npm - conductor-oss - Versions diffs - 0.4.0 → 0.5.0 - Mend

conductor-oss 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (133) hide show

package/node_modules/jose/dist/webapi/lib/content_encryption.js ADDED Viewed

@@ -0,0 +1,217 @@
+import { concat, uint64be } from './buffer_utils.js';
+import { checkEncCryptoKey } from './crypto_key.js';
+import { invalidKeyInput } from './invalid_key_input.js';
+import { JOSENotSupported, JWEDecryptionFailed, JWEInvalid } from '../util/errors.js';
+import { isCryptoKey } from './is_key_like.js';
+export function cekLength(alg) {
+    switch (alg) {
+        case 'A128GCM':
+            return 128;
+        case 'A192GCM':
+            return 192;
+        case 'A256GCM':
+        case 'A128CBC-HS256':
+            return 256;
+        case 'A192CBC-HS384':
+            return 384;
+        case 'A256CBC-HS512':
+            return 512;
+        default:
+            throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
+    }
+}
+export const generateCek = (alg) => crypto.getRandomValues(new Uint8Array(cekLength(alg) >> 3));
+function checkCekLength(cek, expected) {
+    const actual = cek.byteLength << 3;
+    if (actual !== expected) {
+        throw new JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
+    }
+}
+function ivBitLength(alg) {
+    switch (alg) {
+        case 'A128GCM':
+        case 'A128GCMKW':
+        case 'A192GCM':
+        case 'A192GCMKW':
+        case 'A256GCM':
+        case 'A256GCMKW':
+            return 96;
+        case 'A128CBC-HS256':
+        case 'A192CBC-HS384':
+        case 'A256CBC-HS512':
+            return 128;
+        default:
+            throw new JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
+    }
+}
+export const generateIv = (alg) => crypto.getRandomValues(new Uint8Array(ivBitLength(alg) >> 3));
+export function checkIvLength(enc, iv) {
+    if (iv.length << 3 !== ivBitLength(enc)) {
+        throw new JWEInvalid('Invalid Initialization Vector length');
+    }
+}
+async function cbcKeySetup(enc, cek, usage) {
+    if (!(cek instanceof Uint8Array)) {
+        throw new TypeError(invalidKeyInput(cek, 'Uint8Array'));
+    }
+    const keySize = parseInt(enc.slice(1, 4), 10);
+    const encKey = await crypto.subtle.importKey('raw', cek.subarray(keySize >> 3), 'AES-CBC', false, [usage]);
+    const macKey = await crypto.subtle.importKey('raw', cek.subarray(0, keySize >> 3), {
+        hash: `SHA-${keySize << 1}`,
+        name: 'HMAC',
+    }, false, ['sign']);
+    return { encKey, macKey, keySize };
+}
+async function cbcHmacTag(macKey, macData, keySize) {
+    return new Uint8Array((await crypto.subtle.sign('HMAC', macKey, macData)).slice(0, keySize >> 3));
+}
+async function cbcEncrypt(enc, plaintext, cek, iv, aad) {
+    const { encKey, macKey, keySize } = await cbcKeySetup(enc, cek, 'encrypt');
+    const ciphertext = new Uint8Array(await crypto.subtle.encrypt({
+        iv: iv,
+        name: 'AES-CBC',
+    }, encKey, plaintext));
+    const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
+    const tag = await cbcHmacTag(macKey, macData, keySize);
+    return { ciphertext, tag, iv };
+}
+async function timingSafeEqual(a, b) {
+    if (!(a instanceof Uint8Array)) {
+        throw new TypeError('First argument must be a buffer');
+    }
+    if (!(b instanceof Uint8Array)) {
+        throw new TypeError('Second argument must be a buffer');
+    }
+    const algorithm = { name: 'HMAC', hash: 'SHA-256' };
+    const key = (await crypto.subtle.generateKey(algorithm, false, ['sign']));
+    const aHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, a));
+    const bHmac = new Uint8Array(await crypto.subtle.sign(algorithm, key, b));
+    let out = 0;
+    let i = -1;
+    while (++i < 32) {
+        out |= aHmac[i] ^ bHmac[i];
+    }
+    return out === 0;
+}
+async function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {
+    const { encKey, macKey, keySize } = await cbcKeySetup(enc, cek, 'decrypt');
+    const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
+    const expectedTag = await cbcHmacTag(macKey, macData, keySize);
+    let macCheckPassed;
+    try {
+        macCheckPassed = await timingSafeEqual(tag, expectedTag);
+    }
+    catch {
+    }
+    if (!macCheckPassed) {
+        throw new JWEDecryptionFailed();
+    }
+    let plaintext;
+    try {
+        plaintext = new Uint8Array(await crypto.subtle.decrypt({ iv: iv, name: 'AES-CBC' }, encKey, ciphertext));
+    }
+    catch {
+    }
+    if (!plaintext) {
+        throw new JWEDecryptionFailed();
+    }
+    return plaintext;
+}
+async function gcmEncrypt(enc, plaintext, cek, iv, aad) {
+    let encKey;
+    if (cek instanceof Uint8Array) {
+        encKey = await crypto.subtle.importKey('raw', cek, 'AES-GCM', false, ['encrypt']);
+    }
+    else {
+        checkEncCryptoKey(cek, enc, 'encrypt');
+        encKey = cek;
+    }
+    const encrypted = new Uint8Array(await crypto.subtle.encrypt({
+        additionalData: aad,
+        iv: iv,
+        name: 'AES-GCM',
+        tagLength: 128,
+    }, encKey, plaintext));
+    const tag = encrypted.slice(-16);
+    const ciphertext = encrypted.slice(0, -16);
+    return { ciphertext, tag, iv };
+}
+async function gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) {
+    let encKey;
+    if (cek instanceof Uint8Array) {
+        encKey = await crypto.subtle.importKey('raw', cek, 'AES-GCM', false, ['decrypt']);
+    }
+    else {
+        checkEncCryptoKey(cek, enc, 'decrypt');
+        encKey = cek;
+    }
+    try {
+        return new Uint8Array(await crypto.subtle.decrypt({
+            additionalData: aad,
+            iv: iv,
+            name: 'AES-GCM',
+            tagLength: 128,
+        }, encKey, concat(ciphertext, tag)));
+    }
+    catch {
+        throw new JWEDecryptionFailed();
+    }
+}
+const unsupportedEnc = 'Unsupported JWE Content Encryption Algorithm';
+export async function encrypt(enc, plaintext, cek, iv, aad) {
+    if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
+        throw new TypeError(invalidKeyInput(cek, 'CryptoKey', 'KeyObject', 'Uint8Array', 'JSON Web Key'));
+    }
+    if (iv) {
+        checkIvLength(enc, iv);
+    }
+    else {
+        iv = generateIv(enc);
+    }
+    switch (enc) {
+        case 'A128CBC-HS256':
+        case 'A192CBC-HS384':
+        case 'A256CBC-HS512':
+            if (cek instanceof Uint8Array) {
+                checkCekLength(cek, parseInt(enc.slice(-3), 10));
+            }
+            return cbcEncrypt(enc, plaintext, cek, iv, aad);
+        case 'A128GCM':
+        case 'A192GCM':
+        case 'A256GCM':
+            if (cek instanceof Uint8Array) {
+                checkCekLength(cek, parseInt(enc.slice(1, 4), 10));
+            }
+            return gcmEncrypt(enc, plaintext, cek, iv, aad);
+        default:
+            throw new JOSENotSupported(unsupportedEnc);
+    }
+}
+export async function decrypt(enc, cek, ciphertext, iv, tag, aad) {
+    if (!isCryptoKey(cek) && !(cek instanceof Uint8Array)) {
+        throw new TypeError(invalidKeyInput(cek, 'CryptoKey', 'KeyObject', 'Uint8Array', 'JSON Web Key'));
+    }
+    if (!iv) {
+        throw new JWEInvalid('JWE Initialization Vector missing');
+    }
+    if (!tag) {
+        throw new JWEInvalid('JWE Authentication Tag missing');
+    }
+    checkIvLength(enc, iv);
+    switch (enc) {
+        case 'A128CBC-HS256':
+        case 'A192CBC-HS384':
+        case 'A256CBC-HS512':
+            if (cek instanceof Uint8Array)
+                checkCekLength(cek, parseInt(enc.slice(-3), 10));
+            return cbcDecrypt(enc, cek, ciphertext, iv, tag, aad);
+        case 'A128GCM':
+        case 'A192GCM':
+        case 'A256GCM':
+            if (cek instanceof Uint8Array)
+                checkCekLength(cek, parseInt(enc.slice(1, 4), 10));
+            return gcmDecrypt(enc, cek, ciphertext, iv, tag, aad);
+        default:
+            throw new JOSENotSupported(unsupportedEnc);
+    }
+}

package/node_modules/jose/dist/webapi/lib/crypto_key.js CHANGED Viewed

@@ -3,6 +3,11 @@ const isAlgorithm = (algorithm, name) => algorithm.name === name;
 function getHashLength(hash) {
     return parseInt(hash.name.slice(4), 10);
 }
+function checkHashLength(algorithm, expected) {
+    const actual = getHashLength(algorithm.hash);
+    if (actual !== expected)
+        throw unusable(`SHA-${expected}`, 'algorithm.hash');
+}
 function getNamedCurve(alg) {
     switch (alg) {
         case 'ES256':
@@ -27,10 +32,7 @@ export function checkSigCryptoKey(key, alg, usage) {
         case 'HS512': {
             if (!isAlgorithm(key.algorithm, 'HMAC'))
                 throw unusable('HMAC');
-            const expected = parseInt(alg.slice(2), 10);
-            const actual = getHashLength(key.algorithm.hash);
-            if (actual !== expected)
-                throw unusable(`SHA-${expected}`, 'algorithm.hash');
+            checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
             break;
         }
         case 'RS256':
@@ -38,10 +40,7 @@ export function checkSigCryptoKey(key, alg, usage) {
         case 'RS512': {
             if (!isAlgorithm(key.algorithm, 'RSASSA-PKCS1-v1_5'))
                 throw unusable('RSASSA-PKCS1-v1_5');
-            const expected = parseInt(alg.slice(2), 10);
-            const actual = getHashLength(key.algorithm.hash);
-            if (actual !== expected)
-                throw unusable(`SHA-${expected}`, 'algorithm.hash');
+            checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
             break;
         }
         case 'PS256':
@@ -49,10 +48,7 @@ export function checkSigCryptoKey(key, alg, usage) {
         case 'PS512': {
             if (!isAlgorithm(key.algorithm, 'RSA-PSS'))
                 throw unusable('RSA-PSS');
-            const expected = parseInt(alg.slice(2), 10);
-            const actual = getHashLength(key.algorithm.hash);
-            if (actual !== expected)
-                throw unusable(`SHA-${expected}`, 'algorithm.hash');
+            checkHashLength(key.algorithm, parseInt(alg.slice(2), 10));
             break;
         }
         case 'Ed25519':
@@ -130,10 +126,7 @@ export function checkEncCryptoKey(key, alg, usage) {
         case 'RSA-OAEP-512': {
             if (!isAlgorithm(key.algorithm, 'RSA-OAEP'))
                 throw unusable('RSA-OAEP');
-            const expected = parseInt(alg.slice(9), 10) || 1;
-            const actual = getHashLength(key.algorithm.hash);
-            if (actual !== expected)
-                throw unusable(`SHA-${expected}`, 'algorithm.hash');
+            checkHashLength(key.algorithm, parseInt(alg.slice(9), 10) || 1);
             break;
         }
         default:

package/node_modules/jose/dist/webapi/lib/ecdhes.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { encode, concat, uint32be } from './buffer_utils.js';
 import { checkEncCryptoKey } from './crypto_key.js';
-import { digest } from './digest.js';
+import { digest } from './helpers.js';
 function lengthAndInput(input) {
     return concat(uint32be(input.length), input);
 }

package/node_modules/jose/dist/webapi/lib/helpers.js ADDED Viewed

@@ -0,0 +1,19 @@
+import { decode } from '../util/base64url.js';
+export const unprotected = Symbol();
+export function assertNotSet(value, name) {
+    if (value) {
+        throw new TypeError(`${name} can only be called once`);
+    }
+}
+export function decodeBase64url(value, label, ErrorClass) {
+    try {
+        return decode(value);
+    }
+    catch {
+        throw new ErrorClass(`Failed to base64url decode the ${label}`);
+    }
+}
+export async function digest(algorithm, data) {
+    const subtleDigest = `SHA-${algorithm.slice(-3)}`;
+    return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));
+}

package/node_modules/jose/dist/webapi/lib/jwk_to_key.js CHANGED Viewed

@@ -1,4 +1,5 @@
 import { JOSENotSupported } from '../util/errors.js';
+const unsupportedAlg = 'Invalid or unsupported JWK "alg" (Algorithm) Parameter value';
 function subtleMapping(jwk) {
     let algorithm;
     let keyUsages;
@@ -12,7 +13,7 @@ function subtleMapping(jwk) {
                     keyUsages = jwk.priv ? ['sign'] : ['verify'];
                     break;
                 default:
-                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+                    throw new JOSENotSupported(unsupportedAlg);
             }
             break;
         }
@@ -41,22 +42,19 @@ function subtleMapping(jwk) {
                     keyUsages = jwk.d ? ['decrypt', 'unwrapKey'] : ['encrypt', 'wrapKey'];
                     break;
                 default:
-                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+                    throw new JOSENotSupported(unsupportedAlg);
             }
             break;
         }
         case 'EC': {
             switch (jwk.alg) {
                 case 'ES256':
-                    algorithm = { name: 'ECDSA', namedCurve: 'P-256' };
-                    keyUsages = jwk.d ? ['sign'] : ['verify'];
-                    break;
                 case 'ES384':
-                    algorithm = { name: 'ECDSA', namedCurve: 'P-384' };
-                    keyUsages = jwk.d ? ['sign'] : ['verify'];
-                    break;
                 case 'ES512':
-                    algorithm = { name: 'ECDSA', namedCurve: 'P-521' };
+                    algorithm = {
+                        name: 'ECDSA',
+                        namedCurve: { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' }[jwk.alg],
+                    };
                     keyUsages = jwk.d ? ['sign'] : ['verify'];
                     break;
                 case 'ECDH-ES':
@@ -67,7 +65,7 @@ function subtleMapping(jwk) {
                     keyUsages = jwk.d ? ['deriveBits'] : [];
                     break;
                 default:
-                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+                    throw new JOSENotSupported(unsupportedAlg);
             }
             break;
         }
@@ -86,7 +84,7 @@ function subtleMapping(jwk) {
                     keyUsages = jwk.d ? ['deriveBits'] : [];
                     break;
                 default:
-                    throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
+                    throw new JOSENotSupported(unsupportedAlg);
             }
             break;
         }

package/node_modules/jose/dist/webapi/lib/jwt_claims_set.js CHANGED Viewed

@@ -1,6 +1,6 @@
 import { JWTClaimValidationFailed, JWTExpired, JWTInvalid } from '../util/errors.js';
 import { encoder, decoder } from './buffer_utils.js';
-import { isObject } from './is_object.js';
+import { isObject } from './type_checks.js';
 const epoch = (date) => Math.floor(date.getTime() / 1000);
 const minute = 60;
 const hour = minute * 60;

package/node_modules/jose/dist/webapi/lib/key_management.js ADDED Viewed

@@ -0,0 +1,186 @@
+import * as aeskw from './aeskw.js';
+import * as ecdhes from './ecdhes.js';
+import * as pbes2kw from './pbes2kw.js';
+import * as rsaes from './rsaes.js';
+import { encode as b64u } from '../util/base64url.js';
+import { normalizeKey } from './normalize_key.js';
+import { JOSENotSupported, JWEInvalid } from '../util/errors.js';
+import { decodeBase64url } from './helpers.js';
+import { generateCek, cekLength } from './content_encryption.js';
+import { importJWK } from '../key/import.js';
+import { exportJWK } from '../key/export.js';
+import { isObject } from './type_checks.js';
+import { wrap as aesGcmKwWrap, unwrap as aesGcmKwUnwrap } from './aesgcmkw.js';
+import { assertCryptoKey } from './is_key_like.js';
+const unsupportedAlgHeader = 'Invalid or unsupported "alg" (JWE Algorithm) header value';
+function assertEncryptedKey(encryptedKey) {
+    if (encryptedKey === undefined)
+        throw new JWEInvalid('JWE Encrypted Key missing');
+}
+export async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
+    switch (alg) {
+        case 'dir': {
+            if (encryptedKey !== undefined)
+                throw new JWEInvalid('Encountered unexpected JWE Encrypted Key');
+            return key;
+        }
+        case 'ECDH-ES':
+            if (encryptedKey !== undefined)
+                throw new JWEInvalid('Encountered unexpected JWE Encrypted Key');
+        case 'ECDH-ES+A128KW':
+        case 'ECDH-ES+A192KW':
+        case 'ECDH-ES+A256KW': {
+            if (!isObject(joseHeader.epk))
+                throw new JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
+            assertCryptoKey(key);
+            if (!ecdhes.allowed(key))
+                throw new JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');
+            const epk = await importJWK(joseHeader.epk, alg);
+            assertCryptoKey(epk);
+            let partyUInfo;
+            let partyVInfo;
+            if (joseHeader.apu !== undefined) {
+                if (typeof joseHeader.apu !== 'string')
+                    throw new JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
+                partyUInfo = decodeBase64url(joseHeader.apu, 'apu', JWEInvalid);
+            }
+            if (joseHeader.apv !== undefined) {
+                if (typeof joseHeader.apv !== 'string')
+                    throw new JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
+                partyVInfo = decodeBase64url(joseHeader.apv, 'apv', JWEInvalid);
+            }
+            const sharedSecret = await ecdhes.deriveKey(epk, key, alg === 'ECDH-ES' ? joseHeader.enc : alg, alg === 'ECDH-ES' ? cekLength(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);
+            if (alg === 'ECDH-ES')
+                return sharedSecret;
+            assertEncryptedKey(encryptedKey);
+            return aeskw.unwrap(alg.slice(-6), sharedSecret, encryptedKey);
+        }
+        case 'RSA-OAEP':
+        case 'RSA-OAEP-256':
+        case 'RSA-OAEP-384':
+        case 'RSA-OAEP-512': {
+            assertEncryptedKey(encryptedKey);
+            assertCryptoKey(key);
+            return rsaes.decrypt(alg, key, encryptedKey);
+        }
+        case 'PBES2-HS256+A128KW':
+        case 'PBES2-HS384+A192KW':
+        case 'PBES2-HS512+A256KW': {
+            assertEncryptedKey(encryptedKey);
+            if (typeof joseHeader.p2c !== 'number')
+                throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
+            const p2cLimit = options?.maxPBES2Count || 10_000;
+            if (joseHeader.p2c > p2cLimit)
+                throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
+            if (typeof joseHeader.p2s !== 'string')
+                throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
+            let p2s;
+            p2s = decodeBase64url(joseHeader.p2s, 'p2s', JWEInvalid);
+            return pbes2kw.unwrap(alg, key, encryptedKey, joseHeader.p2c, p2s);
+        }
+        case 'A128KW':
+        case 'A192KW':
+        case 'A256KW': {
+            assertEncryptedKey(encryptedKey);
+            return aeskw.unwrap(alg, key, encryptedKey);
+        }
+        case 'A128GCMKW':
+        case 'A192GCMKW':
+        case 'A256GCMKW': {
+            assertEncryptedKey(encryptedKey);
+            if (typeof joseHeader.iv !== 'string')
+                throw new JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
+            if (typeof joseHeader.tag !== 'string')
+                throw new JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
+            let iv;
+            iv = decodeBase64url(joseHeader.iv, 'iv', JWEInvalid);
+            let tag;
+            tag = decodeBase64url(joseHeader.tag, 'tag', JWEInvalid);
+            return aesGcmKwUnwrap(alg, key, encryptedKey, iv, tag);
+        }
+        default: {
+            throw new JOSENotSupported(unsupportedAlgHeader);
+        }
+    }
+}
+export async function encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) {
+    let encryptedKey;
+    let parameters;
+    let cek;
+    switch (alg) {
+        case 'dir': {
+            cek = key;
+            break;
+        }
+        case 'ECDH-ES':
+        case 'ECDH-ES+A128KW':
+        case 'ECDH-ES+A192KW':
+        case 'ECDH-ES+A256KW': {
+            assertCryptoKey(key);
+            if (!ecdhes.allowed(key)) {
+                throw new JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');
+            }
+            const { apu, apv } = providedParameters;
+            let ephemeralKey;
+            if (providedParameters.epk) {
+                ephemeralKey = (await normalizeKey(providedParameters.epk, alg));
+            }
+            else {
+                ephemeralKey = (await crypto.subtle.generateKey(key.algorithm, true, ['deriveBits'])).privateKey;
+            }
+            const { x, y, crv, kty } = await exportJWK(ephemeralKey);
+            const sharedSecret = await ecdhes.deriveKey(key, ephemeralKey, alg === 'ECDH-ES' ? enc : alg, alg === 'ECDH-ES' ? cekLength(enc) : parseInt(alg.slice(-5, -2), 10), apu, apv);
+            parameters = { epk: { x, crv, kty } };
+            if (kty === 'EC')
+                parameters.epk.y = y;
+            if (apu)
+                parameters.apu = b64u(apu);
+            if (apv)
+                parameters.apv = b64u(apv);
+            if (alg === 'ECDH-ES') {
+                cek = sharedSecret;
+                break;
+            }
+            cek = providedCek || generateCek(enc);
+            const kwAlg = alg.slice(-6);
+            encryptedKey = await aeskw.wrap(kwAlg, sharedSecret, cek);
+            break;
+        }
+        case 'RSA-OAEP':
+        case 'RSA-OAEP-256':
+        case 'RSA-OAEP-384':
+        case 'RSA-OAEP-512': {
+            cek = providedCek || generateCek(enc);
+            assertCryptoKey(key);
+            encryptedKey = await rsaes.encrypt(alg, key, cek);
+            break;
+        }
+        case 'PBES2-HS256+A128KW':
+        case 'PBES2-HS384+A192KW':
+        case 'PBES2-HS512+A256KW': {
+            cek = providedCek || generateCek(enc);
+            const { p2c, p2s } = providedParameters;
+            ({ encryptedKey, ...parameters } = await pbes2kw.wrap(alg, key, cek, p2c, p2s));
+            break;
+        }
+        case 'A128KW':
+        case 'A192KW':
+        case 'A256KW': {
+            cek = providedCek || generateCek(enc);
+            encryptedKey = await aeskw.wrap(alg, key, cek);
+            break;
+        }
+        case 'A128GCMKW':
+        case 'A192GCMKW':
+        case 'A256GCMKW': {
+            cek = providedCek || generateCek(enc);
+            const { iv } = providedParameters;
+            ({ encryptedKey, ...parameters } = await aesGcmKwWrap(alg, key, cek, iv));
+            break;
+        }
+        default: {
+            throw new JOSENotSupported(unsupportedAlgHeader);
+        }
+    }
+    return { cek, encryptedKey, parameters };
+}

package/node_modules/jose/dist/webapi/lib/normalize_key.js CHANGED Viewed

@@ -1,7 +1,8 @@
-import { isJWK } from './is_jwk.js';
+import { isJWK } from './type_checks.js';
 import { decode } from '../util/base64url.js';
 import { jwkToKey } from './jwk_to_key.js';
 import { isCryptoKey, isKeyObject } from './is_key_like.js';
+const unusableForAlg = 'given KeyObject instance cannot be used for this algorithm';
 let cache;
 const handleJWK = async (key, jwk, alg, freeze = false) => {
     cache ||= new WeakMap();
@@ -37,13 +38,13 @@ const handleKeyObject = (keyObject, alg) => {
             case 'ECDH-ES+A256KW':
                 break;
             default:
-                throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+                throw new TypeError(unusableForAlg);
         }
         cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, isPublic ? [] : ['deriveBits']);
     }
     if (keyObject.asymmetricKeyType === 'ed25519') {
         if (alg !== 'EdDSA' && alg !== 'Ed25519') {
-            throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+            throw new TypeError(unusableForAlg);
         }
         cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
             isPublic ? 'verify' : 'sign',
@@ -54,7 +55,7 @@ const handleKeyObject = (keyObject, alg) => {
         case 'ml-dsa-65':
         case 'ml-dsa-87': {
             if (alg !== keyObject.asymmetricKeyType.toUpperCase()) {
-                throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+                throw new TypeError(unusableForAlg);
             }
             cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
                 isPublic ? 'verify' : 'sign',
@@ -83,7 +84,7 @@ const handleKeyObject = (keyObject, alg) => {
                 hash = 'SHA-512';
                 break;
             default:
-                throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+                throw new TypeError(unusableForAlg);
         }
         if (alg.startsWith('RSA-OAEP')) {
             return keyObject.toCryptoKey({
@@ -104,21 +105,10 @@ const handleKeyObject = (keyObject, alg) => {
         ]);
         const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
         if (!namedCurve) {
-            throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+            throw new TypeError(unusableForAlg);
         }
-        if (alg === 'ES256' && namedCurve === 'P-256') {
-            cryptoKey = keyObject.toCryptoKey({
-                name: 'ECDSA',
-                namedCurve,
-            }, extractable, [isPublic ? 'verify' : 'sign']);
-        }
-        if (alg === 'ES384' && namedCurve === 'P-384') {
-            cryptoKey = keyObject.toCryptoKey({
-                name: 'ECDSA',
-                namedCurve,
-            }, extractable, [isPublic ? 'verify' : 'sign']);
-        }
-        if (alg === 'ES512' && namedCurve === 'P-521') {
+        const expectedCurve = { ES256: 'P-256', ES384: 'P-384', ES512: 'P-521' };
+        if (expectedCurve[alg] && namedCurve === expectedCurve[alg]) {
             cryptoKey = keyObject.toCryptoKey({
                 name: 'ECDSA',
                 namedCurve,
@@ -132,7 +122,7 @@ const handleKeyObject = (keyObject, alg) => {
         }
     }
     if (!cryptoKey) {
-        throw new TypeError('given KeyObject instance cannot be used for this algorithm');
+        throw new TypeError(unusableForAlg);
     }
     if (!cached) {
         cache.set(keyObject, { [alg]: cryptoKey });

package/node_modules/jose/dist/webapi/lib/rsaes.js CHANGED Viewed

@@ -1,5 +1,5 @@
 import { checkEncCryptoKey } from './crypto_key.js';
-import { checkKeyLength } from './check_key_length.js';
+import { checkKeyLength } from './signing.js';
 import { JOSENotSupported } from '../util/errors.js';
 const subtleAlgorithm = (alg) => {
     switch (alg) {