@sphereon/ssi-sdk-ext.jwt-service 0.28.1-feature.jose.vcdm.52 → 0.28.1-feature.oyd.cmsm.improv.20

package/src/agent/JwtService.ts

@@ -1,34 +1,31 @@
-import { Loggers } from '@sphereon/ssi-types'
-import type { IAgentPlugin } from '@veramo/core'
-const logger = Loggers.DEFAULT.get('sphereon:jwt-service')
+import { IAgentPlugin } from '@veramo/core'
+import debug from 'debug'
 import { importJWK } from 'jose'
 
-// @ts-ignore
 import * as u8a from 'uint8arrays'
-const { fromString } = u8a
 import {
   createJwsCompact,
-  type CreateJwsCompactArgs,
-  type CreateJwsFlattenedArgs,
-  type CreateJwsJsonArgs,
+  CreateJwsCompactArgs,
+  CreateJwsFlattenedArgs,
+  CreateJwsJsonArgs,
   createJwsJsonFlattened,
   createJwsJsonGeneral,
-  type DecryptJweCompactJwtArgs,
-  type EncryptJweCompactJwtArgs,
-  type IJwsValidationResult,
-  type IJwtService,
-  type IRequiredContext,
+  DecryptJweCompactJwtArgs,
+  EncryptJweCompactJwtArgs,
+  IJwsValidationResult,
+  IJwtService,
+  IRequiredContext,
   jweAlg,
   jweEnc,
-  type JwsJsonFlattened,
-  type JwsJsonGeneral,
-  type JwtCompactResult,
+  JwsJsonFlattened,
+  JwsJsonGeneral,
+  JwtCompactResult,
   JwtLogger,
-  type PreparedJwsObject,
+  PreparedJwsObject,
   prepareJwsObject,
   schema,
   verifyJws,
-  type VerifyJwsArgs,
+  VerifyJwsArgs,
 } from '..'
 import { CompactJwtEncrypter } from '../functions/JWE'
 
@@ -72,7 +69,7 @@ export class JwtService implements IAgentPlugin {
     const { payload, protectedHeader = { alg: args.alg, enc: args.enc }, recipientKey, issuer, expirationTime, audience } = args
 
     try {
-      logger.debug(`JWE Encrypt: ${JSON.stringify(args, null, 2)}`)
+      debug(`JWE Encrypt: ${JSON.stringify(args, null, 2)}`)
 
       const alg = jweAlg(args.alg) ?? jweAlg(protectedHeader.alg) ?? 'ECDH-ES'
       const enc = jweEnc(args.enc) ?? jweEnc(protectedHeader.enc) ?? 'A256GCM'
@@ -91,9 +88,9 @@ export class JwtService implements IAgentPlugin {
         return Promise.reject(Error(`Currently only ECDH-ES is supported for encryption. JWK alg ${jwkInfo.jwk.kty}, header alg ${alg}`)) // TODO: Probably we support way more already
       }
       const apuVal = protectedHeader.apu ?? args.apu
-      const apu = apuVal ? fromString(apuVal, 'base64url') : undefined
+      const apu = apuVal ? u8a.fromString(apuVal, 'base64url') : undefined
       const apvVal = protectedHeader.apv ?? args.apv
-      const apv = apvVal ? fromString(apvVal, 'base64url') : undefined
+      const apv = apvVal ? u8a.fromString(apvVal, 'base64url') : undefined
 
       const pubKey = await importJWK(jwkInfo.jwk)
       const encrypter = new CompactJwtEncrypter({

package/src/functions/JWE.ts

@@ -1,24 +1,20 @@
-import { defaultRandomSource, randomBytes, type RandomSource } from '@stablelib/random'
+import { defaultRandomSource, randomBytes, RandomSource } from '@stablelib/random'
 import { base64ToBytes, bytesToBase64url, decodeBase64url } from '@veramo/utils'
 import * as jose from 'jose'
-import type { JWEKeyManagementHeaderParameters, JWTDecryptOptions } from 'jose'
-// // @ts-ignore
-// import type { KeyLike } from 'jose/dist/types/types'
-export type KeyLike = { type: string }
-// @ts-ignore
+import { JWEKeyManagementHeaderParameters, JWTDecryptOptions } from 'jose'
+import type { KeyLike } from 'jose/dist/types/types'
 import * as u8a from 'uint8arrays'
-const { fromString, toString, concat } = u8a
 import {
-  type JweAlg,
+  JweAlg,
   JweAlgs,
-  type JweEnc,
+  JweEnc,
   JweEncs,
-  type JweHeader,
-  type JweJsonGeneral,
-  type JweProtectedHeader,
-  type JweRecipient,
-  type JweRecipientUnprotectedHeader,
-  type JwsPayload,
+  JweHeader,
+  JweJsonGeneral,
+  JweProtectedHeader,
+  JweRecipient,
+  JweRecipientUnprotectedHeader,
+  JwsPayload,
 } from '../types/IJwtService'
 
 export interface EncryptionResult {
@@ -241,7 +237,7 @@ export class CompactJwtEncrypter implements JweEncrypter {
   }
 
   async encrypt(payload: Uint8Array, jweProtectedHeader: JweProtectedHeader, aad?: Uint8Array | undefined): Promise<EncryptionResult> {
-    const jwt = await this.encryptCompactJWT(JSON.parse(toString(payload)), jweProtectedHeader, aad)
+    const jwt = await this.encryptCompactJWT(JSON.parse(u8a.toString(payload)), jweProtectedHeader, aad)
     const [protectedHeader, encryptedKey, ivB64, payloadB64, tagB64] = jwt.split('.')
     //[jwe.protected, jwe.encrypted_key, jwe.iv, jwe.ciphertext, jwe.tag].join('.');
     console.log(`FIXME: TO EncryptionResult`)
@@ -339,7 +335,7 @@ export async function decryptJwe(jwe: JweJsonGeneral, decrypter: JweDecrypter):
     return Promise.reject(Error(`Decrypter enc '${decrypter.enc}' does not support header enc '${protectedHeader.enc}'`))
   }
   const sealed = toWebCryptoCiphertext(jwe.ciphertext, jwe.tag)
-  const aad = fromString(jwe.aad ? `${jwe.protected}.${jwe.aad}` : jwe.protected)
+  const aad = u8a.fromString(jwe.aad ? `${jwe.protected}.${jwe.aad}` : jwe.protected)
   let cleartext = null
   if (protectedHeader.alg === 'dir' && decrypter.alg === 'dir') {
     cleartext = await decrypter.decrypt(sealed, base64ToBytes(jwe.iv), aad)
@@ -359,5 +355,5 @@ export async function decryptJwe(jwe: JweJsonGeneral, decrypter: JweDecrypter):
 }
 
 export function toWebCryptoCiphertext(ciphertext: string, tag: string): Uint8Array {
-  return concat([base64ToBytes(ciphertext), base64ToBytes(tag)])
+  return u8a.concat([base64ToBytes(ciphertext), base64ToBytes(tag)])
 }

package/src/functions/index.ts

@@ -1,28 +1,28 @@
-import { jwkTtoPublicKeyHex } from '@sphereon/ssi-sdk-ext.did-utils'
 import {
   ensureManagedIdentifierResult,
-  type ExternalIdentifierDidOpts,
-  type ExternalIdentifierX5cOpts,
-  type IIdentifierResolution,
+  ExternalIdentifierDidOpts,
+  ExternalIdentifierX5cOpts,
+  IIdentifierResolution,
   isManagedIdentifierDidResult,
   isManagedIdentifierX5cResult,
-  type ManagedIdentifierMethod,
-  type ManagedIdentifierResult,
+  ManagedIdentifierMethod,
+  ManagedIdentifierResult,
   resolveExternalJwkIdentifier,
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import { keyTypeFromCryptographicSuite, signatureAlgorithmFromKeyType, verifyRawSignature } from '@sphereon/ssi-sdk-ext.key-utils'
-import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
-import type { JoseSignatureAlgorithm, JWK } from '@sphereon/ssi-types'
-import type { IAgentContext } from '@veramo/core'
+import { verifyRawSignature } from '@sphereon/ssi-sdk-ext.key-utils'
+import { JWK } from '@sphereon/ssi-types'
+import { IAgentContext } from '@veramo/core'
 import { base64ToBytes, bytesToBase64url, decodeJoseBlob, encodeJoseBlob } from '@veramo/utils'
-// @ts-ignore
 import * as u8a from 'uint8arrays'
-import type {
+import {
   CreateJwsCompactArgs,
   CreateJwsFlattenedArgs,
   CreateJwsJsonArgs,
   IJwsValidationResult,
   IRequiredContext,
+  isJwsCompact,
+  isJwsJsonFlattened,
+  isJwsJsonGeneral,
   JweHeader,
   Jws,
   JwsCompact,
@@ -37,14 +37,11 @@ import type {
   PreparedJwsObject,
   VerifyJwsArgs,
 } from '../types/IJwtService'
-import { isJwsCompact, isJwsJsonFlattened, isJwsJsonGeneral } from '../types/IJwtService'
-
-const { fromString } = u8a
 
 const payloadToBytes = (payload: string | JwsPayload | Uint8Array): Uint8Array => {
   const isBytes = payload instanceof Uint8Array
   const isString = typeof payload === 'string'
-  return isBytes ? payload : isString ? fromString(payload, 'base64url') : fromString(JSON.stringify(payload), 'utf-8')
+  return isBytes ? payload : isString ? u8a.fromString(payload, 'base64url') : u8a.fromString(JSON.stringify(payload), 'utf-8')
 }
 
 export const prepareJwsObject = async (args: CreateJwsJsonArgs, context: IRequiredContext): Promise<PreparedJwsObject> => {
@@ -114,15 +111,11 @@ export const createJwsJsonGeneral = async (args: CreateJwsJsonArgs, context: IRe
     },
     context
   )
-
-  const alg: string | undefined = protectedHeader.alg ?? signatureAlgorithmFromKeyType({ type: identifier.key.type })
-
   // const algorithm = await signatureAlgorithmFromKey({ key: identifier.key })
   const signature = await context.agent.keyManagerSign({
     keyRef: identifier.kmsKeyRef,
     data: `${b64.protectedHeader}.${b64.payload}`,
     encoding: undefined,
-    algorithm: alg,
   })
   const jsonSignature = {
     protected: b64.protectedHeader,
@@ -158,8 +151,6 @@ export const checkAndUpdateJwsHeader = async (
   },
   context: IRequiredContext
 ) => {
-  // Make sure we have an alg in the header (https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.1)
-  header.alg = header.alg ?? signatureAlgorithmFromKeyType({ type: identifier.key.type })
   if (isIdentifierMode(mode, identifier.method, 'did')) {
     // kid is VM of the DID
     // @see https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4
@@ -321,31 +312,25 @@ export const verifyJws = async (args: VerifyJwsArgs, context: IAgentContext<IIde
       // If we have a specific KMS agent plugin that can do the verification prefer that over the generic verification
       index++
       let valid: boolean
-      const data = fromString(`${sigWithId.protected}.${jws.payload}`, 'utf-8')
+      const data = u8a.fromString(`${sigWithId.protected}.${jws.payload}`, 'utf-8')
       const jwkInfo = sigWithId.identifier.jwks[0]
-      let signatureAlg: JoseSignatureAlgorithm | undefined = undefined
-      if (sigWithId.protected.startsWith(`ey`)) {
-        const header = decodeJoseBlob(sigWithId.protected)
-        signatureAlg = header.alg as JoseSignatureAlgorithm | undefined
-      }
-
-      if (false && signatureAlg?.startsWith('PS') && contextHasPlugin(context, 'keyManagerVerify')) {
+      /* if (sigWithId.header?.alg === 'RSA' && contextHasPlugin(context, 'keyManagerVerify')) {
         const publicKeyHex = jwkTtoPublicKeyHex(jwkInfo.jwk)
         valid = await context.agent.keyManagerVerify({
           signature: sigWithId.signature,
           data,
           publicKeyHex,
-          type: keyTypeFromCryptographicSuite({ ...(jwkInfo.jwk.crv && { crv: jwkInfo.jwk.crv }), alg: signatureAlg as string }),
+          type: keyTypeFromCryptographicSuite({ crv: jwkInfo.jwk.crv ?? 'ES256' }),
           // no kms arg, as the current key manager needs a bit more work
         })
-      } else {
-        const signature = base64ToBytes(sigWithId.signature)
-        valid = await verifyRawSignature({ data, signature, key: jwkInfo.jwk, opts: { signatureAlg: signatureAlg } })
-        // }
-      }
+      } else {*/
+      const signature = base64ToBytes(sigWithId.signature)
+      valid = await verifyRawSignature({ data, signature, key: jwkInfo.jwk })
+      // }
       if (!valid) {
         errorMessages.push(`Signature ${index} was not valid`)
       }
+
       return {
         sigWithId,
         valid,

package/src/types/IJwtService.ts

@@ -1,4 +1,4 @@
-import type {
+import {
   ExternalIdentifierDidOpts,
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
@@ -6,9 +6,9 @@ import type {
   ManagedIdentifierOptsOrResult,
   ManagedIdentifierResult,
 } from '@sphereon/ssi-sdk-ext.identifier-resolution'
-import type { ClientIdScheme } from '@sphereon/ssi-sdk-ext.x509-utils'
-import type { BaseJWK, IValidationResult, JoseSignatureAlgorithm, JoseSignatureAlgorithmString, JWK } from '@sphereon/ssi-types'
-import type { IAgentContext, IKeyManager, IPluginMethodMap } from '@veramo/core'
+import { ClientIdScheme } from '@sphereon/ssi-sdk-ext.x509-utils'
+import { BaseJWK, IValidationResult, JoseSignatureAlgorithm, JoseSignatureAlgorithmString, JWK } from '@sphereon/ssi-types'
+import { IAgentContext, IKeyManager, IPluginMethodMap } from '@veramo/core'
 
 export type IRequiredContext = IAgentContext<IIdentifierResolution & IKeyManager> // could we still interop with Veramo?