-
-
Notifications
You must be signed in to change notification settings - Fork 313
/
sign.ts
160 lines (133 loc) · 4.38 KB
/
sign.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
/* eslint-disable no-underscore-dangle */
import isDisjoint from '../../lib/is_disjoint.js'
import { JWSInvalid } from '../../util/errors.js'
import { encoder, decoder, concat } from '../../lib/buffer_utils.js'
import { encode as base64url } from '../../runtime/base64url.js'
import sign from '../../runtime/sign.js'
import type { KeyLike, FlattenedJWS, JWSHeaderParameters, SignOptions } from '../../types'
import checkKeyType from '../../lib/check_key_type.js'
import validateCrit from '../../lib/validate_crit.js'
const checkExtensions = validateCrit.bind(undefined, JWSInvalid, new Map([['b64', true]]))
/**
* The FlattenedSign class is a utility for creating Flattened JWS objects.
*
* @example ESM import
* ```js
* import { FlattenedSign } from 'jose/jws/flattened/sign'
* ```
*
* @example CJS import
* ```js
* const { FlattenedSign } = require('jose/jws/flattened/sign')
* ```
*
* @example Usage
* ```js
* const encoder = new TextEncoder()
*
* const jws = await new FlattenedSign(encoder.encode('It’s a dangerous business, Frodo, going out your door.'))
* .setProtectedHeader({ alg: 'ES256' })
* .sign(privateKey)
* console.log(jws)
* ```
*/
class FlattenedSign {
private _payload: Uint8Array
private _protectedHeader!: JWSHeaderParameters
private _unprotectedHeader!: JWSHeaderParameters
/**
* @param payload Binary representation of the payload to sign.
*/
constructor(payload: Uint8Array) {
this._payload = payload
}
/**
* Sets the JWS Protected Header on the FlattenedSign object.
*
* @param protectedHeader JWS Protected Header.
*/
setProtectedHeader(protectedHeader: JWSHeaderParameters) {
if (this._protectedHeader) {
throw new TypeError('setProtectedHeader can only be called once')
}
this._protectedHeader = protectedHeader
return this
}
/**
* Sets the JWS Unprotected Header on the FlattenedSign object.
*
* @param unprotectedHeader JWS Unprotected Header.
*/
setUnprotectedHeader(unprotectedHeader: JWSHeaderParameters) {
if (this._unprotectedHeader) {
throw new TypeError('setUnprotectedHeader can only be called once')
}
this._unprotectedHeader = unprotectedHeader
return this
}
/**
* Signs and resolves the value of the Flattened JWS object.
*
* @param key Private Key or Secret to sign the JWS with.
* @param options JWS Sign options.
*/
async sign(key: KeyLike, options?: SignOptions): Promise<FlattenedJWS> {
if (!this._protectedHeader && !this._unprotectedHeader) {
throw new JWSInvalid(
'either setProtectedHeader or setUnprotectedHeader must be called before #sign()',
)
}
if (!isDisjoint(this._protectedHeader, this._unprotectedHeader)) {
throw new JWSInvalid(
'JWS Protected and JWS Unprotected Header Parameter names must be disjoint',
)
}
const joseHeader: JWSHeaderParameters = {
...this._protectedHeader,
...this._unprotectedHeader,
}
const extensions = checkExtensions(options?.crit, this._protectedHeader, joseHeader)
let b64: boolean = true
if (extensions.has('b64')) {
b64 = this._protectedHeader.b64!
if (typeof b64 !== 'boolean') {
throw new JWSInvalid(
'The "b64" (base64url-encode payload) Header Parameter must be a boolean',
)
}
}
const { alg } = joseHeader
if (typeof alg !== 'string' || !alg) {
throw new JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid')
}
checkKeyType(alg, key, 'sign')
let payload = this._payload
if (b64) {
payload = encoder.encode(base64url(payload))
}
let protectedHeader: Uint8Array
if (this._protectedHeader) {
protectedHeader = encoder.encode(base64url(JSON.stringify(this._protectedHeader)))
} else {
protectedHeader = encoder.encode('')
}
const data = concat(protectedHeader, encoder.encode('.'), payload)
const signature = await sign(alg, key, data)
const jws: FlattenedJWS = {
signature: base64url(signature),
}
if (b64) {
jws.payload = decoder.decode(payload)
}
if (this._unprotectedHeader) {
jws.header = this._unprotectedHeader
}
if (this._protectedHeader) {
jws.protected = decoder.decode(protectedHeader)
}
return jws
}
}
export { FlattenedSign }
export default FlattenedSign
export type { KeyLike, FlattenedJWS, JWSHeaderParameters }