@oari/jose 0.0.0

package/dist/webapi/jwt/encrypt.js

@@ -0,0 +1,101 @@
+import { CompactEncrypt } from '../jwe/compact/encrypt.js';
+import { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';
+import { assertNotSet } from '../lib/helpers.js';
+export class EncryptJWT {
+    #cek;
+    #iv;
+    #keyManagementParameters;
+    #protectedHeader;
+    #replicateIssuerAsHeader;
+    #replicateSubjectAsHeader;
+    #replicateAudienceAsHeader;
+    #jwt;
+    constructor(payload = {}) {
+        this.#jwt = new JWTClaimsBuilder(payload);
+    }
+    setIssuer(issuer) {
+        this.#jwt.iss = issuer;
+        return this;
+    }
+    setSubject(subject) {
+        this.#jwt.sub = subject;
+        return this;
+    }
+    setAudience(audience) {
+        this.#jwt.aud = audience;
+        return this;
+    }
+    setJti(jwtId) {
+        this.#jwt.jti = jwtId;
+        return this;
+    }
+    setNotBefore(input) {
+        this.#jwt.nbf = input;
+        return this;
+    }
+    setExpirationTime(input) {
+        this.#jwt.exp = input;
+        return this;
+    }
+    setIssuedAt(input) {
+        this.#jwt.iat = input;
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        assertNotSet(this.#protectedHeader, 'setProtectedHeader');
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    setKeyManagementParameters(parameters) {
+        assertNotSet(this.#keyManagementParameters, 'setKeyManagementParameters');
+        this.#keyManagementParameters = parameters;
+        return this;
+    }
+    setContentEncryptionKey(cek) {
+        assertNotSet(this.#cek, 'setContentEncryptionKey');
+        this.#cek = cek;
+        return this;
+    }
+    setInitializationVector(iv) {
+        assertNotSet(this.#iv, 'setInitializationVector');
+        this.#iv = iv;
+        return this;
+    }
+    replicateIssuerAsHeader() {
+        this.#replicateIssuerAsHeader = true;
+        return this;
+    }
+    replicateSubjectAsHeader() {
+        this.#replicateSubjectAsHeader = true;
+        return this;
+    }
+    replicateAudienceAsHeader() {
+        this.#replicateAudienceAsHeader = true;
+        return this;
+    }
+    async encrypt(key, options) {
+        const enc = new CompactEncrypt(this.#jwt.data());
+        if (this.#protectedHeader &&
+            (this.#replicateIssuerAsHeader ||
+                this.#replicateSubjectAsHeader ||
+                this.#replicateAudienceAsHeader)) {
+            this.#protectedHeader = {
+                ...this.#protectedHeader,
+                iss: this.#replicateIssuerAsHeader ? this.#jwt.iss : undefined,
+                sub: this.#replicateSubjectAsHeader ? this.#jwt.sub : undefined,
+                aud: this.#replicateAudienceAsHeader ? this.#jwt.aud : undefined,
+            };
+        }
+        enc.setProtectedHeader(this.#protectedHeader);
+        if (this.#iv) {
+            enc.setInitializationVector(this.#iv);
+        }
+        if (this.#cek) {
+            enc.setContentEncryptionKey(this.#cek);
+        }
+        if (this.#keyManagementParameters) {
+            enc.setKeyManagementParameters(this.#keyManagementParameters);
+        }
+        return enc.encrypt(key, options);
+    }
+}

package/dist/webapi/jwt/sign.js

@@ -0,0 +1,52 @@
+import { CompactSign } from '../jws/compact/sign.js';
+import { JWTInvalid } from '../util/errors.js';
+import { JWTClaimsBuilder } from '../lib/jwt_claims_set.js';
+export class SignJWT {
+    #protectedHeader;
+    #jwt;
+    constructor(payload = {}) {
+        this.#jwt = new JWTClaimsBuilder(payload);
+    }
+    setIssuer(issuer) {
+        this.#jwt.iss = issuer;
+        return this;
+    }
+    setSubject(subject) {
+        this.#jwt.sub = subject;
+        return this;
+    }
+    setAudience(audience) {
+        this.#jwt.aud = audience;
+        return this;
+    }
+    setJti(jwtId) {
+        this.#jwt.jti = jwtId;
+        return this;
+    }
+    setNotBefore(input) {
+        this.#jwt.nbf = input;
+        return this;
+    }
+    setExpirationTime(input) {
+        this.#jwt.exp = input;
+        return this;
+    }
+    setIssuedAt(input) {
+        this.#jwt.iat = input;
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        this.#protectedHeader = protectedHeader;
+        return this;
+    }
+    async sign(key, options) {
+        const sig = new CompactSign(this.#jwt.data());
+        sig.setProtectedHeader(this.#protectedHeader);
+        if (Array.isArray(this.#protectedHeader?.crit) &&
+            this.#protectedHeader.crit.includes('b64') &&
+            this.#protectedHeader.b64 === false) {
+            throw new JWTInvalid('JWTs MUST NOT use unencoded payload');
+        }
+        return sig.sign(key, options);
+    }
+}

package/dist/webapi/jwt/unsecured.js

@@ -0,0 +1,63 @@
+import * as b64u from '../util/base64url.js';
+import { decoder } from '../lib/buffer_utils.js';
+import { JWTInvalid } from '../util/errors.js';
+import { validateClaimsSet, JWTClaimsBuilder } from '../lib/jwt_claims_set.js';
+export class UnsecuredJWT {
+    #jwt;
+    constructor(payload = {}) {
+        this.#jwt = new JWTClaimsBuilder(payload);
+    }
+    encode() {
+        const header = b64u.encode(JSON.stringify({ alg: 'none' }));
+        const payload = b64u.encode(this.#jwt.data());
+        return `${header}.${payload}.`;
+    }
+    setIssuer(issuer) {
+        this.#jwt.iss = issuer;
+        return this;
+    }
+    setSubject(subject) {
+        this.#jwt.sub = subject;
+        return this;
+    }
+    setAudience(audience) {
+        this.#jwt.aud = audience;
+        return this;
+    }
+    setJti(jwtId) {
+        this.#jwt.jti = jwtId;
+        return this;
+    }
+    setNotBefore(input) {
+        this.#jwt.nbf = input;
+        return this;
+    }
+    setExpirationTime(input) {
+        this.#jwt.exp = input;
+        return this;
+    }
+    setIssuedAt(input) {
+        this.#jwt.iat = input;
+        return this;
+    }
+    static decode(jwt, options) {
+        if (typeof jwt !== 'string') {
+            throw new JWTInvalid('Unsecured JWT must be a string');
+        }
+        const { 0: encodedHeader, 1: encodedPayload, 2: signature, length } = jwt.split('.');
+        if (length !== 3 || signature !== '') {
+            throw new JWTInvalid('Invalid Unsecured JWT');
+        }
+        let header;
+        try {
+            header = JSON.parse(decoder.decode(b64u.decode(encodedHeader)));
+            if (header.alg !== 'none')
+                throw new Error();
+        }
+        catch {
+            throw new JWTInvalid('Invalid Unsecured JWT');
+        }
+        const payload = validateClaimsSet(header, b64u.decode(encodedPayload), options);
+        return { payload, header };
+    }
+}

package/dist/webapi/jwt/verify.js

@@ -0,0 +1,15 @@
+import { compactVerify } from '../jws/compact/verify.js';
+import { validateClaimsSet } from '../lib/jwt_claims_set.js';
+import { JWTInvalid } from '../util/errors.js';
+export async function jwtVerify(jwt, key, options) {
+    const verified = await compactVerify(jwt, key, options);
+    if (verified.protectedHeader.crit?.includes('b64') && verified.protectedHeader.b64 === false) {
+        throw new JWTInvalid('JWTs MUST NOT use unencoded payload');
+    }
+    const payload = validateClaimsSet(verified.protectedHeader, verified.payload, options);
+    const result = { payload, protectedHeader: verified.protectedHeader };
+    if (typeof key === 'function') {
+        return { ...result, key: verified.key };
+    }
+    return result;
+}

package/dist/webapi/key/export.js

@@ -0,0 +1,11 @@
+import { toSPKI as exportPublic, toPKCS8 as exportPrivate } from '../lib/asn1.js';
+import { keyToJWK } from '../lib/key_to_jwk.js';
+export async function exportSPKI(key) {
+    return exportPublic(key);
+}
+export async function exportPKCS8(key) {
+    return exportPrivate(key);
+}
+export async function exportJWK(key) {
+    return keyToJWK(key);
+}

package/dist/webapi/key/generate_key_pair.js

@@ -0,0 +1,97 @@
+import { JOSENotSupported } from '../util/errors.js';
+function getModulusLengthOption(options) {
+    const modulusLength = options?.modulusLength ?? 2048;
+    if (typeof modulusLength !== 'number' || modulusLength < 2048) {
+        throw new JOSENotSupported('Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used');
+    }
+    return modulusLength;
+}
+export async function generateKeyPair(alg, options) {
+    let algorithm;
+    let keyUsages;
+    switch (alg) {
+        case 'PS256':
+        case 'PS384':
+        case 'PS512':
+            algorithm = {
+                name: 'RSA-PSS',
+                hash: `SHA-${alg.slice(-3)}`,
+                publicExponent: Uint8Array.of(0x01, 0x00, 0x01),
+                modulusLength: getModulusLengthOption(options),
+            };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'RS256':
+        case 'RS384':
+        case 'RS512':
+            algorithm = {
+                name: 'RSASSA-PKCS1-v1_5',
+                hash: `SHA-${alg.slice(-3)}`,
+                publicExponent: Uint8Array.of(0x01, 0x00, 0x01),
+                modulusLength: getModulusLengthOption(options),
+            };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'RSA-OAEP':
+        case 'RSA-OAEP-256':
+        case 'RSA-OAEP-384':
+        case 'RSA-OAEP-512':
+            algorithm = {
+                name: 'RSA-OAEP',
+                hash: `SHA-${parseInt(alg.slice(-3), 10) || 1}`,
+                publicExponent: Uint8Array.of(0x01, 0x00, 0x01),
+                modulusLength: getModulusLengthOption(options),
+            };
+            keyUsages = ['decrypt', 'unwrapKey', 'encrypt', 'wrapKey'];
+            break;
+        case 'ES256':
+            algorithm = { name: 'ECDSA', namedCurve: 'P-256' };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'ES384':
+            algorithm = { name: 'ECDSA', namedCurve: 'P-384' };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'ES512':
+            algorithm = { name: 'ECDSA', namedCurve: 'P-521' };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'Ed25519':
+        case 'EdDSA': {
+            keyUsages = ['sign', 'verify'];
+            algorithm = { name: 'Ed25519' };
+            break;
+        }
+        case 'ML-DSA-44':
+        case 'ML-DSA-65':
+        case 'ML-DSA-87': {
+            keyUsages = ['sign', 'verify'];
+            algorithm = { name: alg };
+            break;
+        }
+        case 'ECDH-ES':
+        case 'ECDH-ES+A128KW':
+        case 'ECDH-ES+A192KW':
+        case 'ECDH-ES+A256KW': {
+            keyUsages = ['deriveBits'];
+            const crv = options?.crv ?? 'P-256';
+            switch (crv) {
+                case 'P-256':
+                case 'P-384':
+                case 'P-521': {
+                    algorithm = { name: 'ECDH', namedCurve: crv };
+                    break;
+                }
+                case 'X25519':
+                    algorithm = { name: 'X25519' };
+                    break;
+                default:
+                    throw new JOSENotSupported('Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519');
+            }
+            break;
+        }
+        default:
+            throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+    }
+    return crypto.subtle.generateKey(algorithm, options?.extractable ?? false, keyUsages);
+}

package/dist/webapi/key/generate_secret.js

@@ -0,0 +1,40 @@
+import { JOSENotSupported } from '../util/errors.js';
+export async function generateSecret(alg, options) {
+    let length;
+    let algorithm;
+    let keyUsages;
+    switch (alg) {
+        case 'HS256':
+        case 'HS384':
+        case 'HS512':
+            length = parseInt(alg.slice(-3), 10);
+            algorithm = { name: 'HMAC', hash: `SHA-${length}`, length };
+            keyUsages = ['sign', 'verify'];
+            break;
+        case 'A128CBC-HS256':
+        case 'A192CBC-HS384':
+        case 'A256CBC-HS512':
+            length = parseInt(alg.slice(-3), 10);
+            return crypto.getRandomValues(new Uint8Array(length >> 3));
+        case 'A128KW':
+        case 'A192KW':
+        case 'A256KW':
+            length = parseInt(alg.slice(1, 4), 10);
+            algorithm = { name: 'AES-KW', length };
+            keyUsages = ['wrapKey', 'unwrapKey'];
+            break;
+        case 'A128GCMKW':
+        case 'A192GCMKW':
+        case 'A256GCMKW':
+        case 'A128GCM':
+        case 'A192GCM':
+        case 'A256GCM':
+            length = parseInt(alg.slice(1, 4), 10);
+            algorithm = { name: 'AES-GCM', length };
+            keyUsages = ['encrypt', 'decrypt'];
+            break;
+        default:
+            throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+    }
+    return crypto.subtle.generateKey(algorithm, options?.extractable ?? false, keyUsages);
+}

package/dist/webapi/key/import.js

@@ -0,0 +1,57 @@
+import { decode as decodeBase64URL } from '../util/base64url.js';
+import { fromSPKI, fromPKCS8, fromX509 } from '../lib/asn1.js';
+import { jwkToKey } from '../lib/jwk_to_key.js';
+import { JOSENotSupported } from '../util/errors.js';
+import { isObject } from '../lib/type_checks.js';
+export async function importSPKI(spki, alg, options) {
+    if (typeof spki !== 'string' || spki.indexOf('-----BEGIN PUBLIC KEY-----') !== 0) {
+        throw new TypeError('"spki" must be SPKI formatted string');
+    }
+    return fromSPKI(spki, alg, options);
+}
+export async function importX509(x509, alg, options) {
+    if (typeof x509 !== 'string' || x509.indexOf('-----BEGIN CERTIFICATE-----') !== 0) {
+        throw new TypeError('"x509" must be X.509 formatted string');
+    }
+    return fromX509(x509, alg, options);
+}
+export async function importPKCS8(pkcs8, alg, options) {
+    if (typeof pkcs8 !== 'string' || pkcs8.indexOf('-----BEGIN PRIVATE KEY-----') !== 0) {
+        throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
+    }
+    return fromPKCS8(pkcs8, alg, options);
+}
+export async function importJWK(jwk, alg, options) {
+    if (!isObject(jwk)) {
+        throw new TypeError('JWK must be an object');
+    }
+    let ext;
+    alg ??= jwk.alg;
+    ext ??= options?.extractable ?? jwk.ext;
+    switch (jwk.kty) {
+        case 'oct':
+            if (typeof jwk.k !== 'string' || !jwk.k) {
+                throw new TypeError('missing "k" (Key Value) Parameter value');
+            }
+            return decodeBase64URL(jwk.k);
+        case 'RSA':
+            if ('oth' in jwk && jwk.oth !== undefined) {
+                throw new JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
+            }
+            return jwkToKey({ ...jwk, alg, ext });
+        case 'AKP': {
+            if (typeof jwk.alg !== 'string' || !jwk.alg) {
+                throw new TypeError('missing "alg" (Algorithm) Parameter value');
+            }
+            if (alg !== undefined && alg !== jwk.alg) {
+                throw new TypeError('JWK alg and alg option value mismatch');
+            }
+            return jwkToKey({ ...jwk, ext });
+        }
+        case 'EC':
+        case 'OKP':
+            return jwkToKey({ ...jwk, alg, ext });
+        default:
+            throw new JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
+    }
+}

package/dist/webapi/lib/aesgcmkw.js

@@ -0,0 +1,15 @@
+import { encrypt, decrypt } from './content_encryption.js';
+import { encode as b64u } from '../util/base64url.js';
+export async function wrap(alg, key, cek, iv) {
+    const jweAlgorithm = alg.slice(0, 7);
+    const wrapped = await encrypt(jweAlgorithm, cek, key, iv, new Uint8Array());
+    return {
+        encryptedKey: wrapped.ciphertext,
+        iv: b64u(wrapped.iv),
+        tag: b64u(wrapped.tag),
+    };
+}
+export async function unwrap(alg, key, encryptedKey, iv, tag) {
+    const jweAlgorithm = alg.slice(0, 7);
+    return decrypt(jweAlgorithm, key, encryptedKey, iv, tag, new Uint8Array());
+}

package/dist/webapi/lib/aeskw.js

@@ -0,0 +1,25 @@
+import { checkEncCryptoKey } from './crypto_key.js';
+function checkKeySize(key, alg) {
+    if (key.algorithm.length !== parseInt(alg.slice(1, 4), 10)) {
+        throw new TypeError(`Invalid key size for alg: ${alg}`);
+    }
+}
+function getCryptoKey(key, alg, usage) {
+    if (key instanceof Uint8Array) {
+        return crypto.subtle.importKey('raw', key, 'AES-KW', true, [usage]);
+    }
+    checkEncCryptoKey(key, alg, usage);
+    return key;
+}
+export async function wrap(alg, key, cek) {
+    const cryptoKey = await getCryptoKey(key, alg, 'wrapKey');
+    checkKeySize(cryptoKey, alg);
+    const cryptoKeyCek = await crypto.subtle.importKey('raw', cek, { hash: 'SHA-256', name: 'HMAC' }, true, ['sign']);
+    return new Uint8Array(await crypto.subtle.wrapKey('raw', cryptoKeyCek, cryptoKey, 'AES-KW'));
+}
+export async function unwrap(alg, key, encryptedKey) {
+    const cryptoKey = await getCryptoKey(key, alg, 'unwrapKey');
+    checkKeySize(cryptoKey, alg);
+    const cryptoKeyCek = await crypto.subtle.unwrapKey('raw', encryptedKey, cryptoKey, 'AES-KW', { hash: 'SHA-256', name: 'HMAC' }, true, ['sign']);
+    return new Uint8Array(await crypto.subtle.exportKey('raw', cryptoKeyCek));
+}