npm - @sphereon/ssi-sdk-ext.jwt-service - Versions diffs - 0.24.1-unstable.93 → 0.25.1-feature.OIDF.69.39 - Mend

@sphereon/ssi-sdk-ext.jwt-service 0.24.1-unstable.93 → 0.25.1-feature.OIDF.69.39

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/README.md +73 -374
package/dist/agent/JwtService.d.ts +3 -0
package/dist/agent/JwtService.d.ts.map +1 -1
package/dist/agent/JwtService.js +78 -1
package/dist/agent/JwtService.js.map +1 -1
package/dist/functions/JWE.d.ts +75 -0
package/dist/functions/JWE.d.ts.map +1 -0
package/dist/functions/JWE.js +280 -0
package/dist/functions/JWE.js.map +1 -0
package/dist/functions/index.d.ts +19 -5
package/dist/functions/index.d.ts.map +1 -1
package/dist/functions/index.js +171 -19
package/dist/functions/index.js.map +1 -1
package/dist/index.d.ts +1 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +3 -1
package/dist/index.js.map +1 -1
package/dist/tsdoc-metadata.json +1 -1
package/dist/types/IJwtService.d.ts +149 -20
package/dist/types/IJwtService.d.ts.map +1 -1
package/dist/types/IJwtService.js +54 -1
package/dist/types/IJwtService.js.map +1 -1
package/package.json +15 -13
package/plugin.schema.json +4292 -282
package/src/agent/JwtService.ts +103 -39
package/src/functions/JWE.ts +360 -0
package/src/functions/index.ts +206 -26
package/src/index.ts +4 -0
package/src/types/IJwtService.ts +273 -55

package/src/functions/index.ts CHANGED Viewed

@@ -1,45 +1,70 @@
+import { jwkTtoPublicKeyHex } from '@sphereon/ssi-sdk-ext.did-utils'
 import {
+  ensureManagedIdentifierResult,
+  ExternalIdentifierDidOpts,
+  ExternalIdentifierX5cOpts,
+  IIdentifierResolution,
   isManagedIdentifierDidResult,
   isManagedIdentifierX5cResult,
   ManagedIdentifierMethod,
   ManagedIdentifierResult,
-  ensureManagedIdentifierResult,
+  resolveExternalJwkIdentifier,
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { bytesToBase64url, encodeJoseBlob } from '@veramo/utils'
+import { keyTypeFromCryptographicSuite, verifySignatureWithSubtle } from '@sphereon/ssi-sdk-ext.key-utils'
+import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
+import { JWK } from '@sphereon/ssi-types'
+import { IAgentContext } from '@veramo/core'
+import { bytesToBase64url, decodeJoseBlob, encodeJoseBlob } from '@veramo/utils'
+import { base64ToBytes } from '@veramo/utils'
 import * as u8a from 'uint8arrays'
 import {
   CreateJwsCompactArgs,
   CreateJwsFlattenedArgs,
   CreateJwsJsonArgs,
-  CreateJwsMode,
+  IJwsValidationResult,
   IRequiredContext,
+  isJwsCompact,
+  isJwsJsonFlattened,
+  isJwsJsonGeneral,
+  Jws,
   JwsCompact,
+  JwsIdentifierMode,
   JwsJsonFlattened,
   JwsJsonGeneral,
-  JwsJsonSignature,
-  JwtHeader,
+  JwsJsonGeneralWithIdentifiers,
+  JwsJsonSignature, JwsJsonSignatureWithIdentifier,
+  JwsHeader,
+  JwsPayload,
   PreparedJwsObject,
+  VerifyJwsArgs, JweHeader,
 } from '../types/IJwtService'
+const payloadToBytes = (payload: string | JwsPayload | Uint8Array): Uint8Array => {
+  const isBytes = payload instanceof Uint8Array
+  const isString = typeof payload === 'string'
+  return isBytes ? payload : isString ? u8a.fromString(payload, 'base64url') : u8a.fromString(JSON.stringify(payload), 'utf-8')
+}
 export const prepareJwsObject = async (args: CreateJwsJsonArgs, context: IRequiredContext): Promise<PreparedJwsObject> => {
-  const { existingSignatures, protectedHeader, unprotectedHeader, issuer, payload, mode = 'auto' } = args
+  const { existingSignatures, protectedHeader, unprotectedHeader, issuer, payload, mode = 'auto', clientId, clientIdScheme } = args
   const { noIdentifierInHeader = false } = issuer
-  const combinedHeader = { ...unprotectedHeader, ...protectedHeader }
-  if (!combinedHeader.alg) {
-    return Promise.reject(`No 'alg' key present in the JWS header`)
-  }
   const identifier = await ensureManagedIdentifierResult(issuer, context)
-  await checkAndUpdateJwtHeader({ mode, identifier, noIdentifierInHeader, header: protectedHeader }, context)
+  await checkAndUpdateJwsHeader({ mode, identifier, noIdentifierInHeader, header: protectedHeader }, context)
   const isBytes = payload instanceof Uint8Array
   const isString = typeof payload === 'string'
   if (!isBytes && !isString) {
     if (issuer.noIssPayloadUpdate !== true && !payload.iss && identifier.issuer) {
       payload.iss = identifier.issuer
     }
+    if (clientIdScheme && !payload.client_id_scheme) {
+      payload.client_id_scheme = clientIdScheme
+    }
+    if (clientId && !payload.client_id) {
+      payload.client_id = clientId
+    }
   }
-  const payloadBytes = isBytes ? payload : isString ? u8a.fromString(payload, 'base64url') : u8a.fromString(JSON.stringify(payload), 'utf-8')
+  const payloadBytes = payloadToBytes(payload)
   const base64urlHeader = encodeJoseBlob(protectedHeader)
   const base64urlPayload = bytesToBase64url(payloadBytes)
@@ -113,31 +138,31 @@ export const createJwsJsonGeneral = async (args: CreateJwsJsonArgs, context: IRe
  * @param context
  */
-export const checkAndUpdateJwtHeader = async (
+export const checkAndUpdateJwsHeader = async (
   {
     mode = 'auto',
     identifier,
     header,
     noIdentifierInHeader = false,
   }: {
-    mode?: CreateJwsMode
+    mode?: JwsIdentifierMode
     identifier: ManagedIdentifierResult
     noIdentifierInHeader?: boolean
-    header: JwtHeader
+    header: JwsHeader
   },
   context: IRequiredContext
 ) => {
-  if (isMode(mode, identifier.method, 'did')) {
+  if (isIdentifierMode(mode, identifier.method, 'did')) {
     // kid is VM of the DID
     // @see https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4
     await checkAndUpdateDidHeader({ header, identifier, noIdentifierInHeader }, context)
-  } else if (isMode(mode, identifier.method, 'x5c')) {
+  } else if (isIdentifierMode(mode, identifier.method, 'x5c')) {
     // Include the x5c in the header. No kid
     // @see https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6
     await checkAndUpdateX5cHeader({ header, identifier, noIdentifierInHeader }, context)
-  } else if (isMode(mode, identifier.method, 'kid', false)) {
+  } else if (isIdentifierMode(mode, identifier.method, 'kid', false)) {
     await checkAndUpdateKidHeader({ header, identifier, noIdentifierInHeader }, context)
-  } else if (isMode(mode, identifier.method, 'jwk', false)) {
+  } else if (isIdentifierMode(mode, identifier.method, 'jwk', false)) {
     // Include the JWK in the header as well as its kid if present
     // @see https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.3
     // @see https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4
@@ -154,7 +179,7 @@ const checkAndUpdateX5cHeader = async (
     identifier,
     noIdentifierInHeader = false,
   }: {
-    header: JwtHeader
+    header: JwsHeader | JweHeader
     identifier: ManagedIdentifierResult
     noIdentifierInHeader?: boolean
   },
@@ -183,7 +208,7 @@ const checkAndUpdateDidHeader = async (
     identifier,
     noIdentifierInHeader = false,
   }: {
-    header: JwtHeader
+    header: JwsHeader | JweHeader
     identifier: ManagedIdentifierResult
     noIdentifierInHeader?: boolean
   },
@@ -212,7 +237,7 @@ const checkAndUpdateJwkHeader = async (
     identifier,
     noIdentifierInHeader = false,
   }: {
-    header: JwtHeader
+    header: JwsHeader | JweHeader
     identifier: ManagedIdentifierResult
     noIdentifierInHeader?: boolean
   },
@@ -221,7 +246,7 @@ const checkAndUpdateJwkHeader = async (
   const { jwk } = header
   if (jwk) {
     // let's resolve the provided x5c to be sure
-    const jwkIdentifier = await context.agent.identifierManagedGetByJwk({ identifier: jwk })
+    const jwkIdentifier = await context.agent.identifierManagedGetByJwk({ identifier: jwk as JWK })
     if (jwkIdentifier.kmsKeyRef !== identifier.kmsKeyRef) {
       return Promise.reject(Error(`A jwk header was present, but its value did not match the provided signing jwk or kid!`))
     }
@@ -240,7 +265,7 @@ const checkAndUpdateKidHeader = async (
     identifier,
     noIdentifierInHeader = false,
   }: {
-    header: JwtHeader
+    header: JwsHeader | JweHeader
     identifier: ManagedIdentifierResult
     noIdentifierInHeader?: boolean
   },
@@ -262,7 +287,7 @@ const checkAndUpdateKidHeader = async (
   }
 }
-const isMode = (mode: CreateJwsMode, identifierMethod: ManagedIdentifierMethod, checkMode: CreateJwsMode, loose = true) => {
+const isIdentifierMode = (mode: JwsIdentifierMode, identifierMethod: ManagedIdentifierMethod, checkMode: JwsIdentifierMode, loose = true) => {
   if (loose && (checkMode === 'jwk' || checkMode === 'kid')) {
     // we always have the kid and jwk at hand no matter the identifier method, so we are okay with that
     // todo: check the impact on the above expressions, as this will now always return true for the both of them
@@ -277,3 +302,158 @@ const isMode = (mode: CreateJwsMode, identifierMethod: ManagedIdentifierMethod,
   // we always have the kid and jwk at hand no matter the identifier method, so we are okay with that
   return mode === 'auto' && identifierMethod === checkMode
 }
+export const verifyJws = async (args: VerifyJwsArgs, context: IAgentContext<IIdentifierResolution>): Promise<IJwsValidationResult> => {
+  const jws = await toJwsJsonGeneralWithIdentifiers(args, context)
+  let errorMessages: string[] = []
+  let index = 0
+  await Promise.all(
+    jws.signatures.map(async (sigWithId) => {
+      // If we have a specific KMS agent plugin that can do the verification prefer that over the generic verification
+      index++
+      let valid: boolean
+      const data = u8a.fromString(`${sigWithId.protected}.${jws.payload}`, 'utf-8')
+      const jwkInfo = sigWithId.identifier.jwks[0]
+      if (sigWithId.header?.alg === 'RSA' && contextHasPlugin(context, 'keyManagerVerify')) {
+        const publicKeyHex = jwkTtoPublicKeyHex(jwkInfo.jwk)
+        valid = await context.agent.keyManagerVerify({
+          signature: sigWithId.signature,
+          data,
+          publicKeyHex,
+          type: keyTypeFromCryptographicSuite({ suite: jwkInfo.jwk.crv ?? 'ES256' }),
+          // no kms arg, as the current key manager needs a bit more work
+        })
+      } else {
+        const signature = base64ToBytes(sigWithId.signature)
+        valid = await verifySignatureWithSubtle({ data, signature, key: jwkInfo.jwk })
+      }
+      if (!valid) {
+        errorMessages.push(`Signature ${index} was not valid`)
+      }
+      return {
+        sigWithId,
+        valid,
+      }
+    })
+  )
+  const error = errorMessages.length !== 0
+  return {
+    name: 'jws',
+    jws,
+    error,
+    critical: error,
+    message: error ? errorMessages.join(', ') : 'Signature validated',
+    verificationTime: new Date(),
+  } satisfies IJwsValidationResult
+}
+export const toJwsJsonGeneral = async ({ jws }: { jws: Jws }, context: IAgentContext<any>): Promise<JwsJsonGeneral> => {
+  let payload: string
+  let signatures: JwsJsonSignature[] = []
+  if (isJwsCompact(jws)) {
+    const split = jws.split('.')
+    payload = split[1]
+    signatures[0] = {
+      protected: split[0],
+      signature: split[2],
+    } satisfies JwsJsonSignature
+  } else if (isJwsJsonGeneral(jws)) {
+    payload = jws.payload
+    signatures = jws.signatures
+  } else if (isJwsJsonFlattened(jws)) {
+    const { payload: _payload, ...signature } = jws
+    payload = _payload
+    signatures = [signature]
+  } else {
+    return Promise.reject(Error(`Invalid JWS supplied`))
+  }
+  return {
+    payload,
+    signatures,
+  }
+}
+async function resolveExternalIdentifierFromJwsHeader(
+  protectedHeader: JwsHeader,
+  context: IAgentContext<IIdentifierResolution>,
+  args: {
+    jws: Jws
+    opts?: { x5c?: Omit<ExternalIdentifierX5cOpts, 'identifier'>; did?: Omit<ExternalIdentifierDidOpts, 'identifier'> }
+  }
+) {
+  if (protectedHeader.x5c) {
+    const x5c = protectedHeader.x5c
+    return await context.agent.identifierExternalResolveByX5c({
+      ...args.opts?.x5c,
+      identifier: x5c,
+      verify: true,
+    })
+  } else if (protectedHeader.jwk) {
+    const jwk = protectedHeader.jwk
+    const x5c = jwk.x5c // todo resolve x5u
+    return await context.agent.identifierExternalResolveByJwk({
+      identifier: protectedHeader.jwk,
+      ...(x5c && {
+        x5c: {
+          ...args?.opts?.x5c,
+          identifier: x5c,
+        },
+      }),
+    })
+  } else if (protectedHeader.kid && protectedHeader.kid.startsWith('did:')) {
+    return await context.agent.identifierExternalResolveByDid({ ...args?.opts?.did, identifier: protectedHeader.kid })
+  } else if (protectedHeader.alg === 'none') {
+    return undefined
+  } else {
+    return Promise.reject(Error(`We can only process DIDs, X.509 certificate chains and JWKs for signature validation at present`))
+  }
+}
+function loadJWK(
+  providedJwk: JWK | undefined,
+  protectedHeader: JwsHeader,
+  jws: JwsJsonGeneral,
+): JWK | undefined {
+  if (providedJwk) {
+    return providedJwk
+  }
+  // TODO SDK-47 the identityResolver could handle this as well, but it's a really tiny function
+  if (protectedHeader?.typ === 'entity-statement+jwt') {
+    const payload = decodeJoseBlob(jws.payload)
+    if (!payload?.jwks?.keys?.[0]) {
+      throw new Error('Missing or invalid JWK in payload')
+    }
+    return payload.jwks.keys[0]
+  }
+  return undefined
+}
+export const toJwsJsonGeneralWithIdentifiers = async (
+  args: {
+    jws: Jws
+    jwk?: JWK
+    opts?: { x5c?: Omit<ExternalIdentifierX5cOpts, 'identifier'>; did?: Omit<ExternalIdentifierDidOpts, 'identifier'> }
+  },
+  context: IAgentContext<IIdentifierResolution>
+): Promise<JwsJsonGeneralWithIdentifiers> => {
+  const jws = await toJwsJsonGeneral(args, context)
+  const signatures = (await Promise.all(
+    jws.signatures.map(async (signature) => {
+      const protectedHeader: JwsHeader = decodeJoseBlob(signature.protected)
+      const jwk = loadJWK(args.jwk, protectedHeader, jws)
+      const identifier = jwk
+        ? await resolveExternalJwkIdentifier({ identifier: jwk, method: 'jwk' }, context)
+        : await resolveExternalIdentifierFromJwsHeader(protectedHeader, context, args)
+      if (identifier !== undefined) {
+        return { ...signature, identifier }
+      }
+      return undefined
+    })
+  )) as Array<JwsJsonSignatureWithIdentifier>
+  return { payload: jws.payload, signatures }
+}

package/src/index.ts CHANGED Viewed

@@ -1,8 +1,12 @@
+import {Loggers} from "@sphereon/ssi-types";
 /**
  * @internal
  */
 const schema = require('../plugin.schema.json')
 export { schema }
+export const JwtLogger = Loggers.DEFAULT.get('sphereon:sdk:jwt')
 /**
  * @public
  */