This is an early prototype of an RFC 8152 COSE library for Node.js.
import { importX509 } from 'jose';
import { pkijs } from '#runtime/pkijs.js';
import { decodeBase64 } from '#runtime/base64.js';
import { X509InvalidCertificateChain, X509NoMatchingCertificate } from '../util/errors.js';
import { certToPEM, pemToCert } from '../util/cert.js';
import { headers, algs } from '../headers.js';
import { WithHeaders } from './WithHeaders.js';
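/**
 * Base class for COSE signature structures (RFC 8152).
 *
 * Holds the protected and unprotected header maps (via WithHeaders) plus the
 * raw signature value, and exposes the header parameters that signature
 * verification needs (alg, kid, x5bag, x5chain).
 */
export class SignatureBase extends WithHeaders {
  /**
   * @param {Map} protectedHeaders - header parameters covered by the signature
   * @param {Map} unprotectedHeaders - header parameters NOT covered by the signature
   * @param {*} signature - the signature value as carried in the COSE structure
   */
  constructor(protectedHeaders, unprotectedHeaders, signature) {
    super(protectedHeaders, unprotectedHeaders);
    this.signature = signature;
  }

  /**
   * Look a header label up in the protected bucket first, then the
   * unprotected one. `??` (not `||`) so that a legitimately falsy value such
   * as 0 in the protected bucket is not shadowed by the unprotected one.
   * @param {*} label - COSE header label (see `headers`)
   * @returns {*} the header value, or undefined when absent from both buckets
   */
  #lookup(label) {
    return this.protectedHeaders.get(label) ?? this.unprotectedHeaders.get(label);
  }

  /**
   * COSE `alg` header value.
   *
   * A value found only in the unprotected bucket is not integrity-protected
   * by the signature; verification code should confirm that the algorithm
   * used matches the one the verification key is bound to rather than
   * trusting this getter alone.
   * @returns {*} the algorithm identifier, or undefined
   */
  get alg() {
    return this.#lookup(headers.alg);
  }

  /**
   * Human-readable algorithm name resolved through the `algs` table.
   * @returns {string|undefined} undefined when `alg` is absent or unknown to `algs`
   */
  get algName() {
    if (!this.alg) {
      return undefined;
    }
    return algs.get(this.alg)?.name;
  }

  /**
   * COSE `kid` (key identifier) header value, or undefined.
   * @returns {*}
   */
  get kid() {
    return this.#lookup(headers.kid);
  }

  /**
   * COSE `x5bag` header, normalised to an array (a single certificate is
   * wrapped). Returns undefined when the header is absent.
   * @returns {Array|undefined}
   */
  get x5bag() {
    const bag = this.#lookup(headers.x5bag);
    if (bag == null) {
      return undefined;
    }
    return Array.isArray(bag) ? bag : [bag];
  }

  /**
   * COSE `x5chain` header, normalised to an array (a single certificate is
   * wrapped). Elements are parsed with `pkijs.Certificate.fromBER` below,
   * so they are expected to be BER/DER-encoded certificate bytes.
   * Returns undefined when the header is absent.
   * @returns {Array|undefined}
   */
  get x5chain() {
    const chain = this.#lookup(headers.x5chain);
    if (chain == null) {
      return undefined;
    }
    return Array.isArray(chain) ? chain : [chain];
  }

  /**
   * Validate the `x5chain` header against the given trust anchors and return
   * the public key of `x5chain[0]` for signature verification.
   *
   * @param {string[]} caRoots - trusted root certificates as PEM strings
   * @returns {Promise<{publicKey: *, raw: *}>} the imported public key and the
   *   raw `x5chain[0]` entry it was taken from
   * @throws {X509NoMatchingCertificate} when no `x5chain` header is present
   * @throws {X509InvalidCertificateChain} when no trust anchors are supplied or
   *   the chain does not validate
   */
  async verifyX509Chain(caRoots) {
    const { x5chain } = this;
    if (!x5chain || x5chain.length === 0) {
      throw new X509NoMatchingCertificate();
    }
    // Fail fast with an explicit message instead of relying on how the chain
    // engine reacts to an empty trust set.
    if (!Array.isArray(caRoots) || caRoots.length === 0) {
      throw new X509InvalidCertificateChain('no trusted CA root certificates supplied');
    }

    // NOTE(review): COSE x5chain lists the end-entity certificate first, and
    // the key is taken from x5chain[0] below. Confirm that the validation
    // engine treats that same element as the leaf being validated; if it
    // expects a different ordering, the leaf's signature may go unchecked for
    // chains longer than one certificate.
    const chainEngine = new pkijs.CertificateChainValidationEngine({
      certs: x5chain.map((der) => pkijs.Certificate.fromBER(der)),
      // caRoots are PEM: strip the armour, base64-decode, then parse the DER.
      trustedCerts: caRoots.map((pem) => pkijs.Certificate.fromBER(decodeBase64(pemToCert(pem)))),
    });

    // No explicit validation policy (validity time, revocation, constraints)
    // is configured here; whatever the engine applies by default is used.
    const chain = await chainEngine.verify();
    if (!chain.result) {
      throw new X509InvalidCertificateChain(chain.resultMessage);
    }

    const leaf = x5chain[0];
    // algName is undefined when no `alg` header is present; importX509 is
    // then expected to reject rather than guess an algorithm — confirm.
    const publicKey = await importX509(certToPEM(leaf), this.algName);
    return { publicKey, raw: leaf };
  }
}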