lib/check_key_type.js';
+import { decompress } from '../../lib/deflate.js';
+export async function flattenedDecrypt(jwe, key, options) {
+    if (!isObject(jwe)) {
+        throw new JWEInvalid('Flattened JWE must be an object');
+    }
+    if (jwe.protected === undefined && jwe.header === undefined && jwe.unprotected === undefined) {
+        throw new JWEInvalid('JOSE Header missing');
+    }
+    if (jwe.iv !== undefined && typeof jwe.iv !== 'string') {
+        throw new JWEInvalid('JWE Initialization Vector incorrect type');
+    }
+    if (typeof jwe.ciphertext !== 'string') {
+        throw new JWEInvalid('JWE Ciphertext missing or incorrect type');
+    }
+    if (jwe.tag !== undefined && typeof jwe.tag !== 'string') {
+        throw new JWEInvalid('JWE Authentication Tag incorrect type');
+    }
+    if (jwe.protected !== undefined && typeof jwe.protected !== 'string') {
+        throw new JWEInvalid('JWE Protected Header incorrect type');
+    }
+    if (jwe.encrypted_key !== undefined && typeof jwe.encrypted_key !== 'string') {
+        throw new JWEInvalid('JWE Encrypted Key incorrect type');
+    }
+    if (jwe.aad !== undefined && typeof jwe.aad !== 'string') {
+        throw new JWEInvalid('JWE AAD incorrect type');
+    }
+    if (jwe.header !== undefined && !isObject(jwe.header)) {
+        throw new JWEInvalid('JWE Shared Unprotected Header incorrect type');
+    }
+    if (jwe.unprotected !== undefined && !isObject(jwe.unprotected)) {
+        throw new JWEInvalid('JWE Per-Recipient Unprotected Header incorrect type');
+    }
+    let parsedProt;
+    if (jwe.protected) {
+        try {
+            const protectedHeader = b64u(jwe.protected);
+            parsedProt = JSON.parse(decoder.decode(protectedHeader));
+        }
+        catch {
+            throw new JWEInvalid('JWE Protected Header is invalid');
+        }
+    }
+    if (!isDisjoint(parsedProt, jwe.header, jwe.unprotected)) {
+        throw new JWEInvalid('JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint');
+    }
+    const joseHeader = {
+        ...parsedProt,
+        ...jwe.header,
+        ...jwe.unprotected,
+    };
+    validateCrit(JWEInvalid, new Map(), options?.crit, parsedProt, joseHeader);
+    if (joseHeader.zip !== undefined && joseHeader.zip !== 'DEF') {
+        throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+    }
+    if (joseHeader.zip !== undefined && !parsedProt?.zip) {
+        throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
+    }
+    const { alg, enc } = joseHeader;
+    if (typeof alg !== 'string' || !alg) {
+        throw new JWEInvalid('missing JWE Algorithm (alg) in JWE Header');
+    }
+    if (typeof enc !== 'string' || !enc) {
+        throw new JWEInvalid('missing JWE Encryption Algorithm (enc) in JWE Header');
+    }
+    const keyManagementAlgorithms = options && validateAlgorithms('keyManagementAlgorithms', options.keyManagementAlgorithms);
+    const contentEncryptionAlgorithms = options &&
+        validateAlgorithms('contentEncryptionAlgorithms', options.contentEncryptionAlgorithms);
+    if ((keyManagementAlgorithms && !keyManagementAlgorithms.has(alg)) ||
+        (!keyManagementAlgorithms && alg.startsWith('PBES2'))) {
+        throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
+    }
+    if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) {
+        throw new JOSEAlgNotAllowed('"enc" (Encryption Algorithm) Header Parameter value not allowed');
+    }
+    let encryptedKey;
+    if (jwe.encrypted_key !== undefined) {
+        encryptedKey = decodeBase64url(jwe.encrypted_key, 'encrypted_key', JWEInvalid);
+    }
+    let resolvedKey = false;
+    if (typeof key === 'function') {
+        key = await key(parsedProt, jwe);
+        resolvedKey = true;
+    }
+    checkKeyType(alg === 'dir' ? enc : alg, key, 'decrypt');
+    const k = await normalizeKey(key, alg);
+    let cek;
+    try {
+        cek = await decryptKeyManagement(alg, k, encryptedKey, joseHeader, options);
+    }
+    catch (err) {
+        if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
+            throw err;
+        }
+        cek = generateCek(enc);
+    }
+    let iv;
+    let tag;
+    if (jwe.iv !== undefined) {
+        iv = decodeBase64url(jwe.iv, 'iv', JWEInvalid);
+    }
+    if (jwe.tag !== undefined) {
+        tag = decodeBase64url(jwe.tag, 'tag', JWEInvalid);
+    }
+    const protectedHeader = jwe.protected !== undefined ? encode(jwe.protected) : new Uint8Array();
+    let additionalData;
+    if (jwe.aad !== undefined) {
+        additionalData = concat(protectedHeader, encode('.'), encode(jwe.aad));
+    }
+    else {
+        additionalData = protectedHeader;
+    }
+    const ciphertext = decodeBase64url(jwe.ciphertext, 'ciphertext', JWEInvalid);
+    const plaintext = await decrypt(enc, cek, ciphertext, iv, tag, additionalData);
+    const result = { plaintext };
+    if (joseHeader.zip === 'DEF') {
+        const maxDecompressedLength = options?.maxDecompressedLength ?? 250_000;
+        if (maxDecompressedLength === 0) {
+            throw new JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
+        }
+        if (maxDecompressedLength !== Infinity &&
+            (!Number.isSafeInteger(maxDecompressedLength) || maxDecompressedLength < 1)) {
+            throw new TypeError('maxDecompressedLength must be 0, a positive safe integer, or Infinity');
+        }
+        result.plaintext = await decompress(plaintext, maxDecompressedLength).catch((cause) => {
+            if (cause instanceof JWEInvalid)
+                throw cause;
+            throw new JWEInvalid('Failed to decompress plaintext', { cause });
+        });
+    }
+    if (jwe.protected !== undefined) {
+        result.protectedHeader = parsedProt;
+    }
+    if (jwe.aad !== undefined) {
+        result.additionalAuthenticatedData = decodeBase64url(jwe.aad, 'aad', JWEInvalid);
+    }
+    if (jwe.unprotected !== undefined) {
+        result.sharedUnprotectedHeader = jwe.unprotected;
+    }
+    if (jwe.header !== undefined) {
+        result.unprotectedHeader = jwe.header;
+    }
+    if (resolvedKey) {
+        return { ...result, key: k };
+    }
+    return result;
+}

package/dist/webapi/jwe/flattened/encrypt.js

@@ -0,0 +1,167 @@
+import { encode as b64u } from '../../util/base64url.js';
+import { unprotected, assertNotSet } from '../../lib/helpers.js';
+import { encrypt } from '../../lib/content_encryption.js';
+import { encryptKeyManagement } from '../../lib/key_management.js';
+import { JOSENotSupported, JWEInvalid } from '../../util/errors.js';
+import { isDisjoint } from '../../lib/type_checks.js';
+import { concat, encode } from '../../lib/buffer_utils.js';
+import { validateCrit } from '../../lib/validate_crit.js';
+import { normalizeKey } from '../../lib/normalize_key.js';
+import { checkKeyType } from '../../lib/check_key_type.js';
+import { compress } from '../../lib/deflate.js';
+export class FlattenedEncrypt {
+    #plaintext;
+    #protectedHeader;
+    #sharedUnprotectedHeader;
+    #unprotectedHeader;
+    #aad;
+    #cek;
+    #iv;
+    #keyManagementParameters;
+    constructor(plaintext) {
+        if (!(plaintext instanceof Uint8Array)) {
+            throw new TypeError('plaintext must be an instance of Uint8Array');
+        }
+        this.#plaintext = plaintext;
+    }
+    setKeyManagementParameters(parameters) {
+        assertNotSet(this.#keyManagementParameters, 'setKeyManagementParameters');
+        this.#keyManagementParameters = parameters;
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        assertNotSet(this.#protectedHeader, 'setProtectedHeader');
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    setSharedUnprotectedHeader(sharedUnprotectedHeader) {
+        assertNotSet(this.#sharedUnprotectedHeader, 'setSharedUnprotectedHeader');
+        this.#sharedUnprotectedHeader = sharedUnprotectedHeader;
+        return this;
+    }
+    setUnprotectedHeader(unprotectedHeader) {
+        assertNotSet(this.#unprotectedHeader, 'setUnprotectedHeader');
+        this.#unprotectedHeader = unprotectedHeader;
+        return this;
+    }
+    setAdditionalAuthenticatedData(aad) {
+        this.#aad = aad;
+        return this;
+    }
+    setContentEncryptionKey(cek) {
+        assertNotSet(this.#cek, 'setContentEncryptionKey');
+        this.#cek = cek;
+        return this;
+    }
+    setInitializationVector(iv) {
+        assertNotSet(this.#iv, 'setInitializationVector');
+        this.#iv = iv;
+        return this;
+    }
+    async encrypt(key, options) {
+        if (!this.#protectedHeader && !this.#unprotectedHeader && !this.#sharedUnprotectedHeader) {
+            throw new JWEInvalid('either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()');
+        }
+        if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, this.#sharedUnprotectedHeader)) {
+            throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');
+        }
+        const joseHeader = {
+            ...this.#protectedHeader,
+            ...this.#unprotectedHeader,
+            ...this.#sharedUnprotectedHeader,
+        };
+        validateCrit(JWEInvalid, new Map(), options?.crit, this.#protectedHeader, joseHeader);
+        if (joseHeader.zip !== undefined && joseHeader.zip !== 'DEF') {
+            throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+        }
+        if (joseHeader.zip !== undefined && !this.#protectedHeader?.zip) {
+            throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
+        }
+        const { alg, enc } = joseHeader;
+        if (typeof alg !== 'string' || !alg) {
+            throw new JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
+        }
+        if (typeof enc !== 'string' || !enc) {
+            throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
+        }
+        let encryptedKey;
+        if (this.#cek && (alg === 'dir' || alg === 'ECDH-ES')) {
+            throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${alg}`);
+        }
+        checkKeyType(alg === 'dir' ? enc : alg, key, 'encrypt');
+        let cek;
+        {
+            let parameters;
+            const k = await normalizeKey(key, alg);
+            ({ cek, encryptedKey, parameters } = await encryptKeyManagement(alg, enc, k, this.#cek, this.#keyManagementParameters));
+            if (parameters) {
+                if (options && unprotected in options) {
+                    if (!this.#unprotectedHeader) {
+                        this.setUnprotectedHeader(parameters);
+                    }
+                    else {
+                        this.#unprotectedHeader = { ...this.#unprotectedHeader, ...parameters };
+                    }
+                }
+                else if (!this.#protectedHeader) {
+                    this.setProtectedHeader(parameters);
+                }
+                else {
+                    this.#protectedHeader = { ...this.#protectedHeader, ...parameters };
+                }
+            }
+        }
+        let additionalData;
+        let protectedHeaderS;
+        let protectedHeaderB;
+        let aadMember;
+        if (this.#protectedHeader) {
+            protectedHeaderS = b64u(JSON.stringify(this.#protectedHeader));
+            protectedHeaderB = encode(protectedHeaderS);
+        }
+        else {
+            protectedHeaderS = '';
+            protectedHeaderB = new Uint8Array();
+        }
+        if (this.#aad) {
+            aadMember = b64u(this.#aad);
+            const aadMemberBytes = encode(aadMember);
+            additionalData = concat(protectedHeaderB, encode('.'), aadMemberBytes);
+        }
+        else {
+            additionalData = protectedHeaderB;
+        }
+        let plaintext = this.#plaintext;
+        if (joseHeader.zip === 'DEF') {
+            plaintext = await compress(plaintext).catch((cause) => {
+                throw new JWEInvalid('Failed to compress plaintext', { cause });
+            });
+        }
+        const { ciphertext, tag, iv } = await encrypt(enc, plaintext, cek, this.#iv, additionalData);
+        const jwe = {
+            ciphertext: b64u(ciphertext),
+        };
+        if (iv) {
+            jwe.iv = b64u(iv);
+        }
+        if (tag) {
+            jwe.tag = b64u(tag);
+        }
+        if (encryptedKey) {
+            jwe.encrypted_key = b64u(encryptedKey);
+        }
+        if (aadMember) {
+            jwe.aad = aadMember;
+        }
+        if (this.#protectedHeader) {
+            jwe.protected = protectedHeaderS;
+        }
+        if (this.#sharedUnprotectedHeader) {
+            jwe.unprotected = this.#sharedUnprotectedHeader;
+        }
+        if (this.#unprotectedHeader) {
+            jwe.header = this.#unprotectedHeader;
+        }
+        return jwe;
+    }
+}

package/dist/webapi/jwe/general/decrypt.js

@@ -0,0 +1,31 @@
+import { flattenedDecrypt } from '../flattened/decrypt.js';
+import { JWEDecryptionFailed, JWEInvalid } from '../../util/errors.js';
+import { isObject } from '../../lib/type_checks.js';
+export async function generalDecrypt(jwe, key, options) {
+    if (!isObject(jwe)) {
+        throw new JWEInvalid('General JWE must be an object');
+    }
+    if (!Array.isArray(jwe.recipients) || !jwe.recipients.every(isObject)) {
+        throw new JWEInvalid('JWE Recipients missing or incorrect type');
+    }
+    if (!jwe.recipients.length) {
+        throw new JWEInvalid('JWE Recipients has no members');
+    }
+    for (const recipient of jwe.recipients) {
+        try {
+            return await flattenedDecrypt({
+                aad: jwe.aad,
+                ciphertext: jwe.ciphertext,
+                encrypted_key: recipient.encrypted_key,
+                header: recipient.header,
+                iv: jwe.iv,
+                protected: jwe.protected,
+                tag: jwe.tag,
+                unprotected: jwe.unprotected,
+            }, key, options);
+        }
+        catch {
+        }
+    }
+    throw new JWEDecryptionFailed();
+}

package/dist/webapi/jwe/general/encrypt.js

@@ -0,0 +1,182 @@
+import { FlattenedEncrypt } from '../flattened/encrypt.js';
+import { unprotected, assertNotSet } from '../../lib/helpers.js';
+import { JOSENotSupported, JWEInvalid } from '../../util/errors.js';
+import { generateCek } from '../../lib/content_encryption.js';
+import { isDisjoint } from '../../lib/type_checks.js';
+import { encryptKeyManagement } from '../../lib/key_management.js';
+import { encode as b64u } from '../../util/base64url.js';
+import { validateCrit } from '../../lib/validate_crit.js';
+import { normalizeKey } from '../../lib/normalize_key.js';
+import { checkKeyType } from '../../lib/check_key_type.js';
+class IndividualRecipient {
+    #parent;
+    unprotectedHeader;
+    keyManagementParameters;
+    key;
+    options;
+    constructor(enc, key, options) {
+        this.#parent = enc;
+        this.key = key;
+        this.options = options;
+    }
+    setUnprotectedHeader(unprotectedHeader) {
+        assertNotSet(this.unprotectedHeader, 'setUnprotectedHeader');
+        this.unprotectedHeader = unprotectedHeader;
+        return this;
+    }
+    setKeyManagementParameters(parameters) {
+        assertNotSet(this.keyManagementParameters, 'setKeyManagementParameters');
+        this.keyManagementParameters = parameters;
+        return this;
+    }
+    addRecipient(...args) {
+        return this.#parent.addRecipient(...args);
+    }
+    encrypt(...args) {
+        return this.#parent.encrypt(...args);
+    }
+    done() {
+        return this.#parent;
+    }
+}
+export class GeneralEncrypt {
+    #plaintext;
+    #recipients = [];
+    #protectedHeader;
+    #unprotectedHeader;
+    #aad;
+    constructor(plaintext) {
+        this.#plaintext = plaintext;
+    }
+    addRecipient(key, options) {
+        const recipient = new IndividualRecipient(this, key, { crit: options?.crit });
+        this.#recipients.push(recipient);
+        return recipient;
+    }
+    setProtectedHeader(protectedHeader) {
+        assertNotSet(this.#protectedHeader, 'setProtectedHeader');
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    setSharedUnprotectedHeader(sharedUnprotectedHeader) {
+        assertNotSet(this.#unprotectedHeader, 'setSharedUnprotectedHeader');
+        this.#unprotectedHeader = sharedUnprotectedHeader;
+        return this;
+    }
+    setAdditionalAuthenticatedData(aad) {
+        this.#aad = aad;
+        return this;
+    }
+    async encrypt() {
+        if (!this.#recipients.length) {
+            throw new JWEInvalid('at least one recipient must be added');
+        }
+        if (this.#recipients.length === 1) {
+            const [recipient] = this.#recipients;
+            const flattened = await new FlattenedEncrypt(this.#plaintext)
+                .setAdditionalAuthenticatedData(this.#aad)
+                .setProtectedHeader(this.#protectedHeader)
+                .setSharedUnprotectedHeader(this.#unprotectedHeader)
+                .setUnprotectedHeader(recipient.unprotectedHeader)
+                .encrypt(recipient.key, { ...recipient.options });
+            const jwe = {
+                ciphertext: flattened.ciphertext,
+                iv: flattened.iv,
+                recipients: [{}],
+                tag: flattened.tag,
+            };
+            if (flattened.aad)
+                jwe.aad = flattened.aad;
+            if (flattened.protected)
+                jwe.protected = flattened.protected;
+            if (flattened.unprotected)
+                jwe.unprotected = flattened.unprotected;
+            if (flattened.encrypted_key)
+                jwe.recipients[0].encrypted_key = flattened.encrypted_key;
+            if (flattened.header)
+                jwe.recipients[0].header = flattened.header;
+            return jwe;
+        }
+        let enc;
+        for (let i = 0; i < this.#recipients.length; i++) {
+            const recipient = this.#recipients[i];
+            if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, recipient.unprotectedHeader)) {
+                throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');
+            }
+            const joseHeader = {
+                ...this.#protectedHeader,
+                ...this.#unprotectedHeader,
+                ...recipient.unprotectedHeader,
+            };
+            const { alg } = joseHeader;
+            if (typeof alg !== 'string' || !alg) {
+                throw new JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
+            }
+            if (alg === 'dir' || alg === 'ECDH-ES') {
+                throw new JWEInvalid('"dir" and "ECDH-ES" alg may only be used with a single recipient');
+            }
+            if (typeof joseHeader.enc !== 'string' || !joseHeader.enc) {
+                throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
+            }
+            if (!enc) {
+                enc = joseHeader.enc;
+            }
+            else if (enc !== joseHeader.enc) {
+                throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');
+            }
+            validateCrit(JWEInvalid, new Map(), recipient.options.crit, this.#protectedHeader, joseHeader);
+            if (joseHeader.zip !== undefined && joseHeader.zip !== 'DEF') {
+                throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
+            }
+            if (joseHeader.zip !== undefined && !this.#protectedHeader?.zip) {
+                throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
+            }
+        }
+        const cek = generateCek(enc);
+        const jwe = {
+            ciphertext: '',
+            recipients: [],
+        };
+        for (let i = 0; i < this.#recipients.length; i++) {
+            const recipient = this.#recipients[i];
+            const target = {};
+            jwe.recipients.push(target);
+            if (i === 0) {
+                const flattened = await new FlattenedEncrypt(this.#plaintext)
+                    .setAdditionalAuthenticatedData(this.#aad)
+                    .setContentEncryptionKey(cek)
+                    .setProtectedHeader(this.#protectedHeader)
+                    .setSharedUnprotectedHeader(this.#unprotectedHeader)
+                    .setUnprotectedHeader(recipient.unprotectedHeader)
+                    .setKeyManagementParameters(recipient.keyManagementParameters)
+                    .encrypt(recipient.key, {
+                    ...recipient.options,
+                    [unprotected]: true,
+                });
+                jwe.ciphertext = flattened.ciphertext;
+                jwe.iv = flattened.iv;
+                jwe.tag = flattened.tag;
+                if (flattened.aad)
+                    jwe.aad = flattened.aad;
+                if (flattened.protected)
+                    jwe.protected = flattened.protected;
+                if (flattened.unprotected)
+                    jwe.unprotected = flattened.unprotected;
+                target.encrypted_key = flattened.encrypted_key;
+                if (flattened.header)
+                    target.header = flattened.header;
+                continue;
+            }
+            const alg = recipient.unprotectedHeader?.alg ||
+                this.#protectedHeader?.alg ||
+                this.#unprotectedHeader?.alg;
+            checkKeyType(alg === 'dir' ? enc : alg, recipient.key, 'encrypt');
+            const k = await normalizeKey(recipient.key, alg);
+            const { encryptedKey, parameters } = await encryptKeyManagement(alg, enc, k, cek, recipient.keyManagementParameters);
+            target.encrypted_key = b64u(encryptedKey);
+            if (recipient.unprotectedHeader || parameters)
+                target.header = { ...recipient.unprotectedHeader, ...parameters };
+        }
+        return jwe;
+    }
+}

package/dist/webapi/jwk/embedded.js

@@ -0,0 +1,17 @@
+import { importJWK } from '../key/import.js';
+import { isObject } from '../lib/type_checks.js';
+import { JWSInvalid } from '../util/errors.js';
+export async function EmbeddedJWK(protectedHeader, token) {
+    const joseHeader = {
+        ...protectedHeader,
+        ...token?.header,
+    };
+    if (!isObject(joseHeader.jwk)) {
+        throw new JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a JSON object');
+    }
+    const key = await importJWK({ ...joseHeader.jwk, ext: true }, joseHeader.alg);
+    if (key instanceof Uint8Array || key.type !== 'public') {
+        throw new JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a public key');
+    }
+    return key;
+}

package/dist/webapi/jwk/thumbprint.js

@@ -0,0 +1,68 @@
+import { digest } from '../lib/helpers.js';
+import { encode as b64u } from '../util/base64url.js';
+import { JOSENotSupported, JWKInvalid } from '../util/errors.js';
+import { encode } from '../lib/buffer_utils.js';
+import { isKeyLike } from '../lib/is_key_like.js';
+import { isJWK } from '../lib/type_checks.js';
+import { exportJWK } from '../key/export.js';
+import { invalidKeyInput } from '../lib/invalid_key_input.js';
+const check = (value, description) => {
+    if (typeof value !== 'string' || !value) {
+        throw new JWKInvalid(`${description} missing or invalid`);
+    }
+};
+export async function calculateJwkThumbprint(key, digestAlgorithm) {
+    let jwk;
+    if (isJWK(key)) {
+        jwk = key;
+    }
+    else if (isKeyLike(key)) {
+        jwk = await exportJWK(key);
+    }
+    else {
+        throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'JSON Web Key'));
+    }
+    digestAlgorithm ??= 'sha256';
+    if (digestAlgorithm !== 'sha256' &&
+        digestAlgorithm !== 'sha384' &&
+        digestAlgorithm !== 'sha512') {
+        throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');
+    }
+    let components;
+    switch (jwk.kty) {
+        case 'AKP':
+            check(jwk.alg, '"alg" (Algorithm) Parameter');
+            check(jwk.pub, '"pub" (Public key) Parameter');
+            components = { alg: jwk.alg, kty: jwk.kty, pub: jwk.pub };
+            break;
+        case 'EC':
+            check(jwk.crv, '"crv" (Curve) Parameter');
+            check(jwk.x, '"x" (X Coordinate) Parameter');
+            check(jwk.y, '"y" (Y Coordinate) Parameter');
+            components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
+            break;
+        case 'OKP':
+            check(jwk.crv, '"crv" (Subtype of Key Pair) Parameter');
+            check(jwk.x, '"x" (Public Key) Parameter');
+            components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };
+            break;
+        case 'RSA':
+            check(jwk.e, '"e" (Exponent) Parameter');
+            check(jwk.n, '"n" (Modulus) Parameter');
+            components = { e: jwk.e, kty: jwk.kty, n: jwk.n };
+            break;
+        case 'oct':
+            check(jwk.k, '"k" (Key Value) Parameter');
+            components = { k: jwk.k, kty: jwk.kty };
+            break;
+        default:
+            throw new JOSENotSupported('"kty" (Key Type) Parameter missing or unsupported');
+    }
+    const data = encode(JSON.stringify(components));
+    return b64u(await digest(digestAlgorithm, data));
+}
+export async function calculateJwkThumbprintUri(key, digestAlgorithm) {
+    digestAlgorithm ??= 'sha256';
+    const thumbprint = await calculateJwkThumbprint(key, digestAlgorithm);
+    return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;
+}