UNPKG

edhoc

Version:

A Node.js implementation of EDHOC (Ephemeral Diffie-Hellman Over COSE) protocol for lightweight authenticated key exchange in IoT and other constrained environments.

88 lines (87 loc) 3.17 kB
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.CCSCredentialManager = void 0; const edhoc_1 = require("./edhoc"); /** * Credential manager for CCS (CWT Claims Set) credentials identified by kid. * * Use `addOwnCredential()` to register the local party's credential (returned * by `fetch()`) and `addPeerCredential()` for each remote party whose * credentials should be accepted (matched during `verify()`). */ class CCSCredentialManager { ownCredential = null; peerCredentials = []; /** * Register the local party's CCS credential. * * @param kid - Key identifier (integer or Buffer) * @param ccsBytes - Raw CBOR-encoded CCS map * @param publicKey - Public key bytes (e.g. P-256 x-coordinate or x||y) * @param privateKey - Private key bytes */ addOwnCredential(kid, ccsBytes, publicKey, privateKey) { this.ownCredential = { kid, ccsBytes, publicKey, privateKey }; } /** * Register a peer's CCS credential for verification. * * @param kid - Key identifier (integer or Buffer) * @param ccsBytes - Raw CBOR-encoded CCS map * @param publicKey - Public key bytes */ addPeerCredential(kid, ccsBytes, publicKey) { this.peerCredentials.push({ kid, ccsBytes, publicKey }); } /** * Return the local party's credentials for inclusion in an EDHOC message. */ async fetch(_edhoc) { if (!this.ownCredential) { throw new Error('No own credential configured. Call addOwnCredential() first.'); } return { format: edhoc_1.EdhocCredentialsFormat.kid, privateKey: this.ownCredential.privateKey, publicKey: this.ownCredential.publicKey, kid: { kid: this.ownCredential.kid, credentials: this.ownCredential.ccsBytes, isCBOR: true, }, }; } /** * Verify received peer credentials by looking up the kid value among * registered peer credentials. */ async verify(_edhoc, credentials) { if (credentials.format !== edhoc_1.EdhocCredentialsFormat.kid) { throw new Error('CCSCredentialManager only supports kid credentials format'); } const kidCred = credentials; const receivedKid = kidCred.kid.kid; const peer = this.peerCredentials.find(p => { if (typeof p.kid === 'number' && typeof receivedKid === 'number') { return p.kid === receivedKid; } if (Buffer.isBuffer(p.kid) && Buffer.isBuffer(receivedKid)) { return p.kid.equals(receivedKid); } return false; }); if (!peer) { throw new Error(`Unknown peer kid: ${receivedKid}`); } return { format: edhoc_1.EdhocCredentialsFormat.kid, publicKey: peer.publicKey, kid: { kid: peer.kid, credentials: peer.ccsBytes, isCBOR: true, }, }; } } exports.CCSCredentialManager = CCSCredentialManager;