Huge News!Announcing our $40M Series B led by Abstract Ventures.Learn More
Socket
Sign inDemoInstall
Socket
Sign inDemoInstall

jose-node-esm-runtime

Package Overview
Dependencies
Maintainers
1
Versions
132
Alerts
File Explorer

Advanced tools

License
Socket logo

Install Socket

Detect and block malicious and high-risk dependencies

Install

jose-node-esm-runtime - npm Package Compare versions

Comparing version 4.5.3 to 4.6.0

9

dist/node/esm/jwe/general/encrypt.js

@@ -136,2 +136,8 @@ import { FlattenedEncrypt, unprotected } from '../flattened/encrypt.js';

jwe.recipients.push(target);
const joseHeader = {
...this._protectedHeader,
...this._unprotectedHeader,
...recipient.unprotectedHeader,
};
const p2c = joseHeader.alg.startsWith('PBES2') ? 2048 + i : undefined;
if (i === 0) {

@@ -144,2 +150,3 @@ const flattened = await new FlattenedEncrypt(this._plaintext)

.setUnprotectedHeader(recipient.unprotectedHeader)
.setKeyManagementParameters({ p2c })
.encrypt(recipient.key, {

@@ -166,3 +173,3 @@ ...recipient.options,

((_b = this._protectedHeader) === null || _b === void 0 ? void 0 : _b.alg) ||
((_c = this._unprotectedHeader) === null || _c === void 0 ? void 0 : _c.alg), enc, recipient.key, cek);
((_c = this._unprotectedHeader) === null || _c === void 0 ? void 0 : _c.alg), enc, recipient.key, cek, { p2c });
target.encrypted_key = base64url(encryptedKey);

@@ -169,0 +176,0 @@ if (recipient.unprotectedHeader || parameters)

2

dist/node/esm/lib/crypto_key.js

@@ -124,3 +124,3 @@ import { isCloudflareWorkers, isNodeJs } from '../runtime/env.js';

}
case 'ECDH-ES':
case 'ECDH':
if (!isAlgorithm(key.algorithm, 'ECDH'))

@@ -127,0 +127,0 @@ throw unusable('ECDH');

2

dist/node/esm/lib/decrypt_key_management.js

@@ -29,3 +29,3 @@ import { unwrap as aesKw } from '../runtime/aeskw.js';

if (!ECDH.ecdhAllowed(key))
throw new JOSENotSupported('ECDH-ES with the provided key is not allowed or not supported by your javascript runtime');
throw new JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');
const epk = await importJWK(joseHeader.epk, alg);

@@ -32,0 +32,0 @@ let partyUInfo;

2

dist/node/esm/lib/encrypt_key_management.js

@@ -26,3 +26,3 @@ import { wrap as aesKw } from '../runtime/aeskw.js';

if (!ECDH.ecdhAllowed(key)) {
throw new JOSENotSupported('ECDH-ES with the provided key is not allowed or not supported by your javascript runtime');
throw new JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');
}

@@ -29,0 +29,0 @@ const { apu, apv } = providedParameters;

4

dist/node/esm/runtime/ecdhes.js

@@ -15,3 +15,3 @@ import { diffieHellman, generateKeyPair as generateKeyPairCb, KeyObject } from 'crypto';

if (isCryptoKey(publicKee)) {
checkEncCryptoKey(publicKee, 'ECDH-ES');
checkEncCryptoKey(publicKee, 'ECDH');
publicKey = KeyObject.from(publicKee);

@@ -27,3 +27,3 @@ }

if (isCryptoKey(privateKee)) {
checkEncCryptoKey(privateKee, 'ECDH-ES', 'deriveBits', 'deriveKey');
checkEncCryptoKey(privateKee, 'ECDH', 'deriveBits');
privateKey = KeyObject.from(privateKee);

@@ -30,0 +30,0 @@ }

2

dist/node/esm/runtime/pbes2kw.js

@@ -27,3 +27,3 @@ import { promisify } from 'util';

}
export const encrypt = async (alg, key, cek, p2c = Math.floor(Math.random() * 2049) + 2048, p2s = random(new Uint8Array(16))) => {
export const encrypt = async (alg, key, cek, p2c = 2048, p2s = random(new Uint8Array(16))) => {
checkP2s(p2s);

@@ -30,0 +30,0 @@ const salt = concatSalt(alg, p2s);

26

dist/types/jwe/compact/decrypt.d.ts
import type { KeyLike, DecryptOptions, CompactJWEHeaderParameters, GetKeyFunction, FlattenedJWE, CompactDecryptResult, ResolvedKey } from '../../types';
/**
* Interface for Compact JWE Decryption dynamic key resolution.
* No token components have been verified at the time of this function call.
*/
export interface CompactDecryptGetKey extends GetKeyFunction<CompactJWEHeaderParameters, FlattenedJWE> {
}
/**
* Decrypts a Compact JWE.
*
* @param jwe Compact JWE.
* @param key Private Key or Secret to decrypt the JWE with.
* @param options JWE Decryption options.
*
* @example Usage
* ```js
* const jwe = 'eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0.nyQ19eq9ogh9wA7fFtnI2oouzy5_8b5DeLkoRMfi2yijgfTs2zEnayCEofz_qhnL-nwszabd9qUeHv0-IwvhhJJS7GUJOU3ikiIe42qcIAFme1A_Fo9CTxw4XTOy-I5qanl8So91u6hwfyN1VxAqVLsSE7_23EC-gfGEg_5znew9PyXXsOIE-K_HH7IQowRrlZ1X_bM_Liu53RzDpLDvRz59mp3S8L56YqpM8FexFGTGpEaoTcEIst375qncYt3-79IVR7gZN1RWsWgjPatfvVbnh74PglQcATSf3UUhaW0OAKn6q7r3PDx6DIKQ35bgHQg5QopuN00eIfLQL2trGw.W3grIVj5HVuAb76X.6PcuDe5D6ttWFYyv0oqqdDXfI2R8wBg1F2Q80UUA_Gv8eEimNWfxIWdLxrjzgQGSvIhxmFKuLM0.a93_Ug3uZHuczj70Zavx8Q'
*
* const { plaintext, protectedHeader } = await jose.compactDecrypt(jwe, privateKey)
*
* console.log(protectedHeader)
* console.log(new TextDecoder().decode(plaintext))
* ```
*/
export declare function compactDecrypt(jwe: string | Uint8Array, key: KeyLike | Uint8Array, options?: DecryptOptions): Promise<CompactDecryptResult>;
/**
* @param jwe Compact JWE.
* @param getKey Function resolving Private Key or Secret to decrypt the JWE with.
* @param options JWE Decryption options.
*/
export declare function compactDecrypt(jwe: string | Uint8Array, getKey: CompactDecryptGetKey, options?: DecryptOptions): Promise<CompactDecryptResult & ResolvedKey>;

56

dist/types/jwe/compact/encrypt.d.ts
import type { KeyLike, JWEKeyManagementHeaderParameters, CompactJWEHeaderParameters, EncryptOptions } from '../../types';
/**
* The CompactEncrypt class is a utility for creating Compact JWE strings.
*
* @example Usage
* ```js
* const jwe = await new jose.CompactEncrypt(
* new TextEncoder().encode(
* 'It’s a dangerous business, Frodo, going out your door.'
* )
* )
* .setProtectedHeader({ alg: 'RSA-OAEP-256', enc: 'A256GCM' })
* .encrypt(publicKey)
*
* console.log(jwe)
* ```
*/
export declare class CompactEncrypt {
private _flattened;
/**
* @param plaintext Binary representation of the plaintext to encrypt.
*/
constructor(plaintext: Uint8Array);
/**
* Sets a content encryption key to use, by default a random suitable one
* is generated for the JWE enc" (Encryption Algorithm) Header Parameter.
*
* @param cek JWE Content Encryption Key.
*
* @deprecated You should not use this method. It is only really intended
* for test and vector validation purposes.
*/
setContentEncryptionKey(cek: Uint8Array): this;
/**
* Sets the JWE Initialization Vector to use for content encryption, by default
* a random suitable one is generated for the JWE enc" (Encryption Algorithm)
* Header Parameter.
*
* @param iv JWE Initialization Vector.
*
* @deprecated You should not use this method. It is only really intended
* for test and vector validation purposes.
*/
setInitializationVector(iv: Uint8Array): this;
/**
* Sets the JWE Protected Header on the CompactEncrypt object.
*
* @param protectedHeader JWE Protected Header object.
*/
setProtectedHeader(protectedHeader: CompactJWEHeaderParameters): this;
/**
* Sets the JWE Key Management parameters to be used when encrypting the Content
* Encryption Key. You do not need to invoke this method, it is only really
* intended for test and vector validation purposes.
*
* @param parameters JWE Key Management parameters.
*/
setKeyManagementParameters(parameters: JWEKeyManagementHeaderParameters): this;
/**
* Encrypts and resolves the value of the Compact JWE string.
*
* @param key Public Key or Secret to encrypt the JWE with.
* @param options JWE Encryption options.
*/
encrypt(key: KeyLike | Uint8Array, options?: EncryptOptions): Promise<string>;
}

39

dist/types/jwe/flattened/decrypt.d.ts
import type { FlattenedDecryptResult, KeyLike, FlattenedJWE, JWEHeaderParameters, DecryptOptions, GetKeyFunction, ResolvedKey } from '../../types';
/**
* Interface for Flattened JWE Decryption dynamic key resolution.
* No token components have been verified at the time of this function call.
*/
export interface FlattenedDecryptGetKey extends GetKeyFunction<JWEHeaderParameters | undefined, FlattenedJWE> {
}
/**
* Decrypts a Flattened JWE.
*
* @param jwe Flattened JWE.
* @param key Private Key or Secret to decrypt the JWE with.
* @param options JWE Decryption options.
*
* @example Usage
* ```js
* const jwe = {
* ciphertext: '9EzjFISUyoG-ifC2mSihfP0DPC80yeyrxhTzKt1C_VJBkxeBG0MI4Te61Pk45RAGubUvBpU9jm4',
* iv: '8Fy7A_IuoX5VXG9s',
* tag: 'W76IYV6arGRuDSaSyWrQNg',
* encrypted_key: 'Z6eD4UK_yFb5ZoKvKkGAdqywEG_m0e4IYo0x8Vf30LAMJcsc-_zSgIeiF82teZyYi2YYduHKoqImk7MRnoPZOlEs0Q5BNK1OgBmSOhCE8DFyqh9Zh48TCTP6lmBQ52naqoUJFMtHzu-0LwZH26hxos0GP3Dt19O379MJB837TdKKa87skq0zHaVLAquRHOBF77GI54Bc7O49d8aOrSu1VEFGMThlW2caspPRiTSePDMDPq7_WGk50izRhB3Asl9wmP9wEeaTrkJKRnQj5ips1SAZ1hDBsqEQKKukxP1HtdcopHV5_qgwU8Hjm5EwSLMluMQuiE6hwlkXGOujZLVizA',
* aad: 'VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc',
* protected: 'eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0'
* }
*
* const {
* plaintext,
* protectedHeader,
* additionalAuthenticatedData
* } = await jose.flattenedDecrypt(jwe, privateKey)
*
* console.log(protectedHeader)
* const decoder = new TextDecoder()
* console.log(decoder.decode(plaintext))
* console.log(decoder.decode(additionalAuthenticatedData))
* ```
*/
export declare function flattenedDecrypt(jwe: FlattenedJWE, key: KeyLike | Uint8Array, options?: DecryptOptions): Promise<FlattenedDecryptResult>;
/**
* @param jwe Flattened JWE.
* @param getKey Function resolving Private Key or Secret to decrypt the JWE with.
* @param options JWE Decryption options.
*/
export declare function flattenedDecrypt(jwe: FlattenedJWE, getKey: FlattenedDecryptGetKey, options?: DecryptOptions): Promise<FlattenedDecryptResult & ResolvedKey>;

77

dist/types/jwe/flattened/encrypt.d.ts
import type { KeyLike, FlattenedJWE, JWEHeaderParameters, JWEKeyManagementHeaderParameters, EncryptOptions } from '../../types';
/**
* @private
*/
export declare const unprotected: unique symbol;
/**
* The FlattenedEncrypt class is a utility for creating Flattened JWE
* objects.
*
* @example Usage
* ```js
* const jwe = await new jose.FlattenedEncrypt(
* new TextEncoder().encode(
* 'It’s a dangerous business, Frodo, going out your door.'
* )
* )
* .setProtectedHeader({ alg: 'RSA-OAEP-256', enc: 'A256GCM' })
* .setAdditionalAuthenticatedData(encoder.encode('The Fellowship of the Ring'))
* .encrypt(publicKey)
*
* console.log(jwe)
* ```
*/
export declare class FlattenedEncrypt {

@@ -12,11 +33,67 @@ private _plaintext;

private _keyManagementParameters;
/**
* @param plaintext Binary representation of the plaintext to encrypt.
*/
constructor(plaintext: Uint8Array);
/**
* Sets the JWE Key Management parameters to be used when encrypting.
* Use of this is method is really only needed for ECDH based algorithms
* when utilizing the Agreement PartyUInfo or Agreement PartyVInfo parameters.
* Other parameters will always be randomly generated when needed and missing.
*
* @param parameters JWE Key Management parameters.
*/
setKeyManagementParameters(parameters: JWEKeyManagementHeaderParameters): this;
/**
* Sets the JWE Protected Header on the FlattenedEncrypt object.
*
* @param protectedHeader JWE Protected Header.
*/
setProtectedHeader(protectedHeader: JWEHeaderParameters): this;
/**
* Sets the JWE Shared Unprotected Header on the FlattenedEncrypt object.
*
* @param sharedUnprotectedHeader JWE Shared Unprotected Header.
*/
setSharedUnprotectedHeader(sharedUnprotectedHeader: JWEHeaderParameters): this;
/**
* Sets the JWE Per-Recipient Unprotected Header on the FlattenedEncrypt object.
*
* @param unprotectedHeader JWE Per-Recipient Unprotected Header.
*/
setUnprotectedHeader(unprotectedHeader: JWEHeaderParameters): this;
/**
* Sets the Additional Authenticated Data on the FlattenedEncrypt object.
*
* @param aad Additional Authenticated Data.
*/
setAdditionalAuthenticatedData(aad: Uint8Array): this;
/**
* Sets a content encryption key to use, by default a random suitable one
* is generated for the JWE enc" (Encryption Algorithm) Header Parameter.
*
* @param cek JWE Content Encryption Key.
*
* @deprecated You should not use this method. It is only really intended
* for test and vector validation purposes.
*/
setContentEncryptionKey(cek: Uint8Array): this;
/**
* Sets the JWE Initialization Vector to use for content encryption, by default
* a random suitable one is generated for the JWE enc" (Encryption Algorithm)
* Header Parameter.
*
* @param iv JWE Initialization Vector.
*
* @deprecated You should not use this method. It is only really intended
* for test and vector validation purposes.
*/
setInitializationVector(iv: Uint8Array): this;
/**
* Encrypts and resolves the value of the Flattened JWE object.
*
* @param key Public Key or Secret to encrypt the JWE with.
* @param options JWE Encryption options.
*/
encrypt(key: KeyLike | Uint8Array, options?: EncryptOptions): Promise<FlattenedJWE>;
}

43

dist/types/jwe/general/decrypt.d.ts
import type { KeyLike, DecryptOptions, JWEHeaderParameters, GetKeyFunction, FlattenedJWE, GeneralJWE, GeneralDecryptResult, ResolvedKey } from '../../types';
/**
* Interface for General JWE Decryption dynamic key resolution.
* No token components have been verified at the time of this function call.
*/
export interface GeneralDecryptGetKey extends GetKeyFunction<JWEHeaderParameters, FlattenedJWE> {
}
/**
* Decrypts a General JWE.
*
* @param jwe General JWE.
* @param key Private Key or Secret to decrypt the JWE with.
* @param options JWE Decryption options.
*
* @example Usage
* ```js
* const jwe = {
* ciphertext: '9EzjFISUyoG-ifC2mSihfP0DPC80yeyrxhTzKt1C_VJBkxeBG0MI4Te61Pk45RAGubUvBpU9jm4',
* iv: '8Fy7A_IuoX5VXG9s',
* tag: 'W76IYV6arGRuDSaSyWrQNg',
* aad: 'VGhlIEZlbGxvd3NoaXAgb2YgdGhlIFJpbmc',
* protected: 'eyJhbGciOiJSU0EtT0FFUC0yNTYiLCJlbmMiOiJBMjU2R0NNIn0',
* recipients: [
* {
* encrypted_key: 'Z6eD4UK_yFb5ZoKvKkGAdqywEG_m0e4IYo0x8Vf30LAMJcsc-_zSgIeiF82teZyYi2YYduHKoqImk7MRnoPZOlEs0Q5BNK1OgBmSOhCE8DFyqh9Zh48TCTP6lmBQ52naqoUJFMtHzu-0LwZH26hxos0GP3Dt19O379MJB837TdKKa87skq0zHaVLAquRHOBF77GI54Bc7O49d8aOrSu1VEFGMThlW2caspPRiTSePDMDPq7_WGk50izRhB3Asl9wmP9wEeaTrkJKRnQj5ips1SAZ1hDBsqEQKKukxP1HtdcopHV5_qgwU8Hjm5EwSLMluMQuiE6hwlkXGOujZLVizA'
* }
* ]
* }
*
* const {
* plaintext,
* protectedHeader,
* additionalAuthenticatedData
* } = await jose.generalDecrypt(jwe, privateKey)
*
* console.log(protectedHeader)
* const decoder = new TextDecoder()
* console.log(decoder.decode(plaintext))
* console.log(decoder.decode(additionalAuthenticatedData))
* ```
*/
export declare function generalDecrypt(jwe: GeneralJWE, key: KeyLike | Uint8Array, options?: DecryptOptions): Promise<GeneralDecryptResult>;
/**
* @param jwe General JWE.
* @param getKey Function resolving Private Key or Secret to decrypt the JWE with.
* @param options JWE Decryption options.
*/
export declare function generalDecrypt(jwe: GeneralJWE, getKey: GeneralDecryptGetKey, options?: DecryptOptions): Promise<GeneralDecryptResult & ResolvedKey>;

63

dist/types/jwe/general/encrypt.d.ts
import type { KeyLike, GeneralJWE, JWEHeaderParameters, CritOption, DeflateOption } from '../../types';
export interface Recipient {
/**
* Sets the JWE Per-Recipient Unprotected Header on the Recipient object.
*
* @param unprotectedHeader JWE Per-Recipient Unprotected Header.
*/
setUnprotectedHeader(unprotectedHeader: JWEHeaderParameters): Recipient;
/**
* A shorthand for calling addRecipient() on the enclosing GeneralEncrypt instance
*/
addRecipient(...args: Parameters<GeneralEncrypt['addRecipient']>): Recipient;
/**
* A shorthand for calling encrypt() on the enclosing GeneralEncrypt instance
*/
encrypt(...args: Parameters<GeneralEncrypt['encrypt']>): Promise<GeneralJWE>;
/**
* Returns the enclosing GeneralEncrypt
*/
done(): GeneralEncrypt;
}
/**
* The GeneralEncrypt class is a utility for creating General JWE objects.
*
* @example Usage
* ```js
* const jwe = await new jose.GeneralEncrypt(
* new TextEncoder().encode(
* 'It’s a dangerous business, Frodo, going out your door.'
* )
* )
* .setProtectedHeader({ enc: 'A256GCM' })
* .addRecipient(ecPublicKey)
* .setUnprotectedHeader({ alg: 'ECDH-ES+A256KW' })
* .addRecipient(rsaPublicKey)
* .setUnprotectedHeader({ alg: 'RSA-OAEP-384' })
* .encrypt()
*
* console.log(jwe)
* ```
*/
export declare class GeneralEncrypt {

@@ -14,8 +48,37 @@ private _plaintext;

private _aad;
/**
* @param plaintext Binary representation of the plaintext to encrypt.
*/
constructor(plaintext: Uint8Array);
/**
* Adds an additional recipient for the General JWE object.
*
* @param key Public Key or Secret to encrypt the Content Encryption Key for the recipient with.
* @param options JWE Encryption options.
*/
addRecipient(key: KeyLike | Uint8Array, options?: CritOption): Recipient;
/**
* Sets the JWE Protected Header on the GeneralEncrypt object.
*
* @param protectedHeader JWE Protected Header object.
*/
setProtectedHeader(protectedHeader: JWEHeaderParameters): this;
/**
* Sets the JWE Shared Unprotected Header on the GeneralEncrypt object.
*
* @param sharedUnprotectedHeader JWE Shared Unprotected Header object.
*/
setSharedUnprotectedHeader(sharedUnprotectedHeader: JWEHeaderParameters): this;
/**
* Sets the Additional Authenticated Data on the GeneralEncrypt object.
*
* @param aad Additional Authenticated Data.
*/
setAdditionalAuthenticatedData(aad: Uint8Array): this;
/**
* Encrypts and resolves the value of the General JWE object.
*
* @param options JWE Encryption options.
*/
encrypt(options?: DeflateOption): Promise<GeneralJWE>;
}

20

dist/types/jwk/embedded.d.ts
import type { FlattenedJWSInput, JWSHeaderParameters } from '../types';
/**
* EmbeddedJWK is an implementation of a GetKeyFunction intended to be used with the
* JWS/JWT verify operations whenever you need to opt-in to verify signatures with
* a public key embedded in the token's "jwk" (JSON Web Key) Header Parameter.
* It is recommended to combine this with the verify algorithms option to whitelist
* JWS algorithms to accept.
*
* @example Usage
* ```js
* const jwt = 'eyJqd2siOnsiY3J2IjoiUC0yNTYiLCJ4IjoiVU05ZzVuS25aWFlvdldBbE03NmNMejl2VG96UmpfX0NIVV9kT2wtZ09vRSIsInkiOiJkczhhZVF3MWwyY0RDQTdiQ2tPTnZ3REtwWEFidFhqdnFDbGVZSDhXc19VIiwia3R5IjoiRUMifSwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSIsImlhdCI6MTYwNDU4MDc5NH0.60boak3_dErnW47ZPty1C0nrjeVq86EN_eK0GOq6K8w2OA0thKoBxFK4j-NuU9yZ_A9UKGxPT_G87DladBaV9g'
*
* const { payload, protectedHeader } = await jose.jwtVerify(jwt, jose.EmbeddedJWK, {
* issuer: 'urn:example:issuer',
* audience: 'urn:example:audience'
* })
*
* console.log(protectedHeader)
* console.log(payload)
* ```
*/
export declare function EmbeddedJWK(protectedHeader: JWSHeaderParameters, token: FlattenedJWSInput): Promise<import("../types.d").KeyLike>;

19

dist/types/jwk/thumbprint.d.ts
import type { JWK } from '../types';
/**
* Calculates a base64url-encoded JSON Web Key (JWK) Thumbprint as per
* [RFC7638](https://www.rfc-editor.org/rfc/rfc7638).
*
* @param jwk JSON Web Key.
* @param digestAlgorithm Digest Algorithm to use for calculating the thumbprint.
* Default is sha256. Accepted is "sha256", "sha384", "sha512".
*
* @example Usage
* ```js
* const thumbprint = await jose.calculateJwkThumbprint({
* kty: 'RSA',
* e: 'AQAB',
* n: '12oBZRhCiZFJLcPg59LkZZ9mdhSMTKAQZYq32k_ti5SBB6jerkh-WzOMAO664r_qyLkqHUSp3u5SbXtseZEpN3XPWGKSxjsy-1JyEFTdLSYe6f9gfrmxkUF_7DTpq0gn6rntP05g2-wFW50YO7mosfdslfrTJYWHFhJALabAeYirYD7-9kqq9ebfFMF4sRRELbv9oi36As6Q9B3Qb5_C1rAzqfao_PCsf9EPsTZsVVVkA5qoIAr47lo1ipfiBPxUCCNSdvkmDTYgvvRm6ZoMjFbvOtgyts55fXKdMWv7I9HMD5HwE9uW839PWA514qhbcIsXEYSFMPMV6fnlsiZvQQ'
* })
*
* console.log(thumbprint)
* ```
*/
export declare function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: 'sha256' | 'sha384' | 'sha512'): Promise<string>;

42

dist/types/jwks/local.d.ts
import type { KeyLike, JWSHeaderParameters, JSONWebKeySet, FlattenedJWSInput, GetKeyFunction } from '../types';
/**
* @private
*/
export declare function isJWKSLike(jwks: unknown): jwks is JSONWebKeySet;
/**
* @private
*/
export declare class LocalJWKSet {

@@ -9,2 +15,38 @@ protected _jwks?: JSONWebKeySet;

}
/**
* Returns a function that resolves to a key object from a locally
* stored, or otherwise available, JSON Web Key Set.
*
* Only a single public key must match the selection process.
*
* @param jwks JSON Web Key Set formatted object.
*
* @example Usage
* ```js
* const JWKS = jose.createLocalJWKSet({
* keys: [
* {
* kty: 'RSA',
* e: 'AQAB',
* n: '12oBZRhCiZFJLcPg59LkZZ9mdhSMTKAQZYq32k_ti5SBB6jerkh-WzOMAO664r_qyLkqHUSp3u5SbXtseZEpN3XPWGKSxjsy-1JyEFTdLSYe6f9gfrmxkUF_7DTpq0gn6rntP05g2-wFW50YO7mosfdslfrTJYWHFhJALabAeYirYD7-9kqq9ebfFMF4sRRELbv9oi36As6Q9B3Qb5_C1rAzqfao_PCsf9EPsTZsVVVkA5qoIAr47lo1ipfiBPxUCCNSdvkmDTYgvvRm6ZoMjFbvOtgyts55fXKdMWv7I9HMD5HwE9uW839PWA514qhbcIsXEYSFMPMV6fnlsiZvQQ',
* alg: 'PS256'
* },
* {
* crv: 'P-256',
* kty: 'EC',
* x: 'ySK38C1jBdLwDsNWKzzBHqKYEE5Cgv-qjWvorUXk9fw',
* y: '_LeQBw07cf5t57Iavn4j-BqJsAD1dpoz8gokd3sBsOo',
* alg: 'ES256'
* }
* ]
* })
*
* const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
* issuer: 'urn:example:issuer',
* audience: 'urn:example:audience'
* })
* console.log(protectedHeader)
* console.log(payload)
* ```
*/
export declare function createLocalJWKSet(jwks: JSONWebKeySet): GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;

44

dist/types/jwks/remote.d.ts
import type { JWSHeaderParameters, FlattenedJWSInput, GetKeyFunction } from '../types';
/**
* Options for the remote JSON Web Key Set.
*/
export interface RemoteJWKSetOptions {
/**
* Timeout (in milliseconds) for the HTTP request. When reached the request will be
* aborted and the verification will fail. Default is 5000.
*/
timeoutDuration?: number;
/**
* Duration (in milliseconds) for which no more HTTP requests will be triggered
* after a previous successful fetch. Default is 30000.
*/
cooldownDuration?: number;
/**
* An instance of [http.Agent](https://nodejs.org/api/http.html#http_class_http_agent)
* or [https.Agent](https://nodejs.org/api/https.html#https_class_https_agent) to pass
* to the [http.get](https://nodejs.org/api/http.html#http_http_get_options_callback)
* or [https.get](https://nodejs.org/api/https.html#https_https_get_options_callback)
* method's options. Use when behind an http(s) proxy.
* This is a Node.js runtime specific option, it is ignored
* when used outside of Node.js runtime.
*/
agent?: any;

@@ -10,3 +30,27 @@ }

}
/**
* Returns a function that resolves to a key object downloaded from a
* remote endpoint returning a JSON Web Key Set, that is, for example,
* an OAuth 2.0 or OIDC jwks_uri. Only a single public key must match
* the selection process.
* The JSON Web Key Set is fetched when no key matches the selection
* process but only as frequently as the `cooldownDuration` option allows,
* to prevent abuse.
*
* @param url URL to fetch the JSON Web Key Set from.
* @param options Options for the remote JSON Web Key Set.
*
* @example Usage
* ```js
* const JWKS = jose.createRemoteJWKSet(new URL('https://www.googleapis.com/oauth2/v3/certs'))
*
* const { payload, protectedHeader } = await jose.jwtVerify(jwt, JWKS, {
* issuer: 'urn:example:issuer',
* audience: 'urn:example:audience'
* })
* console.log(protectedHeader)
* console.log(payload)
* ```
*/
export declare function createRemoteJWKSet(url: URL, options?: RemoteJWKSetOptions): GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput>;
export {};

30

dist/types/jws/compact/sign.d.ts
import type { CompactJWSHeaderParameters, KeyLike, SignOptions } from '../../types';
/**
* The CompactSign class is a utility for creating Compact JWS strings.
*
* @example Usage
* ```js
* const jws = await new jose.CompactSign(
* new TextEncoder().encode(
* 'It’s a dangerous business, Frodo, going out your door.'
* )
* )
* .setProtectedHeader({ alg: 'ES256' })
* .sign(privateKey)
*
* console.log(jws)
* ```
*/
export declare class CompactSign {
private _flattened;
/**
* @param payload Binary representation of the payload to sign.
*/
constructor(payload: Uint8Array);
/**
* Sets the JWS Protected Header on the Sign object.
*
* @param protectedHeader JWS Protected Header.
*/
setProtectedHeader(protectedHeader: CompactJWSHeaderParameters): this;
/**
* Signs and resolves the value of the Compact JWS string.
*
* @param key Private Key or Secret to sign the JWS with.
* @param options JWS Sign options.
*/
sign(key: KeyLike | Uint8Array, options?: SignOptions): Promise<string>;
}

29

dist/types/jws/compact/verify.d.ts
import type { CompactVerifyResult, FlattenedJWSInput, GetKeyFunction, CompactJWSHeaderParameters, KeyLike, VerifyOptions, ResolvedKey } from '../../types';
/**
* Interface for Compact JWS Verification dynamic key resolution.
* No token components have been verified at the time of this function call.
*
* See [createRemoteJWKSet](../functions/jwks_remote.createRemoteJWKSet.md#function-createremotejwkset)
* to verify using a remote JSON Web Key Set.
*/
export interface CompactVerifyGetKey extends GetKeyFunction<CompactJWSHeaderParameters, FlattenedJWSInput> {
}
/**
* Verifies the signature and format of and afterwards decodes the Compact JWS.
*
* @param jws Compact JWS.
* @param key Key to verify the JWS with.
* @param options JWS Verify options.
*
* @example Usage
* ```js
* const jws = 'eyJhbGciOiJFUzI1NiJ9.SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4.kkAs_gPPxWMI3rHuVlxHaTPfDWDoqdI8jSvuSmqV-8IHIWXg9mcAeC9ggV-45ZHRbiRJ3obUIFo1rHphPA5URg'
*
* const { payload, protectedHeader } = await jose.compactVerify(jws, publicKey)
*
* console.log(protectedHeader)
* console.log(new TextDecoder().decode(payload))
* ```
*/
export declare function compactVerify(jws: string | Uint8Array, key: KeyLike | Uint8Array, options?: VerifyOptions): Promise<CompactVerifyResult>;
/**
* @param jws Compact JWS.
* @param getKey Function resolving a key to verify the JWS with.
* @param options JWS Verify options.
*/
export declare function compactVerify(jws: string | Uint8Array, getKey: CompactVerifyGetKey, options?: VerifyOptions): Promise<CompactVerifyResult & ResolvedKey>;

35

dist/types/jws/flattened/sign.d.ts
import type { KeyLike, FlattenedJWS, JWSHeaderParameters, SignOptions } from '../../types';
/**
* The FlattenedSign class is a utility for creating Flattened JWS objects.
*
* @example Usage
* ```js
* const jws = await new jose.FlattenedSign(
* new TextEncoder().encode(
* 'It’s a dangerous business, Frodo, going out your door.'
* )
* )
* .setProtectedHeader({ alg: 'ES256' })
* .sign(privateKey)
*
* console.log(jws)
* ```
*/
export declare class FlattenedSign {

@@ -6,6 +22,25 @@ private _payload;

private _unprotectedHeader;
/**
* @param payload Binary representation of the payload to sign.
*/
constructor(payload: Uint8Array);
/**
* Sets the JWS Protected Header on the FlattenedSign object.
*
* @param protectedHeader JWS Protected Header.
*/
setProtectedHeader(protectedHeader: JWSHeaderParameters): this;
/**
* Sets the JWS Unprotected Header on the FlattenedSign object.
*
* @param unprotectedHeader JWS Unprotected Header.
*/
setUnprotectedHeader(unprotectedHeader: JWSHeaderParameters): this;
/**
* Signs and resolves the value of the Flattened JWS object.
*
* @param key Private Key or Secret to sign the JWS with.
* @param options JWS Sign options.
*/
sign(key: KeyLike | Uint8Array, options?: SignOptions): Promise<FlattenedJWS>;
}

34

dist/types/jws/flattened/verify.d.ts
import type { FlattenedVerifyResult, KeyLike, FlattenedJWSInput, JWSHeaderParameters, VerifyOptions, GetKeyFunction, ResolvedKey } from '../../types';
/**
* Interface for Flattened JWS Verification dynamic key resolution.
* No token components have been verified at the time of this function call.
*
* See [createRemoteJWKSet](../functions/jwks_remote.createRemoteJWKSet.md#function-createremotejwkset)
* to verify using a remote JSON Web Key Set.
*/
export interface FlattenedVerifyGetKey extends GetKeyFunction<JWSHeaderParameters | undefined, FlattenedJWSInput> {
}
/**
* Verifies the signature and format of and afterwards decodes the Flattened JWS.
*
* @param jws Flattened JWS.
* @param key Key to verify the JWS with.
* @param options JWS Verify options.
*
* @example Usage
* ```js
* const decoder = new TextDecoder()
* const jws = {
* signature: 'FVVOXwj6kD3DqdfD9yYqfT2W9jv-Nop4kOehp_DeDGNB5dQNSPRvntBY6xH3uxlCxE8na9d_kyhYOcanpDJ0EA',
* payload: 'SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4',
* protected: 'eyJhbGciOiJFUzI1NiJ9'
* }
*
* const { payload, protectedHeader } = await jose.flattenedVerify(jws, publicKey)
*
* console.log(protectedHeader)
* console.log(decoder.decode(payload))
* ```
*/
export declare function flattenedVerify(jws: FlattenedJWSInput, key: KeyLike | Uint8Array, options?: VerifyOptions): Promise<FlattenedVerifyResult>;
/**
* @param jws Flattened JWS.
* @param getKey Function resolving a key to verify the JWS with.
* @param options JWS Verify options.
*/
export declare function flattenedVerify(jws: FlattenedJWSInput, getKey: FlattenedVerifyGetKey, options?: VerifyOptions): Promise<FlattenedVerifyResult & ResolvedKey>;

50

dist/types/jws/general/sign.d.ts
import type { KeyLike, GeneralJWS, JWSHeaderParameters, SignOptions } from '../../types';
export interface Signature {
/**
* Sets the JWS Protected Header on the Signature object.
*
* @param protectedHeader JWS Protected Header.
*/
setProtectedHeader(protectedHeader: JWSHeaderParameters): Signature;
/**
* Sets the JWS Unprotected Header on the Signature object.
*
* @param unprotectedHeader JWS Unprotected Header.
*/
setUnprotectedHeader(unprotectedHeader: JWSHeaderParameters): Signature;
/**
* A shorthand for calling addSignature() on the enclosing GeneralSign instance
*/
addSignature(...args: Parameters<GeneralSign['addSignature']>): Signature;
/**
* A shorthand for calling encrypt() on the enclosing GeneralSign instance
*/
sign(...args: Parameters<GeneralSign['sign']>): Promise<GeneralJWS>;
/**
* Returns the enclosing GeneralSign
*/
done(): GeneralSign;
}
/**
* The GeneralSign class is a utility for creating General JWS objects.
*
* @example Usage
* ```js
* const jws = await new jose.GeneralSign(
* new TextEncoder().encode(
* 'It’s a dangerous business, Frodo, going out your door.'
* )
* )
* .addSignature(ecPrivateKey)
* .setProtectedHeader({ alg: 'ES256' })
* .addSignature(rsaPrivateKey)
* .setProtectedHeader({ alg: 'PS256' })
* .sign()
*
* console.log(jws)
* ```
*/
export declare class GeneralSign {
private _payload;
private _signatures;
/**
* @param payload Binary representation of the payload to sign.
*/
constructor(payload: Uint8Array);
/**
* Adds an additional signature for the General JWS object.
*
* @param key Private Key or Secret to sign the individual JWS signature with.
* @param options JWS Sign options.
*/
addSignature(key: KeyLike | Uint8Array, options?: SignOptions): Signature;
/**
* Signs and resolves the value of the General JWS object.
*/
sign(): Promise<GeneralJWS>;
}

37

dist/types/jws/general/verify.d.ts
import type { GeneralJWSInput, GeneralVerifyResult, FlattenedJWSInput, GetKeyFunction, JWSHeaderParameters, KeyLike, VerifyOptions, ResolvedKey } from '../../types';
/**
* Interface for General JWS Verification dynamic key resolution.
* No token components have been verified at the time of this function call.
*
* See [createRemoteJWKSet](../functions/jwks_remote.createRemoteJWKSet.md#function-createremotejwkset)
* to verify using a remote JSON Web Key Set.
*/
export interface GeneralVerifyGetKey extends GetKeyFunction<JWSHeaderParameters, FlattenedJWSInput> {
}
/**
* Verifies the signature and format of and afterwards decodes the General JWS.
*
* @param jws General JWS.
* @param key Key to verify the JWS with.
* @param options JWS Verify options.
*
* @example Usage
* ```js
* const jws = {
* payload: 'SXTigJlzIGEgZGFuZ2Vyb3VzIGJ1c2luZXNzLCBGcm9kbywgZ29pbmcgb3V0IHlvdXIgZG9vci4',
* signatures: [
* {
* signature: 'FVVOXwj6kD3DqdfD9yYqfT2W9jv-Nop4kOehp_DeDGNB5dQNSPRvntBY6xH3uxlCxE8na9d_kyhYOcanpDJ0EA',
* protected: 'eyJhbGciOiJFUzI1NiJ9'
* }
* ]
* }
*
* const { payload, protectedHeader } = await jose.generalVerify(jws, publicKey)
*
* console.log(protectedHeader)
* console.log(new TextDecoder().decode(payload))
* ```
*/
export declare function generalVerify(jws: GeneralJWSInput, key: KeyLike | Uint8Array, options?: VerifyOptions): Promise<GeneralVerifyResult>;
/**
* @param jws General JWS.
* @param getKey Function resolving a key to verify the JWS with.
* @param options JWS Verify options.
*/
export declare function generalVerify(jws: GeneralJWSInput, getKey: GeneralVerifyGetKey, options?: VerifyOptions): Promise<GeneralVerifyResult & ResolvedKey>;

32

dist/types/jwt/decrypt.d.ts
import type { KeyLike, DecryptOptions, JWTClaimVerificationOptions, GetKeyFunction, CompactJWEHeaderParameters, FlattenedJWE, JWTDecryptResult, ResolvedKey } from '../types';
/**
* Combination of JWE Decryption options and JWT Claims Set verification options.
*/
export interface JWTDecryptOptions extends DecryptOptions, JWTClaimVerificationOptions {
}
/**
* Interface for JWT Decryption dynamic key resolution.
* No token components have been verified at the time of this function call.
*/
export interface JWTDecryptGetKey extends GetKeyFunction<CompactJWEHeaderParameters, FlattenedJWE> {
}
/**
* Verifies the JWT format (to be a JWE Compact format), decrypts the ciphertext, validates the JWT Claims Set.
*
* @param jwt JSON Web Token value (encoded as JWE).
* @param key Private Key or Secret to decrypt and verify the JWT with.
* @param options JWT Decryption and JWT Claims Set validation options.
*
* @example Usage
* ```js
* const jwt = 'eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..KVcNLqK-3-8ZkYIC.xSwF4VxO0kUMUD2W-cifsNUxnr-swyBq-nADBptyt6y9n79-iNc5b0AALJpRwc0wwDkJw8hNOMjApNUTMsK9b-asToZ3DXFMvwfJ6n1aWefvd7RsoZ2LInWFfVAuttJDzoGB.uuexQoWHwrLMEYRElT8pBQ'
*
* const { payload, protectedHeader } = await jose.jwtDecrypt(jwt, secretKey, {
* issuer: 'urn:example:issuer',
* audience: 'urn:example:audience'
* })
*
* console.log(protectedHeader)
* console.log(payload)
* ```
*/
export declare function jwtDecrypt(jwt: string | Uint8Array, key: KeyLike | Uint8Array, options?: JWTDecryptOptions): Promise<JWTDecryptResult>;
/**
* @param jwt JSON Web Token value (encoded as JWE).
* @param getKey Function resolving Private Key or Secret to decrypt and verify the JWT with.
* @param options JWT Decryption and JWT Claims Set validation options.
*/
export declare function jwtDecrypt(jwt: string | Uint8Array, getKey: JWTDecryptGetKey, options?: JWTDecryptOptions): Promise<JWTDecryptResult & ResolvedKey>;

68

dist/types/jwt/encrypt.d.ts
import type { EncryptOptions, CompactJWEHeaderParameters, JWEKeyManagementHeaderParameters, KeyLike } from '../types';
import { ProduceJWT } from './produce';
/**
* The EncryptJWT class is a utility for creating Compact JWE formatted JWT strings.
*
* @example Usage
* ```js
* const jwt = await new jose.EncryptJWT({ 'urn:example:claim': true })
* .setProtectedHeader({ alg: 'dir', enc: 'A256GCM' })
* .setIssuedAt()
* .setIssuer('urn:example:issuer')
* .setAudience('urn:example:audience')
* .setExpirationTime('2h')
* .encrypt(secretKey)
*
* console.log(jwt)
* ```
*/
export declare class EncryptJWT extends ProduceJWT {

@@ -11,10 +27,62 @@ private _cek;

private _replicateAudienceAsHeader;
/**
* Sets the JWE Protected Header on the EncryptJWT object.
*
* @param protectedHeader JWE Protected Header.
* Must contain an "alg" (JWE Algorithm) and "enc" (JWE
* Encryption Algorithm) properties.
*/
setProtectedHeader(protectedHeader: CompactJWEHeaderParameters): this;
/**
* Sets the JWE Key Management parameters to be used when encrypting.
* Use of this is method is really only needed for ECDH based algorithms
* when utilizing the Agreement PartyUInfo or Agreement PartyVInfo parameters.
* Other parameters will always be randomly generated when needed and missing.
*
* @param parameters JWE Key Management parameters.
*/
setKeyManagementParameters(parameters: JWEKeyManagementHeaderParameters): this;
/**
* Sets a content encryption key to use, by default a random suitable one
* is generated for the JWE enc" (Encryption Algorithm) Header Parameter.
*
* @param cek JWE Content Encryption Key.
*
* @deprecated You should not use this method. It is only really intended
* for test and vector validation purposes.
*/
setContentEncryptionKey(cek: Uint8Array): this;
/**
* Sets the JWE Initialization Vector to use for content encryption, by default
* a random suitable one is generated for the JWE enc" (Encryption Algorithm)
* Header Parameter.
*
* @param iv JWE Initialization Vector.
*
* @deprecated You should not use this method. It is only really intended
* for test and vector validation purposes.
*/
setInitializationVector(iv: Uint8Array): this;
/**
* Replicates the "iss" (Issuer) Claim as a JWE Protected Header Parameter as per
* [RFC7519#section-5.3](https://www.rfc-editor.org/rfc/rfc7519#section-5.3).
*/
replicateIssuerAsHeader(): this;
/**
* Replicates the "sub" (Subject) Claim as a JWE Protected Header Parameter as per
* [RFC7519#section-5.3](https://www.rfc-editor.org/rfc/rfc7519#section-5.3).
*/
replicateSubjectAsHeader(): this;
/**
* Replicates the "aud" (Audience) Claim as a JWE Protected Header Parameter as per
* [RFC7519#section-5.3](https://www.rfc-editor.org/rfc/rfc7519#section-5.3).
*/
replicateAudienceAsHeader(): this;
/**
* Encrypts and returns the JWT.
*
* @param key Public Key or Secret to encrypt the JWT with.
* @param options JWE Encryption options.
*/
encrypt(key: KeyLike | Uint8Array, options?: EncryptOptions): Promise<string>;
}

46

dist/types/jwt/produce.d.ts
import type { JWTPayload } from '../types';
/**
* Generic class for JWT producing.
*/
export declare class ProduceJWT {
protected _payload: JWTPayload;
/**
* @param payload The JWT Claims Set object.
*/
constructor(payload: JWTPayload);
/**
* Set "iss" (Issuer) Claim.
*
* @param issuer "Issuer" Claim value to set on the JWT Claims Set.
*/
setIssuer(issuer: string): this;
/**
* Set "sub" (Subject) Claim.
*
* @param subject "sub" (Subject) Claim value to set on the JWT Claims Set.
*/
setSubject(subject: string): this;
/**
* Set "aud" (Audience) Claim.
*
* @param audience "aud" (Audience) Claim value to set on the JWT Claims Set.
*/
setAudience(audience: string | string[]): this;
/**
* Set "jti" (JWT ID) Claim.
*
* @param jwtId "jti" (JWT ID) Claim value to set on the JWT Claims Set.
*/
setJti(jwtId: string): this;
/**
* Set "nbf" (Not Before) Claim.
*
* @param input "nbf" (Not Before) Claim value to set on the JWT Claims Set.
* When number is passed that is used as a value, when string is passed
* it is resolved to a time span and added to the current timestamp.
*/
setNotBefore(input: number | string): this;
/**
* Set "exp" (Expiration Time) Claim.
*
* @param input "exp" (Expiration Time) Claim value to set on the JWT Claims Set.
* When number is passed that is used as a value, when string is passed
* it is resolved to a time span and added to the current timestamp.
*/
setExpirationTime(input: number | string): this;
/**
* Set "iat" (Issued At) Claim.
*
* @param input "iat" (Issued At) Claim value to set on the JWT Claims Set.
* Default is current timestamp.
*/
setIssuedAt(input?: number): this;
}

28

dist/types/jwt/sign.d.ts
import type { JWTHeaderParameters, KeyLike, SignOptions } from '../types';
import { ProduceJWT } from './produce';
/**
* The SignJWT class is a utility for creating Compact JWS formatted JWT strings.
*
* @example Usage
* ```js
* const jwt = await new jose.SignJWT({ 'urn:example:claim': true })
* .setProtectedHeader({ alg: 'ES256' })
* .setIssuedAt()
* .setIssuer('urn:example:issuer')
* .setAudience('urn:example:audience')
* .setExpirationTime('2h')
* .sign(privateKey)
*
* console.log(jwt)
* ```
*/
export declare class SignJWT extends ProduceJWT {
private _protectedHeader;
/**
* Sets the JWS Protected Header on the SignJWT object.
*
* @param protectedHeader JWS Protected Header.
* Must contain an "alg" (JWS Algorithm) property.
*/
setProtectedHeader(protectedHeader: JWTHeaderParameters): this;
/**
* Signs and returns the JWT.
*
* @param key Private Key or Secret to sign the JWT with.
* @param options JWT Sign options.
*/
sign(key: KeyLike | Uint8Array, options?: SignOptions): Promise<string>;
}

34

dist/types/jwt/unsecured.d.ts

@@ -7,5 +7,39 @@ import type { JWSHeaderParameters, JWTClaimVerificationOptions, JWTPayload } from '../types';

}
/**
* The UnsecuredJWT class is a utility for dealing with `{ "alg": "none" }` Unsecured JWTs.
*
* @example Encoding
* ```js
* const unsecuredJwt = new jose.UnsecuredJWT({ 'urn:example:claim': true })
* .setIssuedAt()
* .setIssuer('urn:example:issuer')
* .setAudience('urn:example:audience')
* .setExpirationTime('2h')
* .encode()
*
* console.log(unsecuredJwt)
* ```
*
* @example Decoding
* ```js
* const payload = jose.UnsecuredJWT.decode(jwt, {
* issuer: 'urn:example:issuer',
* audience: 'urn:example:audience'
* })
*
* console.log(payload)
* ```
*/
export declare class UnsecuredJWT extends ProduceJWT {
/**
* Encodes the Unsecured JWT.
*/
encode(): string;
/**
* Decodes an unsecured JWT.
*
* @param jwt Unsecured JWT to decode the payload of.
* @param options JWT Claims Set validation options.
*/
static decode(jwt: string, options?: JWTClaimVerificationOptions): UnsecuredResult;
}

35

dist/types/jwt/verify.d.ts
import type { KeyLike, VerifyOptions, JWTClaimVerificationOptions, JWTHeaderParameters, GetKeyFunction, FlattenedJWSInput, JWTVerifyResult, ResolvedKey } from '../types';
/**
* Combination of JWS Verification options and JWT Claims Set verification options.
*/
export interface JWTVerifyOptions extends VerifyOptions, JWTClaimVerificationOptions {
}
/**
* Interface for JWT Verification dynamic key resolution.
* No token components have been verified at the time of this function call.
*
* See [createRemoteJWKSet](../functions/jwks_remote.createRemoteJWKSet.md#function-createremotejwkset)
* to verify using a remote JSON Web Key Set.
*/
export interface JWTVerifyGetKey extends GetKeyFunction<JWTHeaderParameters, FlattenedJWSInput> {
}
/**
* Verifies the JWT format (to be a JWS Compact format), verifies the JWS signature, validates the JWT Claims Set.
*
* @param jwt JSON Web Token value (encoded as JWS).
* @param key Key to verify the JWT with.
* @param options JWT Decryption and JWT Claims Set validation options.
*
* @example Usage
* ```js
* const jwt = 'eyJhbGciOiJFUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjA0MzE1MDc0LCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.hx1nOfAT5LlXuzu8O-bhjXBGpklWDt2EsHw7-MDn49NrnwvVsstNhEnkW2ddauB7eSikFtUNeumLpFI9CWDBsg'
*
* const { payload, protectedHeader } = await jose.jwtVerify(jwt, publicKey, {
* issuer: 'urn:example:issuer',
* audience: 'urn:example:audience'
* })
*
* console.log(protectedHeader)
* console.log(payload)
* ```
*/
export declare function jwtVerify(jwt: string | Uint8Array, key: KeyLike | Uint8Array, options?: JWTVerifyOptions): Promise<JWTVerifyResult>;
/**
* @param jwt JSON Web Token value (encoded as JWS).
* @param getKey Function resolving a key to verify the JWT with.
* @param options JWT Decryption and JWT Claims Set validation options.
*/
export declare function jwtVerify(jwt: string | Uint8Array, getKey: JWTVerifyGetKey, options?: JWTVerifyOptions): Promise<JWTVerifyResult & ResolvedKey>;

38

dist/types/key/export.d.ts
import type { JWK, KeyLike } from '../types';
/**
* Exports a runtime-specific public key representation (KeyObject or CryptoKey) to an PEM-encoded SPKI string format.
*
* @param key Key representation to transform to an PEM-encoded SPKI string format.
*
* @example Usage
* ```js
* const spkiPem = await jose.exportSPKI(publicKey)
*
* console.log(spkiPem)
* ```
*/
export declare function exportSPKI(key: KeyLike): Promise<string>;
/**
* Exports a runtime-specific private key representation (KeyObject or CryptoKey) to an PEM-encoded PKCS8 string format.
*
* @param key Key representation to transform to an PEM-encoded PKCS8 string format.
*
* @example Usage
* ```js
* const pkcs8Pem = await jose.exportPKCS8(privateKey)
*
* console.log(pkcs8Pem)
* ```
*/
export declare function exportPKCS8(key: KeyLike): Promise<string>;
/**
* Exports a runtime-specific key representation (KeyLike) to a JWK.
*
* @param key Key representation to export as JWK.
*
* @example Usage
* ```js
* const privateJwk = await jose.exportJWK(privateKey)
* const publicJwk = await jose.exportJWK(publicKey)
*
* console.log(privateJwk)
* console.log(publicJwk)
* ```
*/
export declare function exportJWK(key: KeyLike | Uint8Array): Promise<JWK>;

38

dist/types/key/generate_key_pair.d.ts
import type { KeyLike } from '../types';
export interface GenerateKeyPairResult {
/**
* The generated Private Key.
*/
privateKey: KeyLike;
/**
* Public Key corresponding to the generated Private Key.
*/
publicKey: KeyLike;
}
export interface GenerateKeyPairOptions {
/**
* The EC "crv" (Curve) or OKP "crv" (Subtype of Key Pair) value to generate.
* The curve must be both supported on the runtime as well as applicable for
* the given JWA algorithm identifier.
*/
crv?: string;
/**
* A hint for RSA algorithms to generate an RSA key of a given `modulusLength`
* (Key size in bits). JOSE requires 2048 bits or larger. Default is 2048.
*/
modulusLength?: number;
/**
* (Web Cryptography API specific) The value to use as
* [SubtleCrypto.generateKey()](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey)
* `extractable` argument. Default is false.
*/
extractable?: boolean;
}
/**
* Generates a private and a public key for a given JWA algorithm identifier.
* This can only generate asymmetric key pairs. For symmetric secrets use the
* `generateSecret` function.
*
* Note: Under Web Cryptography API runtime the `privateKey` is generated with
* `extractable` set to `false` by default.
*
* @param alg JWA Algorithm Identifier to be used with the generated key pair.
* @param options Additional options passed down to the key pair generation.
*
* @example Usage
* ```js
* const { publicKey, privateKey } = await jose.generateKeyPair('PS256')
* console.log(publicKey)
* console.log(privateKey)
* ```
*/
export declare function generateKeyPair(alg: string, options?: GenerateKeyPairOptions): Promise<GenerateKeyPairResult>;

20

dist/types/key/generate_secret.d.ts
import type { KeyLike } from '../types';
export interface GenerateSecretOptions {
/**
* (Web Cryptography API specific) The value to use as
* [SubtleCrypto.generateKey()](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/generateKey)
* `extractable` argument. Default is false.
*/
extractable?: boolean;
}
/**
* Generates a symmetric secret key for a given JWA algorithm identifier.
*
* Note: Under Web Cryptography API runtime the secret key is generated with
* `extractable` set to `false` by default.
*
* @example Usage
* ```js
* const secret = await jose.generateSecret('HS256')
* console.log(secret)
* ```
*
* @param alg JWA Algorithm Identifier to be used with the generated secret.
* @param options Additional options passed down to the secret generation.
*/
export declare function generateSecret(alg: string, options?: GenerateSecretOptions): Promise<KeyLike | Uint8Array>;

96

dist/types/key/import.d.ts
import type { JWK, KeyLike } from '../types';
export interface PEMImportOptions {
/**
* (Web Cryptography API specific) The value to use as
* [SubtleCrypto.importKey()](https://developer.mozilla.org/en-US/docs/Web/API/SubtleCrypto/importKey)
* `extractable` argument. Default is false.
*/
extractable?: boolean;
}
/**
* Imports an PEM-encoded SPKI string as a runtime-specific public key representation (KeyObject or CryptoKey).
* See [Algorithm Key Requirements](https://github.com/panva/jose/issues/210) to learn about key to algorithm
* requirements and mapping.
*
* @param pem PEM-encoded SPKI string
* @param alg JSON Web Algorithm identifier to be used with the imported key.
*
* @example Usage
* ```js
* const algorithm = 'ES256'
* const spki = `-----BEGIN PUBLIC KEY-----
* MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEFlHHWfLk0gLBbsLTcuCrbCqoHqmM
* YJepMC+Q+Dd6RBmBiA41evUsNMwLeN+PNFqib+xwi9JkJ8qhZkq8Y/IzGg==
* -----END PUBLIC KEY-----`
* const ecPublicKey = await jose.importSPKI(spki, algorithm)
* ```
*/
export declare function importSPKI(spki: string, alg: string, options?: PEMImportOptions): Promise<KeyLike>;
/**
* Imports the SPKI from an X.509 string certificate as a runtime-specific public key representation (KeyObject or CryptoKey).
* See [Algorithm Key Requirements](https://github.com/panva/jose/issues/210) to learn about key to algorithm
* requirements and mapping.
*
* @param pem X.509 certificate string
* @param alg JSON Web Algorithm identifier to be used with the imported key.
*
* @example Usage
* ```js
* const algorithm = 'ES256'
* const x509 = `-----BEGIN CERTIFICATE-----
* MIIBXjCCAQSgAwIBAgIGAXvykuMKMAoGCCqGSM49BAMCMDYxNDAyBgNVBAMMK3Np
* QXBNOXpBdk1VaXhXVWVGaGtjZXg1NjJRRzFyQUhXaV96UlFQTVpQaG8wHhcNMjEw
* OTE3MDcwNTE3WhcNMjIwNzE0MDcwNTE3WjA2MTQwMgYDVQQDDCtzaUFwTTl6QXZN
* VWl4V1VlRmhrY2V4NTYyUUcxckFIV2lfelJRUE1aUGhvMFkwEwYHKoZIzj0CAQYI
* KoZIzj0DAQcDQgAE8PbPvCv5D5xBFHEZlBp/q5OEUymq7RIgWIi7tkl9aGSpYE35
* UH+kBKDnphJO3odpPZ5gvgKs2nwRWcrDnUjYLDAKBggqhkjOPQQDAgNIADBFAiEA
* 1yyMTRe66MhEXID9+uVub7woMkNYd0LhSHwKSPMUUTkCIFQGsfm1ecXOpeGOufAh
* v+A1QWZMuTWqYt+uh/YSRNDn
* -----END CERTIFICATE-----`
* const ecPublicKey = await jose.importX509(x509, algorithm)
* ```
*/
export declare function importX509(x509: string, alg: string, options?: PEMImportOptions): Promise<KeyLike>;
/**
* Imports an PEM-encoded PKCS8 string as a runtime-specific private key representation (KeyObject or CryptoKey).
* See [Algorithm Key Requirements](https://github.com/panva/jose/issues/210) to learn about key to algorithm
* requirements and mapping. Encrypted keys are not supported.
*
* @param pem PEM-encoded PKCS8 string
* @param alg JSON Web Algorithm identifier to be used with the imported key.
*
* @example Usage
* ```js
* const algorithm = 'ES256'
* const pkcs8 = `-----BEGIN PRIVATE KEY-----
* MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgiyvo0X+VQ0yIrOaN
* nlrnUclopnvuuMfoc8HHly3505OhRANCAAQWUcdZ8uTSAsFuwtNy4KtsKqgeqYxg
* l6kwL5D4N3pEGYGIDjV69Sw0zAt43480WqJv7HCL0mQnyqFmSrxj8jMa
* -----END PRIVATE KEY-----`
* const ecPrivateKey = await jose.importPKCS8(pkcs8, algorithm)
* ```
*/
export declare function importPKCS8(pkcs8: string, alg: string, options?: PEMImportOptions): Promise<KeyLike>;
/**
* Imports a JWK to a runtime-specific key representation (KeyLike). Either
* JWK "alg" (Algorithm) Parameter must be present or the optional "alg" argument. When
* running on a runtime using [Web Cryptography API](https://www.w3.org/TR/WebCryptoAPI/)
* the jwk parameters "use", "key_ops", and "ext" are also used in the resulting `CryptoKey`.
* See [Algorithm Key Requirements](https://github.com/panva/jose/issues/210) to learn about key to algorithm
* requirements and mapping.
*
* @param jwk JSON Web Key.
* @param alg JSON Web Algorithm identifier to be used with the imported key.
* Default is the "alg" property on the JWK.
* @param octAsKeyObject Forces a symmetric key to be imported to a KeyObject or
* CryptoKey. Default is true unless JWK "ext" (Extractable) is true.
*
* @example Usage
* ```js
* const ecPublicKey = await jose.importJWK({
* crv: 'P-256',
* kty: 'EC',
* x: 'ySK38C1jBdLwDsNWKzzBHqKYEE5Cgv-qjWvorUXk9fw',
* y: '_LeQBw07cf5t57Iavn4j-BqJsAD1dpoz8gokd3sBsOo'
* }, 'ES256')
*
* const rsaPublicKey = await jose.importJWK({
* kty: 'RSA',
* e: 'AQAB',
* n: '12oBZRhCiZFJLcPg59LkZZ9mdhSMTKAQZYq32k_ti5SBB6jerkh-WzOMAO664r_qyLkqHUSp3u5SbXtseZEpN3XPWGKSxjsy-1JyEFTdLSYe6f9gfrmxkUF_7DTpq0gn6rntP05g2-wFW50YO7mosfdslfrTJYWHFhJALabAeYirYD7-9kqq9ebfFMF4sRRELbv9oi36As6Q9B3Qb5_C1rAzqfao_PCsf9EPsTZsVVVkA5qoIAr47lo1ipfiBPxUCCNSdvkmDTYgvvRm6ZoMjFbvOtgyts55fXKdMWv7I9HMD5HwE9uW839PWA514qhbcIsXEYSFMPMV6fnlsiZvQQ'
* }, 'PS256')
* ```
*/
export declare function importJWK(jwk: JWK, alg?: string, octAsKeyObject?: boolean): Promise<KeyLike | Uint8Array>;

501

dist/types/types.d.ts

@@ -90,3 +90,11 @@ /**

export type KeyLike = { type: string }
/**
* JSON Web Key ([JWK](https://www.rfc-editor.org/rfc/rfc7517)).
* "RSA", "EC", "OKP", and "oct" key types are supported.
*/
export interface JWK {
/**
* JWK "alg" (Algorithm) Parameter.
*/
alg?: string

@@ -98,6 +106,18 @@ crv?: string

e?: string
/**
* JWK "ext" (Extractable) Parameter.
*/
ext?: boolean
k?: string
/**
* JWK "key_ops" (Key Operations) Parameter.
*/
key_ops?: string[]
/**
* JWK "kid" (Key ID) Parameter.
*/
kid?: string
/**
* JWK "kty" (Key Type) Parameter.
*/
kty?: string

@@ -113,24 +133,102 @@ n?: string

qi?: string
/**
* JWK "use" (Public Key Use) Parameter.
*/
use?: string
x?: string
y?: string
/**
* JWK "x5c" (X.509 Certificate Chain) Parameter.
*/
x5c?: string[]
/**
* JWK "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter.
*/
x5t?: string
/**
* "x5t#S256" (X.509 Certificate SHA-256 Thumbprint) Parameter.
*/
'x5t#S256'?: string
/**
* JWK "x5u" (X.509 URL) Parameter.
*/
x5u?: string
[propName: string]: unknown
}
/**
* Generic Interface for consuming operations dynamic key resolution.
* No token components have been verified at the time of this function call.
*
* If you cannot match a key suitable for the token, throw an error instead.
*
* @param protectedHeader JWE or JWS Protected Header.
* @param token The consumed JWE or JWS token.
*/
export interface GetKeyFunction<T, T2> {
(protectedHeader: T, token: T2): Promise<KeyLike | Uint8Array> | KeyLike | Uint8Array
}
/**
* Flattened JWS definition for verify function inputs, allows payload as
* Uint8Array for detached signature validation.
*/
export interface FlattenedJWSInput {
/**
* The "header" member MUST be present and contain the value JWS
* Unprotected Header when the JWS Unprotected Header value is non-
* empty; otherwise, it MUST be absent. This value is represented as
* an unencoded JSON object, rather than as a string. These Header
* Parameter values are not integrity protected.
*/
header?: JWSHeaderParameters
/**
* The "payload" member MUST be present and contain the value
* BASE64URL(JWS Payload). When RFC7797 "b64": false is used
* the value passed may also be a Uint8Array.
*/
payload: string | Uint8Array
/**
* The "protected" member MUST be present and contain the value
* BASE64URL(UTF8(JWS Protected Header)) when the JWS Protected
* Header value is non-empty; otherwise, it MUST be absent. These
* Header Parameter values are integrity protected.
*/
protected?: string
/**
* The "signature" member MUST be present and contain the value
* BASE64URL(JWS Signature).
*/
signature: string
}
/**
* General JWS definition for verify function inputs, allows payload as
* Uint8Array for detached signature validation.
*/
export interface GeneralJWSInput {
/**
* The "payload" member MUST be present and contain the value
* BASE64URL(JWS Payload). When RFC7797 "b64": false is used
* the value passed may also be a Uint8Array.
*/
payload: string | Uint8Array
/**
* The "signatures" member value MUST be an array of JSON objects.
* Each object represents a signature or MAC over the JWS Payload and
* the JWS Protected Header.
*/
signatures: Omit<FlattenedJWSInput, 'payload'>[]
}
/**
* Flattened JWS definition. Payload is returned as an empty
* string when JWS Unencoded Payload Option
* [RFC7797](https://www.rfc-editor.org/rfc/rfc7797) is used.
*/
export interface FlattenedJWS extends Partial<FlattenedJWSInput> {

@@ -140,2 +238,8 @@ payload: string

}
/**
* General JWS definition. Payload is returned as an empty
* string when JWS Unencoded Payload Option
* [RFC7797](https://www.rfc-editor.org/rfc/rfc7797) is used.
*/
export interface GeneralJWS {

@@ -145,47 +249,229 @@ payload: string

}
export interface JoseHeaderParameters {
/**
* "kid" (Key ID) Header Parameter.
*/
kid?: string
/**
* "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter.
*/
x5t?: string
/**
* "x5c" (X.509 Certificate Chain) Header Parameter.
*/
x5c?: string[]
/**
* "x5u" (X.509 URL) Header Parameter.
*/
x5u?: string
/**
* "jku" (JWK Set URL) Header Parameter.
*/
jku?: string
/**
* "jwk" (JSON Web Key) Header Parameter.
*/
jwk?: Pick<JWK, 'kty' | 'crv' | 'x' | 'y' | 'e' | 'n'>
/**
* "typ" (Type) Header Parameter.
*/
typ?: string
/**
* "cty" (Content Type) Header Parameter.
*/
cty?: string
}
/**
* Recognized JWS Header Parameters, any other Header Members
* may also be present.
*/
export interface JWSHeaderParameters extends JoseHeaderParameters {
/**
* JWS "alg" (Algorithm) Header Parameter.
*/
alg?: string
/**
* This JWS Extension Header Parameter modifies the JWS Payload
* representation and the JWS Signing Input computation as per
* [RFC7797](https://www.rfc-editor.org/rfc/rfc7797).
*/
b64?: boolean
/**
* JWS "crit" (Critical) Header Parameter.
*/
crit?: string[]
/**
* Any other JWS Header member.
*/
[propName: string]: unknown
}
/**
* Recognized JWE Key Management-related Header Parameters.
*/
export interface JWEKeyManagementHeaderParameters {
apu?: Uint8Array
apv?: Uint8Array
epk?: KeyLike
iv?: Uint8Array
/**
* @deprecated You should not use this parameter. It is only really intended
* for test and vector validation purposes.
*/
p2c?: number
/**
* @deprecated You should not use this parameter. It is only really intended
* for test and vector validation purposes.
*/
p2s?: Uint8Array
/**
* @deprecated You should not use this parameter. It is only really intended
* for test and vector validation purposes.
*/
iv?: Uint8Array
/**
* @deprecated You should not use this parameter. It is only really intended
* for test and vector validation purposes.
*/
epk?: KeyLike
}
/**
* Flattened JWE definition.
*/
export interface FlattenedJWE {
/**
* The "aad" member MUST be present and contain the value
* BASE64URL(JWE AAD)) when the JWE AAD value is non-empty;
* otherwise, it MUST be absent. A JWE AAD value can be included to
* supply a base64url-encoded value to be integrity protected but not
* encrypted.
*/
aad?: string
/**
* The "ciphertext" member MUST be present and contain the value
* BASE64URL(JWE Ciphertext).
*/
ciphertext: string
/**
* The "encrypted_key" member MUST be present and contain the value
* BASE64URL(JWE Encrypted Key) when the JWE Encrypted Key value is
* non-empty; otherwise, it MUST be absent.
*/
encrypted_key?: string
/**
* The "header" member MUST be present and contain the value JWE Per-
* Recipient Unprotected Header when the JWE Per-Recipient
* Unprotected Header value is non-empty; otherwise, it MUST be
* absent. This value is represented as an unencoded JSON object,
* rather than as a string. These Header Parameter values are not
* integrity protected.
*/
header?: JWEHeaderParameters
/**
* The "iv" member MUST be present and contain the value
* BASE64URL(JWE Initialization Vector) when the JWE Initialization
* Vector value is non-empty; otherwise, it MUST be absent.
*/
iv: string
/**
* The "protected" member MUST be present and contain the value
* BASE64URL(UTF8(JWE Protected Header)) when the JWE Protected
* Header value is non-empty; otherwise, it MUST be absent. These
* Header Parameter values are integrity protected.
*/
protected?: string
/**
* The "tag" member MUST be present and contain the value
* BASE64URL(JWE Authentication Tag) when the JWE Authentication Tag
* value is non-empty; otherwise, it MUST be absent.
*/
tag: string
/**
* The "unprotected" member MUST be present and contain the value JWE
* Shared Unprotected Header when the JWE Shared Unprotected Header
* value is non-empty; otherwise, it MUST be absent. This value is
* represented as an unencoded JSON object, rather than as a string.
* These Header Parameter values are not integrity protected.
*/
unprotected?: JWEHeaderParameters
}
export interface GeneralJWE extends Omit<FlattenedJWE, 'encrypted_key' | 'header'> {
recipients: Pick<FlattenedJWE, 'encrypted_key' | 'header'>[]
}
/**
* Recognized JWE Header Parameters, any other Header members
* may also be present.
*/
export interface JWEHeaderParameters extends JoseHeaderParameters {
/**
* JWE "alg" (Algorithm) Header Parameter.
*/
alg?: string
/**
* JWE "enc" (Encryption Algorithm) Header Parameter.
*/
enc?: string
/**
* JWE "crit" (Critical) Header Parameter.
*/
crit?: string[]
/**
* JWE "zip" (Compression Algorithm) Header Parameter.
*/
zip?: string
/**
* Any other JWE Header member.
*/
[propName: string]: unknown
}
/**
* Shared Interface with a "crit" property for all sign, verify, encrypt and decrypt
* operations.
*/
export interface CritOption {
/**
* An object with keys representing recognized "crit" (Critical) Header Parameter
* names. The value for those is either `true` or `false`. `true` when the
* Header Parameter MUST be integrity protected, `false` when it's irrelevant.
*
* This makes the "Extension Header Parameter "${parameter}" is not recognized"
* error go away.
*
* Use this when a given JWS/JWT/JWE profile requires the use of proprietary
* non-registered "crit" (Critical) Header Parameters. This will only make sure
* the Header Parameter is syntactically correct when provided and that it is
* optionally integrity protected. It will not process the Header Parameter in
* any way or reject the operation if it is missing. You MUST still
* verify the Header Parameter was present and process it according to the
* profile's validation steps after the operation succeeds.
*
* The JWS extension Header Parameter `b64` is always recognized and processed
* properly. No other registered Header Parameters that need this kind of
* default built-in treatment are currently available.
*/
crit?: {

@@ -195,79 +481,286 @@ [propName: string]: boolean

}
/**
* JWE Decryption options.
*/
export interface DecryptOptions extends CritOption {
/**
* A list of accepted JWE "alg" (Algorithm) Header Parameter values.
*/
keyManagementAlgorithms?: string[]
/**
* A list of accepted JWE "enc" (Encryption Algorithm) Header Parameter values.
* By default all "enc" (Encryption Algorithm) values applicable for the used
* key/secret are allowed.
*/
contentEncryptionAlgorithms?: string[]
/**
* In a browser runtime you have to provide an implementation for Inflate Raw
* when you expect JWEs with compressed plaintext.
*/
inflateRaw?: InflateFunction
}
/**
* JWE Deflate option.
*/
export interface DeflateOption {
/**
* In a browser runtime you have to provide an implementation for Deflate Raw
* when you will be producing JWEs with compressed plaintext.
*/
deflateRaw?: DeflateFunction
}
/**
* JWE Encryption options.
*/
export interface EncryptOptions extends CritOption, DeflateOption {}
/**
* JWT Claims Set verification options.
*/
export interface JWTClaimVerificationOptions {
/**
* Expected JWT "aud" (Audience) Claim value(s).
*/
audience?: string | string[]
/**
* Expected clock tolerance
* - in seconds when number (e.g. 5)
* - parsed as seconds when a string (e.g. "5 seconds", "10 minutes", "2 hours").
*/
clockTolerance?: string | number
/**
* Expected JWT "iss" (Issuer) Claim value(s).
*/
issuer?: string | string[]
/**
* Maximum time elapsed (in seconds) from the JWT "iat" (Issued At) Claim value.
* - in seconds when number (e.g. 5)
* - parsed as seconds when a string (e.g. "5 seconds", "10 minutes", "2 hours").
*/
maxTokenAge?: string | number
/**
* Expected JWT "sub" (Subject) Claim value.
*/
subject?: string
/**
* Expected JWT "typ" (Type) Header Parameter value.
*/
typ?: string
/**
* Date to use when comparing NumericDate claims, defaults to `new Date()`.
*/
currentDate?: Date
}
/**
* JWS Verification options.
*/
export interface VerifyOptions extends CritOption {
/**
* A list of accepted JWS "alg" (Algorithm) Header Parameter values.
* By default all "alg" (Algorithm) values applicable for the used
* key/secret are allowed. Note: "none" is never accepted.
*/
algorithms?: string[]
}
/**
* JWS Signing options.
*/
export interface SignOptions extends CritOption {}
/**
* Recognized JWT Claims Set members, any other members
* may also be present.
*/
export interface JWTPayload {
/**
* JWT Issuer - [RFC7519#section-4.1.1](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.1).
*/
iss?: string
/**
* JWT Subject - [RFC7519#section-4.1.2](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.2).
*/
sub?: string
/**
* JWT Audience [RFC7519#section-4.1.3](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.3).
*/
aud?: string | string[]
/**
* JWT ID - [RFC7519#section-4.1.7](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.7).
*/
jti?: string
/**
* JWT Not Before - [RFC7519#section-4.1.5](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.5).
*/
nbf?: number
/**
* JWT Expiration Time - [RFC7519#section-4.1.4](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.4).
*/
exp?: number
/**
* JWT Issued At - [RFC7519#section-4.1.6](https://www.rfc-editor.org/rfc/rfc7519#section-4.1.6).
*/
iat?: number
/**
* Any other JWT Claim Set member.
*/
[propName: string]: unknown
}
/**
* Deflate Raw implementation, e.g. promisified [zlib.deflateRaw](https://nodejs.org/api/zlib.html#zlib_zlib_deflateraw_buffer_options_callback).
*/
export interface DeflateFunction {
(input: Uint8Array): Promise<Uint8Array>
}
/**
* Inflate Raw implementation, e.g. promisified [zlib.inflateRaw](https://nodejs.org/api/zlib.html#zlib_zlib_inflateraw_buffer_options_callback).
*/
export interface InflateFunction {
(input: Uint8Array): Promise<Uint8Array>
}
export interface FlattenedDecryptResult {
/**
* JWE AAD.
*/
additionalAuthenticatedData?: Uint8Array
/**
* Plaintext.
*/
plaintext: Uint8Array
/**
* JWE Protected Header.
*/
protectedHeader?: JWEHeaderParameters
/**
* JWE Shared Unprotected Header.
*/
sharedUnprotectedHeader?: JWEHeaderParameters
/**
* JWE Per-Recipient Unprotected Header.
*/
unprotectedHeader?: JWEHeaderParameters
}
export interface GeneralDecryptResult extends FlattenedDecryptResult {}
export interface CompactDecryptResult {
/**
* Plaintext.
*/
plaintext: Uint8Array
/**
* JWE Protected Header.
*/
protectedHeader: CompactJWEHeaderParameters
}
export interface FlattenedVerifyResult {
/**
* JWS Payload.
*/
payload: Uint8Array
/**
* JWS Protected Header.
*/
protectedHeader?: JWSHeaderParameters
/**
* JWS Unprotected Header.
*/
unprotectedHeader?: JWSHeaderParameters
}
export interface GeneralVerifyResult extends FlattenedVerifyResult {}
export interface CompactVerifyResult {
/**
* JWS Payload.
*/
payload: Uint8Array
/**
* JWS Protected Header.
*/
protectedHeader: CompactJWSHeaderParameters
}
export interface JWTVerifyResult {
/**
* JWT Claims Set.
*/
payload: JWTPayload
/**
* JWS Protected Header.
*/
protectedHeader: JWTHeaderParameters
}
export interface JWTDecryptResult {
/**
* JWT Claims Set.
*/
payload: JWTPayload
/**
* JWE Protected Header.
*/
protectedHeader: CompactJWEHeaderParameters
}
export interface ResolvedKey {
/**
* Key resolved from the key resolver function.
*/
key: KeyLike | Uint8Array
}
/**
* Recognized Compact JWS Header Parameters, any other Header Members
* may also be present.
*/
export interface CompactJWSHeaderParameters extends JWSHeaderParameters {
alg: string
}
/**
* Recognized Signed JWT Header Parameters, any other Header Members
* may also be present.
*/
export interface JWTHeaderParameters extends CompactJWSHeaderParameters {
b64?: true
}
/**
* Recognized Compact JWE Header Parameters, any other Header Members
* may also be present.
*/
export interface CompactJWEHeaderParameters extends JWEHeaderParameters {

@@ -277,4 +770,8 @@ alg: string

}
/**
* JSON Web Key Set
*/
export interface JSONWebKeySet {
keys: JWK[]
}

10

dist/types/util/base64url.d.ts

@@ -0,4 +1,14 @@

/**
* Utility function to encode a string or Uint8Array as a base64url string.
*
* @param input Value that will be base64url-encoded.
*/
interface Base64UrlEncode {
(input: Uint8Array | string): string;
}
/**
* Utility function to decode a base64url encoded string.
*
* @param input Value that will be base64url-decoded.
*/
interface Base64UrlDecode {

@@ -5,0 +15,0 @@ (input: Uint8Array | string): Uint8Array;

14

dist/types/util/decode_jwt.d.ts
import type { JWTPayload } from '../types';
/**
* Decodes a signed JSON Web Token payload. This does not validate the JWT Claims Set
* types or values. This does not validate the JWS Signature. For a proper
* Signed JWT Claims Set validation and JWS signature verification use `jose.jwtVerify()`.
* For an encrypted JWT Claims Set validation and JWE decryption use `jose.jwtDecrypt()`.
*
* @param jwt JWT token in compact JWS serialization.
*
* @example Usage
* ```js
* const claims = jose.decodeJwt(token)
* console.log(claims)
* ```
*/
export declare function decodeJwt(jwt: string): JWTPayload;

11

dist/types/util/decode_protected_header.d.ts
import type { JWSHeaderParameters, JWEHeaderParameters } from '../types';
export declare type ProtectedHeaderParameters = JWSHeaderParameters & JWEHeaderParameters;
/**
* Decodes the Protected Header of a JWE/JWS/JWT token utilizing any JOSE serialization.
*
* @param token JWE/JWS/JWT token in any JOSE serialization.
*
* @example Usage
* ```js
* const protectedHeader = jose.decodeProtectedHeader(token)
* console.log(protectedHeader)
* ```
*/
export declare function decodeProtectedHeader(token: string | object): ProtectedHeaderParameters;

65

dist/types/util/errors.d.ts

@@ -0,20 +1,51 @@

/**
* A generic Error subclass that all other specific
* JOSE Error subclasses inherit from.
*/
export declare class JOSEError extends Error {
/**
* A unique error code for the particular error subclass.
*/
static get code(): string;
/**
* A unique error code for the particular error subclass.
*/
code: string;
constructor(message?: string);
}
/**
* An error subclass thrown when a JWT Claim Set member validation fails.
*/
export declare class JWTClaimValidationFailed extends JOSEError {
static get code(): 'ERR_JWT_CLAIM_VALIDATION_FAILED';
code: string;
/**
* The Claim for which the validation failed.
*/
claim: string;
/**
* Reason code for the validation failure.
*/
reason: string;
constructor(message: string, claim?: string, reason?: string);
}
/**
* An error subclass thrown when a JWT is expired.
*/
export declare class JWTExpired extends JOSEError implements JWTClaimValidationFailed {
static get code(): 'ERR_JWT_EXPIRED';
code: string;
/**
* The Claim for which the validation failed.
*/
claim: string;
/**
* Reason code for the validation failure.
*/
reason: string;
constructor(message: string, claim?: string, reason?: string);
}
/**
* An error subclass thrown when a JOSE Algorithm is not allowed per developer preference.
*/
export declare class JOSEAlgNotAllowed extends JOSEError {

@@ -24,2 +55,6 @@ static get code(): 'ERR_JOSE_ALG_NOT_ALLOWED';

}
/**
* An error subclass thrown when a particular feature or algorithm is not supported by this
* implementation or JOSE in general.
*/
export declare class JOSENotSupported extends JOSEError {

@@ -29,2 +64,5 @@ static get code(): 'ERR_JOSE_NOT_SUPPORTED';

}
/**
* An error subclass thrown when a JWE ciphertext decryption fails.
*/
export declare class JWEDecryptionFailed extends JOSEError {

@@ -35,2 +73,5 @@ static get code(): 'ERR_JWE_DECRYPTION_FAILED';

}
/**
* An error subclass thrown when a JWE is invalid.
*/
export declare class JWEInvalid extends JOSEError {

@@ -40,2 +81,5 @@ static get code(): 'ERR_JWE_INVALID';

}
/**
* An error subclass thrown when a JWS is invalid.
*/
export declare class JWSInvalid extends JOSEError {

@@ -45,2 +89,5 @@ static get code(): 'ERR_JWS_INVALID';

}
/**
* An error subclass thrown when a JWT is invalid.
*/
export declare class JWTInvalid extends JOSEError {

@@ -50,2 +97,5 @@ static get code(): 'ERR_JWT_INVALID';

}
/**
* An error subclass thrown when a JWK is invalid.
*/
export declare class JWKInvalid extends JOSEError {

@@ -55,2 +105,5 @@ static get code(): 'ERR_JWK_INVALID';

}
/**
* An error subclass thrown when a JWKS is invalid.
*/
export declare class JWKSInvalid extends JOSEError {

@@ -60,2 +113,5 @@ static get code(): 'ERR_JWKS_INVALID';

}
/**
* An error subclass thrown when no keys match from a JWKS.
*/
export declare class JWKSNoMatchingKey extends JOSEError {

@@ -66,2 +122,5 @@ static get code(): 'ERR_JWKS_NO_MATCHING_KEY';

}
/**
* An error subclass thrown when multiple keys match from a JWKS.
*/
export declare class JWKSMultipleMatchingKeys extends JOSEError {

@@ -72,2 +131,5 @@ static get code(): 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';

}
/**
* Timeout was reached when retrieving the JWKS response.
*/
export declare class JWKSTimeout extends JOSEError {

@@ -78,2 +140,5 @@ static get code(): 'ERR_JWKS_TIMEOUT';

}
/**
* An error subclass thrown when JWS signature verification fails.
*/
export declare class JWSSignatureVerificationFailed extends JOSEError {

@@ -80,0 +145,0 @@ static get code(): 'ERR_JWS_SIGNATURE_VERIFICATION_FAILED';

2

package.json
{
"name": "jose-node-esm-runtime",
"version": "4.5.3",
"version": "4.6.0",
"homepage": "https://github.com/panva/jose",

@@ -5,0 +5,0 @@ "repository": "panva/jose",

SocketSocket SOC 2 Logo

Product

  • Package Alerts
  • Integrations
  • Docs
  • Pricing
  • FAQ
  • Roadmap
  • Changelog

About

Packages

npm

Go

Maven

PyPI

Rubygems

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc