gdc-common-utils-ts 2.0.9 → 2.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -0
- package/dist/utils/jwt.d.ts +47 -0
- package/dist/utils/jwt.js +56 -0
- package/dist/utils/vp-token.js +4 -12
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -136,6 +136,7 @@ If you need the canonical explanation of how DIDComm envelope, batch body,
|
|
|
136
136
|
entry types, FHIR-like resources, and `resource.meta.claims` fit together,
|
|
137
137
|
read first:
|
|
138
138
|
|
|
139
|
+
- [`docs/101-ID_TOKEN.md`](docs/101-ID_TOKEN.md)
|
|
139
140
|
- [`docs/101-COMMUNICATION_LAYERING.md`](docs/101-COMMUNICATION_LAYERING.md)
|
|
140
141
|
- [`docs/101-BUNDLE_EDITOR_READER.md`](docs/101-BUNDLE_EDITOR_READER.md)
|
|
141
142
|
- [`docs/101-CLINICAL-IPS.md`](docs/101-CLINICAL-IPS.md)
|
package/dist/utils/jwt.d.ts
CHANGED
|
@@ -51,6 +51,53 @@ export declare function encodeSignature(signatureBytes?: Uint8Array): string;
|
|
|
51
51
|
* @returns A compact JWT string.
|
|
52
52
|
*/
|
|
53
53
|
export declare function compactJWT(header: object, payload: object, signatureBytes?: Uint8Array): Promise<string>;
|
|
54
|
+
/**
|
|
55
|
+
* Prepares the JOSE compact-signing input for an externally signed JWT/JWS.
|
|
56
|
+
*
|
|
57
|
+
* This helper is intended for BFF, wallet, Expo/native, or server-side flows
|
|
58
|
+
* where the signing key lives in an external KMS/HSM and the application must:
|
|
59
|
+
*
|
|
60
|
+
* 1. build the protected header and JWT payload locally
|
|
61
|
+
* 2. obtain the canonical `base64url(header).base64url(payload)` string
|
|
62
|
+
* 3. sign that exact byte sequence with the external signer
|
|
63
|
+
* 4. assemble the final compact JWS/JWT by appending the returned signature
|
|
64
|
+
*
|
|
65
|
+
* References:
|
|
66
|
+
* - RFC 7515 (JWS), Compact Serialization
|
|
67
|
+
* - RFC 7519 (JWT)
|
|
68
|
+
* - OpenID Connect Core 1.0 (`id_token` profile claims such as `email`)
|
|
69
|
+
*
|
|
70
|
+
* Note:
|
|
71
|
+
* - this helper only prepares the compact signing input
|
|
72
|
+
* - it does not verify that the payload is a particular profile such as
|
|
73
|
+
* `vp_token`, `id_token`, or `private_key_jwt`
|
|
74
|
+
*/
|
|
75
|
+
export declare function prepareJwtForSignature(header: object, payload: object): {
|
|
76
|
+
encodedHeader: string;
|
|
77
|
+
encodedPayload: string;
|
|
78
|
+
signingInput: string;
|
|
79
|
+
};
|
|
80
|
+
/**
|
|
81
|
+
* Returns the UTF-8 bytes of the canonical compact JWT/JWS signing input.
|
|
82
|
+
*
|
|
83
|
+
* This is the exact byte sequence that an external signer must sign before the
|
|
84
|
+
* caller assembles the final compact JWT string with
|
|
85
|
+
* `buildJwtCompact(...)`.
|
|
86
|
+
*/
|
|
87
|
+
export declare function prepareJwtBytesForSignature(header: object, payload: object): Uint8Array;
|
|
88
|
+
/**
|
|
89
|
+
* Assembles the final compact JWT/JWS once the caller already has:
|
|
90
|
+
*
|
|
91
|
+
* - the base64url-encoded protected header
|
|
92
|
+
* - the base64url-encoded payload
|
|
93
|
+
* - the detached signature returned by the external signer, also base64url-encoded
|
|
94
|
+
*
|
|
95
|
+
* This helper is profile-agnostic. It can be used for:
|
|
96
|
+
* - OpenID Connect `id_token`
|
|
97
|
+
* - `vp_token`
|
|
98
|
+
* - other compact JWS/JWT profiles that follow RFC 7515 / RFC 7519
|
|
99
|
+
*/
|
|
100
|
+
export declare function buildJwtCompact(encodedHeader: string, encodedPayload: string, signatureBase64Url: string): string;
|
|
54
101
|
/**
|
|
55
102
|
* Builds an unsigned compact JWT with `alg=none`.
|
|
56
103
|
*
|
package/dist/utils/jwt.js
CHANGED
|
@@ -152,6 +152,62 @@ export async function compactJWT(header, payload, signatureBytes) {
|
|
|
152
152
|
const encodedSignature = encodeSignature(signatureBytes);
|
|
153
153
|
return `${encodedHeader}.${encodedPayload}.${encodedSignature}`;
|
|
154
154
|
}
|
|
155
|
+
/**
|
|
156
|
+
* Prepares the JOSE compact-signing input for an externally signed JWT/JWS.
|
|
157
|
+
*
|
|
158
|
+
* This helper is intended for BFF, wallet, Expo/native, or server-side flows
|
|
159
|
+
* where the signing key lives in an external KMS/HSM and the application must:
|
|
160
|
+
*
|
|
161
|
+
* 1. build the protected header and JWT payload locally
|
|
162
|
+
* 2. obtain the canonical `base64url(header).base64url(payload)` string
|
|
163
|
+
* 3. sign that exact byte sequence with the external signer
|
|
164
|
+
* 4. assemble the final compact JWS/JWT by appending the returned signature
|
|
165
|
+
*
|
|
166
|
+
* References:
|
|
167
|
+
* - RFC 7515 (JWS), Compact Serialization
|
|
168
|
+
* - RFC 7519 (JWT)
|
|
169
|
+
* - OpenID Connect Core 1.0 (`id_token` profile claims such as `email`)
|
|
170
|
+
*
|
|
171
|
+
* Note:
|
|
172
|
+
* - this helper only prepares the compact signing input
|
|
173
|
+
* - it does not verify that the payload is a particular profile such as
|
|
174
|
+
* `vp_token`, `id_token`, or `private_key_jwt`
|
|
175
|
+
*/
|
|
176
|
+
export function prepareJwtForSignature(header, payload) {
|
|
177
|
+
const encodedHeader = encodeHeader(header);
|
|
178
|
+
const encodedPayload = Content.objectToRawBase64UrlSafe(payload);
|
|
179
|
+
return {
|
|
180
|
+
encodedHeader,
|
|
181
|
+
encodedPayload,
|
|
182
|
+
signingInput: `${encodedHeader}.${encodedPayload}`,
|
|
183
|
+
};
|
|
184
|
+
}
|
|
185
|
+
/**
|
|
186
|
+
* Returns the UTF-8 bytes of the canonical compact JWT/JWS signing input.
|
|
187
|
+
*
|
|
188
|
+
* This is the exact byte sequence that an external signer must sign before the
|
|
189
|
+
* caller assembles the final compact JWT string with
|
|
190
|
+
* `buildJwtCompact(...)`.
|
|
191
|
+
*/
|
|
192
|
+
export function prepareJwtBytesForSignature(header, payload) {
|
|
193
|
+
const { signingInput } = prepareJwtForSignature(header, payload);
|
|
194
|
+
return new TextEncoder().encode(signingInput);
|
|
195
|
+
}
|
|
196
|
+
/**
|
|
197
|
+
* Assembles the final compact JWT/JWS once the caller already has:
|
|
198
|
+
*
|
|
199
|
+
* - the base64url-encoded protected header
|
|
200
|
+
* - the base64url-encoded payload
|
|
201
|
+
* - the detached signature returned by the external signer, also base64url-encoded
|
|
202
|
+
*
|
|
203
|
+
* This helper is profile-agnostic. It can be used for:
|
|
204
|
+
* - OpenID Connect `id_token`
|
|
205
|
+
* - `vp_token`
|
|
206
|
+
* - other compact JWS/JWT profiles that follow RFC 7515 / RFC 7519
|
|
207
|
+
*/
|
|
208
|
+
export function buildJwtCompact(encodedHeader, encodedPayload, signatureBase64Url) {
|
|
209
|
+
return `${encodedHeader}.${encodedPayload}.${String(signatureBase64Url || '').trim()}`;
|
|
210
|
+
}
|
|
155
211
|
/**
|
|
156
212
|
* Builds an unsigned compact JWT with `alg=none`.
|
|
157
213
|
*
|
package/dist/utils/vp-token.js
CHANGED
|
@@ -1,5 +1,4 @@
|
|
|
1
|
-
|
|
2
|
-
import { Content } from './content.js';
|
|
1
|
+
import { buildJwtCompact, prepareJwtBytesForSignature, prepareJwtForSignature } from './jwt.js';
|
|
3
2
|
import { ORGANIZATION_ACTIVATION_VC_TYPES, REPRESENTATIVE_ACTIVATION_VC_TYPES, W3cCredentialContexts, W3cCredentialTypes, } from '../constants/verifiable-credentials.js';
|
|
4
3
|
function fallbackId() {
|
|
5
4
|
const rand = Math.random().toString(36).slice(2, 10);
|
|
@@ -224,13 +223,7 @@ export function addLegalRepresentativeCredential(vpPayload, vc) {
|
|
|
224
223
|
return addTypedVC(vpPayload, vc, [...REPRESENTATIVE_ACTIVATION_VC_TYPES], 'LegalRepresentative');
|
|
225
224
|
}
|
|
226
225
|
export function prepareForSignature(header, payload) {
|
|
227
|
-
|
|
228
|
-
const encodedPayload = Content.objectToRawBase64UrlSafe(payload);
|
|
229
|
-
return {
|
|
230
|
-
encodedHeader,
|
|
231
|
-
encodedPayload,
|
|
232
|
-
signingInput: `${encodedHeader}.${encodedPayload}`,
|
|
233
|
-
};
|
|
226
|
+
return prepareJwtForSignature(header, payload);
|
|
234
227
|
}
|
|
235
228
|
/**
|
|
236
229
|
* Returns the UTF-8 bytes of the canonical `base64url(header).base64url(payload)`
|
|
@@ -241,8 +234,7 @@ export function prepareForSignature(header, payload) {
|
|
|
241
234
|
* `buildVpTokenCompact(...)`.
|
|
242
235
|
*/
|
|
243
236
|
export function prepareBytesForSignature(header, payload) {
|
|
244
|
-
|
|
245
|
-
return new TextEncoder().encode(signingInput);
|
|
237
|
+
return prepareJwtBytesForSignature(header, payload);
|
|
246
238
|
}
|
|
247
239
|
/**
|
|
248
240
|
* Assembles the final compact VP JWT once the caller already has:
|
|
@@ -252,5 +244,5 @@ export function prepareBytesForSignature(header, payload) {
|
|
|
252
244
|
* - the detached signature returned by the external signer, also base64url-encoded
|
|
253
245
|
*/
|
|
254
246
|
export function buildVpTokenCompact(encodedHeader, encodedPayload, signatureBase64Url) {
|
|
255
|
-
return
|
|
247
|
+
return buildJwtCompact(encodedHeader, encodedPayload, signatureBase64Url);
|
|
256
248
|
}
|