jose-browser-runtime - npm Package Compare versions

Comparing version 3.11.2 to 3.11.3

dist/browser/lib/decrypt_key_management.js

		@@ -9,2 +9,3 @@ import { JOSENotSupported, JWEInvalid } from '../util/errors.js';
		import { bitLengths as cekLengths } from '../lib/cek.js';
		import { parseJwk } from '../jwk/parse.js';
		function assertEnryptedKey(encryptedKey) {
		@@ -39,3 +40,3 @@ if (!encryptedKey) {
		}
		const ephemeralKey = await ECDH.publicJwkToEphemeralKey(joseHeader.epk);
		const epk = await parseJwk(joseHeader.epk, alg);
		let partyUInfo;
		@@ -47,3 +48,3 @@ let partyVInfo;
		partyVInfo = base64url(joseHeader.apv);
		const sharedSecret = await ECDH.deriveKey(ephemeralKey, key, alg === 'ECDH-ES' ? joseHeader.enc : alg, parseInt(alg.substr(-5, 3), 10) \|\| cekLengths.get(joseHeader.enc), partyUInfo, partyVInfo);
		const sharedSecret = await ECDH.deriveKey(epk, key, alg === 'ECDH-ES' ? joseHeader.enc : alg, parseInt(alg.substr(-5, 3), 10) \|\| cekLengths.get(joseHeader.enc), partyUInfo, partyVInfo);
		if (alg === 'ECDH-ES') {
		@@ -50,0 +51,0 @@ return sharedSecret;

dist/browser/lib/encrypt_key_management.js

		@@ -10,2 +10,3 @@ import cekFactory, { bitLengths as cekLengths } from '../lib/cek.js';
		import { encode as base64url } from '../runtime/base64url.js';
		import { fromKeyLike } from '../jwk/from_key_like.js';
		const generateCek = cekFactory(random);
		@@ -31,5 +32,5 @@ async function encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) {
		ephemeralKey \|\| (ephemeralKey = await ECDH.generateEpk(key));
		const epk = await ECDH.ephemeralKeyToPublicJWK(ephemeralKey);
		const { x, y, crv, kty } = await fromKeyLike(ephemeralKey);
		const sharedSecret = await ECDH.deriveKey(key, ephemeralKey, alg === 'ECDH-ES' ? enc : alg, parseInt(alg.substr(-5, 3), 10) \|\| cekLengths.get(enc), apu, apv);
		parameters = { epk };
		parameters = { epk: { x, y, crv, kty } };
		if (apu)
		@@ -36,0 +37,0 @@ parameters.apu = base64url(apu);

dist/browser/runtime/ecdhes.js

		@@ -22,9 +22,2 @@ import { encoder, concat, uint32be, lengthAndInput, concatKdf } from '../lib/buffer_utils.js';
		};
		export const ephemeralKeyToPublicJWK = async function ephemeralKeyToPublicJWK(key) {
		if (!isCryptoKey(key)) {
		throw new TypeError('invalid key input');
		}
		const { crv, kty, x, y } = await crypto.subtle.exportKey('jwk', key);
		return { crv, kty, x, y };
		};
		export const generateEpk = async (key) => {
		@@ -36,4 +29,2 @@ if (!isCryptoKey(key)) {
		};
		export const publicJwkToEphemeralKey = (jwk) => crypto.subtle.importKey('jwk', jwk, { name: 'ECDH', namedCurve: jwk.crv }, true, []);
		const curves = ['P-256', 'P-384', 'P-521'];
		export const ecdhAllowed = (key) => {
		@@ -43,3 +34,3 @@ if (!isCryptoKey(key)) {
		}
		return curves.includes(key.algorithm.namedCurve);
		return ['P-256', 'P-384', 'P-521'].includes(key.algorithm.namedCurve);
		};

466

dist/types/types.d.ts

		/// <reference lib="dom"/>

		/* eslint-disable @typescript-eslint/naming-convention */
		import type { KeyObject } from 'crypto'

		/**
		* JSON Web Key ([JWK](https://tools.ietf.org/html/rfc7517)).
		* "RSA", "EC", "OKP", and "oct" key types are supported.
		*/
		export interface JWK {
		/**
		* JWK "alg" (Algorithm) Parameter.
		*/
		alg?: string
		@@ -20,18 +10,6 @@ crv?: string
		e?: string
		/**
		* JWK "ext" (Extractable) Parameter.
		*/
		ext?: boolean
		k?: string
		/**
		* JWK "key_ops" (Key Operations) Parameter.
		*/
		key_ops?: string[]
		/**
		* JWK "kid" (Key ID) Parameter.
		*/
		kid?: string
		/**
		* JWK "kty" (Key Type) Parameter.
		*/
		kty?: string
		@@ -47,121 +25,24 @@ n?: string
		qi?: string
		/**
		* JWK "use" (Public Key Use) Parameter.
		*/
		use?: string
		x?: string
		y?: string
		/**
		* JWK "x5c" (X.509 Certificate Chain) Parameter.
		*/
		x5c?: string[]
		/**
		* JWK "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter.
		*/
		x5t?: string
		/**
		* "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter.
		*/
		'x5t#S256'?: string
		/**
		* JWK "x5u" (X.509 URL) Parameter.
		*/
		x5u?: string
		}

		/**
		* Generic Interface for consuming operations dynamic key resolution.
		* No token components have been verified at the time of this function call.
		*
		* If you cannot match a key suitable for the token, throw an error instead.
		*
		* @param protectedHeader JWE or JWS Protected Header.
		* @param token The consumed JWE or JWS token.
		*/
		export interface GetKeyFunction<T, T2> {
		(protectedHeader: T, token: T2): Promise<KeyLike>
		}

		/* eslint-disable jsdoc/check-indentation */
		/**
		* KeyLike are platform-specific references to keying material.
		*
		* - [KeyObject](https://nodejs.org/api/crypto.html#crypto_class_keyobject) instances come from
		* node's [crypto module](https://nodejs.org/api/crypto.html), e.g.:
		* - [crypto.generateKeyPair](https://nodejs.org/api/crypto.html#crypto_crypto_generatekeypair_type_options_callback)
		* - [crypto.createPublicKey](https://nodejs.org/api/crypto.html#crypto_crypto_createpublickey_key)
		* - [crypto.createPrivateKey](https://nodejs.org/api/crypto.html#crypto_crypto_createprivatekey_key)
		* - [crypto.createSecretKey](https://nodejs.org/api/crypto.html#crypto_crypto_createsecretkey_key_encoding)
		* - [CryptoKey](https://developer.mozilla.org/en-US/docs/Web/API/CryptoKey) instances come from
		* [Web Cryptography API](https://www.w3.org/TR/WebCryptoAPI), e.g.:
		* - [SubtleCrypto.importKey](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey)
		* - [SubtleCrypto.generateKey](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey)
		* - [Uint8Array](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array)
		* is used exclusively for symmetric secret representations, a CryptoKey or KeyObject is
		* preferred, but in Web Crypto API this isn't an option for some algorithms.
		*/
		export type KeyLike = KeyObject \| CryptoKey \| Uint8Array
		/* eslint-enable */

		/**
		* Flattened JWS definition for verify function inputs, allows payload as
		* Uint8Array for detached signature validation.
		*/
		export interface FlattenedJWSInput {
		/**
		* The "header" member MUST be present and contain the value JWS
		* Unprotected Header when the JWS Unprotected Header value is non-
		* empty; otherwise, it MUST be absent. This value is represented as
		* an unencoded JSON object, rather than as a string. These Header
		* Parameter values are not integrity protected.
		*/
		header?: JWSHeaderParameters

		/**
		* The "payload" member MUST be present and contain the value
		* BASE64URL(JWS Payload). When RFC7797 "b64": false is used
		* the value passed may also be a Uint8Array.
		*/
		payload: string \| Uint8Array

		/**
		* The "protected" member MUST be present and contain the value
		* BASE64URL(UTF8(JWS Protected Header)) when the JWS Protected
		* Header value is non-empty; otherwise, it MUST be absent. These
		* Header Parameter values are integrity protected.
		*/
		protected?: string

		/**
		* The "signature" member MUST be present and contain the value
		* BASE64URL(JWS Signature).
		*/
		signature: string
		}

		/**
		* General JWS definition for verify function inputs, allows payload as
		* Uint8Array for detached signature validation.
		*/
		export interface GeneralJWSInput {
		/**
		* The "payload" member MUST be present and contain the value
		* BASE64URL(JWS Payload). When RFC7797 "b64": false is used
		* the value passed may also be a Uint8Array.
		*/
		payload: string \| Uint8Array

		/**
		* The "signatures" member value MUST be an array of JSON objects.
		* Each object represents a signature or MAC over the JWS Payload and
		* the JWS Protected Header.
		*/
		signatures: Omit<FlattenedJWSInput, 'payload'>[]
		}

		/**
		* Flattened JWS definition. Payload is an optional return property, it
		* is not returned when JWS Unencoded Payload Option
		* [RFC7797](https://tools.ietf.org/html/rfc7797) is used.
		*/
		export interface FlattenedJWS extends Partial<FlattenedJWSInput> {
		@@ -171,8 +52,2 @@ payload?: string
		}

		/**
		* General JWS definition. Payload is an optional return property, it
		* is not returned when JWS Unencoded Payload Option
		* [RFC7797](https://tools.ietf.org/html/rfc7797) is used.
		*/
		export interface GeneralJWS {
		@@ -182,71 +57,17 @@ payload?: string
		}

		export interface JoseHeaderParameters {
		/**
		* "kid" (Key ID) Header Parameter.
		*/
		kid?: string

		/**
		* "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter.
		*/
		x5t?: string

		/**
		* "x5c" (X.509 Certificate Chain) Header Parameter.
		*/
		x5c?: string[]

		/**
		* "x5u" (X.509 URL) Header Parameter.
		*/
		x5u?: string

		/**
		* "jwk" (JSON Web Key) Header Parameter.
		*/
		jwk?: Pick<JWK, 'kty' \| 'crv' \| 'x' \| 'y' \| 'e' \| 'n'>

		/**
		* "typ" (Type) Header Parameter.
		*/
		typ?: string

		/**
		* "cty" (Content Type) Header Parameter.
		*/
		cty?: string
		}

		/**
		* Recognized JWS Header Parameters, any other Header Members
		* may also be present.
		*/
		export interface JWSHeaderParameters extends JoseHeaderParameters {
		/**
		* JWS "alg" (Algorithm) Header Parameter.
		*/
		alg?: string

		/**
		* This JWS Extension Header Parameter modifies the JWS Payload
		* representation and the JWS Signing Input computation as per
		* [RFC7797](https://tools.ietf.org/html/rfc7797).
		*/
		b64?: boolean

		/**
		* JWS "crit" (Critical) Header Parameter.
		*/
		crit?: string[]

		/**
		* Any other JWS Header member.
		*/
		[propName: string]: unknown
		}

		/**
		* Recognized JWE Key Management-related Header Parameters.
		*/
		export interface JWEKeyManagementHeaderParameters {
		@@ -260,130 +81,23 @@ apu?: Uint8Array
		}

		/**
		* Flattened JWE definition.
		*/
		export interface FlattenedJWE {
		/**
		* The "aad" member MUST be present and contain the value
		* BASE64URL(JWE AAD)) when the JWE AAD value is non-empty;
		* otherwise, it MUST be absent. A JWE AAD value can be included to
		* supply a base64url-encoded value to be integrity protected but not
		* encrypted.
		*/
		aad?: string

		/**
		* The "ciphertext" member MUST be present and contain the value
		* BASE64URL(JWE Ciphertext).
		*/
		ciphertext: string

		/**
		* The "encrypted_key" member MUST be present and contain the value
		* BASE64URL(JWE Encrypted Key) when the JWE Encrypted Key value is
		* non-empty; otherwise, it MUST be absent.
		*/
		encrypted_key?: string

		/**
		* The "header" member MUST be present and contain the value JWE Per-
		* Recipient Unprotected Header when the JWE Per-Recipient
		* Unprotected Header value is non-empty; otherwise, it MUST be
		* absent. This value is represented as an unencoded JSON object,
		* rather than as a string. These Header Parameter values are not
		* integrity protected.
		*/
		header?: JWEHeaderParameters

		/**
		* The "iv" member MUST be present and contain the value
		* BASE64URL(JWE Initialization Vector) when the JWE Initialization
		* Vector value is non-empty; otherwise, it MUST be absent.
		*/
		iv: string

		/**
		* The "protected" member MUST be present and contain the value
		* BASE64URL(UTF8(JWE Protected Header)) when the JWE Protected
		* Header value is non-empty; otherwise, it MUST be absent. These
		* Header Parameter values are integrity protected.
		*/
		protected?: string

		/**
		* The "tag" member MUST be present and contain the value
		* BASE64URL(JWE Authentication Tag) when the JWE Authentication Tag
		* value is non-empty; otherwise, it MUST be absent.
		*/
		tag: string

		/**
		* The "unprotected" member MUST be present and contain the value JWE
		* Shared Unprotected Header when the JWE Shared Unprotected Header
		* value is non-empty; otherwise, it MUST be absent. This value is
		* represented as an unencoded JSON object, rather than as a string.
		* These Header Parameter values are not integrity protected.
		*/
		unprotected?: JWEHeaderParameters
		}

		export interface GeneralJWE extends Omit<FlattenedJWE, 'encrypted_key' \| 'header'> {
		recipients: Pick<FlattenedJWE, 'encrypted_key' \| 'header'>[]
		}

		/**
		* Recognized JWE Header Parameters, any other Header members
		* may also be present.
		*/
		export interface JWEHeaderParameters extends JoseHeaderParameters {
		/**
		* JWE "alg" (Algorithm) Header Parameter.
		*/
		alg?: string

		/**
		* JWE "enc" (Encryption Algorithm) Header Parameter.
		*/
		enc?: string

		/**
		* JWE "crit" (Critical) Header Parameter.
		*/
		crit?: string[]

		/**
		* JWE "zip" (Compression Algorithm) Header Parameter.
		*/
		zip?: string

		/**
		* Any other JWE Header member.
		*/
		[propName: string]: unknown
		}

		/**
		* Shared Interface with a "crit" property for all sign and verify operations.
		*/
		export interface CritOption {
		/**
		* An object with keys representing recognized "crit" (Critical) Header Parameter
		* names. The value for those is either `true` or `false`. `true` when the
		* Header Parameter MUST be integrity protected, `false` when it's irrelevant.
		*
		* This makes the "Extension Header Parameter "${parameter}" is not recognized"
		* error go away.
		*
		* Use this when a given JWS/JWT/JWE profile requires the use of proprietary
		* non-registered "crit" (Critical) Header Parameters. This will only make sure
		* the Header Parameter is syntactically correct when provided and that it is
		* optionally integrity protected. It will not process the Header Parameter in
		* any way or reject if the operation if it is missing. You MUST still
		* verify the Header Parameter was present and process it according to the
		* profile's validation steps after the operation succeeds.
		*
		* The JWS extension Header Parameter `b64` is always recognized and processed
		* properly. No other registered Header Parameters that need this kind of
		* default built-in treatment are currently available.
		*/
		crit?: {
		@@ -393,248 +107,68 @@ [propName: string]: boolean
		}

		/**
		* JWE Decryption options.
		*/
		export interface DecryptOptions extends CritOption {
		/**
		* A list of accepted JWE "alg" (Algorithm) Header Parameter values.
		*/
		keyManagementAlgorithms?: string[]

		/**
		* A list of accepted JWE "enc" (Encryption Algorithm) Header Parameter values.
		*/
		contentEncryptionAlgorithms?: string[]

		/**
		* In a browser runtime you have to provide an implementation for Inflate Raw
		* when you expect JWEs with compressed plaintext.
		*/
		inflateRaw?: InflateFunction
		}

		/**
		* JWE Encryption options.
		*/
		export interface EncryptOptions extends CritOption {
		/**
		* In a browser runtime you have to provide an implementation for Deflate Raw
		* when you will be producing JWEs with compressed plaintext.
		*/
		deflateRaw?: DeflateFunction
		}

		/**
		* JWT Claims Set verification options.
		*/
		export interface JWTClaimVerificationOptions {
		/**
		* Expected JWT "aud" (Audience) Claim value(s).
		*/
		audience?: string \| string[]

		/**
		* Expected clock tolerance
		* - in seconds when number (e.g. 5)
		* - parsed as seconds when a string (e.g. "5 seconds", "10 minutes", "2 hours").
		*/
		clockTolerance?: string \| number

		/**
		* Expected JWT "iss" (Issuer) Claim value(s).
		*/
		issuer?: string \| string[]

		/**
		* Maximum time elapsed (in seconds) from the JWT "iat" (Issued At) Claim value.
		* - in seconds when number (e.g. 5)
		* - parsed as seconds when a string (e.g. "5 seconds", "10 minutes", "2 hours").
		*/
		maxTokenAge?: string \| number

		/**
		* Expected JWT "sub" (Subject) Claim value.
		*/
		subject?: string

		/**
		* Expected JWT "typ" (Type) Header Parameter value.
		*/
		typ?: string

		/**
		* Date to use when comparing NumericDate claims, defaults to `new Date()`.
		*/
		currentDate?: Date
		}

		/**
		* JWS Verification options.
		*/
		export interface VerifyOptions extends CritOption {
		/**
		* A list of accepted JWS "alg" (Algorithm) Header Parameter values.
		*/
		algorithms?: string[]
		}

		/**
		* JWS Signing options.
		*/
		export interface SignOptions extends CritOption {}

		/**
		* Recognized JWT Claims Set members, any other members
		* may also be present.
		*/
		export interface JWTPayload {
		/**
		* JWT Issuer - [RFC7519#section-4.1.1](https://tools.ietf.org/html/rfc7519#section-4.1.1).
		*/
		iss?: string

		/**
		* JWT Subject - [RFC7519#section-4.1.2](https://tools.ietf.org/html/rfc7519#section-4.1.2).
		*/
		sub?: string

		/**
		* JWT Audience [RFC7519#section-4.1.3](https://tools.ietf.org/html/rfc7519#section-4.1.3).
		*/
		aud?: string \| string[]

		/**
		* JWT ID - [RFC7519#section-4.1.7](https://tools.ietf.org/html/rfc7519#section-4.1.7).
		*/
		jti?: string

		/**
		* JWT Not Before - [RFC7519#section-4.1.5](https://tools.ietf.org/html/rfc7519#section-4.1.5).
		*/
		nbf?: number

		/**
		* JWT Expiration Time - [RFC7519#section-4.1.4](https://tools.ietf.org/html/rfc7519#section-4.1.4).
		*/
		exp?: number

		/**
		* JWT Issued At - [RFC7519#section-4.1.6](https://tools.ietf.org/html/rfc7519#section-4.1.6).
		*/
		iat?: number

		/**
		* Any other JWT Claim Set member.
		*/
		[propName: string]: unknown
		}

		/**
		* Deflate Raw implementation, e.g. promisified [zlib.deflateRaw](https://nodejs.org/api/zlib.html#zlib_zlib_deflateraw_buffer_options_callback).
		*/
		export interface DeflateFunction {
		(input: Uint8Array): Promise<Uint8Array>
		}

		/**
		* Inflate Raw implementation, e.g. promisified [zlib.inflateRaw](https://nodejs.org/api/zlib.html#zlib_zlib_inflateraw_buffer_options_callback).
		*/
		export interface InflateFunction {
		(input: Uint8Array): Promise<Uint8Array>
		}

		export interface FlattenedDecryptResult {
		/**
		* JWE AAD.
		*/
		additionalAuthenticatedData?: Uint8Array

		/**
		* Plaintext.
		*/
		plaintext: Uint8Array

		/**
		* JWE Protected Header.
		*/
		protectedHeader?: JWEHeaderParameters

		/**
		* JWE Shared Unprotected Header.
		*/
		sharedUnprotectedHeader?: JWEHeaderParameters

		/**
		* JWE Per-Recipient Unprotected Header.
		*/
		unprotectedHeader?: JWEHeaderParameters
		}

		export interface GeneralDecryptResult extends FlattenedDecryptResult {}

		export interface CompactDecryptResult {
		/**
		* Plaintext.
		*/
		plaintext: Uint8Array

		/**
		* JWE Protected Header.
		*/
		protectedHeader: JWEHeaderParameters
		}

		export interface FlattenedVerifyResult {
		/**
		* JWS Payload.
		*/
		payload: Uint8Array

		/**
		* JWS Protected Header.
		*/
		protectedHeader?: JWSHeaderParameters

		/**
		* JWS Unprotected Header.
		*/
		unprotectedHeader?: JWSHeaderParameters
		}

		export interface GeneralVerifyResult extends FlattenedVerifyResult {}

		export interface CompactVerifyResult {
		/**
		* JWS Payload.
		*/
		payload: Uint8Array

		/**
		* JWS Protected Header.
		*/
		protectedHeader: JWSHeaderParameters
		}

		export interface JWTVerifyResult {
		/**
		* JWT Claims Set.
		*/
		payload: JWTPayload

		/**
		* JWS Protected Header.
		*/
		protectedHeader: JWSHeaderParameters
		}

		export interface JWTDecryptResult {
		/**
		* JWT Claims Set.
		*/
		payload: JWTPayload

		/**
		* JWE Protected Header.
		*/
		protectedHeader: JWEHeaderParameters
		}

package.json

		{
		"name": "jose-browser-runtime",
		"version": "3.11.2",
		"version": "3.11.3",
		"description": "(Browser Runtime) 'JSON Web Almost Everything' - JWA, JWS, JWE, JWT, JWK with no dependencies",
		@@ -5,0 +5,0 @@ "keywords": [

jose-browser-runtime - npm Package Compare versions

New alerts

Fixed alerts

Worsened metrics