gdc-common-utils-ts 2.0.9 → 2.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -136,6 +136,7 @@ If you need the canonical explanation of how DIDComm envelope, batch body,
136
136
  entry types, FHIR-like resources, and `resource.meta.claims` fit together,
137
137
  read first:
138
138
 
139
+ - [`docs/101-ID_TOKEN.md`](docs/101-ID_TOKEN.md)
139
140
  - [`docs/101-COMMUNICATION_LAYERING.md`](docs/101-COMMUNICATION_LAYERING.md)
140
141
  - [`docs/101-BUNDLE_EDITOR_READER.md`](docs/101-BUNDLE_EDITOR_READER.md)
141
142
  - [`docs/101-CLINICAL-IPS.md`](docs/101-CLINICAL-IPS.md)
@@ -51,6 +51,53 @@ export declare function encodeSignature(signatureBytes?: Uint8Array): string;
51
51
  * @returns A compact JWT string.
52
52
  */
53
53
  export declare function compactJWT(header: object, payload: object, signatureBytes?: Uint8Array): Promise<string>;
54
+ /**
55
+ * Prepares the JOSE compact-signing input for an externally signed JWT/JWS.
56
+ *
57
+ * This helper is intended for BFF, wallet, Expo/native, or server-side flows
58
+ * where the signing key lives in an external KMS/HSM and the application must:
59
+ *
60
+ * 1. build the protected header and JWT payload locally
61
+ * 2. obtain the canonical `base64url(header).base64url(payload)` string
62
+ * 3. sign that exact byte sequence with the external signer
63
+ * 4. assemble the final compact JWS/JWT by appending the returned signature
64
+ *
65
+ * References:
66
+ * - RFC 7515 (JWS), Compact Serialization
67
+ * - RFC 7519 (JWT)
68
+ * - OpenID Connect Core 1.0 (`id_token` profile claims such as `email`)
69
+ *
70
+ * Note:
71
+ * - this helper only prepares the compact signing input
72
+ * - it does not verify that the payload is a particular profile such as
73
+ * `vp_token`, `id_token`, or `private_key_jwt`
74
+ */
75
+ export declare function prepareJwtForSignature(header: object, payload: object): {
76
+ encodedHeader: string;
77
+ encodedPayload: string;
78
+ signingInput: string;
79
+ };
80
+ /**
81
+ * Returns the UTF-8 bytes of the canonical compact JWT/JWS signing input.
82
+ *
83
+ * This is the exact byte sequence that an external signer must sign before the
84
+ * caller assembles the final compact JWT string with
85
+ * `buildJwtCompact(...)`.
86
+ */
87
+ export declare function prepareJwtBytesForSignature(header: object, payload: object): Uint8Array;
88
+ /**
89
+ * Assembles the final compact JWT/JWS once the caller already has:
90
+ *
91
+ * - the base64url-encoded protected header
92
+ * - the base64url-encoded payload
93
+ * - the detached signature returned by the external signer, also base64url-encoded
94
+ *
95
+ * This helper is profile-agnostic. It can be used for:
96
+ * - OpenID Connect `id_token`
97
+ * - `vp_token`
98
+ * - other compact JWS/JWT profiles that follow RFC 7515 / RFC 7519
99
+ */
100
+ export declare function buildJwtCompact(encodedHeader: string, encodedPayload: string, signatureBase64Url: string): string;
54
101
  /**
55
102
  * Builds an unsigned compact JWT with `alg=none`.
56
103
  *
package/dist/utils/jwt.js CHANGED
@@ -152,6 +152,62 @@ export async function compactJWT(header, payload, signatureBytes) {
152
152
  const encodedSignature = encodeSignature(signatureBytes);
153
153
  return `${encodedHeader}.${encodedPayload}.${encodedSignature}`;
154
154
  }
155
+ /**
156
+ * Prepares the JOSE compact-signing input for an externally signed JWT/JWS.
157
+ *
158
+ * This helper is intended for BFF, wallet, Expo/native, or server-side flows
159
+ * where the signing key lives in an external KMS/HSM and the application must:
160
+ *
161
+ * 1. build the protected header and JWT payload locally
162
+ * 2. obtain the canonical `base64url(header).base64url(payload)` string
163
+ * 3. sign that exact byte sequence with the external signer
164
+ * 4. assemble the final compact JWS/JWT by appending the returned signature
165
+ *
166
+ * References:
167
+ * - RFC 7515 (JWS), Compact Serialization
168
+ * - RFC 7519 (JWT)
169
+ * - OpenID Connect Core 1.0 (`id_token` profile claims such as `email`)
170
+ *
171
+ * Note:
172
+ * - this helper only prepares the compact signing input
173
+ * - it does not verify that the payload is a particular profile such as
174
+ * `vp_token`, `id_token`, or `private_key_jwt`
175
+ */
176
+ export function prepareJwtForSignature(header, payload) {
177
+ const encodedHeader = encodeHeader(header);
178
+ const encodedPayload = Content.objectToRawBase64UrlSafe(payload);
179
+ return {
180
+ encodedHeader,
181
+ encodedPayload,
182
+ signingInput: `${encodedHeader}.${encodedPayload}`,
183
+ };
184
+ }
185
+ /**
186
+ * Returns the UTF-8 bytes of the canonical compact JWT/JWS signing input.
187
+ *
188
+ * This is the exact byte sequence that an external signer must sign before the
189
+ * caller assembles the final compact JWT string with
190
+ * `buildJwtCompact(...)`.
191
+ */
192
+ export function prepareJwtBytesForSignature(header, payload) {
193
+ const { signingInput } = prepareJwtForSignature(header, payload);
194
+ return new TextEncoder().encode(signingInput);
195
+ }
196
+ /**
197
+ * Assembles the final compact JWT/JWS once the caller already has:
198
+ *
199
+ * - the base64url-encoded protected header
200
+ * - the base64url-encoded payload
201
+ * - the detached signature returned by the external signer, also base64url-encoded
202
+ *
203
+ * This helper is profile-agnostic. It can be used for:
204
+ * - OpenID Connect `id_token`
205
+ * - `vp_token`
206
+ * - other compact JWS/JWT profiles that follow RFC 7515 / RFC 7519
207
+ */
208
+ export function buildJwtCompact(encodedHeader, encodedPayload, signatureBase64Url) {
209
+ return `${encodedHeader}.${encodedPayload}.${String(signatureBase64Url || '').trim()}`;
210
+ }
155
211
  /**
156
212
  * Builds an unsigned compact JWT with `alg=none`.
157
213
  *
@@ -1,5 +1,4 @@
1
- // Always create JSDoc, do not use strings inline in keys nor values, use types instead, and reuse the data test examples.
2
- import { Content } from './content.js';
1
+ import { buildJwtCompact, prepareJwtBytesForSignature, prepareJwtForSignature } from './jwt.js';
3
2
  import { ORGANIZATION_ACTIVATION_VC_TYPES, REPRESENTATIVE_ACTIVATION_VC_TYPES, W3cCredentialContexts, W3cCredentialTypes, } from '../constants/verifiable-credentials.js';
4
3
  function fallbackId() {
5
4
  const rand = Math.random().toString(36).slice(2, 10);
@@ -224,13 +223,7 @@ export function addLegalRepresentativeCredential(vpPayload, vc) {
224
223
  return addTypedVC(vpPayload, vc, [...REPRESENTATIVE_ACTIVATION_VC_TYPES], 'LegalRepresentative');
225
224
  }
226
225
  export function prepareForSignature(header, payload) {
227
- const encodedHeader = Content.objectToRawBase64UrlSafe(header);
228
- const encodedPayload = Content.objectToRawBase64UrlSafe(payload);
229
- return {
230
- encodedHeader,
231
- encodedPayload,
232
- signingInput: `${encodedHeader}.${encodedPayload}`,
233
- };
226
+ return prepareJwtForSignature(header, payload);
234
227
  }
235
228
  /**
236
229
  * Returns the UTF-8 bytes of the canonical `base64url(header).base64url(payload)`
@@ -241,8 +234,7 @@ export function prepareForSignature(header, payload) {
241
234
  * `buildVpTokenCompact(...)`.
242
235
  */
243
236
  export function prepareBytesForSignature(header, payload) {
244
- const { signingInput } = prepareForSignature(header, payload);
245
- return new TextEncoder().encode(signingInput);
237
+ return prepareJwtBytesForSignature(header, payload);
246
238
  }
247
239
  /**
248
240
  * Assembles the final compact VP JWT once the caller already has:
@@ -252,5 +244,5 @@ export function prepareBytesForSignature(header, payload) {
252
244
  * - the detached signature returned by the external signer, also base64url-encoded
253
245
  */
254
246
  export function buildVpTokenCompact(encodedHeader, encodedPayload, signatureBase64Url) {
255
- return `${encodedHeader}.${encodedPayload}.${String(signatureBase64Url || '').trim()}`;
247
+ return buildJwtCompact(encodedHeader, encodedPayload, signatureBase64Url);
256
248
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "gdc-common-utils-ts",
3
- "version": "2.0.9",
3
+ "version": "2.0.10",
4
4
  "publishConfig": {
5
5
  "access": "public"
6
6
  },