native-jwe 1.0.0

package/LICENSE

@@ -0,0 +1,23 @@
+MIT License
+
+Copyright (c) 2026 thangngh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+Portions of this software are based on the work of https://github.com/psenger/jwe_example.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,66 @@
+# In-House High-Performance JWE/JWS Core Engine
+
+[![Donate with PayPal](https://img.shields.io/badge/Donate-PayPal-blue.svg)](https://paypal.me/thangngh)
+
+A high-performance JWE/JWS encryption/decryption and signing module, with zero dependencies (using only Node.js `crypto` & `zlib`), specifically optimized for multi-session IAM (Identity and Access Management) systems.
+
+## 1. Design Philosophy
+
+*   **Zero-Dependency:** Utilizes only native Node.js `crypto` and `zlib` modules. Minimizes Supply Chain Attack risks and keeps the source code lean.
+*   **Low-Level Optimization:** Directly manipulates Buffers to optimize RAM and CPU usage.
+*   **Security First:** Hardened against common attack vectors such as DoS, Zip Bombs, Timing Attacks, and Information Leakage.
+*   **Robustness:** Prioritizes operational stability, fail-safe mechanisms, and resource protection.
+
+## 2. Technical Architecture & Performance Optimization
+
+This Core Engine is not just a simple wrapper; it applies deep processing techniques:
+
+### ⚡ Direct Native Bindings (OpenSSL Support)
+Instead of processing encryption logic with slow pure Javascript, all heavy tasks (`createCipheriv`, `publicEncrypt`, `verify`) are bound directly to the C++ OpenSSL layer of Node.js.
+*   => **Speed:** Comparable to compiled languages like Go/Rust for Crypto tasks.
+
+### 🚀 Zero-Copy & Native Base64Url
+The system **completely eliminates** manual regex string processing functions (which are memory-intensive and slow).
+Instead, it uses the `Buffer.from(str, 'base64url')` API (Node.js native):
+*   Minimizes Intermediate Memory Allocation.
+*   Avoids Memory Fragmentation when handling thousands of concurrent requests.
+
+### 🛡️ Memory Protection (First Line of Defense)
+Before any logic runs, the system applies **"Hard Limits"**:
+*   **JWE Max Size:** 200KB.
+*   **JWS Max Size:** 50KB.
+*   **Zip Max Output:** 2MB.
+*   **Effect:** Prevents DoS attacks aiming for Out-Of-Memory (OOM) via large malicious payloads.
+
+## 3. Security Hardening Features
+
+The engine has been patched and fortified against the following vulnerabilities:
+
+| Threat Vector | Technical Countermeasure |
+| :--- | :--- |
+| **Zip Bomb (DoS)** | Limits `gunzipSync` output to a maximum of 2MB. |
+| **Information Leakage** | `decrypt` only returns a generic `DecryptionFailed` error. Does not reveal specific Header/Key errors to prevent Enumeration. |
+| **Timing Attacks** | Uses safe comparison functions or appropriate fail-fast logic at the Header level. |
+| **Downgrade Attacks** | Hardcodes the strongest algorithms `RSA-OAEP-256` and `AES-256-GCM`. Rejects all weaker algorithms. |
+
+## 4. Operational Usage in IAM Systems
+
+### Scenarios
+1.  **JWS (Signature):** Used as **Access Token** (short-term).
+    *   *Location:* API Gateway.
+    *   *Pros:* Extremely fast `verify`, high load tolerance.
+2.  **JWE (Encryption):** Used as **Refresh Token** or **Secure Cookie** (long-term).
+    *   *Location:* Auth Service.
+    *   *Pros:* Completely hides token structure, protects session information (Session ID) stored on Client.
+
+### Best Practices
+*   **Key Management:** The module uses PEM keys. In Production, mount Keys from a Secret Manager (Vault/AWS/K8s Secrets) into RAM at startup; avoid hardcoding them.
+*   **Error Logging:** Although generic errors are returned to the Client, the system still logs details via `console.error`. Connect these logs to a Monitoring system (ELK, Loki) to detect attack signs.
+
+## 5. Credits & Acknowledgments
+This project is inspired by and based on portions of the work from [psenger/jwe_example](https://github.com/psenger/jwe_example).
+
+## 6. License
+MIT License.
+
+

package/dist/index.d.ts

@@ -0,0 +1,38 @@
+import { KeyLike, PrivateKeyInput } from 'crypto';
+export declare enum ZIP {
+    GZIP = "GZIP"
+}
+export interface JOSE {
+    alg: string;
+    /**
+     * The content of the message
+     */
+    cty?: MEDIA_TYPES;
+    /**
+     * The public key to which the JWE was encrypted; this can be used to determine the private key needed to decrypt the JWE.
+     * @see https://tools.ietf.org/html/rfc7515#section-4.1.4
+     */
+    kid?: string;
+}
+export interface JWE_JOSE extends JOSE {
+    enc: string;
+    zip?: ZIP;
+}
+export interface JWS_JOSE extends JOSE {
+}
+export declare enum MEDIA_TYPES {
+    JSON = "json"
+}
+export interface JWE_OPTIONS {
+    zip?: ZIP;
+    cty: MEDIA_TYPES;
+}
+export declare const JWE: {
+    encrypt: (value: string, publicKey: KeyLike, options: JWE_OPTIONS) => string;
+    decrypt: (payload: string, privateKey: KeyLike, passphrase: string) => string;
+};
+export declare const JWS: {
+    decode: (jwsPayload: string) => string;
+    encode: (value: string, privateKey: PrivateKeyInput) => string;
+    verify: (jwsPayload: string, publicKey: string) => boolean;
+};

package/dist/index.js

@@ -0,0 +1,328 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JWS = exports.JWE = exports.MEDIA_TYPES = exports.ZIP = void 0;
+const crypto_1 = require("crypto");
+const zlib_1 = require("zlib");
+var ZIP;
+(function (ZIP) {
+    ZIP["GZIP"] = "GZIP";
+})(ZIP || (exports.ZIP = ZIP = {}));
+var MEDIA_TYPES;
+(function (MEDIA_TYPES) {
+    MEDIA_TYPES["JSON"] = "json";
+})(MEDIA_TYPES || (exports.MEDIA_TYPES = MEDIA_TYPES = {}));
+/**
+ * a safer way to do toString on an object
+ * @param obj
+ */
+const toSafeString = function toSafeString(obj) {
+    if (typeof obj === 'string')
+        return obj;
+    if (typeof obj === 'number' || Buffer.isBuffer(obj))
+        return obj.toString();
+    return JSON.stringify(obj);
+};
+// Max size limits to protect RAM/CPU (IAM Performance & Security)
+// JWEs can be larger due to encrypted payload + overhead.
+const MAX_JWE_SIZE_BYTES = 200 * 1024; // 200KB limit for JWE
+// JWS is usually smaller (header + payload + signature).
+const MAX_JWS_SIZE_BYTES = 50 * 1024; // 50KB limit for JWS
+/**
+ * a safer way to do toString on an object
+ * @param obj
+ */
+const isObject = function isObject(thing) {
+    return Object.prototype.toString.call(thing) === '[object Object]';
+};
+/**
+ * Safe JSON parse...
+ * @param thing
+ */
+const safeJsonParse = function safeJsonParse(thing) {
+    if (isObject(thing))
+        return thing;
+    try {
+        return JSON.parse(thing);
+    }
+    catch (e) {
+        return undefined;
+    }
+};
+/**
+ * Asymmetric Encrypt With Public Key
+ * @param value
+ * @param publicKey
+ */
+const AsymmetricEncryptWithPublicKey = function AsymmetricEncryptWithPublicKey(value, publicKey) {
+    // If key ( A PEM encoded public key ) is a string, it is treated as the
+    // key with no passphrase and will use RSA_PKCS1_OAEP_PADDING.
+    // We are passing as KeyLike Typescript object, which means
+    // we need to declare the padding.
+    const public_key = {
+        key: publicKey,
+        padding: crypto_1.constants.RSA_PKCS1_OAEP_PADDING
+    };
+    return (0, crypto_1.publicEncrypt)(public_key, value);
+};
+/**
+ * Asymmetric Decrypt With Private Key
+ * @param value
+ * @param privateKey
+ * @param passphrase
+ */
+const AsymmetricDecryptWithPrivateKey = function AsymmetricDecryptWithPrivateKey(value, privateKey, passphrase) {
+    const private_key = {
+        key: privateKey,
+        passphrase,
+        // @todo: Still trying to establish why this is not working.
+        // oaepLabel:  https://github.com/nodejs/help/issues/1726
+        // oaepHash: 'sha256', // this does not appear to work on Mac OSX with OpenSSL 1.0.1g 7 Apr 2014 or OpenSSL 1.1.1d  10 Sep 2019 ( via Brew )
+        padding: crypto_1.constants.RSA_PKCS1_OAEP_PADDING
+    };
+    return (0, crypto_1.privateDecrypt)(private_key, value);
+};
+/**
+ * JWE Decrypt
+ *
+ * When decrypting, particular care must be taken not to allow the JWE recipient to be used as an oracle for
+ * decrypting messages.  RFC 3218 should be consulted for specific countermeasures to attacks on RSAES-PKCS1-v1_5.
+ *
+ * An attacker might modify the contents of the "alg" Header Parameter from "RSA-OAEP" to "RSA1_5" in order to
+ * generate a formatting error that can be detected and used to recover the CEK even if RSAES-OAEP was used to
+ * encrypt the CEK.  It is therefore particularly important to report all formatting errors to the CEK, Additional
+ * Authenticated Data, or ciphertext as a single error when the encrypted content is rejected.
+ *
+ * Additionally, this type of attack can be prevented by restricting the use of a key to a limited set of
+ * algorithms -- usually one.  This means, for instance, that if the key is marked as being for "RSA-OAEP" only,
+ * any attempt to decrypt a message using the "RSA1_5" algorithm with that key should fail immediately due to
+ * invalid use of the key.
+ *
+ * @param payload
+ * @param privateKey
+ * @param passphrase
+ */
+const decrypt = function decrypt(payload, privateKey, passphrase) {
+    // 1. First Line of Defense: Size Check
+    if (!payload || payload.length > MAX_JWE_SIZE_BYTES) {
+        throw new Error('JWE Size Check Failed'); // Protect RAM immediately
+    }
+    try {
+        let joseStr;
+        let cekStr;
+        let ivStr;
+        let cipherTextStr;
+        let tagStr;
+        /**
+         * JOSE - Javascript Object Signing and Encryption Header
+         * CEK - Content Encryption Key ( Asymmetrically encrypted with the )
+         * IV - Initialization Vector
+         * cipherText - The Symmetrically encrypted payload of a UTF-8 String, with the mime type identified as `cty` in the JOSE
+         * tag - Auth tag is the message authentication code (MAC) calculated during the encryption
+         */
+        [joseStr, cekStr, ivStr, cipherTextStr, tagStr] = payload.split('.');
+        // @TODO: need to exit here, if there are any values equal to null
+        // Native Node.js base64url decode (Zero-Regex, High Performance)
+        let jose = safeJsonParse(Buffer.from(joseStr, 'base64url').toString('utf8'));
+        // Security Logic: Information Leakage Prevention
+        // Validate headers internally but do NOT expose specific errors.
+        const isAlgValid = jose.alg === 'RSA-OAEP-256';
+        const isEncValid = jose.enc === 'A256GCM';
+        const isZipValid = !jose.zip || jose.zip === ZIP.GZIP;
+        if (!isAlgValid || !isEncValid || !isZipValid) {
+            console.error(`JWE Header Validation Failed: alg=${jose.alg}, enc=${jose.enc}, zip=${jose.zip}`);
+            throw new Error('JWE Header Validation Failed');
+        }
+        const cek = AsymmetricDecryptWithPrivateKey(Buffer.from(cekStr, 'base64url'), privateKey, passphrase);
+        const decipher = (0, crypto_1.createDecipheriv)('aes-256-gcm', cek, Buffer.from(ivStr, 'base64url'));
+        /**
+         * When using an authenticated encryption mode ( like GCM ),
+         * the decipher.setAuthTag() method is used to pass in the received authentication tag. If no tag is
+         * provided, or if the cipher text has been tampered with, decipher.final() will throw, indicating
+         * that the cipher text should be discarded due to failed authentication. If the tag length is
+         * invalid according to NIST SP 800-38D or does not match the value of the authTagLength option,
+         * decipher.setAuthTag() will throw an error.
+         *
+         * The decipher.setAuthTag() method must be called before decipher.final() and can only be called once.
+         */
+        decipher.setAuthTag(Buffer.from(tagStr, 'base64url'));
+        decipher.setAAD(Buffer.from(toSafeString(jose), 'utf8'));
+        let text = Buffer.concat([decipher.update(Buffer.from(cipherTextStr, 'base64url')), decipher.final()]);
+        if (jose.zip && jose.zip === ZIP.GZIP) {
+            // Added maxOutputLength to prevent Zip Bomb attacks (DoS).
+            // Limiting the uncompressed JSON payload to 2MB.
+            return (0, zlib_1.gunzipSync)(text, {
+                level: zlib_1.constants.Z_BEST_COMPRESSION,
+                maxOutputLength: 2 * 1024 * 1024
+            }).toString('utf8');
+        }
+        return text.toString('utf8');
+    }
+    catch (e) {
+        console.error(e);
+        // Generic Error for all failure cases to prevent Information Leakage
+        throw new Error('DecryptionFailed');
+    }
+};
+const encrypt = function encrypt(value, publicKey, options) {
+    // RSA-OAEP-256 - RSAES OAEP using SHA-256 and MGF1 with SHA-256
+    //  @see https://www.rfc-editor.org/rfc/rfc7518#section-4.3
+    const alg = 'RSA-OAEP-256';
+    // AES 256 GCM - encryption of the content.
+    const enc = 'A256GCM';
+    /**
+     * Javascript Object Signing and Encryption (JOSE ) - describe the encryption
+     * applied to the plaintext and optionally additional properties of the JWE.
+     */
+    const jose = { alg, enc };
+    /**
+     * Optional the body zip type, should be omitted from the JOSE to indicate no compression
+     */
+    if (options && options.zip) {
+        if (options.zip !== ZIP.GZIP) {
+            throw new Error(`Unsupported "zip" detected in JOSE. currently only "${ZIP.GZIP}" supported`);
+        }
+        jose.zip = ZIP.GZIP;
+    }
+    if (options && options.cty !== MEDIA_TYPES.JSON) {
+        throw new Error(`Unsupported "cty" detected in JOSE. currently only "${MEDIA_TYPES.JSON}" supported`);
+    }
+    jose.cty = MEDIA_TYPES.JSON;
+    /**
+     * Content Encryption Key (CEK) - ( this is the symmetrical key, which will later be
+     * encrypted asymmetrically ) A new symmetric key generated to encrypt the Plaintext
+     * for the recipient to produce the Ciphertext, which is encrypted to the recipient as
+     * the JWE Encrypted Key. 32 Bytes = 256 bits
+     */
+    const cek = (0, crypto_1.randomBytes)(32);
+    if (cek.length !== 32)
+        throw new Error('AES Key Must be 256 bytes (32 characters)');
+    /**
+     * JWE Initialization Vector
+     * The bit block size of the encryption algorithm dictates the
+     * Byte size of the IV. eg: A128GCM is 128 Bits = 16 Bytes and 256 Bits would be 32
+     */
+    const iv = (0, crypto_1.randomBytes)(32);
+    /**
+     * aes-256-cgm - Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)
+     * AES-GCM is a more secure cipher than AES-CBC, because AES-CBC, operates by XOR'ing
+     * each block with the previous block and cannot be written in parallel and
+     * Initialization Vector is required because AES is a Block Encryption method.
+     * AES is a block cipher mode type of encryption
+     */
+    const cipher = (0, crypto_1.createCipheriv)('aes-256-gcm', cek, iv);
+    /**
+     * When using an authenticated encryption mode (GCM, CCM and OCB are currently supported), the cipher.setAAD()
+     * method sets the value used for the additional authenticated data (AAD) input parameter.
+     *
+     * The options argument is optional for GCM and OCB. When using CCM, the plaintextLength option must be
+     * specified and its value must match the length of the plaintext in bytes. See CCM mode.
+     *
+     * The cipher.setAAD() method must be called before cipher.update().
+     */
+    cipher.setAAD(Buffer.from(toSafeString(jose), 'utf8'));
+    let content;
+    if (options && options.zip && options.zip === ZIP.GZIP) {
+        content = cipher.update((0, zlib_1.gzipSync)(value, {
+            level: zlib_1.constants.Z_BEST_COMPRESSION
+        }));
+    }
+    else {
+        content = cipher.update(value);
+    }
+    const cipherText = Buffer.concat([content, cipher.final()]);
+    /**
+     * When using an authenticated encryption mode ( like GCM ), cipher.getAuthTag() method
+     * returns a Buffer containing the authentication tag that has been computed from the given data.
+     *
+     * Message Authentication Code (MAC)
+     *
+     * The cipher.getAuthTag() method should only be called after encryption has been completed using the
+     * cipher.final() method.
+     */
+    const tag = cipher.getAuthTag();
+    const ecek = AsymmetricEncryptWithPublicKey(cek, publicKey); // we asymmetrically encrypt the key with the users Public Key.
+    // @todo: I think it would be best, if we make sure the output is ASCII
+    // Buffer.from( '').toString('ascii')
+    // Use native base64url encoding for speed
+    return `${Buffer.from(toSafeString(jose), 'utf8').toString('base64url')}.${ecek.toString('base64url')}.${iv.toString('base64url')}.${cipherText.toString('base64url')}.${tag.toString('base64url')}`;
+};
+/**
+ * Generate a JWS Token
+ * @param value
+ * @param privateKey
+ */
+const encode = function encode(value, privateKey) {
+    // while HMAC-SHA256 is by far better than RSA-SHA256. It would require a private key by both parties. Therefore,
+    // we will use RSA and exchange Public Keys.
+    const signature = (0, crypto_1.createSign)('RSA-SHA256');
+    /**
+     * Javascript Object Signing and Encryption (JOSE ) - describe the encryption
+     * applied to the plaintext and optionally additional properties of the JWE.
+     */
+    const jose = { alg: 'RSA-SHA256' };
+    const joseAndValue = `${Buffer.from(toSafeString(jose), 'utf8').toString('base64url')}.${Buffer.from(value, 'utf8').toString('base64url')}`;
+    /**
+     * Compute the JWS Signature with RSA-SHA256
+     *
+     * ASCII(   BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload)   )
+     *
+     * The "alg" (algorithm) Header Parameter
+     * MUST be present in the JOSE Header, with the algorithm value
+     * accurately representing the algorithm used to construct the JWS
+     * Signature.
+     */
+    signature.write(joseAndValue);
+    signature.end();
+    // Native base64url output
+    const base64Signature = signature.sign(privateKey, 'base64url');
+    return `${joseAndValue}.${base64Signature}`;
+};
+/**
+ * Verify the Payload is signed correctly.
+ * @param jwsPayload
+ * @param publicKey
+ */
+const verify = function verify(jwsPayload, publicKey) {
+    if (!jwsPayload || jwsPayload.length > MAX_JWS_SIZE_BYTES)
+        return false;
+    try {
+        const [joseStr, message, sig] = jwsPayload.split('.');
+        // Ensure encoded parts are valid strings before parsing
+        if (!joseStr || !message || !sig)
+            return false;
+        const jose = JSON.parse(Buffer.from(joseStr, 'base64url').toString('utf8'));
+        // Strict check: return false if algorithm is not RSA-SHA256
+        if (!jose || !jose.alg || jose.alg !== 'RSA-SHA256') {
+            console.error(`JWS Verification Failed: Unsupported alg ${jose?.alg}`);
+            return false;
+        }
+        const verify = (0, crypto_1.createVerify)(jose.alg);
+        verify.write(`${joseStr}.${message}`);
+        verify.end();
+        return verify.verify(publicKey, sig, 'base64url');
+    }
+    catch (e) {
+        console.error('JWS Verification Error:', e);
+        return false;
+    }
+};
+/**
+ * Extract the message from the JwsPayload.
+ * @param jwsPayload
+ */
+const decode = function decode(jwsPayload) {
+    if (!jwsPayload || jwsPayload.length > MAX_JWS_SIZE_BYTES)
+        return '';
+    const [, message,] = jwsPayload.split('.');
+    return Buffer.from(message, 'base64url').toString('utf8');
+};
+exports.JWE = {
+    encrypt,
+    decrypt
+};
+exports.JWS = {
+    decode,
+    encode,
+    verify
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../index.ts"],"names":[],"mappings":";;;AAAA,mCAegB;AAChB,+BAAqE;AAErE,IAAY,GAEX;AAFD,WAAY,GAAG;IACX,oBAAa,CAAA;AACjB,CAAC,EAFW,GAAG,mBAAH,GAAG,QAEd;AAuBD,IAAY,WAEX;AAFD,WAAY,WAAW;IACnB,4BAAa,CAAA;AACjB,CAAC,EAFW,WAAW,2BAAX,WAAW,QAEtB;AAOD;;;GAGG;AACH,MAAM,YAAY,GAAG,SAAS,YAAY,CAAC,GAAQ;IAC/C,IAAI,OAAO,GAAG,KAAK,QAAQ;QACvB,OAAO,GAAG,CAAC;IACf,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC;QAC/C,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC1B,OAAO,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC;AAC/B,CAAC,CAAC;AAEF,kEAAkE;AAClE,0DAA0D;AAC1D,MAAM,kBAAkB,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,sBAAsB;AAC7D,yDAAyD;AACzD,MAAM,kBAAkB,GAAG,EAAE,GAAG,IAAI,CAAC,CAAE,qBAAqB;AAE5D;;;GAGG;AACH,MAAM,QAAQ,GAAG,SAAS,QAAQ,CAAC,KAAU;IACzC,OAAO,MAAM,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,KAAK,iBAAiB,CAAC;AACvE,CAAC,CAAC;AAEF;;;GAGG;AACH,MAAM,aAAa,GAAG,SAAS,aAAa,CAAC,KAAU;IACnD,IAAI,QAAQ,CAAC,KAAK,CAAC;QACf,OAAO,KAAK,CAAC;IACjB,IAAI,CAAC;QAAC,OAAO,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAAC,CAAC;IACjC,OAAO,CAAC,EAAE,CAAC;QAAC,OAAO,SAAS,CAAC;IAAC,CAAC;AACnC,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,8BAA8B,GAAG,SAAS,8BAA8B,CAAC,KAAa,EAAE,SAAkB;IAC5G,wEAAwE;IACxE,8DAA8D;IAC9D,2DAA2D;IAC3D,kCAAkC;IAClC,MAAM,UAAU,GAAiB;QAC7B,GAAG,EAAE,SAAS;QACd,OAAO,EAAE,kBAAS,CAAC,sBAAsB;KAC5C,CAAC;IACF,OAAO,IAAA,sBAAa,EAAC,UAAU,EAAE,KAAK,CAAC,CAAC;AAC5C,CAAC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,+BAA+B,GAAG,SAAS,+BAA+B,CAAC,KAAa,EAAE,UAAmB,EAAE,UAAkB;IACnI,MAAM,WAAW,GAAkB;QAC/B,GAAG,EAAE,UAAU;QACf,UAAU;QACV,4DAA4D;QAC5D,yDAAyD;QACzD,4IAA4I;QAC5I,OAAO,EAAE,kBAAS,CAAC,sBAAsB;KAC5C,CAAC;IACF,OAAO,IAAA,uBAAc,EAAC,WAAW,EAAE,KAAK,CAAC,CAAC;AAC9C,CAAC,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,OAAe,EAAE,UAAmB,EAAE,UAAkB;IACrF,uCAAuC;IACvC,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,kBAAkB,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC,CAAC,0BAA0B;IACxE,CAAC;IAED,IAAI,CAAC;QACD,IAAI,OAAe,CAAC;QACpB,IAAI,MAAc,CAAC;QACnB,IAAI,KAAa,CAAC;QAClB,IAAI,aAAqB,CAAC;QAC1B,IAAI,MAAc,CAAC;QACnB;;;;;;WAMG;QACH,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,aAAa,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACrE,kEAAkE;QAElE,iEAAiE;QACjE,IAAI,IAAI,GAAa,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAEvF,iDAAiD;QACjD,iEAAiE;QACjE,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,KAAK,cAAc,CAAC;QAC/C,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,KAAK,SAAS,CAAC;QAC1C,MAAM,UAAU,GAAG,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,KAAK,GAAG,CAAC,IAAI,CAAC;QAEtD,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,IAAI,CAAC,UAAU,EAAE,CAAC;YAC5C,OAAO,CAAC,KAAK,CAAC,qCAAqC,IAAI,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,SAAS,IAAI,CAAC,GAAG,EAAE,CAAC,CAAC;YACjG,MAAM,IAAI,KAAK,CAAC,8BAA8B,CAAC,CAAC;QACpD,CAAC;QAED,MAAM,GAAG,GAAW,+BAA+B,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,EAAE,UAAU,EAAE,UAAU,CAAC,CAAC;QAC9G,MAAM,QAAQ,GAAgB,IAAA,yBAAgB,EAAC,aAAa,EAAE,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC,CAAC;QACpG;;;;;;;;;WASG;QACH,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC,CAAC;QACtD,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;QACzD,IAAI,IAAI,GAAW,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,aAAa,EAAE,WAAW,CAAC,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/G,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;YACpC,2DAA2D;YAC3D,iDAAiD;YACjD,OAAO,IAAA,iBAAU,EAAC,IAAI,EAAE;gBACpB,KAAK,EAAE,gBAAU,CAAC,kBAAkB;gBACpC,eAAe,EAAE,CAAC,GAAG,IAAI,GAAG,IAAI;aACnC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;QACxB,CAAC;QACD,OAAO,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACjC,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACT,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QACjB,qEAAqE;QACrE,MAAM,IAAI,KAAK,CAAC,kBAAkB,CAAC,CAAC;IACxC,CAAC;AACL,CAAC,CAAC;AAEF,MAAM,OAAO,GAAG,SAAS,OAAO,CAAC,KAAa,EAAE,SAAkB,EAAE,OAAoB;IAEpF,gEAAgE;IAChE,2DAA2D;IAC3D,MAAM,GAAG,GAAW,cAAc,CAAC;IACnC,2CAA2C;IAC3C,MAAM,GAAG,GAAW,SAAS,CAAC;IAE9B;;;OAGG;IACH,MAAM,IAAI,GAAa,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC;IACpC;;OAEG;IACH,IAAI,OAAO,IAAI,OAAO,CAAC,GAAG,EAAE,CAAC;QACzB,IAAI,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;YAC3B,MAAM,IAAI,KAAK,CAAC,uDAAuD,GAAG,CAAC,IAAI,aAAa,CAAC,CAAC;QAClG,CAAC;QACD,IAAI,CAAC,GAAG,GAAG,GAAG,CAAC,IAAI,CAAC;IACxB,CAAC;IACD,IAAI,OAAO,IAAI,OAAO,CAAC,GAAG,KAAK,WAAW,CAAC,IAAI,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CAAC,uDAAuD,WAAW,CAAC,IAAI,aAAa,CAAC,CAAC;IAC1G,CAAC;IACD,IAAI,CAAC,GAAG,GAAG,WAAW,CAAC,IAAI,CAAC;IAC5B;;;;;OAKG;IACH,MAAM,GAAG,GAAW,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC;IACpC,IAAI,GAAG,CAAC,MAAM,KAAK,EAAE;QAAE,MAAM,IAAI,KAAK,CAAC,2CAA2C,CAAC,CAAC;IACpF;;;;OAIG;IACH,MAAM,EAAE,GAAW,IAAA,oBAAW,EAAC,EAAE,CAAC,CAAC;IACnC;;;;;;OAMG;IACH,MAAM,MAAM,GAAc,IAAA,uBAAc,EAAC,aAAa,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACjE;;;;;;;;OAQG;IACH,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;IACvD,IAAI,OAAe,CAAC;IACpB,IAAI,OAAO,IAAI,OAAO,CAAC,GAAG,IAAI,OAAO,CAAC,GAAG,KAAK,GAAG,CAAC,IAAI,EAAE,CAAC;QACrD,OAAO,GAAG,MAAM,CAAC,MAAM,CACnB,IAAA,eAAQ,EAAC,KAAK,EAAE;YACZ,KAAK,EAAE,gBAAU,CAAC,kBAAkB;SACvC,CAAC,CACL,CAAC;IACN,CAAC;SAAM,CAAC;QACJ,OAAO,GAAG,MAAM,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACnC,CAAC;IACD,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC5D;;;;;;;;OAQG;IACH,MAAM,GAAG,GAAW,MAAM,CAAC,UAAU,EAAE,CAAC;IACxC,MAAM,IAAI,GAAW,8BAA8B,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC,CAAC,+DAA+D;IAEpI,uEAAuE;IACvE,qCAAqC;IACrC,0CAA0C;IAC1C,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAA;AACxM,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,GAAG,SAAS,MAAM,CAAC,KAAa,EAAE,UAA2B;IACrE,iHAAiH;IACjH,4CAA4C;IAC5C,MAAM,SAAS,GAAG,IAAA,mBAAU,EAAC,YAAY,CAAC,CAAC;IAC3C;;;OAGG;IACH,MAAM,IAAI,GAAa,EAAE,GAAG,EAAE,YAAY,EAAE,CAAC;IAC7C,MAAM,YAAY,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;IAC5I;;;;;;;;;OASG;IACH,SAAS,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IAC9B,SAAS,CAAC,GAAG,EAAE,CAAC;IAChB,0BAA0B;IAC1B,MAAM,eAAe,GAAW,SAAS,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IACxE,OAAO,GAAG,YAAY,IAAI,eAAe,EAAE,CAAC;AAChD,CAAC,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,GAAG,SAAS,MAAM,CAAC,UAAkB,EAAE,SAAiB;IAChE,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,GAAG,kBAAkB;QAAE,OAAO,KAAK,CAAC;IAExE,IAAI,CAAC;QACD,MAAM,CAAC,OAAO,EAAE,OAAO,EAAE,GAAG,CAAC,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACtD,wDAAwD;QACxD,IAAI,CAAC,OAAO,IAAI,CAAC,OAAO,IAAI,CAAC,GAAG;YAAE,OAAO,KAAK,CAAC;QAE/C,MAAM,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;QAE5E,4DAA4D;QAC5D,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,KAAK,YAAY,EAAE,CAAC;YAClD,OAAO,CAAC,KAAK,CAAC,4CAA4C,IAAI,EAAE,GAAG,EAAE,CAAC,CAAC;YACvE,OAAO,KAAK,CAAC;QACjB,CAAC;QAED,MAAM,MAAM,GAAG,IAAA,qBAAY,EAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACtC,MAAM,CAAC,KAAK,CAAC,GAAG,OAAO,IAAI,OAAO,EAAE,CAAC,CAAC;QACtC,MAAM,CAAC,GAAG,EAAE,CAAC;QACb,OAAO,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,GAAG,EAAE,WAAW,CAAC,CAAC;IACtD,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACT,OAAO,CAAC,KAAK,CAAC,yBAAyB,EAAE,CAAC,CAAC,CAAC;QAC5C,OAAO,KAAK,CAAC;IACjB,CAAC;AACL,CAAC,CAAC;AAEF;;;GAGG;AACH,MAAM,MAAM,GAAG,SAAS,MAAM,CAAC,UAAkB;IAC7C,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,GAAG,kBAAkB;QAAE,OAAO,EAAE,CAAC;IACrE,MAAM,CAAC,EAAE,OAAO,EAAE,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAC3C,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AAC7D,CAAC,CAAC;AAEW,QAAA,GAAG,GAAG;IACf,OAAO;IACP,OAAO;CACV,CAAC;AACW,QAAA,GAAG,GAAG;IACf,MAAM;IACN,MAAM;IACN,MAAM;CACT,CAAC"}

package/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "native-jwe",
+  "version": "1.0.0",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "pretest": "npm run prepare",
+    "prepare": "tsc"
+  },
+  "author": "",
+  "license": "MIT",
+  "funding": {
+    "type": "paypal",
+    "url": "https://paypal.me/thangngh"
+  },
+  "description": "",
+  "devDependencies": {
+    "@types/node": "^25.0.5",
+    "typescript": "^5.9.3"
+  }
+}