
jose - npm Package Compare versions

Comparing version 1.21.1 to 1.22.0

14

CHANGELOG.md

@@ -5,2 +5,16 @@ # Change Log

# [1.22.0](https://github.com/panva/jose/compare/v1.21.1...v1.22.0) (2020-01-29)
### Features
* keystore filtering by JWK Key thumbprint ([a9f6f71](https://github.com/panva/jose/commit/a9f6f7135005d6231d6f42d95c02414139a89d17))
### Performance Improvements
* base64url decode, JWT.verify, JWK.Key instance re-use ([470b4c7](https://github.com/panva/jose/commit/470b4c73154e1fcf8b92726d521940e5e11c9d94))
## [1.21.1](https://github.com/panva/jose/compare/v1.21.0...v1.21.1) (2020-01-25)

@@ -7,0 +21,0 @@

6

lib/help/base64url.js

@@ -9,6 +9,2 @@ const { JOSEInvalidEncoding } = require('../errors')

const toBase64 = (base64url) => {
return base64url.replace(/-/g, '+').replace(/_/g, '/')
}
const encode = (input, encoding = 'utf8') => {

@@ -27,3 +23,3 @@ return fromBase64(Buffer.from(input, encoding).toString('base64'))

return Buffer.from(toBase64(input), 'base64')
return Buffer.from(input, 'base64')
}

@@ -30,0 +26,0 @@
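Review bot: The decode helper in the second hunk now passes base64url text straight to `Buffer.from(input, 'base64')`, which works only because Node's base64 decoder also accepts the URL-safe alphabet, and nothing in the code says so. A comment such as `// Node's 'base64' decoder accepts the RFC 4648 section 5 URL-safe alphabet, so no translation is needed` would keep a later reader from restoring the `replace` calls. The same decoder also tolerates `+`, `/`, padding and whitespace, so non-canonical spellings of a segment decode to the same bytes. If strict base64url input matters for signature or header segments, an explicit character check before decoding is worth considering, and the hunk context shows the file already imports `JOSEInvalidEncoding`. The helper's signature lies outside the hunk.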

@@ -1,2 +0,1 @@

const { strict: assert } = require('assert')
const { createCipheriv, createDecipheriv, getCiphers } = require('crypto')

@@ -64,6 +63,2 @@

const size = parseInt(jwaAlg.substr(1, 3), 10)
assert(!JWA.encrypt.has(jwaAlg), `encrypt alg ${jwaAlg} already registered`)
assert(!JWA.decrypt.has(jwaAlg), `decrypt alg ${jwaAlg} already registered`)
const sign = JWA.sign.get(`HS${size * 2}`)

@@ -70,0 +65,0 @@ if (getCiphers().includes(`aes-${size}-cbc`)) {

@@ -1,3 +0,1 @@

const { strict: assert } = require('assert')
const generateIV = require('../help/generate_iv')

@@ -8,5 +6,2 @@ const base64url = require('../help/base64url')

['A128GCMKW', 'A192GCMKW', 'A256GCMKW'].forEach((jwaAlg) => {
assert(!JWA.keyManagementEncrypt.has(jwaAlg), `keyManagementEncrypt alg ${jwaAlg} already registered`)
assert(!JWA.keyManagementDecrypt.has(jwaAlg), `keyManagementDecrypt alg ${jwaAlg} already registered`)
const encAlg = jwaAlg.substr(0, 7)

@@ -13,0 +8,0 @@ const size = parseInt(jwaAlg.substr(1, 3), 10)

@@ -1,2 +0,1 @@

const { strict: assert } = require('assert')
const { createCipheriv, createDecipheriv, getCiphers } = require('crypto')

@@ -50,6 +49,2 @@

const size = parseInt(jwaAlg.substr(1, 3), 10)
assert(!JWA.encrypt.has(jwaAlg), `encrypt alg ${jwaAlg} already registered`)
assert(!JWA.decrypt.has(jwaAlg), `decrypt alg ${jwaAlg} already registered`)
if (getCiphers().includes(`aes-${size}-gcm`)) {

@@ -56,0 +51,0 @@ JWA.encrypt.set(jwaAlg, encrypt.bind(undefined, size))

@@ -1,2 +0,1 @@

const { strict: assert } = require('assert')
const { createCipheriv, createDecipheriv, getCiphers } = require('crypto')

@@ -94,6 +93,2 @@

const size = parseInt(jwaAlg.substr(1, 3), 10)
assert(!JWA.keyManagementEncrypt.has(jwaAlg), `keyManagementEncrypt alg ${jwaAlg} already registered`)
assert(!JWA.keyManagementDecrypt.has(jwaAlg), `keyManagementDecrypt alg ${jwaAlg} already registered`)
if (getCiphers().includes(`aes${size}`)) {

@@ -100,0 +95,0 @@ JWA.keyManagementEncrypt.set(jwaAlg, wrapKey.bind(undefined, size))

@@ -1,3 +0,1 @@

const { strict: assert } = require('assert')
const { KEYLENGTHS } = require('../../registry')

@@ -26,5 +24,2 @@ const { generateSync } = require('../../jwk/generate')

module.exports = (JWA, JWK) => {
assert(!JWA.keyManagementEncrypt.has('ECDH-ES'), 'keyManagementEncrypt alg ECDH-ES already registered')
assert(!JWA.keyManagementDecrypt.has('ECDH-ES'), 'keyManagementDecrypt alg ECDH-ES already registered')
JWA.keyManagementEncrypt.set('ECDH-ES', wrapKey)

@@ -31,0 +26,0 @@ JWA.keyManagementDecrypt.set('ECDH-ES', unwrapKey)

@@ -1,3 +0,1 @@

const { strict: assert } = require('assert')
const { KEYOBJECT } = require('../../help/consts')

@@ -31,5 +29,2 @@ const { generateSync } = require('../../jwk/generate')

['ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW'].forEach((jwaAlg) => {
assert(!JWA.keyManagementEncrypt.has(jwaAlg), `keyManagementEncrypt alg ${jwaAlg} already registered`)
assert(!JWA.keyManagementDecrypt.has(jwaAlg), `keyManagementDecrypt alg ${jwaAlg} already registered`)
const kw = jwaAlg.substr(-6)

@@ -36,0 +31,0 @@ const kwWrap = JWA.keyManagementEncrypt.get(kw)

@@ -1,2 +0,1 @@

const { strict: assert } = require('assert')
const { sign: signOneShot, verify: verifyOneShot, createSign, createVerify, getCurves } = require('crypto')

@@ -13,10 +12,6 @@

if (dsaEncodingSupported) { // >= 13.2.0
if (dsaEncodingSupported) {
sign = (jwaAlg, nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
return signOneShot(nodeAlg, payload, { key: asInput(keyObject, false), dsaEncoding: 'ieee-p1363' })
}
} else if (signOneShot) { // >= 12.0.0
sign = (jwaAlg, nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
return derToJose(signOneShot(nodeAlg, payload, asInput(keyObject, false)), jwaAlg)
}
} else {

@@ -28,3 +23,3 @@ sign = (jwaAlg, nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {

if (dsaEncodingSupported) { // >= 13.2.0
if (dsaEncodingSupported) {
verify = (jwaAlg, nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {

@@ -37,10 +32,2 @@ try {

}
} else if (verifyOneShot) { // >= 12.0.0
verify = (jwaAlg, nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {
try {
return verifyOneShot(nodeAlg, payload, asInput(keyObject, true), joseToDer(signature, jwaAlg))
} catch (err) {
return false
}
}
} else {

@@ -90,6 +77,2 @@ verify = (jwaAlg, nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {

const nodeAlg = resolveNodeAlg(jwaAlg)
assert(!JWA.sign.has(jwaAlg), `sign alg ${jwaAlg} already registered`)
assert(!JWA.verify.has(jwaAlg), `verify alg ${jwaAlg} already registered`)
JWA.sign.set(jwaAlg, sign.bind(undefined, jwaAlg, nodeAlg))

@@ -96,0 +79,0 @@ JWA.verify.set(jwaAlg, verify.bind(undefined, jwaAlg, nodeAlg))

@@ -1,2 +0,1 @@

const { strict: assert } = require('assert')
const { sign: signOneShot, verify: verifyOneShot } = require('crypto')

@@ -16,5 +15,2 @@

module.exports = (JWA, JWK) => {
assert(!JWA.sign.has('EdDSA'), 'sign alg EdDSA already registered')
assert(!JWA.verify.has('EdDSA'), 'verify alg EdDSA already registered')
if (edDSASupported) {

@@ -21,0 +17,0 @@ JWA.sign.set('EdDSA', sign)

@@ -1,2 +0,1 @@

const { strict: assert } = require('assert')
const { createHmac } = require('crypto')

@@ -27,6 +26,2 @@

const hmacAlg = resolveNodeAlg(jwaAlg)
assert(!JWA.sign.has(jwaAlg), `sign alg ${jwaAlg} already registered`)
assert(!JWA.verify.has(jwaAlg), `verify alg ${jwaAlg} already registered`)
JWA.sign.set(jwaAlg, sign.bind(undefined, jwaAlg, hmacAlg))

@@ -33,0 +28,0 @@ JWA.verify.set(jwaAlg, verify.bind(undefined, jwaAlg, hmacAlg))

@@ -28,3 +28,18 @@ const { JWKKeySupport, JOSENotSupported } = require('../errors')

const map = new WeakMap()
const i = (ctx) => {
if (!map.has(ctx)) {
map.set(ctx, {})
}
return map.get(ctx)
}
const check = (key, op, alg) => {
const cache = i(key)
if (cache[`${op}${alg}`]) {
return true
}
let label

@@ -47,2 +62,4 @@ let keyOp

}
cache[`${op}${alg}`] = true
}

@@ -49,0 +66,0 @@
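Review bot: The per-key memo created in `i()` is a plain `{}` that `check` reads by truthiness with a key built from `op` and `alg`, so the lookup also consults `Object.prototype`. Creating it with `map.set(ctx, Object.create(null))` keeps the early `return true` from being satisfied by an inherited or polluted property. A cache hit also skips every later check for that key and operation, which assumes the key's `use`, `key_ops` and `alg` cannot change after the first successful check. That is not visible here and deserves a one-line comment above the early return. The body of `check` between the two hunks is outside the view.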

@@ -1,14 +0,7 @@

const { strict: assert } = require('assert')
const sign = (key, payload) => Buffer.from('')
const sign = () => Buffer.from('')
const verify = (key, payload, signature) => !signature.length
module.exports = (JWA, JWK) => {
const jwaAlg = 'none'
assert(!JWA.sign.has(jwaAlg), `sign alg ${jwaAlg} already registered`)
assert(!JWA.verify.has(jwaAlg), `verify alg ${jwaAlg} already registered`)
JWA.sign.set(jwaAlg, sign)
JWA.verify.set(jwaAlg, verify)
JWA.sign.set('none', sign)
JWA.verify.set('none', verify)
}
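Review bot: `verify` for `none` accepts any empty signature and ignores its `key` argument, and this file carries no hint of where misuse is prevented. The README text in this release says downgrade is prevented by requiring a special `JWK.Key`-like object, so a comment above the two `JWA.*.set('none', …)` lines should point there, for example `// 'none' is opt-in: only reachable with the dedicated unsecured key object, enforced by the key check, not here`. The enforcement itself is not visible in this section, so confirm the wording against it.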

@@ -1,2 +0,1 @@

const { strict: assert } = require('assert')
const { pbkdf2Sync: pbkdf2, randomBytes } = require('crypto')

@@ -45,5 +44,2 @@

['PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW'].forEach((jwaAlg) => {
assert(!JWA.keyManagementEncrypt.has(jwaAlg), `keyManagementEncrypt alg ${jwaAlg} already registered`)
assert(!JWA.keyManagementDecrypt.has(jwaAlg), `keyManagementDecrypt alg ${jwaAlg} already registered`)
const kw = jwaAlg.substr(-6)

@@ -50,0 +46,0 @@ const kwWrap = JWA.keyManagementEncrypt.get(kw)

@@ -1,2 +0,1 @@

const { strict: assert } = require('assert')
const { publicEncrypt, privateDecrypt, constants } = require('crypto')

@@ -55,6 +54,2 @@

const oaepHash = resolveOaepHash(jwaAlg)
assert(!JWA.keyManagementEncrypt.has(jwaAlg), `keyManagementEncrypt alg ${jwaAlg} already registered`)
assert(!JWA.keyManagementDecrypt.has(jwaAlg), `keyManagementDecrypt alg ${jwaAlg} already registered`)
JWA.keyManagementEncrypt.set(jwaAlg, wrapKey.bind(undefined, padding, oaepHash))

@@ -61,0 +56,0 @@ JWA.keyManagementDecrypt.set(jwaAlg, unwrapKey.bind(undefined, padding, oaepHash))

@@ -1,5 +0,2 @@

const { strict: assert } = require('assert')
const {
sign: signOneShot,
verify: verifyOneShot,
createSign,

@@ -14,40 +11,18 @@ createVerify,

let sign, verify
if (signOneShot) {
sign = (nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
return signOneShot(nodeAlg, payload, {
key: asInput(keyObject, false),
padding: constants.RSA_PKCS1_PSS_PADDING,
saltLength: constants.RSA_PSS_SALTLEN_DIGEST
})
}
} else {
sign = (nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
const key = asInput(keyObject, false)
return createSign(nodeAlg).update(payload).sign({
key,
padding: constants.RSA_PKCS1_PSS_PADDING,
saltLength: constants.RSA_PSS_SALTLEN_DIGEST
})
}
const sign = (nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
const key = asInput(keyObject, false)
return createSign(nodeAlg).update(payload).sign({
key,
padding: constants.RSA_PKCS1_PSS_PADDING,
saltLength: constants.RSA_PSS_SALTLEN_DIGEST
})
}
if (verifyOneShot) {
verify = (nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {
return verifyOneShot(nodeAlg, payload, {
key: asInput(keyObject, false),
padding: constants.RSA_PKCS1_PSS_PADDING,
saltLength: constants.RSA_PSS_SALTLEN_DIGEST
}, signature)
}
} else {
verify = (nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {
const key = asInput(keyObject, true)
return createVerify(nodeAlg).update(payload).verify({
key,
padding: constants.RSA_PKCS1_PSS_PADDING,
saltLength: constants.RSA_PSS_SALTLEN_DIGEST
}, signature)
}
const verify = (nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {
const key = asInput(keyObject, true)
return createVerify(nodeAlg).update(payload).verify({
key,
padding: constants.RSA_PKCS1_PSS_PADDING,
saltLength: constants.RSA_PSS_SALTLEN_DIGEST
}, signature)
}

@@ -64,6 +39,2 @@

const nodeAlg = resolveNodeAlg(jwaAlg)
assert(!JWA.sign.has(jwaAlg), `sign alg ${jwaAlg} already registered`)
assert(!JWA.verify.has(jwaAlg), `verify alg ${jwaAlg} already registered`)
JWA.sign.set(jwaAlg, sign.bind(undefined, nodeAlg))

@@ -70,0 +41,0 @@ JWA.verify.set(jwaAlg, verify.bind(undefined, nodeAlg))
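Review bot: The remaining `verify` for the PSS-padded algorithms calls `createVerify(nodeAlg).update(payload).verify(…)` without a guard, while the other RSA signature module on this page keeps the same call inside `try { … } catch (err) { return false }`. If the crypto call throws on a malformed signature or an unsuitable key, this path would surface a raw error rather than a failed verification; whether callers catch it is not visible here. Wrapping the `return` in the same `try`/`catch` would make the two modules agree on how a bad signature is reported.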

@@ -1,3 +0,2 @@

const { strict: assert } = require('assert')
const { sign: signOneShot, verify: verifyOneShot, createSign, createVerify } = require('crypto')
const { createSign, createVerify } = require('crypto')

@@ -8,26 +7,12 @@ const { KEYOBJECT } = require('../help/consts')

let sign, verify
if (signOneShot) {
sign = (nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
return signOneShot(nodeAlg, payload, keyObject)
}
} else {
sign = (nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
return createSign(nodeAlg).update(payload).sign(asInput(keyObject, false))
}
const sign = (nodeAlg, { [KEYOBJECT]: keyObject }, payload) => {
return createSign(nodeAlg).update(payload).sign(asInput(keyObject, false))
}
if (verifyOneShot) {
verify = (nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {
return verifyOneShot(nodeAlg, payload, keyObject, signature)
const verify = (nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {
try {
return createVerify(nodeAlg).update(payload).verify(asInput(keyObject, true), signature)
} catch (err) {
return false
}
} else {
verify = (nodeAlg, { [KEYOBJECT]: keyObject }, payload, signature) => {
try {
return createVerify(nodeAlg).update(payload).verify(asInput(keyObject, true), signature)
} catch (err) {
return false
}
}
}

@@ -44,6 +29,2 @@

const nodeAlg = resolveNodeAlg(jwaAlg)
assert(!JWA.sign.has(jwaAlg), `sign alg ${jwaAlg} already registered`)
assert(!JWA.verify.has(jwaAlg), `verify alg ${jwaAlg} already registered`)
JWA.sign.set(jwaAlg, sign.bind(undefined, nodeAlg))

@@ -50,0 +31,0 @@ JWA.verify.set(jwaAlg, verify.bind(undefined, nodeAlg))

@@ -58,4 +58,2 @@ const { inflateRawSync } = require('zlib')

serialization = resolveSerialization(jwe)
} else if (serialization !== resolveSerialization(jwe)) {
throw new errors.JWEInvalid()
}

@@ -62,0 +60,0 @@

@@ -54,3 +54,3 @@ const { deprecate, inspect } = require('util')

all ({ alg, kid, use, kty, key_ops: ops, x5t, 'x5t#S256': x5t256, crv } = {}) {
all ({ alg, kid, thumbprint, use, kty, key_ops: ops, x5t, 'x5t#S256': x5t256, crv } = {}) {
if (ops !== undefined && (!Array.isArray(ops) || !ops.length || ops.some(x => typeof x !== 'string'))) {

@@ -69,2 +69,6 @@ throw new TypeError('`key_ops` must be a non-empty array of strings')

if (candidate && thumbprint !== undefined && key.thumbprint !== thumbprint) {
candidate = false
}
if (candidate && x5t !== undefined && key.x5t !== x5t) {

@@ -71,0 +75,0 @@ candidate = false

const Sign = require('./sign')
const verify = require('./verify')
const { verify } = require('./verify')

@@ -4,0 +4,0 @@ const single = (serialization, payload, key, protectedHeader, unprotectedHeader) => {

@@ -12,3 +12,3 @@ const base64url = require('../help/base64url')

validateCrit = validateCrit.bind(undefined, errors.JWSInvalid)
const SINGLE_RECIPIENT = new Set(['compact', 'flattened'])
const SINGLE_RECIPIENT = new Set(['compact', 'flattened', 'preparsed'])

@@ -33,4 +33,2 @@ /*

serialization = resolveSerialization(jws)
} else if (serialization !== resolveSerialization(jws)) {
throw new errors.JWSInvalid()
}

@@ -52,7 +50,19 @@

let decoded
if (SINGLE_RECIPIENT.has(serialization)) {
if (serialization === 'compact') { // compact serialization format
([prot, payload, signature] = jws.split('.'))
} else { // flattened serialization format
({ protected: prot, payload, signature, header } = jws)
let parsedProt = {}
switch (serialization) {
case 'compact': // compact serialization format
([prot, payload, signature] = jws.split('.'))
break
case 'flattened': // flattened serialization format
({ protected: prot, payload, signature, header } = jws)
break
case 'preparsed': { // from the JWT module
({ decoded } = jws);
([prot, payload, signature] = jws.token.split('.'))
break
}
}

@@ -64,11 +74,8 @@

let parsedProt = {}
if (prot) {
if (decoded) {
parsedProt = decoded.header
} else if (prot) {
try {
parsedProt = base64url.JSON.decode(prot)
} catch (err) {
if (err instanceof errors.JOSEError) {
throw err
}
throw new errors.JWSInvalid('could not parse JWS protected header')

@@ -132,2 +139,3 @@ }

])
if (!verify(alg, key, toBeVerified, base64url.decodeToBuffer(signature))) {

@@ -139,3 +147,3 @@ throw new errors.JWSVerificationFailed()

if (parse) {
payload = base64url.JSON.decode.try(payload, encoding)
payload = decoded ? decoded.payload : base64url.JSON.decode.try(payload, encoding)
} else {

@@ -177,2 +185,5 @@ payload = base64url.decodeToBuffer(payload)

module.exports = jwsVerify.bind(undefined, false, undefined)
module.exports = {
bare: jwsVerify,
verify: jwsVerify.bind(undefined, false, undefined)
}
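Review bot: In the `preparsed` case the header used for the algorithm and `crit` decisions and the payload handed back both come from `jws.decoded`, while the signature is checked over the segments of `jws.token`, and nothing in this function ties the two together. Correctness therefore depends on every caller of the newly exported `bare` passing a `decoded` produced from that exact `token`. State that on the case, e.g. `// decoded MUST be the result of decoding jws.token; it is not re-checked here`. The same section also drops the `serialization !== resolveSerialization(jws)` mismatch check, so the `serialization` argument is now trusted as given; that is fine for internal callers but worth saying in the comment. Parts of `jwsVerify` lie outside the hunks shown.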

@@ -5,4 +5,3 @@ const isObject = require('../help/is_object')

const getKey = require('../help/get_key')
const JWS = require('../jws')
const { KeyStore } = require('../jwks')
const { bare: verify } = require('../jws/verify')
const { JWTClaimInvalid, JWTExpired } = require('../errors')

@@ -229,5 +228,13 @@

const decoded = decode(token, { complete: true })
key = getKey(key, true)
if (complete) {
({ key } = verify(true, 'preparsed', { decoded, token }, key, { crit, algorithms, complete: true }))
decoded.key = key
} else {
verify(true, 'preparsed', { decoded, token }, key, { crit, algorithms })
}
const unix = epoch(now)
const decoded = decode(token, { complete: true })
validateTypes(decoded, profile, options)

@@ -297,11 +304,3 @@

key = getKey(key, true)
if (complete && key instanceof KeyStore) {
({ key } = JWS.verify(token, key, { crit, algorithms, complete: true }))
} else {
JWS.verify(token, key, { crit, algorithms })
}
return complete ? { ...decoded, key } : decoded.payload
return complete ? decoded : decoded.payload
}
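Review bot: Nothing marks the new ordering as deliberate: signature verification now runs right after `decode` and before `validateTypes` and the claim checks, which is the order to keep. A comment before the two `verify(true, 'preparsed', …)` calls, such as `// verify the signature before any claim from the token is validated or returned`, would protect it from a later reshuffle. Both calls build `{ decoded, token }` from the same `token`, which the JWS side relies on without re-checking. The function body between the two hunks is outside the view.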
{
"name": "jose",
"version": "1.21.1",
"version": "1.22.0",
"description": "JSON Web Almost Everything - JWA, JWS, JWE, JWK, JWT, JWKS for Node.js with minimal dependencies",

@@ -11,2 +11,3 @@ "keywords": [

"decrypt",
"detached",
"ec",

@@ -34,5 +35,7 @@ "ecdsa",

"okp",
"payload",
"rsa",
"secp256k1",
"sign",
"signature",
"validate",

@@ -39,0 +42,0 @@ "verify"

@@ -332,3 +332,3 @@ # jose

operations but it is an entirely opt-in behaviour, downgrade attacks are prevented by the required
use of a special `JWK.Key` instance that cannot be instantiated through the key import API
use of a special `JWK.Key`-like object that cannot be instantiated through the key import API
<sup>3</sup> RSA-OAEP-256 is only supported when Node.js >= 12.9.0 runtime is detected

@@ -403,3 +403,3 @@

[spec-okp]: https://tools.ietf.org/html/rfc8037
[draft-secp256k1]: https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-03
[draft-secp256k1]: https://tools.ietf.org/html/draft-ietf-cose-webauthn-algorithms-04
[draft-ietf-oauth-access-token-jwt]: https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt

@@ -406,0 +406,0 @@ [draft-jarm]: https://openid.net/specs/openid-financial-api-jarm.html

@@ -196,2 +196,3 @@ /// <reference types="node" />

crv?: string;
thumbprint?: string;
}

@@ -198,0 +199,0 @@
