jose - npm Package Compare versions

Comparing version 3.7.0 to 3.7.1

CHANGELOG.md

@@ -5,2 +5,9 @@ # Changelog
 
+## [3.7.1](https://github.com/panva/jose/compare/v3.7.0...v3.7.1) (2021-03-11)
+
+
+### Bug Fixes
+
+* swallow invalid signature encoding errors ([e0adf49](https://github.com/panva/jose/commit/e0adf49e5789f9fc23afb1e2bd3e330e34b46b78))
+
 ## [3.7.0](https://github.com/panva/jose/compare/v3.6.2...v3.7.0) (2021-03-02)
@@ -7,0 +14,0 @@

dist/browser/jwe/flattened/decrypt.js

@@ -18,2 +18,3 @@ import { JOSEAlgNotAllowed, JOSENotSupported, JWEInvalid } from '../../util/errors.js';
 export default async function flattenedDecrypt(jwe, key, options) {
+    var _a;
     if (!isObject(jwe)) {
@@ -105,3 +106,3 @@ throw new JWEInvalid('Flattened JWE must be an object');
     const tag = base64url(jwe.tag);
-    const protectedHeader = encoder.encode(jwe.protected || '');
+    const protectedHeader = encoder.encode((_a = jwe.protected) !== null && _a !== void 0 ? _a : '');
     let additionalData;
@@ -108,0 +109,0 @@ if (jwe.aad !== undefined) {

dist/browser/jws/flattened/verify.js

@@ -13,2 +13,3 @@ import { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';
 export default async function flattenedVerify(jws, key, options) {
+    var _a;
     if (!isObject(jws)) {
@@ -72,3 +73,3 @@ throw new JWSInvalid('Flattened JWS must be an object');
     checkKeyType(alg, key);
-    const data = concat(encoder.encode(jws.protected || ''), encoder.encode('.'), typeof jws.payload === 'string' ? encoder.encode(jws.payload) : jws.payload);
+    const data = concat(encoder.encode((_a = jws.protected) !== null && _a !== void 0 ? _a : ''), encoder.encode('.'), typeof jws.payload === 'string' ? encoder.encode(jws.payload) : jws.payload);
     const signature = base64url(jws.signature);
@@ -75,0 +76,0 @@ const verified = await verify(alg, key, signature, data);

dist/browser/runtime/generate.js

@@ -52,2 +52,3 @@ import crypto from './webcrypto.js';
 export async function generateKeyPair(alg, options) {
+    var _a;
     let algorithm;
@@ -106,3 +107,3 @@ let keyUsages;
         case 'ECDH-ES+A256KW':
-            algorithm = { name: 'ECDH', namedCurve: (options === null || options === void 0 ? void 0 : options.crv) || 'P-256' };
+            algorithm = { name: 'ECDH', namedCurve: (_a = options === null || options === void 0 ? void 0 : options.crv) !== null && _a !== void 0 ? _a : 'P-256' };
             keyUsages = ['deriveKey', 'deriveBits'];
@@ -109,0 +110,0 @@ break;

dist/browser/runtime/verify.js

@@ -16,4 +16,10 @@ import subtleAlgorithm from './subtle_dsa.js';
     checkKeyLength(alg, cryptoKey);
-    return crypto.subtle.verify(subtleAlgorithm(alg), cryptoKey, signature, data);
+    const algorithm = subtleAlgorithm(alg);
+    try {
+        return await crypto.subtle.verify(algorithm, cryptoKey, signature, data);
+    }
+    catch (_a) {
+        return false;
+    }
 };
 export default verify;

dist/node/cjs/jwe/flattened/decrypt.js

@@ -20,2 +20,3 @@ "use strict";
 async function flattenedDecrypt(jwe, key, options) {
+    var _a;
     if (!is_object_js_1.default(jwe)) {
@@ -107,3 +108,3 @@ throw new errors_js_1.JWEInvalid('Flattened JWE must be an object');
     const tag = base64url_js_1.decode(jwe.tag);
-    const protectedHeader = buffer_utils_js_1.encoder.encode(jwe.protected || '');
+    const protectedHeader = buffer_utils_js_1.encoder.encode((_a = jwe.protected) !== null && _a !== void 0 ? _a : '');
     let additionalData;
@@ -110,0 +111,0 @@ if (jwe.aad !== undefined) {

dist/node/cjs/jws/flattened/verify.js

@@ -15,2 +15,3 @@ "use strict";
 async function flattenedVerify(jws, key, options) {
+    var _a;
     if (!is_object_js_1.default(jws)) {
@@ -74,3 +75,3 @@ throw new errors_js_1.JWSInvalid('Flattened JWS must be an object');
     check_key_type_js_1.default(alg, key);
-    const data = buffer_utils_js_1.concat(buffer_utils_js_1.encoder.encode(jws.protected || ''), buffer_utils_js_1.encoder.encode('.'), typeof jws.payload === 'string' ? buffer_utils_js_1.encoder.encode(jws.payload) : jws.payload);
+    const data = buffer_utils_js_1.concat(buffer_utils_js_1.encoder.encode((_a = jws.protected) !== null && _a !== void 0 ? _a : ''), buffer_utils_js_1.encoder.encode('.'), typeof jws.payload === 'string' ? buffer_utils_js_1.encoder.encode(jws.payload) : jws.payload);
     const signature = base64url_js_1.decode(jws.signature);
@@ -77,0 +78,0 @@ const verified = await verify_js_1.default(alg, key, signature, data);

dist/node/cjs/runtime/generate.js

@@ -39,3 +39,3 @@ "use strict";
 async function generateKeyPair(alg, options) {
-    var _a;
+    var _a, _b;
     switch (alg) {
@@ -93,3 +93,3 @@ case 'RS256':
                 case 'P-521':
-                    return generate('ec', { namedCurve: (options === null || options === void 0 ? void 0 : options.crv) || 'P-256' });
+                    return generate('ec', { namedCurve: (_b = options === null || options === void 0 ? void 0 : options.crv) !== null && _b !== void 0 ? _b : 'P-256' });
                 case 'X25519':
@@ -96,0 +96,0 @@ return generate('x25519');

dist/node/cjs/runtime/verify.js

@@ -26,4 +26,10 @@ "use strict";
     }
-    return crypto_1.verify(algorithm, data, node_key_js_1.default(alg, key), signature);
+    const keyInput = node_key_js_1.default(alg, key);
+    try {
+        return crypto_1.verify(algorithm, data, keyInput, signature);
+    }
+    catch {
+        return false;
+    }
 };
 exports.default = verify;

dist/node/esm/jwe/flattened/decrypt.js

@@ -18,2 +18,3 @@ import { JOSEAlgNotAllowed, JOSENotSupported, JWEInvalid } from '../../util/errors.js';
 export default async function flattenedDecrypt(jwe, key, options) {
+    var _a;
     if (!isObject(jwe)) {
@@ -105,3 +106,3 @@ throw new JWEInvalid('Flattened JWE must be an object');
     const tag = base64url(jwe.tag);
-    const protectedHeader = encoder.encode(jwe.protected || '');
+    const protectedHeader = encoder.encode((_a = jwe.protected) !== null && _a !== void 0 ? _a : '');
     let additionalData;
@@ -108,0 +109,0 @@ if (jwe.aad !== undefined) {

dist/node/esm/jws/flattened/verify.js

@@ -13,2 +13,3 @@ import { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js';
 export default async function flattenedVerify(jws, key, options) {
+    var _a;
     if (!isObject(jws)) {
@@ -72,3 +73,3 @@ throw new JWSInvalid('Flattened JWS must be an object');
     checkKeyType(alg, key);
-    const data = concat(encoder.encode(jws.protected || ''), encoder.encode('.'), typeof jws.payload === 'string' ? encoder.encode(jws.payload) : jws.payload);
+    const data = concat(encoder.encode((_a = jws.protected) !== null && _a !== void 0 ? _a : ''), encoder.encode('.'), typeof jws.payload === 'string' ? encoder.encode(jws.payload) : jws.payload);
     const signature = base64url(jws.signature);
@@ -75,0 +76,0 @@ const verified = await verify(alg, key, signature, data);

dist/node/esm/runtime/generate.js

@@ -35,3 +35,3 @@ import { createSecretKey, generateKeyPair as generateKeyPairCb } from 'crypto';
 export async function generateKeyPair(alg, options) {
-    var _a;
+    var _a, _b;
     switch (alg) {
@@ -89,3 +89,3 @@ case 'RS256':
                 case 'P-521':
-                    return generate('ec', { namedCurve: (options === null || options === void 0 ? void 0 : options.crv) || 'P-256' });
+                    return generate('ec', { namedCurve: (_b = options === null || options === void 0 ? void 0 : options.crv) !== null && _b !== void 0 ? _b : 'P-256' });
                 case 'X25519':
@@ -92,0 +92,0 @@ return generate('x25519');

dist/node/esm/runtime/verify.js

@@ -24,4 +24,10 @@ import { verify as oneShotVerify, timingSafeEqual, KeyObject } from 'crypto';
     }
-    return oneShotVerify(algorithm, data, nodeKey(alg, key), signature);
+    const keyInput = nodeKey(alg, key);
+    try {
+        return oneShotVerify(algorithm, data, keyInput, signature);
+    }
+    catch {
+        return false;
+    }
 };
 export default verify;

dist/types/jwk/from_key_like.d.ts

@@ -22,4 +22,4 @@ import type { JWK, KeyLike } from '../types.d';
  * // usage
- * const privateJwk = fromKeyLike(privateKey)
- * const publicJwk = fromKeyLike(publicKey)
+ * const privateJwk = await fromKeyLike(privateKey)
+ * const publicJwk = await fromKeyLike(publicKey)
  *
@@ -26,0 +26,0 @@ * console.log(privateJwk)

package.json

 {
   "name": "jose",
-  "version": "3.7.0",
+  "version": "3.7.1",
   "description": "Universal 'JSON Web Almost Everything' - JWA, JWS, JWE, JWT, JWK with no dependencies",
@@ -5,0 +5,0 @@ "keywords": [

README.md

@@ -156,3 +156,2 @@ # jose
 - Promise-based API
-- experimental (non-blocking 🎉) Node.js libuv thread pool based runtime
 
@@ -159,0 +158,0 @@ #### v2.x docs?

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Total package byte prevSize

479775

increased by0.18%

Lines of code

10957

increased by0.23%

Worsened metrics

Number of lines in readme file

261

decreased by-0.38%

No dependency changes