edhoc
Version:
A Node.js implementation of EDHOC (Ephemeral Diffie-Hellman Over COSE) protocol for lightweight authenticated key exchange in IoT and other constrained environments.
88 lines (87 loc) • 3.17 kB
JavaScript
;
Object.defineProperty(exports, "__esModule", { value: true });
exports.CCSCredentialManager = void 0;
const edhoc_1 = require("./edhoc");
/**
* Credential manager for CCS (CWT Claims Set) credentials identified by kid.
*
* Use `addOwnCredential()` to register the local party's credential (returned
* by `fetch()`) and `addPeerCredential()` for each remote party whose
* credentials should be accepted (matched during `verify()`).
*/
class CCSCredentialManager {
ownCredential = null;
peerCredentials = [];
/**
* Register the local party's CCS credential.
*
* @param kid - Key identifier (integer or Buffer)
* @param ccsBytes - Raw CBOR-encoded CCS map
* @param publicKey - Public key bytes (e.g. P-256 x-coordinate or x||y)
* @param privateKey - Private key bytes
*/
addOwnCredential(kid, ccsBytes, publicKey, privateKey) {
this.ownCredential = { kid, ccsBytes, publicKey, privateKey };
}
/**
* Register a peer's CCS credential for verification.
*
* @param kid - Key identifier (integer or Buffer)
* @param ccsBytes - Raw CBOR-encoded CCS map
* @param publicKey - Public key bytes
*/
addPeerCredential(kid, ccsBytes, publicKey) {
this.peerCredentials.push({ kid, ccsBytes, publicKey });
}
/**
* Return the local party's credentials for inclusion in an EDHOC message.
*/
async fetch(_edhoc) {
if (!this.ownCredential) {
throw new Error('No own credential configured. Call addOwnCredential() first.');
}
return {
format: edhoc_1.EdhocCredentialsFormat.kid,
privateKey: this.ownCredential.privateKey,
publicKey: this.ownCredential.publicKey,
kid: {
kid: this.ownCredential.kid,
credentials: this.ownCredential.ccsBytes,
isCBOR: true,
},
};
}
/**
* Verify received peer credentials by looking up the kid value among
* registered peer credentials.
*/
async verify(_edhoc, credentials) {
if (credentials.format !== edhoc_1.EdhocCredentialsFormat.kid) {
throw new Error('CCSCredentialManager only supports kid credentials format');
}
const kidCred = credentials;
const receivedKid = kidCred.kid.kid;
const peer = this.peerCredentials.find(p => {
if (typeof p.kid === 'number' && typeof receivedKid === 'number') {
return p.kid === receivedKid;
}
if (Buffer.isBuffer(p.kid) && Buffer.isBuffer(receivedKid)) {
return p.kid.equals(receivedKid);
}
return false;
});
if (!peer) {
throw new Error(`Unknown peer kid: ${receivedKid}`);
}
return {
format: edhoc_1.EdhocCredentialsFormat.kid,
publicKey: peer.publicKey,
kid: {
kid: peer.kid,
credentials: peer.ccsBytes,
isCBOR: true,
},
};
}
}
exports.CCSCredentialManager = CCSCredentialManager;