UNPKG

cose-kit

Version:

**DEPRECATED:** Use [@auth0/cose](https://www.npmjs.com/package/@auth0/cose).

github.com/jfromaniello/cose-kit

jfromaniello/cose-kit

107 lines (106 loc) 4.79 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
"use strict"; var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) { if (k2 === undefined) k2 = k; var desc = Object.getOwnPropertyDescriptor(m, k); if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) { desc = { enumerable: true, get: function() { return m[k]; } }; } Object.defineProperty(o, k2, desc); }) : (function(o, m, k, k2) { if (k2 === undefined) k2 = k; o[k2] = m[k]; })); var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) { Object.defineProperty(o, "default", { enumerable: true, value: v }); }) : function(o, v) { o["default"] = v; }); var __importStar = (this && this.__importStar) || function (mod) { if (mod && mod.__esModule) return mod; var result = {}; if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k); __setModuleDefault(result, mod); return result; }; var __importDefault = (this && this.__importDefault) || function (mod) { return (mod && mod.__esModule) ? mod : { "default": mod }; }; Object.defineProperty(exports, "__esModule", { value: true }); exports.SignatureBase = void 0; const verify_js_1 = __importDefault(require("#runtime/verify.js")); const jose_1 = require("jose"); const pkijs_js_1 = require("#runtime/pkijs.js"); const base64_js_1 = require("#runtime/base64.js"); const errors_js_1 = require("../util/errors.js"); const cert_js_1 = require("../util/cert.js"); const headers_js_1 = require("../headers.js"); const COSEBase_js_1 = require("./COSEBase.js"); const errors = __importStar(require("../util/errors.js")); const validate_algorithms_js_1 = __importDefault(require("../lib/validate_algorithms.js")); class SignatureBase extends COSEBase_js_1.COSEBase { constructor(protectedHeaders, unprotectedHeaders, signature) { super(protectedHeaders, unprotectedHeaders); this.signature = signature; } get alg() { return this.protectedHeaders.get(headers_js_1.Headers.Algorithm) || this.unprotectedHeaders.get(headers_js_1.Headers.Algorithm); } get algName() { return this.alg ? headers_js_1.AlgorithmNames.get(this.alg) : undefined; } get kid() { return this.protectedHeaders.get(headers_js_1.Headers.KeyID) || this.unprotectedHeaders.get(headers_js_1.Headers.KeyID); } get x5bag() { const x5bag = this.protectedHeaders.get(headers_js_1.Headers.X5Bag) || this.unprotectedHeaders.get(headers_js_1.Headers.X5Bag); if (!x5bag) { return; } return Array.isArray(x5bag) ? x5bag : [x5bag]; } get x5chain() { const x5chain = this.protectedHeaders.get(headers_js_1.Headers.X5Chain) || this.unprotectedHeaders.get(headers_js_1.Headers.X5Chain); if (!x5chain) { return; } return Array.isArray(x5chain) ? x5chain : [x5chain]; } async verifyX509Chain(caRoots) { const { x5chain } = this; if (!x5chain || x5chain.length === 0) { throw new errors_js_1.X509NoMatchingCertificate(); } const chainEngine = new pkijs_js_1.pkijs.CertificateChainValidationEngine({ certs: x5chain.map((c) => pkijs_js_1.pkijs.Certificate.fromBER(c)), trustedCerts: caRoots.map((c) => pkijs_js_1.pkijs.Certificate.fromBER((0, base64_js_1.decodeBase64)((0, cert_js_1.pemToCert)(c)))), }); const chain = await chainEngine.verify(); if (!chain.result) { throw new errors_js_1.X509InvalidCertificateChain(chain.resultMessage); } const x509Cert = (0, cert_js_1.certToPEM)(x5chain[0]); const publicKey = await (0, jose_1.importX509)(x509Cert, this.algName); return { publicKey, raw: x5chain[0] }; } async internalVerify(payload, key, options) { if (!this.alg || !this.algName || !headers_js_1.AlgorithmNames.has(this.alg)) { throw new errors.COSEInvalid(`Unsupported algorithm ${this.alg}`); } const algorithms = options && (0, validate_algorithms_js_1.default)('algorithms', options.algorithms); if (algorithms && !algorithms.has(this.alg)) { throw new errors.COSEAlgNotAllowed(`[${headers_js_1.Headers.Algorithm}] (algorithm) Header Parameter not allowed`); } if (typeof key === 'function') { key = await key(this); } const isValid = await (0, verify_js_1.default)(this.algName, key, this.signature, payload); if (!isValid) { throw new errors.COSESignatureVerificationFailed(); } } } exports.SignatureBase = SignatureBase;