@sphereon/ssi-sdk-ext.jwt-service 0.26.1-next.3 → 0.26.1-next.30
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agent/JwtService.d.ts.map +1 -1
- package/dist/agent/JwtService.js +8 -5
- package/dist/agent/JwtService.js.map +1 -1
- package/dist/functions/JWE.d.ts +6 -6
- package/dist/functions/JWE.d.ts.map +1 -1
- package/dist/functions/JWE.js +13 -13
- package/dist/functions/JWE.js.map +1 -1
- package/dist/functions/index.d.ts.map +1 -1
- package/dist/functions/index.js +2 -2
- package/dist/functions/index.js.map +1 -1
- package/dist/index.js.map +1 -1
- package/dist/tsdoc-metadata.json +1 -1
- package/dist/types/IJwtService.d.ts +2 -2
- package/dist/types/IJwtService.d.ts.map +1 -1
- package/dist/types/IJwtService.js +20 -2
- package/dist/types/IJwtService.js.map +1 -1
- package/package.json +10 -10
- package/plugin.schema.json +12 -0
- package/src/agent/JwtService.ts +99 -90
- package/src/functions/JWE.ts +281 -282
- package/src/functions/index.ts +8 -10
- package/src/index.ts +1 -1
- package/src/types/IJwtService.ts +166 -170
package/src/agent/JwtService.ts
CHANGED
|
@@ -1,29 +1,30 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import { globalCrypto } from '@sphereon/ssi-sdk-ext.key-utils'
|
|
2
|
+
import { IAgentPlugin } from '@veramo/core'
|
|
2
3
|
import {
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
4
|
+
createJwsCompact,
|
|
5
|
+
CreateJwsCompactArgs,
|
|
6
|
+
CreateJwsFlattenedArgs,
|
|
7
|
+
CreateJwsJsonArgs,
|
|
8
|
+
createJwsJsonFlattened,
|
|
9
|
+
createJwsJsonGeneral,
|
|
10
|
+
DecryptJweCompactJwtArgs,
|
|
11
|
+
EncryptJweCompactJwtArgs,
|
|
12
|
+
IJwsValidationResult,
|
|
13
|
+
IJwtService,
|
|
14
|
+
IRequiredContext,
|
|
15
|
+
jweAlg,
|
|
16
|
+
jweEnc,
|
|
17
|
+
JwsJsonFlattened,
|
|
18
|
+
JwsJsonGeneral,
|
|
19
|
+
JwtCompactResult,
|
|
20
|
+
JwtLogger,
|
|
21
|
+
PreparedJwsObject,
|
|
22
|
+
prepareJwsObject,
|
|
23
|
+
schema,
|
|
24
|
+
verifyJws,
|
|
25
|
+
VerifyJwsArgs,
|
|
25
26
|
} from '..'
|
|
26
|
-
import {CompactJwtEncrypter} from
|
|
27
|
+
import { CompactJwtEncrypter } from '../functions/JWE'
|
|
27
28
|
|
|
28
29
|
import * as u8a from 'uint8arrays'
|
|
29
30
|
|
|
@@ -31,81 +32,89 @@ import * as u8a from 'uint8arrays'
|
|
|
31
32
|
* @public
|
|
32
33
|
*/
|
|
33
34
|
export class JwtService implements IAgentPlugin {
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
private async jwtPrepareJws(args: CreateJwsJsonArgs, context: IRequiredContext): Promise<PreparedJwsObject> {
|
|
46
|
-
return await prepareJwsObject(args, context)
|
|
47
|
-
}
|
|
35
|
+
readonly schema = schema.IJwtService
|
|
36
|
+
readonly methods: IJwtService = {
|
|
37
|
+
jwtPrepareJws: this.jwtPrepareJws.bind(this),
|
|
38
|
+
jwtCreateJwsJsonGeneralSignature: this.jwtCreateJwsJsonGeneralSignature.bind(this),
|
|
39
|
+
jwtCreateJwsJsonFlattenedSignature: this.jwtCreateJwsJsonFlattenedSignature.bind(this),
|
|
40
|
+
jwtCreateJwsCompactSignature: this.jwtCreateJwsCompactSignature.bind(this),
|
|
41
|
+
jwtVerifyJwsSignature: this.jwtVerifyJwsSignature.bind(this),
|
|
42
|
+
jwtEncryptJweCompactJwt: this.jwtEncryptJweCompactJwt.bind(this),
|
|
43
|
+
jwtDecryptJweCompactJwt: this.jwtDecryptJweCompactJwt.bind(this),
|
|
44
|
+
}
|
|
48
45
|
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
private async jwtCreateJwsJsonFlattenedSignature(args: CreateJwsFlattenedArgs, context: IRequiredContext): Promise<JwsJsonFlattened> {
|
|
54
|
-
return await createJwsJsonFlattened(args, context)
|
|
55
|
-
}
|
|
46
|
+
private async jwtPrepareJws(args: CreateJwsJsonArgs, context: IRequiredContext): Promise<PreparedJwsObject> {
|
|
47
|
+
return await prepareJwsObject(args, context)
|
|
48
|
+
}
|
|
56
49
|
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
}
|
|
50
|
+
private async jwtCreateJwsJsonGeneralSignature(args: CreateJwsJsonArgs, context: IRequiredContext): Promise<JwsJsonGeneral> {
|
|
51
|
+
return await createJwsJsonGeneral(args, context)
|
|
52
|
+
}
|
|
61
53
|
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
54
|
+
private async jwtCreateJwsJsonFlattenedSignature(args: CreateJwsFlattenedArgs, context: IRequiredContext): Promise<JwsJsonFlattened> {
|
|
55
|
+
return await createJwsJsonFlattened(args, context)
|
|
56
|
+
}
|
|
65
57
|
|
|
66
|
-
|
|
67
|
-
|
|
58
|
+
private async jwtCreateJwsCompactSignature(args: CreateJwsCompactArgs, context: IRequiredContext): Promise<JwtCompactResult> {
|
|
59
|
+
// We wrap it in a json object for remote REST calls
|
|
60
|
+
return { jwt: await createJwsCompact(args, context) }
|
|
61
|
+
}
|
|
68
62
|
|
|
69
|
-
|
|
63
|
+
private async jwtVerifyJwsSignature(args: VerifyJwsArgs, context: IRequiredContext): Promise<IJwsValidationResult> {
|
|
64
|
+
return await verifyJws(args, context)
|
|
65
|
+
}
|
|
70
66
|
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
const encJwks = recipientKey.jwks.length === 1 ? [recipientKey.jwks[0]] : recipientKey.jwks.filter(jwk => (jwk.kid && (jwk.kid === jwk.jwk.kid || jwk.kid === jwk.jwkThumbprint)) || jwk.jwk.use === 'enc')
|
|
74
|
-
if (encJwks.length === 0) {
|
|
75
|
-
return Promise.reject(Error(`No public JWK found that can be used to encrypt against`))
|
|
76
|
-
}
|
|
77
|
-
const jwkInfo = encJwks[0]
|
|
78
|
-
if (encJwks.length > 0) {
|
|
79
|
-
JwtLogger.warning(`More than one JWK with 'enc' usage found. Selected the first one as no 'kid' was provided`, encJwks)
|
|
80
|
-
}
|
|
81
|
-
if (jwkInfo.jwk.kty?.startsWith('EC') !== true || !alg.startsWith('ECDH')) {
|
|
82
|
-
return Promise.reject(Error(`Currently only ECDH-ES is supported for encryption. JWK alg ${jwkInfo.jwk.kty}, header alg ${alg}`)) // TODO: Probably we support way more already
|
|
83
|
-
}
|
|
84
|
-
const apuVal = protectedHeader.apu ?? args.apu
|
|
85
|
-
const apu = apuVal ? u8a.fromString(apuVal, 'base64url') : undefined
|
|
86
|
-
const apvVal = protectedHeader.apv ?? args.apv
|
|
87
|
-
const apv = apvVal ? u8a.fromString(apvVal, 'base64url') : undefined
|
|
67
|
+
private async jwtEncryptJweCompactJwt(args: EncryptJweCompactJwtArgs, context: IRequiredContext): Promise<JwtCompactResult> {
|
|
68
|
+
const { payload, protectedHeader = { alg: args.alg, enc: args.enc }, recipientKey, issuer, expirationTime, audience } = args
|
|
88
69
|
|
|
89
|
-
|
|
90
|
-
name: 'ECDH',
|
|
91
|
-
namedCurve: 'P-256',
|
|
92
|
-
}, true, [])
|
|
93
|
-
const encrypter = new CompactJwtEncrypter({
|
|
94
|
-
enc,
|
|
95
|
-
alg,
|
|
96
|
-
keyManagementParams: {apu, apv},
|
|
97
|
-
key: pubKey,
|
|
98
|
-
issuer,
|
|
99
|
-
expirationTime,
|
|
100
|
-
audience
|
|
101
|
-
})
|
|
70
|
+
console.log(JSON.stringify(args, null, 2))
|
|
102
71
|
|
|
103
|
-
|
|
104
|
-
|
|
72
|
+
const alg = jweAlg(args.alg) ?? jweAlg(protectedHeader.alg) ?? 'ECDH-ES'
|
|
73
|
+
const enc = jweEnc(args.enc) ?? jweEnc(protectedHeader.enc) ?? 'A256GCM'
|
|
74
|
+
const encJwks =
|
|
75
|
+
recipientKey.jwks.length === 1
|
|
76
|
+
? [recipientKey.jwks[0]]
|
|
77
|
+
: recipientKey.jwks.filter((jwk) => (jwk.kid && (jwk.kid === jwk.jwk.kid || jwk.kid === jwk.jwkThumbprint)) || jwk.jwk.use === 'enc')
|
|
78
|
+
if (encJwks.length === 0) {
|
|
79
|
+
return Promise.reject(Error(`No public JWK found that can be used to encrypt against`))
|
|
80
|
+
}
|
|
81
|
+
const jwkInfo = encJwks[0]
|
|
82
|
+
if (encJwks.length > 0) {
|
|
83
|
+
JwtLogger.warning(`More than one JWK with 'enc' usage found. Selected the first one as no 'kid' was provided`, encJwks)
|
|
105
84
|
}
|
|
85
|
+
if (jwkInfo.jwk.kty?.startsWith('EC') !== true || !alg.startsWith('ECDH')) {
|
|
86
|
+
return Promise.reject(Error(`Currently only ECDH-ES is supported for encryption. JWK alg ${jwkInfo.jwk.kty}, header alg ${alg}`)) // TODO: Probably we support way more already
|
|
87
|
+
}
|
|
88
|
+
const apuVal = protectedHeader.apu ?? args.apu
|
|
89
|
+
const apu = apuVal ? u8a.fromString(apuVal, 'base64url') : undefined
|
|
90
|
+
const apvVal = protectedHeader.apv ?? args.apv
|
|
91
|
+
const apv = apvVal ? u8a.fromString(apvVal, 'base64url') : undefined
|
|
106
92
|
|
|
107
|
-
|
|
93
|
+
const pubKey = await globalCrypto(false).subtle.importKey(
|
|
94
|
+
'jwk',
|
|
95
|
+
jwkInfo.jwk,
|
|
96
|
+
{
|
|
97
|
+
name: 'ECDH',
|
|
98
|
+
namedCurve: 'P-256',
|
|
99
|
+
},
|
|
100
|
+
true,
|
|
101
|
+
[]
|
|
102
|
+
)
|
|
103
|
+
const encrypter = new CompactJwtEncrypter({
|
|
104
|
+
enc,
|
|
105
|
+
alg,
|
|
106
|
+
keyManagementParams: { apu, apv },
|
|
107
|
+
key: pubKey,
|
|
108
|
+
issuer,
|
|
109
|
+
expirationTime,
|
|
110
|
+
audience,
|
|
111
|
+
})
|
|
108
112
|
|
|
109
|
-
|
|
110
|
-
}
|
|
113
|
+
const jwe = await encrypter.encryptCompactJWT(payload, {})
|
|
114
|
+
return { jwt: jwe }
|
|
115
|
+
}
|
|
116
|
+
|
|
117
|
+
private async jwtDecryptJweCompactJwt(args: DecryptJweCompactJwtArgs, context: IRequiredContext): Promise<JwtCompactResult> {
|
|
118
|
+
return { jwt: 'FIXME' }
|
|
119
|
+
}
|
|
111
120
|
}
|