
@gaonengwww/jose


JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes

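// src/lib/is_object.ts
/** Returns true for any non-null value whose `typeof` is "object". */
function isObjectLike(value) {
  return typeof value === "object" && value !== null;
}

/**
 * Plain-object check. Accepts objects with a null prototype and objects whose
 * direct prototype is the root of their own prototype chain; rejects anything
 * whose `Object.prototype.toString` tag is not "[object Object]".
 *
 * @param {unknown} input
 * @returns {boolean}
 */
var is_object_default = (input) => {
  if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
    return false;
  }
  if (Object.getPrototypeOf(input) === null) {
    return true;
  }
  // Walk to the root of the chain; a plain object's direct prototype IS that root.
  let proto = input;
  while (Object.getPrototypeOf(proto) !== null) {
    proto = Object.getPrototypeOf(proto);
  }
  return Object.getPrototypeOf(input) === proto;
};

// src/lib/is_jwk.ts
/** A value is treated as a JWK when it is a plain object with a string `kty`. */
function isJWK(key) {
  return is_object_default(key) && typeof key.kty === "string";
}

// src/lib/buffer_utils.ts
var encoder = new TextEncoder();
var decoder = new TextDecoder();
var MAX_INT32 = 2 ** 32;

// src/lib/base64.ts
/**
 * Decodes standard-alphabet base64 into bytes, using the native
 * `Uint8Array.fromBase64` when the runtime provides it and `atob` otherwise.
 *
 * @param {string} encoded
 * @returns {Uint8Array}
 */
function decodeBase64(encoded) {
  if (Uint8Array.fromBase64) {
    return Uint8Array.fromBase64(encoded);
  }
  const binary = atob(encoded);
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) {
    bytes[i] = binary.charCodeAt(i);
  }
  return bytes;
}

// src/util/base64url.ts
/**
 * Decodes base64url input (string or UTF-8 bytes of such a string) into bytes.
 *
 * @param {string | Uint8Array} input
 * @returns {Uint8Array}
 * @throws {TypeError} On the fallback path, when the input is not valid base64url.
 */
function decode(input) {
  if (Uint8Array.fromBase64) {
    // NOTE(review): on this path malformed input surfaces whatever error the
    // native decoder throws; only the fallback below normalises it to TypeError.
    return Uint8Array.fromBase64(typeof input === "string" ? input : decoder.decode(input), {
      alphabet: "base64url"
    });
  }
  let encoded = input;
  if (encoded instanceof Uint8Array) {
    encoded = decoder.decode(encoded);
  }
  // Map the URL-safe alphabet back to standard base64 and drop whitespace.
  encoded = encoded.replace(/-/g, "+").replace(/_/g, "/").replace(/\s/g, "");
  try {
    return decodeBase64(encoded);
  } catch {
    throw new TypeError("The input to be decoded is not correctly encoded.");
  }
}

// src/util/errors.ts
var JOSEError = class extends Error {
  /**
   * A unique error code for the particular error subclass.
   *
   * @ignore
   */
  static code = "ERR_JOSE_GENERIC";
  /** A unique error code for {@link JOSEError}. */
  code = "ERR_JOSE_GENERIC";
  /** @ignore */
  constructor(message, options) {
    super(message, options);
    this.name = this.constructor.name;
    Error.captureStackTrace?.(this, this.constructor);
  }
};
var JOSENotSupported = class extends JOSEError {
  /** @ignore */
  static code = "ERR_JOSE_NOT_SUPPORTED";
  /** A unique error code for {@link JOSENotSupported}. */
  code = "ERR_JOSE_NOT_SUPPORTED";
};

// src/lib/jwk_to_key.ts
/**
 * Maps a JWK's `kty` + `alg` to the WebCrypto import algorithm and the default
 * key usages. A JWK carrying `d` (private material) gets the private-side
 * usages; otherwise the public-side usages.
 *
 * @param {object} jwk - JWK with `kty`, `alg` and, where relevant, `crv` / `d`.
 * @returns {{ algorithm: object, keyUsages: string[] }}
 * @throws {JOSENotSupported} When `kty` or `alg` is not one of the handled values.
 */
function subtleMapping(jwk) {
  let algorithm;
  let keyUsages;
  switch (jwk.kty) {
    case "RSA": {
      switch (jwk.alg) {
        case "PS256":
        case "PS384":
        case "PS512":
          algorithm = { name: "RSA-PSS", hash: `SHA-${jwk.alg.slice(-3)}` };
          keyUsages = jwk.d ? ["sign"] : ["verify"];
          break;
        case "RS256":
        case "RS384":
        case "RS512":
          algorithm = { name: "RSASSA-PKCS1-v1_5", hash: `SHA-${jwk.alg.slice(-3)}` };
          keyUsages = jwk.d ? ["sign"] : ["verify"];
          break;
        case "RSA-OAEP":
        case "RSA-OAEP-256":
        case "RSA-OAEP-384":
        case "RSA-OAEP-512":
          algorithm = {
            name: "RSA-OAEP",
            // Plain "RSA-OAEP" has no numeric suffix, so the parse yields NaN and
            // the hash falls back to SHA-1.
            hash: `SHA-${parseInt(jwk.alg.slice(-3), 10) || 1}`
          };
          keyUsages = jwk.d ? ["decrypt", "unwrapKey"] : ["encrypt", "wrapKey"];
          break;
        default:
          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
      }
      break;
    }
    case "EC": {
      switch (jwk.alg) {
        case "ES256":
          algorithm = { name: "ECDSA", namedCurve: "P-256" };
          keyUsages = jwk.d ? ["sign"] : ["verify"];
          break;
        case "ES384":
          algorithm = { name: "ECDSA", namedCurve: "P-384" };
          keyUsages = jwk.d ? ["sign"] : ["verify"];
          break;
        case "ES512":
          algorithm = { name: "ECDSA", namedCurve: "P-521" };
          keyUsages = jwk.d ? ["sign"] : ["verify"];
          break;
        case "ECDH-ES":
        case "ECDH-ES+A128KW":
        case "ECDH-ES+A192KW":
        case "ECDH-ES+A256KW":
          // The curve is taken from the JWK as given; it is not checked here.
          algorithm = { name: "ECDH", namedCurve: jwk.crv };
          keyUsages = jwk.d ? ["deriveBits"] : [];
          break;
        default:
          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
      }
      break;
    }
    case "OKP": {
      switch (jwk.alg) {
        case "Ed25519":
        // Fall through
        case "EdDSA":
          algorithm = { name: "Ed25519" };
          keyUsages = jwk.d ? ["sign"] : ["verify"];
          break;
        case "ECDH-ES":
        case "ECDH-ES+A128KW":
        case "ECDH-ES+A192KW":
        case "ECDH-ES+A256KW":
          // The algorithm name is the JWK's own `crv`; it is not checked here.
          algorithm = { name: jwk.crv };
          keyUsages = jwk.d ? ["deriveBits"] : [];
          break;
        default:
          throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
      }
      break;
    }
    default:
      throw new JOSENotSupported('Invalid or unsupported JWK "kty" (Key Type) Parameter value');
  }
  return { algorithm, keyUsages };
}

/**
 * Imports a JWK as a WebCrypto CryptoKey.
 *
 * `alg` and `use` are stripped from the data handed to `importKey`. Unless the
 * JWK sets `ext`, a key carrying `d` is imported as non-extractable and a key
 * without `d` as extractable. `key_ops`, when present, overrides the default
 * usages derived from `alg`.
 *
 * @param {object} jwk
 * @returns {Promise<CryptoKey>}
 * @throws {TypeError} When `jwk.alg` is missing.
 * @throws {JOSENotSupported} When `kty` / `alg` is unsupported.
 */
var jwk_to_key_default = async (jwk) => {
  if (!jwk.alg) {
    throw new TypeError('"alg" argument is required when "jwk.alg" is not present');
  }
  const { algorithm, keyUsages } = subtleMapping(jwk);
  const keyData = { ...jwk };
  delete keyData.alg;
  delete keyData.use;
  return crypto.subtle.importKey(
    "jwk",
    keyData,
    algorithm,
    jwk.ext ?? (jwk.d ? false : true),
    jwk.key_ops ?? keyUsages
  );
};

// src/lib/is_key_like.ts
// Both checks are duck-typed on Symbol.toStringTag, not `instanceof`: any
// object exposing the tag is accepted.
function isCryptoKey(key) {
  return key?.[Symbol.toStringTag] === "CryptoKey";
}
function isKeyObject(key) {
  return key?.[Symbol.toStringTag] === "KeyObject";
}

// src/lib/normalize_key.ts
// WeakMap<key object, Map<alg, CryptoKey>>, created on first use.
var cache;

/**
 * Returns the CryptoKey cached for (key, alg), if any.
 *
 * The per-key store is a Map rather than a plain object so that an `alg` such
 * as "constructor" or "toString" can never resolve to an inherited
 * Object.prototype member and be handed back as if it were a key. `alg` may
 * originate from a message header (callers are not visible in this file), so
 * the lookup must not trust it to be a well-known algorithm name.
 */
function cacheLookup(key, alg) {
  cache ||= /* @__PURE__ */ new WeakMap();
  return cache.get(key)?.get(alg);
}

/** Stores `cryptoKey` for (key, alg), creating the per-key Map when needed. */
function cacheStore(key, alg, cryptoKey) {
  cache ||= /* @__PURE__ */ new WeakMap();
  let perAlg = cache.get(key);
  if (!perAlg) {
    perAlg = new Map();
    cache.set(key, perAlg);
  }
  perAlg.set(alg, cryptoKey);
}

/**
 * Imports `jwk` for `alg`, caching the result against `key`.
 *
 * The requested `alg` replaces whatever `alg` the JWK itself declares; nothing
 * in this file compares the two (presumably the caller does; confirm).
 *
 * @param {object} key - Object the cache entry is attached to.
 * @param {object} jwk - JWK data to import.
 * @param {string} alg - Algorithm the key will be used with.
 * @param {boolean} [freeze=false] - Shallow-freeze `key` after a successful import.
 * @returns {Promise<CryptoKey>}
 */
var handleJWK = async (key, jwk, alg, freeze = false) => {
  const hit = cacheLookup(key, alg);
  if (hit) {
    return hit;
  }
  const cryptoKey = await jwk_to_key_default({ ...jwk, alg });
  if (freeze) Object.freeze(key);
  // The store re-reads the cache after the await, so an entry written for
  // another alg while the import was in flight is kept rather than overwritten.
  cacheStore(key, alg, cryptoKey);
  return cryptoKey;
};

/**
 * Converts a KeyObject-like value to a CryptoKey for `alg` through its
 * `toCryptoKey` method, caching the result per (keyObject, alg).
 *
 * Public keys are converted as extractable, everything else as
 * non-extractable. The key's `asymmetricKeyType` (and, for EC, its curve) must
 * be compatible with `alg`.
 *
 * @param {object} keyObject
 * @param {string} alg
 * @returns {CryptoKey}
 * @throws {TypeError} When the key cannot be used for `alg`.
 */
var handleKeyObject = (keyObject, alg) => {
  const hit = cacheLookup(keyObject, alg);
  if (hit) {
    return hit;
  }
  const isPublic = keyObject.type === "public";
  const extractable = isPublic ? true : false;
  let cryptoKey;
  if (keyObject.asymmetricKeyType === "x25519") {
    switch (alg) {
      case "ECDH-ES":
      case "ECDH-ES+A128KW":
      case "ECDH-ES+A192KW":
      case "ECDH-ES+A256KW":
        break;
      default:
        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
    }
    cryptoKey = keyObject.toCryptoKey(
      keyObject.asymmetricKeyType,
      extractable,
      isPublic ? [] : ["deriveBits"]
    );
  }
  if (keyObject.asymmetricKeyType === "ed25519") {
    if (alg !== "EdDSA" && alg !== "Ed25519") {
      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
    }
    cryptoKey = keyObject.toCryptoKey(keyObject.asymmetricKeyType, extractable, [
      isPublic ? "verify" : "sign"
    ]);
  }
  if (keyObject.asymmetricKeyType === "rsa") {
    let hash;
    switch (alg) {
      case "RSA-OAEP":
        hash = "SHA-1";
        break;
      case "RS256":
      case "PS256":
      case "RSA-OAEP-256":
        hash = "SHA-256";
        break;
      case "RS384":
      case "PS384":
      case "RSA-OAEP-384":
        hash = "SHA-384";
        break;
      case "RS512":
      case "PS512":
      case "RSA-OAEP-512":
        hash = "SHA-512";
        break;
      default:
        throw new TypeError("given KeyObject instance cannot be used for this algorithm");
    }
    if (alg.startsWith("RSA-OAEP")) {
      // Assigned (not returned) so the OAEP key is cached like every other type.
      cryptoKey = keyObject.toCryptoKey(
        { name: "RSA-OAEP", hash },
        extractable,
        isPublic ? ["encrypt"] : ["decrypt"]
      );
    } else {
      cryptoKey = keyObject.toCryptoKey(
        { name: alg.startsWith("PS") ? "RSA-PSS" : "RSASSA-PKCS1-v1_5", hash },
        extractable,
        [isPublic ? "verify" : "sign"]
      );
    }
  }
  if (keyObject.asymmetricKeyType === "ec") {
    // Curve names as reported by the KeyObject -> WebCrypto curve names.
    const nist = /* @__PURE__ */ new Map([
      ["prime256v1", "P-256"],
      ["secp384r1", "P-384"],
      ["secp521r1", "P-521"]
    ]);
    const namedCurve = nist.get(keyObject.asymmetricKeyDetails?.namedCurve);
    if (!namedCurve) {
      throw new TypeError("given KeyObject instance cannot be used for this algorithm");
    }
    // Each ECDSA alg is bound to exactly one curve; a mismatch leaves cryptoKey
    // unset and is rejected below.
    const ecdsaCurve = /* @__PURE__ */ new Map([
      ["ES256", "P-256"],
      ["ES384", "P-384"],
      ["ES512", "P-521"]
    ]);
    if (ecdsaCurve.get(alg) === namedCurve) {
      cryptoKey = keyObject.toCryptoKey(
        { name: "ECDSA", namedCurve },
        extractable,
        [isPublic ? "verify" : "sign"]
      );
    }
    if (alg.startsWith("ECDH-ES")) {
      cryptoKey = keyObject.toCryptoKey(
        { name: "ECDH", namedCurve },
        extractable,
        isPublic ? [] : ["deriveBits"]
      );
    }
  }
  if (!cryptoKey) {
    throw new TypeError("given KeyObject instance cannot be used for this algorithm");
  }
  cacheStore(keyObject, alg, cryptoKey);
  return cryptoKey;
};

/**
 * Normalises any supported key representation for use with `alg`.
 *
 * - `Uint8Array` and CryptoKey inputs are returned unchanged.
 * - A secret KeyObject is exported to its raw bytes.
 * - Any other KeyObject is converted with `toCryptoKey` when available, else
 *   exported as a JWK and imported.
 * - A JWK with `k` is decoded to raw bytes; any other JWK is imported and the
 *   caller's JWK object is shallow-frozen.
 *
 * @param {Uint8Array | CryptoKey | object} key
 * @param {string} alg
 * @returns {Promise<Uint8Array | CryptoKey>}
 * @throws {TypeError} When a KeyObject is incompatible with `alg`.
 * @throws {Error} "unreachable" when `key` is none of the supported shapes.
 */
var normalize_key_default = async (key, alg) => {
  if (key instanceof Uint8Array) {
    return key;
  }
  if (isCryptoKey(key)) {
    return key;
  }
  if (isKeyObject(key)) {
    if (key.type === "secret") {
      return key.export();
    }
    if ("toCryptoKey" in key && typeof key.toCryptoKey === "function") {
      try {
        return handleKeyObject(key, alg);
      } catch (err) {
        // Key/alg mismatches are final. Any other failure is deliberately
        // dropped and the JWK export below is tried instead.
        if (err instanceof TypeError) {
          throw err;
        }
      }
    }
    let jwk = key.export({ format: "jwk" });
    return handleJWK(key, jwk, alg);
  }
  if (isJWK(key)) {
    if (key.k) {
      return decode(key.k);
    }
    return handleJWK(key, key, alg, true);
  }
  throw new Error("unreachable");
};
export {
  normalize_key_default as default
};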