@schemavaults/jwt 0.6.13

package/dist/jwt/jwt_keys/generate_new_jwt_keyset.js

@@ -0,0 +1,110 @@
+import { apiServerIdSchema } from "@schemavaults/app-definitions";
+import ContentEncryptionKeyPairFactory from "./ContentEncryptionKeyPairFactory";
+import JWT_Keys from "./jwt_keys";
+import SigningKeyPairFactory from "./SigningKeyPairFactory";
+import isValidUuid from "../../utils/isValidUuid";
+/**
+ * @name generateJwtSigningKeyPair
+ * @param debug Enable additional debug logging
+ * @returns A PKCS8 and SPKI formatted RS256 key pair
+ */
+export async function generateJwtSigningKeyPair(debug = false) {
+    const signing_key_pair_factory = new SigningKeyPairFactory({ debug });
+    const [privateKey, publicKey] = await signing_key_pair_factory.generate("pem");
+    return [privateKey, publicKey];
+}
+/**
+ * @name generateJwtContentEncryptionKeyPair()
+ * @param debug Enable additional debug logging
+ * @returns 256-bit base64url-encoded content encryption key (string)
+ */
+export async function generateJwtContentEncryptionKeyPair(debug = false) {
+    const cek_key_pair_factory = new ContentEncryptionKeyPairFactory({ debug });
+    const [privateKey, publicKey] = await cek_key_pair_factory.generate("pem");
+    if (debug) {
+        console.log("[JWT_Keys] Generated encryption/decryption key pair: ", [
+            privateKey,
+            publicKey,
+        ]);
+    }
+    return [privateKey, publicKey];
+}
+const DEFAULT_KEYSET_VALID_DURATION = 1000 * 60 * 60 * 24 * 30; // 30 days
+export async function generateNewJwtKeySet(opts) {
+    if (!opts || typeof opts !== "object") {
+        throw new TypeError("Expected first argument to be an object of type IGenerateNewJwtKeySetOpts");
+    }
+    const debug = opts?.debug || false;
+    const audience_id = opts.audience_id;
+    if (typeof audience_id !== "string") {
+        throw new TypeError(`Invalid audience ID: '${audience_id}'. Should be a string.`);
+    }
+    else if (!apiServerIdSchema.safeParse(audience_id).success) {
+        throw new TypeError(`Invalid audience ID: '${audience_id}'. Should be a valid API server ID.`);
+    }
+    if (typeof opts?.keyset_id === "string") {
+        if (!isValidUuid(opts.keyset_id)) {
+            throw new TypeError(`Invalid keyset ID: '${opts.keyset_id}'. Should be a valid UUID, if provided.`);
+        }
+    }
+    else {
+        opts.keyset_id = undefined;
+    }
+    const [[privateEncryptDecryptKey, publicEncryptDecryptKey], [privateSigningKey, publicSigningVerifierKey],] = await Promise.all([
+        generateJwtContentEncryptionKeyPair(debug),
+        generateJwtSigningKeyPair(debug),
+    ]);
+    const keyset_id = typeof opts?.keyset_id === "string" ? opts.keyset_id : crypto.randomUUID();
+    const keyset_expiry = typeof opts?.keyset_expiry === "number"
+        ? opts.keyset_expiry
+        : Date.now() + DEFAULT_KEYSET_VALID_DURATION;
+    if (keyset_expiry < Date.now()) {
+        throw new Error(`Invalid keyset expiry: '${keyset_expiry}'. Should be a future timestamp.`);
+    }
+    const generatedKeys = new JWT_Keys({
+        audience_id,
+        keyset_id,
+        keyset_expiry,
+        encryption: {
+            // encryption happens with public key
+            format: "pem",
+            privacy_level: "public",
+            value: publicEncryptDecryptKey,
+            key_type: "encryption",
+            keyset_id,
+            audience_id,
+        },
+        decryption: {
+            // decryption happens with private key (counter-intuitively)
+            value: privateEncryptDecryptKey,
+            privacy_level: "private",
+            format: "pem",
+            key_type: "decryption",
+            keyset_id,
+            audience_id,
+        },
+        signing: {
+            value: privateSigningKey,
+            privacy_level: "private",
+            format: "pem",
+            key_type: "signing",
+            keyset_id,
+            audience_id,
+        },
+        verification: {
+            value: publicSigningVerifierKey,
+            privacy_level: "public",
+            format: "pem",
+            key_type: "verification",
+            keyset_id,
+            audience_id,
+        },
+        is_auth_server: true,
+    });
+    if (debug) {
+        console.log("generateNewJwtKeySet() -> ", generatedKeys);
+    }
+    return generatedKeys;
+}
+export default generateNewJwtKeySet;
+//# sourceMappingURL=generate_new_jwt_keyset.js.map

package/dist/jwt/jwt_keys/generate_new_jwt_keyset.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"generate_new_jwt_keyset.js","sourceRoot":"","sources":["../../../src/jwt/jwt_keys/generate_new_jwt_keyset.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,+BAA+B,CAAC;AAClE,OAAO,+BAA+B,MAAM,mCAAmC,CAAC;AAChF,OAAO,QAAQ,MAAM,YAAY,CAAC;AAClC,OAAO,qBAAqB,MAAM,yBAAyB,CAAC;AAC5D,OAAO,WAAW,MAAM,qBAAqB,CAAC;AAE9C;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,yBAAyB,CAC7C,QAAiB,KAAK;IAEtB,MAAM,wBAAwB,GAAG,IAAI,qBAAqB,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IACtE,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,GAC3B,MAAM,wBAAwB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAEjD,OAAO,CAAC,UAAU,EAAE,SAAS,CAG5B,CAAC;AACJ,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,mCAAmC,CACvD,QAAiB,KAAK;IAEtB,MAAM,oBAAoB,GAAG,IAAI,+BAA+B,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC;IAC5E,MAAM,CAAC,UAAU,EAAE,SAAS,CAAC,GAAG,MAAM,oBAAoB,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;IAE3E,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,uDAAuD,EAAE;YACnE,UAAU;YACV,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAED,OAAO,CAAC,UAAU,EAAE,SAAS,CAG5B,CAAC;AACJ,CAAC;AASD,MAAM,6BAA6B,GAAW,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,UAAU;AAElF,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,IAA+B;IAE/B,IAAI,CAAC,IAAI,IAAI,OAAO,IAAI,KAAK,QAAQ,EAAE,CAAC;QACtC,MAAM,IAAI,SAAS,CACjB,2EAA2E,CAC5E,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAY,IAAI,EAAE,KAAK,IAAI,KAAK,CAAC;IAE5C,MAAM,WAAW,GAAW,IAAI,CAAC,WAAW,CAAC;IAC7C,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;QACpC,MAAM,IAAI,SAAS,CACjB,yBAAyB,WAAW,wBAAwB,CAC7D,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,iBAAiB,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC,OAAO,EAAE,CAAC;QAC7D,MAAM,IAAI,SAAS,CACjB,yBAAyB,WAAW,qCAAqC,CAC1E,CAAC;IACJ,CAAC;IAED,IAAI,OAAO,IAAI,EAAE,SAAS,KAAK,QAAQ,EAAE,CAAC;QACxC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;YACjC,MAAM,IAAI,SAAS,CACjB,uBAAuB,IAAI,CAAC,SAAS,yCAAyC,CAC/E,CAAC;QACJ,CAAC;IACH,CAAC;SAAM,CAAC;QACN,IAAI,CAAC,SAAS,GAAG,SAAS,CAAC;IAC7B,CAAC;IAED,MAAM,CACJ,CAAC,wBAAwB,EAAE,uBAAuB,CAAC,EACnD,CAAC,iBAAiB,EAAE,wBAAwB,CAAC,EAC9C,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACpB,mCAAmC,CAAC,KAAK,CAAC;QAC1C,yBAAyB,CAAC,KAAK,CAAC;KACjC,CAAC,CAAC;IAEH,MAAM,SAAS,GACb,OAAO,IAAI,EAAE,SAAS,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC;IAC7E,MAAM,aAAa,GACjB,OAAO,IAAI,EAAE,aAAa,KAAK,QAAQ;QACrC,CAAC,CAAC,IAAI,CAAC,aAAa;QACpB,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,6BAA6B,CAAC;IACjD,IAAI,aAAa,GAAG,IAAI,CAAC,GAAG,EAAE,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,2BAA2B,aAAa,kCAAkC,CAC3E,CAAC;IACJ,CAAC;IAED,MAAM,aAAa,GAAa,IAAI,QAAQ,CAAC;QAC3C,WAAW;QACX,SAAS;QACT,aAAa;QACb,UAAU,EAAE;YACV,qCAAqC;YACrC,MAAM,EAAE,KAAK;YACb,aAAa,EAAE,QAAQ;YACvB,KAAK,EAAE,uBAAuB;YAC9B,QAAQ,EAAE,YAAY;YACtB,SAAS;YACT,WAAW;SACZ;QACD,UAAU,EAAE;YACV,4DAA4D;YAC5D,KAAK,EAAE,wBAAwB;YAC/B,aAAa,EAAE,SAAS;YACxB,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,YAAY;YACtB,SAAS;YACT,WAAW;SACZ;QACD,OAAO,EAAE;YACP,KAAK,EAAE,iBAAiB;YACxB,aAAa,EAAE,SAAS;YACxB,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,SAAS;YACnB,SAAS;YACT,WAAW;SACZ;QACD,YAAY,EAAE;YACZ,KAAK,EAAE,wBAAwB;YAC/B,aAAa,EAAE,QAAQ;YACvB,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,cAAc;YACxB,SAAS;YACT,WAAW;SACZ;QACD,cAAc,EAAE,IAAI;KACrB,CAAC,CAAC;IAEH,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,GAAG,CAAC,4BAA4B,EAAE,aAAa,CAAC,CAAC;IAC3D,CAAC;IAED,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,eAAe,oBAAoB,CAAC"}

package/dist/jwt/jwt_keys/getAlgorithmForKey.d.ts

@@ -0,0 +1,2 @@
+import type { JsonSerializedJwtKey } from "./JsonSerializedJwtKey";
+export default function getAlgorithmForKey(key: JsonSerializedJwtKey): string;

package/dist/jwt/jwt_keys/getAlgorithmForKey.js

@@ -0,0 +1,14 @@
+import encryptDecryptAlg from "../encrypt_decrypt_alg";
+import signVerifyAlg from "../sign_verify_alg";
+export default function getAlgorithmForKey(key) {
+    if (key.key_type === "encryption" || key.key_type === "decryption") {
+        return encryptDecryptAlg;
+    }
+    else if (key.key_type === "signing" || key.key_type === "verification") {
+        return signVerifyAlg;
+    }
+    else {
+        throw new Error(`Unsupported key type: ${key.key_type}`);
+    }
+}
+//# sourceMappingURL=getAlgorithmForKey.js.map

package/dist/jwt/jwt_keys/getAlgorithmForKey.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"getAlgorithmForKey.js","sourceRoot":"","sources":["../../../src/jwt/jwt_keys/getAlgorithmForKey.ts"],"names":[],"mappings":"AACA,OAAO,iBAAiB,MAAM,wBAAwB,CAAC;AACvD,OAAO,aAAa,MAAM,oBAAoB,CAAC;AAE/C,MAAM,CAAC,OAAO,UAAU,kBAAkB,CAAC,GAAyB;IAClE,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,IAAI,GAAG,CAAC,QAAQ,KAAK,YAAY,EAAE,CAAC;QACnE,OAAO,iBAAiB,CAAC;IAC3B,CAAC;SAAM,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,IAAI,GAAG,CAAC,QAAQ,KAAK,cAAc,EAAE,CAAC;QACzE,OAAO,aAAa,CAAC;IACvB,CAAC;SAAM,CAAC;QACN,MAAM,IAAI,KAAK,CAAC,yBAAyB,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC;IAC3D,CAAC;AACH,CAAC"}

package/dist/jwt/jwt_keys/importAsymmetricJWK.d.ts

@@ -0,0 +1,3 @@
+import type { JWK } from "./JWK";
+export declare function importAsymmetricJWK(jwk: JWK): Promise<CryptoKey>;
+export default importAsymmetricJWK;

package/dist/jwt/jwt_keys/importAsymmetricJWK.js

@@ -0,0 +1,15 @@
+import { importJWK as importJsonWebKey } from "jose";
+export async function importAsymmetricJWK(jwk) {
+    if (!("alg" in jwk)) {
+        throw new Error("Invalid JWK: missing 'alg' property");
+    }
+    const activated_key = await importJsonWebKey(jwk);
+    // Symmetric JSON Web Keys (i.e. kty: "oct") yield back an Uint8Array instead of a CryptoKey.
+    // We're only using asymmetric keys, so we can safely ignore this case.
+    if (activated_key instanceof Uint8Array) {
+        throw new TypeError("Invalid JWK: asymmetric key expected");
+    }
+    return activated_key;
+}
+export default importAsymmetricJWK;
+//# sourceMappingURL=importAsymmetricJWK.js.map

package/dist/jwt/jwt_keys/importAsymmetricJWK.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"importAsymmetricJWK.js","sourceRoot":"","sources":["../../../src/jwt/jwt_keys/importAsymmetricJWK.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,IAAI,gBAAgB,EAAE,MAAM,MAAM,CAAC;AAErD,MAAM,CAAC,KAAK,UAAU,mBAAmB,CAAC,GAAQ;IAChD,IAAI,CAAC,CAAC,KAAK,IAAI,GAAG,CAAC,EAAE,CAAC;QACpB,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,MAAM,aAAa,GAAG,MAAM,gBAAgB,CAAC,GAAG,CAAC,CAAC;IAElD,6FAA6F;IAC7F,uEAAuE;IAEvE,IAAI,aAAa,YAAY,UAAU,EAAE,CAAC;QACxC,MAAM,IAAI,SAAS,CAAC,sCAAsC,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO,aAAa,CAAC;AACvB,CAAC;AAED,eAAe,mBAAmB,CAAC"}

package/dist/jwt/jwt_keys/index.d.ts

@@ -0,0 +1,13 @@
+export { JWT_Keys, JWT_Keys as default } from "./jwt_keys";
+export type { I_JWT_Keys } from './I_JWT_Keys';
+export { jsonSerializedJwtKeySchema } from './JsonSerializedJwtKey';
+export type { JsonSerializedJwtKey } from './JsonSerializedJwtKey';
+export { ContentEncryptionKeyPairFactory } from './ContentEncryptionKeyPairFactory';
+export { SigningKeyPairFactory } from "./SigningKeyPairFactory";
+export { generateNewJwtKeySet, generateJwtContentEncryptionKeyPair, generateJwtSigningKeyPair } from './generate_new_jwt_keyset';
+import { to_public_jwks } from './to_public_jwks';
+export { to_public_jwks };
+export type { JWK } from './JWK';
+export type { JWKS } from './JWKS';
+export { importAsymmetricJWK } from "./importAsymmetricJWK";
+export { PEMFormat } from './pem-format';

package/dist/jwt/jwt_keys/index.js

@@ -0,0 +1,12 @@
+// jwt_keys/index.ts
+// JWT_Keys contains a set of keys used for JWT encryption and signing
+export { JWT_Keys, JWT_Keys as default } from "./jwt_keys";
+export { jsonSerializedJwtKeySchema } from './JsonSerializedJwtKey';
+export { ContentEncryptionKeyPairFactory } from './ContentEncryptionKeyPairFactory';
+export { SigningKeyPairFactory } from "./SigningKeyPairFactory";
+export { generateNewJwtKeySet, generateJwtContentEncryptionKeyPair, generateJwtSigningKeyPair } from './generate_new_jwt_keyset';
+import { to_public_jwks } from './to_public_jwks';
+export { to_public_jwks };
+export { importAsymmetricJWK } from "./importAsymmetricJWK";
+export { PEMFormat } from './pem-format';
+//# sourceMappingURL=index.js.map

package/dist/jwt/jwt_keys/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/jwt/jwt_keys/index.ts"],"names":[],"mappings":"AAAA,oBAAoB;AACpB,sEAAsE;AAEtE,OAAO,EAAE,QAAQ,EAAE,QAAQ,IAAI,OAAO,EAAE,MAAM,YAAY,CAAC;AAG3D,OAAO,EAAE,0BAA0B,EAAE,MAAM,wBAAwB,CAAC;AAGpE,OAAO,EAAE,+BAA+B,EAAE,MAAM,mCAAmC,CAAC;AACpF,OAAO,EAAE,qBAAqB,EAAE,MAAM,yBAAyB,CAAC;AAEhE,OAAO,EACL,oBAAoB,EACpB,mCAAmC,EACnC,yBAAyB,EAC1B,MAAM,2BAA2B,CAAC;AAEnC,OAAO,EAAE,cAAc,EAAE,MAAM,kBAAkB,CAAC;AAClD,OAAO,EAAE,cAAc,EAAE,CAAC;AAI1B,OAAO,EAAE,mBAAmB,EAAE,MAAM,uBAAuB,CAAC;AAE5D,OAAO,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA"}

package/dist/jwt/jwt_keys/jwt_keys.d.ts

@@ -0,0 +1,33 @@
+import { type CryptoKey } from "jose";
+import Raw_JWT_Keys_Store, { type IInitRawJwtKeysStoreOptions } from "./raw_jwt_keys_store";
+import type { JsonSerializedJwtKey } from "./JsonSerializedJwtKey";
+import type { I_JWT_Keys } from "./I_JWT_Keys";
+/**
+ * @name JWT_Keys
+ * @class
+ * @description A class for interacting with JWT keys-- both encryption/decryption
+ * @constructor JWT_Keys.init(...)
+ * @hideconstructor
+ */
+export declare class JWT_Keys implements I_JWT_Keys {
+    get audience_id(): string;
+    get keyset_id(): string;
+    get keyset_expiry(): number;
+    readonly raw_keys: Raw_JWT_Keys_Store;
+    constructor(raw_keys_or_opts: Raw_JWT_Keys_Store | IInitRawJwtKeysStoreOptions);
+    get signing_key(): Promise<CryptoKey> | null;
+    get verification_key(): Promise<CryptoKey>;
+    private static init_private_signing_crypto_key;
+    private static init_spki_public_verification_key;
+    private static init_decryption_key;
+    private static init_encryption_key;
+    get encryption_key(): Promise<CryptoKey> | null;
+    get decryption_key(): Promise<CryptoKey>;
+    exportKeys(): Raw_JWT_Keys_Store;
+    listSerializedKeys(): readonly JsonSerializedJwtKey[];
+    get signing_key_json(): JsonSerializedJwtKey | null;
+    get verification_key_json(): JsonSerializedJwtKey;
+    get encryption_key_json(): JsonSerializedJwtKey | null;
+    get decryption_key_json(): JsonSerializedJwtKey;
+}
+export default JWT_Keys;

package/dist/jwt/jwt_keys/jwt_keys.js

@@ -0,0 +1,96 @@
+import { importPKCS8, importSPKI } from "jose";
+import Raw_JWT_Keys_Store from "./raw_jwt_keys_store";
+import encryptDecryptAlg from "../encrypt_decrypt_alg";
+import signingVerificationAlg from "../sign_verify_alg";
+/**
+ * @name JWT_Keys
+ * @class
+ * @description A class for interacting with JWT keys-- both encryption/decryption
+ * @constructor JWT_Keys.init(...)
+ * @hideconstructor
+ */
+export class JWT_Keys {
+    get audience_id() {
+        const audience_id = this.raw_keys.audience_id;
+        if (typeof audience_id !== "string") {
+            throw new Error("Expected 'audience_id' to be a string!");
+        }
+        return audience_id;
+    }
+    get keyset_id() {
+        return this.raw_keys.keyset_id;
+    }
+    get keyset_expiry() {
+        return this.raw_keys.keyset_expiry;
+    }
+    raw_keys;
+    constructor(raw_keys_or_opts) {
+        this.raw_keys =
+            raw_keys_or_opts instanceof Raw_JWT_Keys_Store
+                ? raw_keys_or_opts
+                : new Raw_JWT_Keys_Store(raw_keys_or_opts);
+    }
+    get signing_key() {
+        const raw_signing_key = this.raw_keys.signing;
+        if (!raw_signing_key) {
+            return null;
+        }
+        return JWT_Keys.init_private_signing_crypto_key(raw_signing_key);
+    }
+    get verification_key() {
+        const raw_verifier_key = this.raw_keys.verification;
+        return JWT_Keys.init_spki_public_verification_key(raw_verifier_key);
+    }
+    static async init_private_signing_crypto_key(pkcs8) {
+        return (await importPKCS8(pkcs8, signingVerificationAlg, {
+            extractable: true,
+        }));
+    }
+    static async init_spki_public_verification_key(spki) {
+        return await importSPKI(spki, signingVerificationAlg, {
+            extractable: true,
+        });
+    }
+    static async init_decryption_key(pkcs8) {
+        const initializedPkcs8EncryptionKey = await importPKCS8(pkcs8, encryptDecryptAlg, {
+            extractable: true,
+        });
+        return initializedPkcs8EncryptionKey;
+    }
+    static async init_encryption_key(spki) {
+        return await importSPKI(spki, encryptDecryptAlg, {
+            extractable: true,
+        });
+    }
+    get encryption_key() {
+        const raw_encryption_key = this.raw_keys.encryption;
+        if (!raw_encryption_key) {
+            return null;
+        }
+        return JWT_Keys.init_encryption_key(raw_encryption_key);
+    }
+    get decryption_key() {
+        const raw_decryption_key = this.raw_keys.decryption;
+        return JWT_Keys.init_decryption_key(raw_decryption_key);
+    }
+    exportKeys() {
+        return this.raw_keys;
+    }
+    listSerializedKeys() {
+        return this.exportKeys().listSerializedKeys();
+    }
+    get signing_key_json() {
+        return this.raw_keys.signing_json ?? null;
+    }
+    get verification_key_json() {
+        return this.raw_keys.verification_json;
+    }
+    get encryption_key_json() {
+        return this.raw_keys.encryption_json ?? null;
+    }
+    get decryption_key_json() {
+        return this.raw_keys.decryption_json;
+    }
+}
+export default JWT_Keys;
+//# sourceMappingURL=jwt_keys.js.map

package/dist/jwt/jwt_keys/jwt_keys.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jwt_keys.js","sourceRoot":"","sources":["../../../src/jwt/jwt_keys/jwt_keys.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,UAAU,EAAkB,MAAM,MAAM,CAAC;AAC/D,OAAO,kBAEN,MAAM,sBAAsB,CAAC;AAC9B,OAAO,iBAAiB,MAAM,wBAAwB,CAAC;AACvD,OAAO,sBAAsB,MAAM,oBAAoB,CAAC;AAIxD;;;;;;GAMG;AACH,MAAM,OAAO,QAAQ;IACnB,IAAW,WAAW;QACpB,MAAM,WAAW,GAAW,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC;QACtD,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAC5D,CAAC;QACD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,IAAW,SAAS;QAClB,OAAO,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC;IACjC,CAAC;IAED,IAAW,aAAa;QACtB,OAAO,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC;IACrC,CAAC;IAEe,QAAQ,CAAqB;IAE7C,YACE,gBAAkE;QAElE,IAAI,CAAC,QAAQ;YACX,gBAAgB,YAAY,kBAAkB;gBAC5C,CAAC,CAAC,gBAAgB;gBAClB,CAAC,CAAC,IAAI,kBAAkB,CAAC,gBAAgB,CAAC,CAAC;IACjD,CAAC;IAED,IAAW,WAAW;QACpB,MAAM,eAAe,GAAkB,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC;QAC7D,IAAI,CAAC,eAAe,EAAE,CAAC;YACrB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,QAAQ,CAAC,+BAA+B,CAAC,eAAe,CAAC,CAAC;IACnE,CAAC;IAED,IAAW,gBAAgB;QACzB,MAAM,gBAAgB,GAAW,IAAI,CAAC,QAAQ,CAAC,YAAY,CAAC;QAC5D,OAAO,QAAQ,CAAC,iCAAiC,CAAC,gBAAgB,CAAC,CAAC;IACtE,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,+BAA+B,CAClD,KAAa;QAEb,OAAO,CAAC,MAAM,WAAW,CAAC,KAAK,EAAE,sBAAsB,EAAE;YACvD,WAAW,EAAE,IAAI;SAClB,CAAC,CAAqB,CAAC;IAC1B,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,iCAAiC,CACpD,IAAY;QAEZ,OAAO,MAAM,UAAU,CAAC,IAAI,EAAE,sBAAsB,EAAE;YACpD,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,KAAa;QACpD,MAAM,6BAA6B,GAAc,MAAM,WAAW,CAChE,KAAK,EACL,iBAAiB,EACjB;YACE,WAAW,EAAE,IAAI;SAClB,CACF,CAAC;QACF,OAAO,6BAA6B,CAAC;IACvC,CAAC;IAEO,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,IAAY;QACnD,OAAO,MAAM,UAAU,CAAC,IAAI,EAAE,iBAAiB,EAAE;YAC/C,WAAW,EAAE,IAAI;SAClB,CAAC,CAAC;IACL,CAAC;IAED,IAAW,cAAc;QACvB,MAAM,kBAAkB,GAAkB,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QACnE,IAAI,CAAC,kBAAkB,EAAE,CAAC;YACxB,OAAO,IAAI,CAAC;QACd,CAAC;QACD,OAAO,QAAQ,CAAC,mBAAmB,CAAC,kBAAkB,CAAC,CAAC;IAC1D,CAAC;IAED,IAAW,cAAc;QACvB,MAAM,kBAAkB,GAAW,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC;QAC5D,OAAO,QAAQ,CAAC,mBAAmB,CAAC,kBAAkB,CAAC,CAAC;IAC1D,CAAC;IAEM,UAAU;QACf,OAAO,IAAI,CAAC,QAAQ,CAAC;IACvB,CAAC;IAEM,kBAAkB;QACvB,OAAO,IAAI,CAAC,UAAU,EAAE,CAAC,kBAAkB,EAAE,CAAC;IAChD,CAAC;IAED,IAAW,gBAAgB;QACzB,OAAO,IAAI,CAAC,QAAQ,CAAC,YAAY,IAAI,IAAI,CAAC;IAC5C,CAAC;IAED,IAAW,qBAAqB;QAC9B,OAAO,IAAI,CAAC,QAAQ,CAAC,iBAAiB,CAAC;IACzC,CAAC;IAED,IAAW,mBAAmB;QAC5B,OAAO,IAAI,CAAC,QAAQ,CAAC,eAAe,IAAI,IAAI,CAAC;IAC/C,CAAC;IAED,IAAW,mBAAmB;QAC5B,OAAO,IAAI,CAAC,QAAQ,CAAC,eAAe,CAAC;IACvC,CAAC;CACF;AAED,eAAe,QAAQ,CAAC"}

package/dist/jwt/jwt_keys/pem-format.d.ts

@@ -0,0 +1,17 @@
+/**
+ * @name PEMFormat
+ * @class
+ * @hideconstructor
+ * @see PEMFormat.toPemFormat()
+ * @see PEMFormat.isPemFormat()
+ */
+export declare class PEMFormat {
+    private constructor();
+    private static arrayBufferToBase64;
+    private static addNewLines;
+    private static getPemPrefix;
+    private static getPemSuffix;
+    static toPemFormat(key: ArrayBuffer, key_type: "PUBLIC" | "PRIVATE"): string;
+    static isPemFormat(key: string, key_type: "PUBLIC" | "PRIVATE"): boolean;
+}
+export default PEMFormat;

package/dist/jwt/jwt_keys/pem-format.js

@@ -0,0 +1,69 @@
+/**
+ * @name PEMFormat
+ * @class
+ * @hideconstructor
+ * @see PEMFormat.toPemFormat()
+ * @see PEMFormat.isPemFormat()
+ */
+export class PEMFormat {
+    constructor() { }
+    static arrayBufferToBase64(arrayBuffer) {
+        let byteArray = new Uint8Array(arrayBuffer);
+        let byteString = "";
+        for (var i = 0; i < byteArray.byteLength; i++) {
+            byteString += String.fromCharCode(byteArray[i]);
+        }
+        return btoa(byteString);
+    }
+    static addNewLines(base64str) {
+        let finalString = "";
+        let remainingString = base64str;
+        while (remainingString.length > 0) {
+            finalString += `${remainingString.substring(0, 64)}\n`;
+            remainingString = remainingString.substring(64);
+        }
+        return finalString;
+    }
+    static getPemPrefix(key_type) {
+        return `-----BEGIN ${key_type} KEY-----`;
+    }
+    static getPemSuffix(key_type) {
+        return `-----END ${key_type} KEY-----`;
+    }
+    static toPemFormat(key, key_type) {
+        if (key_type !== "PUBLIC" && key_type !== "PRIVATE") {
+            throw new Error("Expected 'key_type' to be 'PUBLIC' or 'PRIVATE'");
+        }
+        const raw_base64_key = PEMFormat.arrayBufferToBase64(key);
+        const with_newlines = PEMFormat.addNewLines(raw_base64_key);
+        const pem = `${PEMFormat.getPemPrefix(key_type)}\n` +
+            with_newlines +
+            `${PEMFormat.getPemSuffix(key_type)}`;
+        return pem;
+    }
+    static isPemFormat(key, key_type) {
+        if (key_type !== "PUBLIC" && key_type !== "PRIVATE") {
+            throw new Error("Expected 'key_type' to be 'PUBLIC' or 'PRIVATE'");
+        }
+        const prefix = PEMFormat.getPemPrefix(key_type);
+        const suffix = PEMFormat.getPemSuffix(key_type);
+        if (!key.startsWith(prefix)) {
+            console.error("[isPemFormat] key does not start with prefix: ", prefix);
+            return false;
+        }
+        else if (!key.endsWith(suffix)) {
+            console.error("[isPemFormat] key does not end with suffix: ", suffix);
+            return false;
+        }
+        const allLinesLessThan64Chars = key
+            .split("\n")
+            .every((line) => line.length <= 64);
+        if (!allLinesLessThan64Chars) {
+            console.error("[isPemFormat] key has line length longer than 64!");
+            return false;
+        }
+        return true;
+    }
+}
+export default PEMFormat;
+//# sourceMappingURL=pem-format.js.map

package/dist/jwt/jwt_keys/pem-format.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"pem-format.js","sourceRoot":"","sources":["../../../src/jwt/jwt_keys/pem-format.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AACH,MAAM,OAAO,SAAS;IACpB,gBAAuB,CAAC;IAEhB,MAAM,CAAC,mBAAmB,CAAC,WAAwB;QACzD,IAAI,SAAS,GAAe,IAAI,UAAU,CAAC,WAAW,CAAC,CAAC;QACxD,IAAI,UAAU,GAAW,EAAE,CAAC;QAC5B,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,SAAS,CAAC,UAAU,EAAE,CAAC,EAAE,EAAE,CAAC;YAC9C,UAAU,IAAI,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;QAClD,CAAC;QACD,OAAO,IAAI,CAAC,UAAU,CAAC,CAAC;IAC1B,CAAC;IAEO,MAAM,CAAC,WAAW,CAAC,SAAiB;QAC1C,IAAI,WAAW,GAAW,EAAE,CAAC;QAC7B,IAAI,eAAe,GAAW,SAAS,CAAC;QACxC,OAAO,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,WAAW,IAAI,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC;YACvD,eAAe,GAAG,eAAe,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QAClD,CAAC;QAED,OAAO,WAAW,CAAC;IACrB,CAAC;IAEO,MAAM,CAAC,YAAY,CAAC,QAA8B;QACxD,OAAO,cAAc,QAAQ,WAAqC,CAAC;IACrE,CAAC;IAEO,MAAM,CAAC,YAAY,CAAC,QAA8B;QACxD,OAAO,YAAY,QAAQ,WAAqC,CAAC;IACnE,CAAC;IAEM,MAAM,CAAC,WAAW,CAAC,GAAgB,EAAE,QAA8B;QACxE,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,cAAc,GAAW,SAAS,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC;QAClE,MAAM,aAAa,GAAW,SAAS,CAAC,WAAW,CAAC,cAAc,CAAC,CAAC;QAEpE,MAAM,GAAG,GACP,GAAG,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI;YACvC,aAAa;YACb,GAAG,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,EAAE,CAAC;QAExC,OAAO,GAAG,CAAC;IACb,CAAC;IAEM,MAAM,CAAC,WAAW,CACvB,GAAW,EACX,QAA8B;QAE9B,IAAI,QAAQ,KAAK,QAAQ,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YACpD,MAAM,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC;QACrE,CAAC;QAED,MAAM,MAAM,GAAG,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAChD,MAAM,MAAM,GAAG,SAAS,CAAC,YAAY,CAAC,QAAQ,CAAC,CAAC;QAChD,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;YAC5B,OAAO,CAAC,KAAK,CAAC,gDAAgD,EAAE,MAAM,CAAC,CAAC;YACxE,OAAO,KAAK,CAAC;QACf,CAAC;aAAM,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACjC,OAAO,CAAC,KAAK,CAAC,8CAA8C,EAAE,MAAM,CAAC,CAAC;YACtE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,MAAM,uBAAuB,GAAG,GAAG;aAChC,KAAK,CAAC,IAAI,CAAC;aACX,KAAK,CAAC,CAAC,IAAI,EAAW,EAAE,CAAC,IAAI,CAAC,MAAM,IAAI,EAAE,CAAC,CAAC;QAC/C,IAAI,CAAC,uBAAuB,EAAE,CAAC;YAC7B,OAAO,CAAC,KAAK,CAAC,mDAAmD,CAAC,CAAC;YACnE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF;AAED,eAAe,SAAS,CAAC"}

package/dist/jwt/jwt_keys/raw_jwt_keys_store.d.ts

@@ -0,0 +1,38 @@
+import { type JsonSerializedJwtKey } from "./JsonSerializedJwtKey";
+export interface IInitRawJwtKeysStoreOptions {
+    audience_id: string;
+    keyset_id: string;
+    keyset_expiry: number;
+    encryption?: JsonSerializedJwtKey;
+    decryption: JsonSerializedJwtKey;
+    signing?: JsonSerializedJwtKey;
+    verification: JsonSerializedJwtKey;
+    is_auth_server?: boolean;
+}
+declare class Raw_JWT_Keys_Store {
+    readonly audience_id: string;
+    readonly keyset_id: string;
+    private readonly is_auth_server;
+    readonly keyset_expiry: number;
+    private readonly _raw_encryption_key;
+    private readonly _raw_decryption_key;
+    private readonly _raw_signing_key;
+    private readonly _raw_verification_key;
+    private static parseKeyValue;
+    private static encodeBase64Url;
+    constructor({ audience_id, keyset_id, keyset_expiry, encryption, decryption, signing, verification, is_auth_server, }: IInitRawJwtKeysStoreOptions);
+    get encryption(): string | null;
+    get decryption(): string;
+    get signing(): string | null;
+    get verification(): string;
+    get encryption_base64url(): string | null;
+    get decryption_base64url(): string;
+    get verification_base64url(): string;
+    get signing_base64url(): string | null;
+    get encryption_json(): JsonSerializedJwtKey | null;
+    get decryption_json(): JsonSerializedJwtKey;
+    get signing_json(): JsonSerializedJwtKey | null;
+    get verification_json(): JsonSerializedJwtKey;
+    listSerializedKeys(): readonly JsonSerializedJwtKey[];
+}
+export default Raw_JWT_Keys_Store;

package/dist/jwt/jwt_keys/raw_jwt_keys_store.js

@@ -0,0 +1,191 @@
+import isValidBase64UrlEncoding from "../../utils/isValidBase64UrlEncoding";
+import PEMFormat from "./pem-format";
+import { base64url } from "jose";
+import { jsonSerializedJwtKeySchema, } from "./JsonSerializedJwtKey";
+import isValidUuid from "../../utils/isValidUuid";
+import { apiServerIdSchema } from "@schemavaults/app-definitions";
+class Raw_JWT_Keys_Store {
+    audience_id;
+    keyset_id;
+    is_auth_server;
+    keyset_expiry;
+    // Keys for encryption/decryption (JWE)
+    _raw_encryption_key;
+    _raw_decryption_key;
+    // Keys for signing/verification (JWS)
+    _raw_signing_key;
+    _raw_verification_key;
+    // Parses the IKeyInitFormat into 'pem' format
+    static parseKeyValue(key) {
+        const parsed_key = jsonSerializedJwtKeySchema.safeParse(key);
+        if (!parsed_key.success) {
+            console.error("Invalid key to save within Raw_Jwt_Keys_Store:", parsed_key.error);
+            throw new TypeError("Invalid key to save within Raw_Jwt_Keys_Store!");
+        }
+        if (key.format === "pem") {
+            if (!PEMFormat.isPemFormat(key.value, key.privacy_level === "private" ? "PRIVATE" : "PUBLIC")) {
+                throw new TypeError("Invalid PEM format for key!");
+            }
+            return key.value;
+        }
+        else if (key.format === "base64url") {
+            if (!isValidBase64UrlEncoding(key.value)) {
+                throw new TypeError("Invalid base64url format for key!");
+            }
+            const utf8_key_value = Buffer.from(key.value, "base64url").toString("utf8");
+            return Raw_JWT_Keys_Store.parseKeyValue({
+                format: "pem",
+                value: utf8_key_value,
+                privacy_level: key.privacy_level,
+                key_type: key.key_type,
+                keyset_id: key.keyset_id,
+                audience_id: key.audience_id,
+            });
+        }
+        else {
+            throw new Error("Invalid key format. Expected either 'pem' or 'base64url'");
+        }
+    }
+    static encodeBase64Url(key) {
+        return base64url.encode(key);
+    }
+    constructor({ audience_id, keyset_id, keyset_expiry, encryption, decryption, signing, verification, is_auth_server, }) {
+        // Validate keyset ID
+        if (!isValidUuid(keyset_id)) {
+            throw new TypeError("Expected 'keyset_id' to be a valid UUID!");
+        }
+        this.keyset_id = keyset_id;
+        // Validate audience ID
+        if (typeof audience_id !== "string" ||
+            !apiServerIdSchema.safeParse(audience_id).success) {
+            throw new TypeError("Expected 'audience_id' to be a valid API server ID!");
+        }
+        this.audience_id = audience_id;
+        if (typeof keyset_expiry !== "number" || isNaN(keyset_expiry)) {
+            // Validate keyset expiry time
+            throw new TypeError("Expected 'keyset_expiry' to be a number!");
+        }
+        this.keyset_expiry = keyset_expiry;
+        // Parse keys from options
+        this._raw_encryption_key = encryption?.value
+            ? Raw_JWT_Keys_Store.parseKeyValue(encryption)
+            : null;
+        this._raw_decryption_key = Raw_JWT_Keys_Store.parseKeyValue(decryption);
+        this._raw_signing_key = signing?.value
+            ? Raw_JWT_Keys_Store.parseKeyValue(signing)
+            : null;
+        this._raw_verification_key = Raw_JWT_Keys_Store.parseKeyValue(verification);
+        // Enable auth server mode if specified (throws if missing signing/encryption keys)
+        this.is_auth_server = is_auth_server || false;
+        if (this.is_auth_server) {
+            // Signing & Encryption Keys are required for the auth server
+            if (!this._raw_encryption_key || !this._raw_signing_key) {
+                throw new Error("Missing required key(s) for auth server");
+            }
+        }
+        // Throw if decryption or verifier are missing (always required)
+        if (!this._raw_decryption_key) {
+            throw new Error("Decryption key must always be present!");
+        }
+        else if (!this._raw_verification_key) {
+            throw new Error("Verifier key must always be present!");
+        }
+    }
+    // Returns the PEM-encoded encryption key, if stored
+    get encryption() {
+        return this._raw_encryption_key ?? null;
+    }
+    // Returns the PEM-encoded decryption key
+    get decryption() {
+        return this._raw_decryption_key;
+    }
+    // Returns the PEM-encoded signing key, if stored
+    get signing() {
+        return this._raw_signing_key;
+    }
+    // Returns the PEM-encoded verification key
+    get verification() {
+        return this._raw_verification_key;
+    }
+    get encryption_base64url() {
+        return this.encryption
+            ? Raw_JWT_Keys_Store.encodeBase64Url(this.encryption)
+            : null;
+    }
+    get decryption_base64url() {
+        return Raw_JWT_Keys_Store.encodeBase64Url(this.decryption);
+    }
+    get verification_base64url() {
+        return Raw_JWT_Keys_Store.encodeBase64Url(this.verification);
+    }
+    get signing_base64url() {
+        return this.signing
+            ? Raw_JWT_Keys_Store.encodeBase64Url(this.signing)
+            : null;
+    }
+    get encryption_json() {
+        const value = this.encryption;
+        if (!value) {
+            return null;
+        }
+        return {
+            format: "pem",
+            value,
+            privacy_level: "public",
+            key_type: "encryption",
+            keyset_id: this.keyset_id,
+            audience_id: this.audience_id,
+        };
+    }
+    get decryption_json() {
+        const value = this.decryption;
+        return {
+            format: "pem",
+            value,
+            privacy_level: "private", // decryption is with private-key, counter-intuitively
+            key_type: "decryption",
+            keyset_id: this.keyset_id,
+            audience_id: this.audience_id,
+        };
+    }
+    get signing_json() {
+        const value = this.signing;
+        if (!value) {
+            return null;
+        }
+        return {
+            format: "pem",
+            value,
+            privacy_level: "private",
+            key_type: "signing",
+            keyset_id: this.keyset_id,
+            audience_id: this.audience_id,
+        };
+    }
+    get verification_json() {
+        const value = this.verification;
+        return {
+            format: "pem",
+            value,
+            privacy_level: "public",
+            key_type: "verification",
+            keyset_id: this.keyset_id,
+            audience_id: this.audience_id,
+        };
+    }
+    listSerializedKeys() {
+        const keys = [
+            this.decryption_json,
+            this.verification_json,
+        ];
+        if (this.encryption) {
+            keys.push(this.encryption_json);
+        }
+        if (this.signing) {
+            keys.push(this.signing_json);
+        }
+        return keys;
+    }
+}
+export default Raw_JWT_Keys_Store;
+//# sourceMappingURL=raw_jwt_keys_store.js.map