ci,test: move more tests into the tap suite

.github/workflows/test.yml

@@ -78,22 +78,13 @@ jobs:
         uses: actions/github-script@v6
         with:
           script: core.setFailed('dist cache hit failed')
+      - name: Test (TAP)
+        run: npm run tap:node
+        if: ${{ !startsWith(steps.node.outputs.node-version, 'v12') }}
       - run: find test -type f -name '*.mjs' -print0 | xargs -0 sed -i -e "s/await import(/require(/g"
         if: ${{ startsWith(steps.node.outputs.node-version, 'v12') }}
-      - name: Test with Node.js crypto module
+      - name: Test (AVA)
         run: npm run test
-      - name: Test with Node.js crypto module w/ CryptoKey
-        run: npm run test-cryptokey
-        if: ${{ !startsWith(steps.node.outputs.node-version, 'v14') && !startsWith(steps.node.outputs.node-version, 'v12') }}
-      - name: Test with Node.js Web Cryptography API
-        run: npm run test-webcrypto
-        if: ${{ !startsWith(steps.node.outputs.node-version, 'v14') && !startsWith(steps.node.outputs.node-version, 'v12') }}
-      - name: Test with Node.js Web API
-        run: npm run test-webapi
-        if: ${{ !startsWith(steps.node.outputs.node-version, 'v14') && !startsWith(steps.node.outputs.node-version, 'v12') }}
-      - name: TAP Suite with both Node.js runtimes
-        run: npm run tap:node
-        if: ${{ !startsWith(steps.node.outputs.node-version, 'v14') && !startsWith(steps.node.outputs.node-version, 'v12') }}
 
   deno:
     needs:

.node_flags.sh

@@ -1,8 +1,9 @@
-NODE_VERSION=$(node -v)
+node -e 'process.exit(parseInt(process.versions.node, 10))' &> /dev/null
+NODE_VERSION=$?
 export NODE_OPTIONS='--no-warnings'
 
-if [[ $NODE_VERSION == "v16."* ]]; then
-  export NODE_OPTIONS+=' --experimental-global-webcrypto --experimental-fetch'
-elif [[ "$NODE_VERSION" == "v18."* ]]; then
+if [[ "$NODE_VERSION" -ge 18 ]]; then
   export NODE_OPTIONS+=' --experimental-global-webcrypto'
+elif [[ $NODE_VERSION -ge 16 ]]; then
+  export NODE_OPTIONS+=' --experimental-global-webcrypto --experimental-fetch'
 fi

package.json

@@ -67,12 +67,6 @@
       "import": "./dist/node/esm/*.js",
       "require": "./dist/node/cjs/*.js"
     },
-    "#dist/webcrypto/*": {
-      "import": "./dist/node/webcrypto/*.js"
-    },
-    "#dist/webcrypto": {
-      "import": "./dist/node/webcrypto/index.js"
-    },
     "#dist/webapi/*": {
       "import": "./dist/browser/*.js"
     },
@@ -108,15 +102,6 @@
   "scripts": {
     "build": "tsc",
     "build-all": "run-s clear build:*",
-    "build-fast-all": "run-s clear build-fast:*",
-    "build-fast:browser": "npm run-script runtime-browser && npm run-script -s esbuild-find | xargs -0 esbuild --log-level=warning --target=es2018 --outdir=dist/browser --format=esm && echo '{\"type\": \"module\"}'> dist/browser/package.json",
-    "build-fast:browser-bundle": "npm run-script build:browser-bundle",
-    "build-fast:browser-bundle-min": "npm run-script build:browser-bundle-min",
-    "build-fast:build:browser-umd": "npm run-script build:build:browser-umd",
-    "build-fast:deno": "npm run-script build:deno",
-    "build-fast:node-cjs": "npm run-script runtime-node && npm run-script -s esbuild-find | xargs -0 esbuild --log-level=warning --platform=node --target=node12 --outdir=dist/node/cjs --format=cjs",
-    "build-fast:node-esm": "npm run-script runtime-node && npm run-script -s esbuild-find | xargs -0 esbuild --log-level=warning --platform=node --target=node12 --outdir=dist/node/esm --format=esm && echo '{\"type\": \"module\"}'> dist/node/esm/package.json",
-    "build-fast:node-webcrypto": "npm run-script runtime-node-webcrypto && npm run-script -s esbuild-find | xargs -0 esbuild --log-level=warning --platform=node --target=esnext --outdir=dist/node/webcrypto --format=esm && echo '{\"type\": \"module\"}'> dist/node/webcrypto/package.json",
     "build:browser": "run-s runtime-browser 'build -- -p ./tsconfig/browser.json' && echo '{\"type\": \"module\"}'> dist/browser/package.json",
     "build:browser-bundle": "esbuild --bundle dist/browser/index.js --format=esm --target=es2018 --outfile=dist/browser/index.bundle.js",
     "build:browser-bundle-min": "esbuild --minify --bundle dist/browser/index.js --format=esm --target=es2018 --outfile=dist/browser/index.bundle.min.js",
@@ -125,25 +110,19 @@
     "build:types": "npm run-script build -- -p ./tsconfig/types.json && cd src && find . -name '*.d.ts' -maxdepth 2 -type f -exec rsync -R \"{}\" ../dist/types  \\; && cd .. && run-s -s types:find | xargs -0 sed -i.bak -e \"s/\\.js'/'/g\" -e \"s/\\.d'/'/g\" && npm run-script sedcleanup",
     "build:node-cjs": "run-s runtime-node 'build -- -p ./tsconfig/node-cjs.json'",
     "build:node-esm": "run-s runtime-node 'build -- -p ./tsconfig/node-esm.json' && echo '{\"type\": \"module\"}'> dist/node/esm/package.json",
-    "build:node-webcrypto": "run-s runtime-node-webcrypto 'build -- -p ./tsconfig/node-webcrypto.json' && echo '{\"type\": \"module\"}'> dist/node/webcrypto/package.json",
     "clear": "rm -Rf dist",
     "sedcleanup": "find . -name '*.bak' -type f -print0 | xargs -0 rm -f",
     "docs:generate": "typedoc",
-    "esbuild-find": "find src -type f -name '*.ts' -not -path '*/runtime/*/*' -not -name '*.d.ts' -print0",
     "runtime-browser": "run-s runtime:clear runtime:browser:* runtime:refs",
     "runtime-deno": "npm run-script runtime-browser && mkdir -p dist/deno && cp -R src/. dist/deno && rm -R dist/deno/runtime/browser dist/deno/runtime/node",
     "runtime-node": "run-s runtime:clear runtime:node:* runtime:refs",
-    "runtime-node-webcrypto": "run-s runtime:clear runtime:browser:* && cp ./src/runtime/node/webcrypto.ts ./src/runtime/ && cp ./src/runtime/node/fetch_jwks.ts ./src/runtime/ && cp ./src/runtime/node/base64url.ts ./src/runtime/ && cp ./src/runtime/node/zlib.ts ./src/runtime/ && run-s runtime:refs",
     "runtime:browser:copy": "cp ./src/runtime/browser/*.ts ./src/runtime",
     "runtime:clear": "run-s -s runtime:find | xargs -0 rm -f",
     "runtime:find": "find src/runtime -not -name '*.d.ts' -maxdepth 1 -type f -print0",
     "types:find": "find dist/types -name '*.d.ts' -type f -print0",
     "runtime:node:copy": "cp ./src/runtime/node/*.ts ./src/runtime",
     "runtime:refs": "run-s -s runtime:find | xargs -0 sed -i.bak -e \"s/'\\.\\.\\//'\\.\\//g\" -e \"s/'\\.\\/\\.\\./'../g\" && npm run-script sedcleanup",
     "test": "ava",
-    "test-cryptokey": "npm test -- --config ava.cryptokey.config.cjs",
-    "test-webapi": "npm test -- --config ava.webapi.config.cjs",
-    "test-webcrypto": "npm test -- --config ava.webcrypto.config.cjs",
     "format": "prettier --loglevel silent --write ./test ./tap ./src ./tools ./cookbook",
     "tap:browsers": "./tap/.browsers.sh",
     "tap:deno": "./tap/.deno.sh",

tap/.browsers.sh

@@ -3,7 +3,6 @@
   --log-level=warning \
   --format=esm \
   --bundle \
-  --minify-syntax \
   --target=esnext \
   --outfile=tap/run-browser.js \
   tap/run-browser.ts

tap/.edge-runtime.sh

@@ -3,7 +3,6 @@
   --log-level=warning \
   --format=esm \
   --bundle \
-  --minify-syntax \
   --target=esnext \
   --outfile=tap/run-edge-runtime.js \
   tap/run-edge-runtime.ts

tap/.electron.sh

@@ -3,10 +3,9 @@
   --log-level=warning \
   --format=esm \
   --bundle \
+  --platform=node \
   --external:electron \
   --external:#dist \
-  --platform=node \
-  --minify-syntax \
   --target=esnext \
   --outfile=tap/run-electron.js \
   tap/run-electron.ts

tap/.node.sh

@@ -3,10 +3,9 @@
   --log-level=warning \
   --format=esm \
   --bundle \
+  --platform=node \
   --external:#dist \
   --external:#dist/webapi \
-  --platform=node \
-  --minify-syntax \
   --target=esnext \
   --outfile=tap/run-node.mjs \
   tap/run-node.ts
@@ -16,7 +15,29 @@ source .node_flags.sh
 node tap/run-node.mjs '#dist'
 NODE_CRYPTO_API=$?
 
+node -e 'process.exit(parseInt(process.versions.node, 10))' &> /dev/null
+NODE_VERSION=$?
+
+if [[ "$NODE_VERSION" -le 14 ]]; then
+  exit $NODE_CRYPTO_API
+fi
+
 node tap/run-node.mjs '#dist/webapi'
 WEB_CRYPTO_API=$?
 
-test $WEB_CRYPTO_API -eq 0 && test $NODE_CRYPTO_API -eq 0
+node tap/run-node.mjs '#dist/hybrid'
+HYBRID=$?
+
+echo ""
+echo "node:crypto"
+test $WEB_CRYPTO_API -eq 0 && echo "  passed" || echo "  failed"
+
+echo ""
+echo "WebCryptoAPI"
+test $NODE_CRYPTO_API -eq 0 && echo "  passed" || echo "  failed"
+
+echo ""
+echo "node:crypto with CryptoKey"
+test $HYBRID -eq 0 && echo "  passed" || echo "  failed"
+
+test $WEB_CRYPTO_API -eq 0 && test $NODE_CRYPTO_API -eq 0 && test $HYBRID -eq 0

tap/.workers.sh

@@ -3,7 +3,6 @@
   --log-level=warning \
   --format=esm \
   --bundle \
-  --minify-syntax \
   --target=esnext \
   --outfile=tap/run-workers.js \
   tap/run-workers.ts

tap/aes.ts

@@ -1,6 +1,8 @@
 import type QUnit from 'qunit'
 import * as env from './env.js'
 import type * as jose from '../src/index.js'
+import random from './random.js'
+import roundtrip from './encrypt.js'
 
 export default (QUnit: QUnit, lib: typeof jose) => {
   const { module, test } = QUnit
@@ -16,37 +18,51 @@ export default (QUnit: QUnit, lib: typeof jose) => {
     ['A256CBC-HS512', true],
   ]
 
-  function title(vector: Vector) {
+  function title(vector: Vector, label = '') {
     const [enc, works] = vector
     let result = ''
     if (!works) {
       result = '[not supported] '
     }
     result += `${enc}`
+    if (label) {
+      result += ` ${label}`
+    }
     return result
   }
 
+  function secretsFor(enc: string) {
+    return [
+      lib.generateSecret(enc),
+      random(parseInt(enc.endsWith('GCM') ? enc.slice(1, 4) : enc.slice(-3)) >> 3),
+    ]
+  }
+
   for (const vector of algorithms) {
     const [enc, works] = vector
 
     const execute = async (t: typeof QUnit.assert) => {
-      const secret = await lib.generateSecret(enc)
-
-      const jwe = await new lib.FlattenedEncrypt(crypto.getRandomValues(new Uint8Array(32)))
-        .setProtectedHeader({ alg: 'dir', enc })
-        .setAdditionalAuthenticatedData(crypto.getRandomValues(new Uint8Array(32)))
-        .encrypt(secret)
+      for await (const secret of secretsFor(enc)) {
+        await roundtrip(t, lib, 'dir', enc, secret)
+      }
+    }
 
-      await lib.flattenedDecrypt(jwe, secret)
-      t.ok(1)
+    const emptyClearText = async (t: typeof QUnit.assert) => {
+      for await (const secret of secretsFor(enc)) {
+        await roundtrip(t, lib, 'dir', enc, secret, new Uint8Array())
+      }
     }
 
     if (works) {
       test(title(vector), execute)
+      test(title(vector, 'empty cleartext'), emptyClearText)
     } else {
       test(title(vector), async (t) => {
         await t.rejects(execute(t))
       })
+      test(title(vector, 'empty cleartext'), async (t) => {
+        await t.rejects(emptyClearText(t))
+      })
     }
   }
 }

tap/aeskw.ts

@@ -1,6 +1,8 @@
 import type QUnit from 'qunit'
 import * as env from './env.js'
 import type * as jose from '../src/index.js'
+import random from './random.js'
+import roundtrip from './encrypt.js'
 
 export default (QUnit: QUnit, lib: typeof jose) => {
   const { module, test } = QUnit
@@ -26,19 +28,17 @@ export default (QUnit: QUnit, lib: typeof jose) => {
     return result
   }
 
+  function secretsFor(alg: string) {
+    return [lib.generateSecret(alg), random(parseInt(alg.slice(1, 4), 10) >> 3)]
+  }
+
   for (const vector of algorithms) {
     const [alg, works] = vector
 
     const execute = async (t: typeof QUnit.assert) => {
-      const secret = await lib.generateSecret(alg)
-
-      const jwe = await new lib.FlattenedEncrypt(crypto.getRandomValues(new Uint8Array(32)))
-        .setProtectedHeader({ alg, enc: 'A256GCM' })
-        .setAdditionalAuthenticatedData(crypto.getRandomValues(new Uint8Array(32)))
-        .encrypt(secret)
-
-      await lib.flattenedDecrypt(jwe, secret)
-      t.ok(1)
+      for await (const secret of secretsFor(alg)) {
+        await roundtrip(t, lib, alg, 'A128GCM', secret)
+      }
     }
 
     if (works) {

tap/cookbook.ts

@@ -144,7 +144,7 @@ export default (QUnit: QUnit, lib: typeof jose) => {
       if (env.isElectron && vector.electron === false) {
         return false
       }
-      if (vector.input.zip && !env.isNodeCrypto) {
+      if (vector.input.zip && !env.hasZlib) {
         return false
       }
       return true

tap/ecdh.ts

@@ -1,47 +1,38 @@
 import type QUnit from 'qunit'
 import * as env from './env.js'
 import type * as jose from '../src/index.js'
+import roundtrip from './encrypt.js'
 
 export default (QUnit: QUnit, lib: typeof jose) => {
   const { module, test } = QUnit
   module('ecdh.ts')
 
-  type Vector = [string, jose.GenerateKeyPairOptions, boolean]
+  type Vector = [string, boolean] | [string, boolean, jose.GenerateKeyPairOptions]
   const algorithms: Vector[] = [
-    ['ECDH-ES', { crv: 'P-256' }, true],
-    ['ECDH-ES', { crv: 'P-384' }, true],
-    ['ECDH-ES', { crv: 'P-521' }, !env.isDeno],
-    ['ECDH-ES', { crv: 'secp256k1' }, false],
-    ['ECDH-ES', { crv: 'X25519' }, env.isNode || env.isElectron],
-    ['ECDH-ES', { crv: 'X448' }, env.isNode],
+    ['ECDH-ES', true],
+    ['ECDH-ES', true, { crv: 'P-384' }],
+    ['ECDH-ES', !env.isDeno, { crv: 'P-521' }],
+    ['ECDH-ES', false, { crv: 'secp256k1' }],
+    ['ECDH-ES', env.isNode || env.isElectron, { crv: 'X25519' }],
+    ['ECDH-ES', env.isNode, { crv: 'X448' }],
   ]
 
   function title(vector: Vector) {
-    const [alg, options, works] = vector
+    const [alg, works, options] = vector
     let result = ''
     if (!works) {
       result = '[not supported] '
     }
-    result += `${alg}`
-    if (alg === 'ECDH-ES') {
-      result += ` ${options.crv}`
-    }
+    result += `${alg} ${options?.crv || 'P-256'}`
     return result
   }
 
   for (const vector of algorithms) {
-    const [alg, options, works] = vector
+    const [alg, works, options] = vector
 
     const execute = async (t: typeof QUnit.assert) => {
-      const { privateKey, publicKey } = await lib.generateKeyPair(alg, options)
-
-      const jwe = await new lib.FlattenedEncrypt(crypto.getRandomValues(new Uint8Array(32)))
-        .setProtectedHeader({ alg, enc: 'A256GCM' })
-        .setAdditionalAuthenticatedData(crypto.getRandomValues(new Uint8Array(32)))
-        .encrypt(publicKey)
-
-      await lib.flattenedDecrypt(jwe, privateKey)
-      t.ok(1)
+      const kp = await lib.generateKeyPair(alg, options)
+      await roundtrip(t, lib, alg, 'A128GCM', kp)
     }
 
     if (works) {