Skip to content

Instantly share code, notes, and snippets.

@jvanmetre

jvanmetre/jose.bundle.js

Last active February 20, 2024 19:21
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save jvanmetre/1b88eca035e5fb4318c5c548d0862bb8 to your computer and use it in GitHub Desktop.
Save jvanmetre/1b88eca035e5fb4318c5c548d0862bb8 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
jose.bundle.js
"use strict";
var __getOwnPropNames = Object.getOwnPropertyNames;
var __commonJS = (cb, mod) => function __require() {
return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
};
// node_modules/jose/dist/node/cjs/runtime/digest.js
var require_digest = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/digest.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var digest = (algorithm, data) => (0, node_crypto_1.createHash)(algorithm).update(data).digest();
exports2.default = digest;
}
});
// node_modules/jose/dist/node/cjs/lib/buffer_utils.js
var require_buffer_utils = __commonJS({
"node_modules/jose/dist/node/cjs/lib/buffer_utils.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.concatKdf = exports2.lengthAndInput = exports2.uint32be = exports2.uint64be = exports2.p2s = exports2.concat = exports2.decoder = exports2.encoder = void 0;
var digest_js_1 = require_digest();
exports2.encoder = new TextEncoder();
exports2.decoder = new TextDecoder();
var MAX_INT32 = 2 ** 32;
function concat(...buffers) {
const size = buffers.reduce((acc, { length }) => acc + length, 0);
const buf = new Uint8Array(size);
let i = 0;
for (const buffer of buffers) {
buf.set(buffer, i);
i += buffer.length;
}
return buf;
}
exports2.concat = concat;
function p2s(alg, p2sInput) {
return concat(exports2.encoder.encode(alg), new Uint8Array([0]), p2sInput);
}
exports2.p2s = p2s;
function writeUInt32BE(buf, value, offset) {
if (value < 0 || value >= MAX_INT32) {
throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`);
}
buf.set([value >>> 24, value >>> 16, value >>> 8, value & 255], offset);
}
function uint64be(value) {
const high = Math.floor(value / MAX_INT32);
const low = value % MAX_INT32;
const buf = new Uint8Array(8);
writeUInt32BE(buf, high, 0);
writeUInt32BE(buf, low, 4);
return buf;
}
exports2.uint64be = uint64be;
function uint32be(value) {
const buf = new Uint8Array(4);
writeUInt32BE(buf, value);
return buf;
}
exports2.uint32be = uint32be;
function lengthAndInput(input) {
return concat(uint32be(input.length), input);
}
exports2.lengthAndInput = lengthAndInput;
async function concatKdf(secret, bits, value) {
const iterations = Math.ceil((bits >> 3) / 32);
const res = new Uint8Array(iterations * 32);
for (let iter = 0; iter < iterations; iter++) {
const buf = new Uint8Array(4 + secret.length + value.length);
buf.set(uint32be(iter + 1));
buf.set(secret, 4);
buf.set(value, 4 + secret.length);
res.set(await (0, digest_js_1.default)("sha256", buf), iter * 32);
}
return res.slice(0, bits >> 3);
}
exports2.concatKdf = concatKdf;
}
});
// node_modules/jose/dist/node/cjs/runtime/base64url.js
var require_base64url = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/base64url.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.decode = exports2.encode = exports2.encodeBase64 = exports2.decodeBase64 = void 0;
var node_buffer_1 = requireNodeBuffer;
var buffer_utils_js_1 = require_buffer_utils();
function normalize(input) {
let encoded = input;
if (encoded instanceof Uint8Array) {
encoded = buffer_utils_js_1.decoder.decode(encoded);
}
return encoded;
}
var encode = (input) => node_buffer_1.Buffer.from(input).toString("base64url");
exports2.encode = encode;
var decodeBase64 = (input) => new Uint8Array(node_buffer_1.Buffer.from(input, "base64"));
exports2.decodeBase64 = decodeBase64;
var encodeBase64 = (input) => node_buffer_1.Buffer.from(input).toString("base64");
exports2.encodeBase64 = encodeBase64;
var decode = (input) => new Uint8Array(node_buffer_1.Buffer.from(normalize(input), "base64"));
exports2.decode = decode;
}
});
// node_modules/jose/dist/node/cjs/util/errors.js
var require_errors = __commonJS({
"node_modules/jose/dist/node/cjs/util/errors.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.JWSSignatureVerificationFailed = exports2.JWKSTimeout = exports2.JWKSMultipleMatchingKeys = exports2.JWKSNoMatchingKey = exports2.JWKSInvalid = exports2.JWKInvalid = exports2.JWTInvalid = exports2.JWSInvalid = exports2.JWEInvalid = exports2.JWEDecryptionFailed = exports2.JOSENotSupported = exports2.JOSEAlgNotAllowed = exports2.JWTExpired = exports2.JWTClaimValidationFailed = exports2.JOSEError = void 0;
var JOSEError = class extends Error {
static get code() {
return "ERR_JOSE_GENERIC";
}
code = "ERR_JOSE_GENERIC";
constructor(message) {
super(message);
this.name = this.constructor.name;
Error.captureStackTrace?.(this, this.constructor);
}
};
exports2.JOSEError = JOSEError;
var JWTClaimValidationFailed = class extends JOSEError {
static get code() {
return "ERR_JWT_CLAIM_VALIDATION_FAILED";
}
code = "ERR_JWT_CLAIM_VALIDATION_FAILED";
claim;
reason;
constructor(message, claim = "unspecified", reason = "unspecified") {
super(message);
this.claim = claim;
this.reason = reason;
}
};
exports2.JWTClaimValidationFailed = JWTClaimValidationFailed;
var JWTExpired = class extends JOSEError {
static get code() {
return "ERR_JWT_EXPIRED";
}
code = "ERR_JWT_EXPIRED";
claim;
reason;
constructor(message, claim = "unspecified", reason = "unspecified") {
super(message);
this.claim = claim;
this.reason = reason;
}
};
exports2.JWTExpired = JWTExpired;
var JOSEAlgNotAllowed = class extends JOSEError {
static get code() {
return "ERR_JOSE_ALG_NOT_ALLOWED";
}
code = "ERR_JOSE_ALG_NOT_ALLOWED";
};
exports2.JOSEAlgNotAllowed = JOSEAlgNotAllowed;
var JOSENotSupported = class extends JOSEError {
static get code() {
return "ERR_JOSE_NOT_SUPPORTED";
}
code = "ERR_JOSE_NOT_SUPPORTED";
};
exports2.JOSENotSupported = JOSENotSupported;
var JWEDecryptionFailed = class extends JOSEError {
static get code() {
return "ERR_JWE_DECRYPTION_FAILED";
}
code = "ERR_JWE_DECRYPTION_FAILED";
message = "decryption operation failed";
};
exports2.JWEDecryptionFailed = JWEDecryptionFailed;
var JWEInvalid = class extends JOSEError {
static get code() {
return "ERR_JWE_INVALID";
}
code = "ERR_JWE_INVALID";
};
exports2.JWEInvalid = JWEInvalid;
var JWSInvalid = class extends JOSEError {
static get code() {
return "ERR_JWS_INVALID";
}
code = "ERR_JWS_INVALID";
};
exports2.JWSInvalid = JWSInvalid;
var JWTInvalid = class extends JOSEError {
static get code() {
return "ERR_JWT_INVALID";
}
code = "ERR_JWT_INVALID";
};
exports2.JWTInvalid = JWTInvalid;
var JWKInvalid = class extends JOSEError {
static get code() {
return "ERR_JWK_INVALID";
}
code = "ERR_JWK_INVALID";
};
exports2.JWKInvalid = JWKInvalid;
var JWKSInvalid = class extends JOSEError {
static get code() {
return "ERR_JWKS_INVALID";
}
code = "ERR_JWKS_INVALID";
};
exports2.JWKSInvalid = JWKSInvalid;
var JWKSNoMatchingKey = class extends JOSEError {
static get code() {
return "ERR_JWKS_NO_MATCHING_KEY";
}
code = "ERR_JWKS_NO_MATCHING_KEY";
message = "no applicable key found in the JSON Web Key Set";
};
exports2.JWKSNoMatchingKey = JWKSNoMatchingKey;
var JWKSMultipleMatchingKeys = class extends JOSEError {
[Symbol.asyncIterator];
static get code() {
return "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
}
code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS";
message = "multiple matching keys found in the JSON Web Key Set";
};
exports2.JWKSMultipleMatchingKeys = JWKSMultipleMatchingKeys;
var JWKSTimeout = class extends JOSEError {
static get code() {
return "ERR_JWKS_TIMEOUT";
}
code = "ERR_JWKS_TIMEOUT";
message = "request timed out";
};
exports2.JWKSTimeout = JWKSTimeout;
var JWSSignatureVerificationFailed = class extends JOSEError {
static get code() {
return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
}
code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED";
message = "signature verification failed";
};
exports2.JWSSignatureVerificationFailed = JWSSignatureVerificationFailed;
}
});
// node_modules/jose/dist/node/cjs/runtime/random.js
var require_random = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/random.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.default = void 0;
var node_crypto_1 = requireNodeCrypto;
Object.defineProperty(exports2, "default", { enumerable: true, get: function() {
return node_crypto_1.randomFillSync;
} });
}
});
// node_modules/jose/dist/node/cjs/lib/iv.js
var require_iv = __commonJS({
"node_modules/jose/dist/node/cjs/lib/iv.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.bitLength = void 0;
var errors_js_1 = require_errors();
var random_js_1 = require_random();
function bitLength(alg) {
switch (alg) {
case "A128GCM":
case "A128GCMKW":
case "A192GCM":
case "A192GCMKW":
case "A256GCM":
case "A256GCMKW":
return 96;
case "A128CBC-HS256":
case "A192CBC-HS384":
case "A256CBC-HS512":
return 128;
default:
throw new errors_js_1.JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
}
}
exports2.bitLength = bitLength;
exports2.default = (alg) => (0, random_js_1.default)(new Uint8Array(bitLength(alg) >> 3));
}
});
// node_modules/jose/dist/node/cjs/lib/check_iv_length.js
var require_check_iv_length = __commonJS({
"node_modules/jose/dist/node/cjs/lib/check_iv_length.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var errors_js_1 = require_errors();
var iv_js_1 = require_iv();
var checkIvLength = (enc, iv) => {
if (iv.length << 3 !== (0, iv_js_1.bitLength)(enc)) {
throw new errors_js_1.JWEInvalid("Invalid Initialization Vector length");
}
};
exports2.default = checkIvLength;
}
});
// node_modules/jose/dist/node/cjs/runtime/is_key_object.js
var require_is_key_object = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/is_key_object.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var util = requireNodeUtil;
exports2.default = (obj) => util.types.isKeyObject(obj);
}
});
// node_modules/jose/dist/node/cjs/runtime/check_cek_length.js
var require_check_cek_length = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/check_cek_length.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var errors_js_1 = require_errors();
var is_key_object_js_1 = require_is_key_object();
var checkCekLength = (enc, cek) => {
let expected;
switch (enc) {
case "A128CBC-HS256":
case "A192CBC-HS384":
case "A256CBC-HS512":
expected = parseInt(enc.slice(-3), 10);
break;
case "A128GCM":
case "A192GCM":
case "A256GCM":
expected = parseInt(enc.slice(1, 4), 10);
break;
default:
throw new errors_js_1.JOSENotSupported(`Content Encryption Algorithm ${enc} is not supported either by JOSE or your javascript runtime`);
}
if (cek instanceof Uint8Array) {
const actual = cek.byteLength << 3;
if (actual !== expected) {
throw new errors_js_1.JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
}
return;
}
if ((0, is_key_object_js_1.default)(cek) && cek.type === "secret") {
const actual = cek.symmetricKeySize << 3;
if (actual !== expected) {
throw new errors_js_1.JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
}
return;
}
throw new TypeError("Invalid Content Encryption Key type");
};
exports2.default = checkCekLength;
}
});
// node_modules/jose/dist/node/cjs/runtime/timing_safe_equal.js
var require_timing_safe_equal = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/timing_safe_equal.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var timingSafeEqual = node_crypto_1.timingSafeEqual;
exports2.default = timingSafeEqual;
}
});
// node_modules/jose/dist/node/cjs/runtime/cbc_tag.js
var require_cbc_tag = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/cbc_tag.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var buffer_utils_js_1 = require_buffer_utils();
function cbcTag(aad, iv, ciphertext, macSize, macKey, keySize) {
const macData = (0, buffer_utils_js_1.concat)(aad, iv, ciphertext, (0, buffer_utils_js_1.uint64be)(aad.length << 3));
const hmac = (0, node_crypto_1.createHmac)(`sha${macSize}`, macKey);
hmac.update(macData);
return hmac.digest().slice(0, keySize >> 3);
}
exports2.default = cbcTag;
}
});
// node_modules/jose/dist/node/cjs/runtime/webcrypto.js
var require_webcrypto = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/webcrypto.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.isCryptoKey = void 0;
var crypto = requireNodeCrypto;
var util = requireNodeUtil;
var webcrypto = crypto.webcrypto;
exports2.default = webcrypto;
var isCryptoKey = (key) => util.types.isCryptoKey(key);
exports2.isCryptoKey = isCryptoKey;
}
});
// node_modules/jose/dist/node/cjs/lib/crypto_key.js
var require_crypto_key = __commonJS({
"node_modules/jose/dist/node/cjs/lib/crypto_key.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.checkEncCryptoKey = exports2.checkSigCryptoKey = void 0;
function unusable(name, prop = "algorithm.name") {
return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`);
}
function isAlgorithm(algorithm, name) {
return algorithm.name === name;
}
function getHashLength(hash) {
return parseInt(hash.name.slice(4), 10);
}
function getNamedCurve(alg) {
switch (alg) {
case "ES256":
return "P-256";
case "ES384":
return "P-384";
case "ES512":
return "P-521";
default:
throw new Error("unreachable");
}
}
function checkUsage(key, usages) {
if (usages.length && !usages.some((expected) => key.usages.includes(expected))) {
let msg = "CryptoKey does not support this operation, its usages must include ";
if (usages.length > 2) {
const last = usages.pop();
msg += `one of ${usages.join(", ")}, or ${last}.`;
} else if (usages.length === 2) {
msg += `one of ${usages[0]} or ${usages[1]}.`;
} else {
msg += `${usages[0]}.`;
}
throw new TypeError(msg);
}
}
function checkSigCryptoKey(key, alg, ...usages) {
switch (alg) {
case "HS256":
case "HS384":
case "HS512": {
if (!isAlgorithm(key.algorithm, "HMAC"))
throw unusable("HMAC");
const expected = parseInt(alg.slice(2), 10);
const actual = getHashLength(key.algorithm.hash);
if (actual !== expected)
throw unusable(`SHA-${expected}`, "algorithm.hash");
break;
}
case "RS256":
case "RS384":
case "RS512": {
if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5"))
throw unusable("RSASSA-PKCS1-v1_5");
const expected = parseInt(alg.slice(2), 10);
const actual = getHashLength(key.algorithm.hash);
if (actual !== expected)
throw unusable(`SHA-${expected}`, "algorithm.hash");
break;
}
case "PS256":
case "PS384":
case "PS512": {
if (!isAlgorithm(key.algorithm, "RSA-PSS"))
throw unusable("RSA-PSS");
const expected = parseInt(alg.slice(2), 10);
const actual = getHashLength(key.algorithm.hash);
if (actual !== expected)
throw unusable(`SHA-${expected}`, "algorithm.hash");
break;
}
case "EdDSA": {
if (key.algorithm.name !== "Ed25519" && key.algorithm.name !== "Ed448") {
throw unusable("Ed25519 or Ed448");
}
break;
}
case "ES256":
case "ES384":
case "ES512": {
if (!isAlgorithm(key.algorithm, "ECDSA"))
throw unusable("ECDSA");
const expected = getNamedCurve(alg);
const actual = key.algorithm.namedCurve;
if (actual !== expected)
throw unusable(expected, "algorithm.namedCurve");
break;
}
default:
throw new TypeError("CryptoKey does not support this operation");
}
checkUsage(key, usages);
}
exports2.checkSigCryptoKey = checkSigCryptoKey;
function checkEncCryptoKey(key, alg, ...usages) {
switch (alg) {
case "A128GCM":
case "A192GCM":
case "A256GCM": {
if (!isAlgorithm(key.algorithm, "AES-GCM"))
throw unusable("AES-GCM");
const expected = parseInt(alg.slice(1, 4), 10);
const actual = key.algorithm.length;
if (actual !== expected)
throw unusable(expected, "algorithm.length");
break;
}
case "A128KW":
case "A192KW":
case "A256KW": {
if (!isAlgorithm(key.algorithm, "AES-KW"))
throw unusable("AES-KW");
const expected = parseInt(alg.slice(1, 4), 10);
const actual = key.algorithm.length;
if (actual !== expected)
throw unusable(expected, "algorithm.length");
break;
}
case "ECDH": {
switch (key.algorithm.name) {
case "ECDH":
case "X25519":
case "X448":
break;
default:
throw unusable("ECDH, X25519, or X448");
}
break;
}
case "PBES2-HS256+A128KW":
case "PBES2-HS384+A192KW":
case "PBES2-HS512+A256KW":
if (!isAlgorithm(key.algorithm, "PBKDF2"))
throw unusable("PBKDF2");
break;
case "RSA-OAEP":
case "RSA-OAEP-256":
case "RSA-OAEP-384":
case "RSA-OAEP-512": {
if (!isAlgorithm(key.algorithm, "RSA-OAEP"))
throw unusable("RSA-OAEP");
const expected = parseInt(alg.slice(9), 10) || 1;
const actual = getHashLength(key.algorithm.hash);
if (actual !== expected)
throw unusable(`SHA-${expected}`, "algorithm.hash");
break;
}
default:
throw new TypeError("CryptoKey does not support this operation");
}
checkUsage(key, usages);
}
exports2.checkEncCryptoKey = checkEncCryptoKey;
}
});
// node_modules/jose/dist/node/cjs/lib/invalid_key_input.js
var require_invalid_key_input = __commonJS({
"node_modules/jose/dist/node/cjs/lib/invalid_key_input.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.withAlg = void 0;
function message(msg, actual, ...types) {
if (types.length > 2) {
const last = types.pop();
msg += `one of type ${types.join(", ")}, or ${last}.`;
} else if (types.length === 2) {
msg += `one of type ${types[0]} or ${types[1]}.`;
} else {
msg += `of type ${types[0]}.`;
}
if (actual == null) {
msg += ` Received ${actual}`;
} else if (typeof actual === "function" && actual.name) {
msg += ` Received function ${actual.name}`;
} else if (typeof actual === "object" && actual != null) {
if (actual.constructor?.name) {
msg += ` Received an instance of ${actual.constructor.name}`;
}
}
return msg;
}
exports2.default = (actual, ...types) => {
return message("Key must be ", actual, ...types);
};
function withAlg(alg, actual, ...types) {
return message(`Key for the ${alg} algorithm must be `, actual, ...types);
}
exports2.withAlg = withAlg;
}
});
// node_modules/jose/dist/node/cjs/runtime/ciphers.js
var require_ciphers = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/ciphers.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var ciphers;
exports2.default = (algorithm) => {
ciphers ||= new Set((0, node_crypto_1.getCiphers)());
return ciphers.has(algorithm);
};
}
});
// node_modules/jose/dist/node/cjs/runtime/is_key_like.js
var require_is_key_like = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/is_key_like.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.types = void 0;
var webcrypto_js_1 = require_webcrypto();
var is_key_object_js_1 = require_is_key_object();
exports2.default = (key) => (0, is_key_object_js_1.default)(key) || (0, webcrypto_js_1.isCryptoKey)(key);
var types = ["KeyObject"];
exports2.types = types;
if (globalThis.CryptoKey || webcrypto_js_1.default?.CryptoKey) {
types.push("CryptoKey");
}
}
});
// node_modules/jose/dist/node/cjs/runtime/decrypt.js
var require_decrypt = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/decrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var check_iv_length_js_1 = require_check_iv_length();
var check_cek_length_js_1 = require_check_cek_length();
var buffer_utils_js_1 = require_buffer_utils();
var errors_js_1 = require_errors();
var timing_safe_equal_js_1 = require_timing_safe_equal();
var cbc_tag_js_1 = require_cbc_tag();
var webcrypto_js_1 = require_webcrypto();
var crypto_key_js_1 = require_crypto_key();
var is_key_object_js_1 = require_is_key_object();
var invalid_key_input_js_1 = require_invalid_key_input();
var ciphers_js_1 = require_ciphers();
var is_key_like_js_1 = require_is_key_like();
function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {
const keySize = parseInt(enc.slice(1, 4), 10);
if ((0, is_key_object_js_1.default)(cek)) {
cek = cek.export();
}
const encKey = cek.subarray(keySize >> 3);
const macKey = cek.subarray(0, keySize >> 3);
const macSize = parseInt(enc.slice(-3), 10);
const algorithm = `aes-${keySize}-cbc`;
if (!(0, ciphers_js_1.default)(algorithm)) {
throw new errors_js_1.JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`);
}
const expectedTag = (0, cbc_tag_js_1.default)(aad, iv, ciphertext, macSize, macKey, keySize);
let macCheckPassed;
try {
macCheckPassed = (0, timing_safe_equal_js_1.default)(tag, expectedTag);
} catch {
}
if (!macCheckPassed) {
throw new errors_js_1.JWEDecryptionFailed();
}
let plaintext;
try {
const decipher = (0, node_crypto_1.createDecipheriv)(algorithm, encKey, iv);
plaintext = (0, buffer_utils_js_1.concat)(decipher.update(ciphertext), decipher.final());
} catch {
}
if (!plaintext) {
throw new errors_js_1.JWEDecryptionFailed();
}
return plaintext;
}
function gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) {
const keySize = parseInt(enc.slice(1, 4), 10);
const algorithm = `aes-${keySize}-gcm`;
if (!(0, ciphers_js_1.default)(algorithm)) {
throw new errors_js_1.JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`);
}
try {
const decipher = (0, node_crypto_1.createDecipheriv)(algorithm, cek, iv, { authTagLength: 16 });
decipher.setAuthTag(tag);
if (aad.byteLength) {
decipher.setAAD(aad, { plaintextLength: ciphertext.length });
}
const plaintext = decipher.update(ciphertext);
decipher.final();
return plaintext;
} catch {
throw new errors_js_1.JWEDecryptionFailed();
}
}
var decrypt = (enc, cek, ciphertext, iv, tag, aad) => {
let key;
if ((0, webcrypto_js_1.isCryptoKey)(cek)) {
(0, crypto_key_js_1.checkEncCryptoKey)(cek, enc, "decrypt");
key = node_crypto_1.KeyObject.from(cek);
} else if (cek instanceof Uint8Array || (0, is_key_object_js_1.default)(cek)) {
key = cek;
} else {
throw new TypeError((0, invalid_key_input_js_1.default)(cek, ...is_key_like_js_1.types, "Uint8Array"));
}
if (!iv) {
throw new errors_js_1.JWEInvalid("JWE Initialization Vector missing");
}
if (!tag) {
throw new errors_js_1.JWEInvalid("JWE Authentication Tag missing");
}
(0, check_cek_length_js_1.default)(enc, key);
(0, check_iv_length_js_1.default)(enc, iv);
switch (enc) {
case "A128CBC-HS256":
case "A192CBC-HS384":
case "A256CBC-HS512":
return cbcDecrypt(enc, key, ciphertext, iv, tag, aad);
case "A128GCM":
case "A192GCM":
case "A256GCM":
return gcmDecrypt(enc, key, ciphertext, iv, tag, aad);
default:
throw new errors_js_1.JOSENotSupported("Unsupported JWE Content Encryption Algorithm");
}
};
exports2.default = decrypt;
}
});
// node_modules/jose/dist/node/cjs/lib/is_disjoint.js
var require_is_disjoint = __commonJS({
"node_modules/jose/dist/node/cjs/lib/is_disjoint.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var isDisjoint = (...headers) => {
const sources = headers.filter(Boolean);
if (sources.length === 0 || sources.length === 1) {
return true;
}
let acc;
for (const header of sources) {
const parameters = Object.keys(header);
if (!acc || acc.size === 0) {
acc = new Set(parameters);
continue;
}
for (const parameter of parameters) {
if (acc.has(parameter)) {
return false;
}
acc.add(parameter);
}
}
return true;
};
exports2.default = isDisjoint;
}
});
// node_modules/jose/dist/node/cjs/lib/is_object.js
var require_is_object = __commonJS({
"node_modules/jose/dist/node/cjs/lib/is_object.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
function isObjectLike(value) {
return typeof value === "object" && value !== null;
}
function isObject(input) {
if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") {
return false;
}
if (Object.getPrototypeOf(input) === null) {
return true;
}
let proto = input;
while (Object.getPrototypeOf(proto) !== null) {
proto = Object.getPrototypeOf(proto);
}
return Object.getPrototypeOf(input) === proto;
}
exports2.default = isObject;
}
});
// node_modules/jose/dist/node/cjs/runtime/aeskw.js
var require_aeskw = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/aeskw.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.unwrap = exports2.wrap = void 0;
var node_buffer_1 = requireNodeBuffer;
var node_crypto_1 = requireNodeCrypto;
var errors_js_1 = require_errors();
var buffer_utils_js_1 = require_buffer_utils();
var webcrypto_js_1 = require_webcrypto();
var crypto_key_js_1 = require_crypto_key();
var is_key_object_js_1 = require_is_key_object();
var invalid_key_input_js_1 = require_invalid_key_input();
var ciphers_js_1 = require_ciphers();
var is_key_like_js_1 = require_is_key_like();
function checkKeySize(key, alg) {
if (key.symmetricKeySize << 3 !== parseInt(alg.slice(1, 4), 10)) {
throw new TypeError(`Invalid key size for alg: ${alg}`);
}
}
function ensureKeyObject(key, alg, usage) {
if ((0, is_key_object_js_1.default)(key)) {
return key;
}
if (key instanceof Uint8Array) {
return (0, node_crypto_1.createSecretKey)(key);
}
if ((0, webcrypto_js_1.isCryptoKey)(key)) {
(0, crypto_key_js_1.checkEncCryptoKey)(key, alg, usage);
return node_crypto_1.KeyObject.from(key);
}
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, "Uint8Array"));
}
var wrap = (alg, key, cek) => {
const size = parseInt(alg.slice(1, 4), 10);
const algorithm = `aes${size}-wrap`;
if (!(0, ciphers_js_1.default)(algorithm)) {
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
const keyObject = ensureKeyObject(key, alg, "wrapKey");
checkKeySize(keyObject, alg);
const cipher = (0, node_crypto_1.createCipheriv)(algorithm, keyObject, node_buffer_1.Buffer.alloc(8, 166));
return (0, buffer_utils_js_1.concat)(cipher.update(cek), cipher.final());
};
exports2.wrap = wrap;
var unwrap = (alg, key, encryptedKey) => {
const size = parseInt(alg.slice(1, 4), 10);
const algorithm = `aes${size}-wrap`;
if (!(0, ciphers_js_1.default)(algorithm)) {
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
const keyObject = ensureKeyObject(key, alg, "unwrapKey");
checkKeySize(keyObject, alg);
const cipher = (0, node_crypto_1.createDecipheriv)(algorithm, keyObject, node_buffer_1.Buffer.alloc(8, 166));
return (0, buffer_utils_js_1.concat)(cipher.update(encryptedKey), cipher.final());
};
exports2.unwrap = unwrap;
}
});
// node_modules/jose/dist/node/cjs/runtime/get_named_curve.js
var require_get_named_curve = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/get_named_curve.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.weakMap = void 0;
var node_crypto_1 = requireNodeCrypto;
var errors_js_1 = require_errors();
var webcrypto_js_1 = require_webcrypto();
var is_key_object_js_1 = require_is_key_object();
var invalid_key_input_js_1 = require_invalid_key_input();
var is_key_like_js_1 = require_is_key_like();
exports2.weakMap = /* @__PURE__ */ new WeakMap();
var namedCurveToJOSE = (namedCurve) => {
switch (namedCurve) {
case "prime256v1":
return "P-256";
case "secp384r1":
return "P-384";
case "secp521r1":
return "P-521";
case "secp256k1":
return "secp256k1";
default:
throw new errors_js_1.JOSENotSupported("Unsupported key curve for this operation");
}
};
var getNamedCurve = (kee, raw) => {
let key;
if ((0, webcrypto_js_1.isCryptoKey)(kee)) {
key = node_crypto_1.KeyObject.from(kee);
} else if ((0, is_key_object_js_1.default)(kee)) {
key = kee;
} else {
throw new TypeError((0, invalid_key_input_js_1.default)(kee, ...is_key_like_js_1.types));
}
if (key.type === "secret") {
throw new TypeError('only "private" or "public" type keys can be used for this operation');
}
switch (key.asymmetricKeyType) {
case "ed25519":
case "ed448":
return `Ed${key.asymmetricKeyType.slice(2)}`;
case "x25519":
case "x448":
return `X${key.asymmetricKeyType.slice(1)}`;
case "ec": {
const namedCurve = key.asymmetricKeyDetails.namedCurve;
if (raw) {
return namedCurve;
}
return namedCurveToJOSE(namedCurve);
}
default:
throw new TypeError("Invalid asymmetric key type for this operation");
}
};
exports2.default = getNamedCurve;
}
});
// node_modules/jose/dist/node/cjs/runtime/ecdhes.js
var require_ecdhes = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/ecdhes.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.ecdhAllowed = exports2.generateEpk = exports2.deriveKey = void 0;
var node_crypto_1 = requireNodeCrypto;
var node_util_1 = requireNodeUtil;
var get_named_curve_js_1 = require_get_named_curve();
var buffer_utils_js_1 = require_buffer_utils();
var errors_js_1 = require_errors();
var webcrypto_js_1 = require_webcrypto();
var crypto_key_js_1 = require_crypto_key();
var is_key_object_js_1 = require_is_key_object();
var invalid_key_input_js_1 = require_invalid_key_input();
var is_key_like_js_1 = require_is_key_like();
var generateKeyPair = (0, node_util_1.promisify)(node_crypto_1.generateKeyPair);
async function deriveKey(publicKee, privateKee, algorithm, keyLength, apu = new Uint8Array(0), apv = new Uint8Array(0)) {
let publicKey;
if ((0, webcrypto_js_1.isCryptoKey)(publicKee)) {
(0, crypto_key_js_1.checkEncCryptoKey)(publicKee, "ECDH");
publicKey = node_crypto_1.KeyObject.from(publicKee);
} else if ((0, is_key_object_js_1.default)(publicKee)) {
publicKey = publicKee;
} else {
throw new TypeError((0, invalid_key_input_js_1.default)(publicKee, ...is_key_like_js_1.types));
}
let privateKey;
if ((0, webcrypto_js_1.isCryptoKey)(privateKee)) {
(0, crypto_key_js_1.checkEncCryptoKey)(privateKee, "ECDH", "deriveBits");
privateKey = node_crypto_1.KeyObject.from(privateKee);
} else if ((0, is_key_object_js_1.default)(privateKee)) {
privateKey = privateKee;
} else {
throw new TypeError((0, invalid_key_input_js_1.default)(privateKee, ...is_key_like_js_1.types));
}
const value = (0, buffer_utils_js_1.concat)((0, buffer_utils_js_1.lengthAndInput)(buffer_utils_js_1.encoder.encode(algorithm)), (0, buffer_utils_js_1.lengthAndInput)(apu), (0, buffer_utils_js_1.lengthAndInput)(apv), (0, buffer_utils_js_1.uint32be)(keyLength));
const sharedSecret = (0, node_crypto_1.diffieHellman)({ privateKey, publicKey });
return (0, buffer_utils_js_1.concatKdf)(sharedSecret, keyLength, value);
}
exports2.deriveKey = deriveKey;
async function generateEpk(kee) {
let key;
if ((0, webcrypto_js_1.isCryptoKey)(kee)) {
key = node_crypto_1.KeyObject.from(kee);
} else if ((0, is_key_object_js_1.default)(kee)) {
key = kee;
} else {
throw new TypeError((0, invalid_key_input_js_1.default)(kee, ...is_key_like_js_1.types));
}
switch (key.asymmetricKeyType) {
case "x25519":
return generateKeyPair("x25519");
case "x448": {
return generateKeyPair("x448");
}
case "ec": {
const namedCurve = (0, get_named_curve_js_1.default)(key);
return generateKeyPair("ec", { namedCurve });
}
default:
throw new errors_js_1.JOSENotSupported("Invalid or unsupported EPK");
}
}
exports2.generateEpk = generateEpk;
var ecdhAllowed = (key) => ["P-256", "P-384", "P-521", "X25519", "X448"].includes((0, get_named_curve_js_1.default)(key));
exports2.ecdhAllowed = ecdhAllowed;
}
});
// node_modules/jose/dist/node/cjs/lib/check_p2s.js
var require_check_p2s = __commonJS({
"node_modules/jose/dist/node/cjs/lib/check_p2s.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var errors_js_1 = require_errors();
function checkP2s(p2s) {
if (!(p2s instanceof Uint8Array) || p2s.length < 8) {
throw new errors_js_1.JWEInvalid("PBES2 Salt Input must be 8 or more octets");
}
}
exports2.default = checkP2s;
}
});
// node_modules/jose/dist/node/cjs/runtime/pbes2kw.js
var require_pbes2kw = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/pbes2kw.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.decrypt = exports2.encrypt = void 0;
var node_util_1 = requireNodeUtil;
var node_crypto_1 = requireNodeCrypto;
var random_js_1 = require_random();
var buffer_utils_js_1 = require_buffer_utils();
var base64url_js_1 = require_base64url();
var aeskw_js_1 = require_aeskw();
var check_p2s_js_1 = require_check_p2s();
var webcrypto_js_1 = require_webcrypto();
var crypto_key_js_1 = require_crypto_key();
var is_key_object_js_1 = require_is_key_object();
var invalid_key_input_js_1 = require_invalid_key_input();
var is_key_like_js_1 = require_is_key_like();
var pbkdf2 = (0, node_util_1.promisify)(node_crypto_1.pbkdf2);
function getPassword(key, alg) {
if ((0, is_key_object_js_1.default)(key)) {
return key.export();
}
if (key instanceof Uint8Array) {
return key;
}
if ((0, webcrypto_js_1.isCryptoKey)(key)) {
(0, crypto_key_js_1.checkEncCryptoKey)(key, alg, "deriveBits", "deriveKey");
return node_crypto_1.KeyObject.from(key).export();
}
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, "Uint8Array"));
}
var encrypt = async (alg, key, cek, p2c = 2048, p2s = (0, random_js_1.default)(new Uint8Array(16))) => {
(0, check_p2s_js_1.default)(p2s);
const salt = (0, buffer_utils_js_1.p2s)(alg, p2s);
const keylen = parseInt(alg.slice(13, 16), 10) >> 3;
const password = getPassword(key, alg);
const derivedKey = await pbkdf2(password, salt, p2c, keylen, `sha${alg.slice(8, 11)}`);
const encryptedKey = await (0, aeskw_js_1.wrap)(alg.slice(-6), derivedKey, cek);
return { encryptedKey, p2c, p2s: (0, base64url_js_1.encode)(p2s) };
};
exports2.encrypt = encrypt;
var decrypt = async (alg, key, encryptedKey, p2c, p2s) => {
(0, check_p2s_js_1.default)(p2s);
const salt = (0, buffer_utils_js_1.p2s)(alg, p2s);
const keylen = parseInt(alg.slice(13, 16), 10) >> 3;
const password = getPassword(key, alg);
const derivedKey = await pbkdf2(password, salt, p2c, keylen, `sha${alg.slice(8, 11)}`);
return (0, aeskw_js_1.unwrap)(alg.slice(-6), derivedKey, encryptedKey);
};
exports2.decrypt = decrypt;
}
});
// node_modules/jose/dist/node/cjs/runtime/check_key_length.js
var require_check_key_length = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/check_key_length.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.default = (key, alg) => {
const { modulusLength } = key.asymmetricKeyDetails;
if (typeof modulusLength !== "number" || modulusLength < 2048) {
throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
}
};
}
});
// node_modules/jose/dist/node/cjs/runtime/rsaes.js
var require_rsaes = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/rsaes.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.decrypt = exports2.encrypt = void 0;
var node_crypto_1 = requireNodeCrypto;
var node_util_1 = requireNodeUtil;
var check_key_length_js_1 = require_check_key_length();
var webcrypto_js_1 = require_webcrypto();
var crypto_key_js_1 = require_crypto_key();
var is_key_object_js_1 = require_is_key_object();
var invalid_key_input_js_1 = require_invalid_key_input();
var is_key_like_js_1 = require_is_key_like();
var checkKey = (key, alg) => {
if (key.asymmetricKeyType !== "rsa") {
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa");
}
(0, check_key_length_js_1.default)(key, alg);
};
var RSA1_5 = (0, node_util_1.deprecate)(() => node_crypto_1.constants.RSA_PKCS1_PADDING, 'The RSA1_5 "alg" (JWE Algorithm) is deprecated and will be removed in the next major revision.');
var resolvePadding = (alg) => {
switch (alg) {
case "RSA-OAEP":
case "RSA-OAEP-256":
case "RSA-OAEP-384":
case "RSA-OAEP-512":
return node_crypto_1.constants.RSA_PKCS1_OAEP_PADDING;
case "RSA1_5":
return RSA1_5();
default:
return void 0;
}
};
var resolveOaepHash = (alg) => {
switch (alg) {
case "RSA-OAEP":
return "sha1";
case "RSA-OAEP-256":
return "sha256";
case "RSA-OAEP-384":
return "sha384";
case "RSA-OAEP-512":
return "sha512";
default:
return void 0;
}
};
function ensureKeyObject(key, alg, ...usages) {
if ((0, is_key_object_js_1.default)(key)) {
return key;
}
if ((0, webcrypto_js_1.isCryptoKey)(key)) {
(0, crypto_key_js_1.checkEncCryptoKey)(key, alg, ...usages);
return node_crypto_1.KeyObject.from(key);
}
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types));
}
var encrypt = (alg, key, cek) => {
const padding = resolvePadding(alg);
const oaepHash = resolveOaepHash(alg);
const keyObject = ensureKeyObject(key, alg, "wrapKey", "encrypt");
checkKey(keyObject, alg);
return (0, node_crypto_1.publicEncrypt)({ key: keyObject, oaepHash, padding }, cek);
};
exports2.encrypt = encrypt;
var decrypt = (alg, key, encryptedKey) => {
const padding = resolvePadding(alg);
const oaepHash = resolveOaepHash(alg);
const keyObject = ensureKeyObject(key, alg, "unwrapKey", "decrypt");
checkKey(keyObject, alg);
return (0, node_crypto_1.privateDecrypt)({ key: keyObject, oaepHash, padding }, encryptedKey);
};
exports2.decrypt = decrypt;
}
});
// node_modules/jose/dist/node/cjs/lib/cek.js
var require_cek = __commonJS({
"node_modules/jose/dist/node/cjs/lib/cek.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.bitLength = void 0;
var errors_js_1 = require_errors();
var random_js_1 = require_random();
function bitLength(alg) {
switch (alg) {
case "A128GCM":
return 128;
case "A192GCM":
return 192;
case "A256GCM":
case "A128CBC-HS256":
return 256;
case "A192CBC-HS384":
return 384;
case "A256CBC-HS512":
return 512;
default:
throw new errors_js_1.JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`);
}
}
exports2.bitLength = bitLength;
exports2.default = (alg) => (0, random_js_1.default)(new Uint8Array(bitLength(alg) >> 3));
}
});
// node_modules/jose/dist/node/cjs/runtime/asn1.js
var require_asn1 = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/asn1.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.fromX509 = exports2.fromSPKI = exports2.fromPKCS8 = exports2.toPKCS8 = exports2.toSPKI = void 0;
var node_crypto_1 = requireNodeCrypto;
var node_buffer_1 = requireNodeBuffer;
var webcrypto_js_1 = require_webcrypto();
var is_key_object_js_1 = require_is_key_object();
var invalid_key_input_js_1 = require_invalid_key_input();
var is_key_like_js_1 = require_is_key_like();
var genericExport = (keyType, keyFormat, key) => {
let keyObject;
if ((0, webcrypto_js_1.isCryptoKey)(key)) {
if (!key.extractable) {
throw new TypeError("CryptoKey is not extractable");
}
keyObject = node_crypto_1.KeyObject.from(key);
} else if ((0, is_key_object_js_1.default)(key)) {
keyObject = key;
} else {
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types));
}
if (keyObject.type !== keyType) {
throw new TypeError(`key is not a ${keyType} key`);
}
return keyObject.export({ format: "pem", type: keyFormat });
};
var toSPKI = (key) => {
return genericExport("public", "spki", key);
};
exports2.toSPKI = toSPKI;
var toPKCS8 = (key) => {
return genericExport("private", "pkcs8", key);
};
exports2.toPKCS8 = toPKCS8;
var fromPKCS8 = (pem) => (0, node_crypto_1.createPrivateKey)({
key: node_buffer_1.Buffer.from(pem.replace(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, ""), "base64"),
type: "pkcs8",
format: "der"
});
exports2.fromPKCS8 = fromPKCS8;
var fromSPKI = (pem) => (0, node_crypto_1.createPublicKey)({
key: node_buffer_1.Buffer.from(pem.replace(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, ""), "base64"),
type: "spki",
format: "der"
});
exports2.fromSPKI = fromSPKI;
var fromX509 = (pem) => (0, node_crypto_1.createPublicKey)({
key: pem,
type: "spki",
format: "pem"
});
exports2.fromX509 = fromX509;
}
});
// node_modules/jose/dist/node/cjs/runtime/jwk_to_key.js
var require_jwk_to_key = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/jwk_to_key.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var parse = (jwk) => {
return (jwk.d ? node_crypto_1.createPrivateKey : node_crypto_1.createPublicKey)({ format: "jwk", key: jwk });
};
exports2.default = parse;
}
});
// node_modules/jose/dist/node/cjs/key/import.js
var require_import = __commonJS({
"node_modules/jose/dist/node/cjs/key/import.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.importJWK = exports2.importPKCS8 = exports2.importX509 = exports2.importSPKI = void 0;
var base64url_js_1 = require_base64url();
var asn1_js_1 = require_asn1();
var jwk_to_key_js_1 = require_jwk_to_key();
var errors_js_1 = require_errors();
var is_object_js_1 = require_is_object();
async function importSPKI(spki, alg, options) {
if (typeof spki !== "string" || spki.indexOf("-----BEGIN PUBLIC KEY-----") !== 0) {
throw new TypeError('"spki" must be SPKI formatted string');
}
return (0, asn1_js_1.fromSPKI)(spki, alg, options);
}
exports2.importSPKI = importSPKI;
async function importX509(x509, alg, options) {
if (typeof x509 !== "string" || x509.indexOf("-----BEGIN CERTIFICATE-----") !== 0) {
throw new TypeError('"x509" must be X.509 formatted string');
}
return (0, asn1_js_1.fromX509)(x509, alg, options);
}
exports2.importX509 = importX509;
async function importPKCS8(pkcs8, alg, options) {
if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) {
throw new TypeError('"pkcs8" must be PKCS#8 formatted string');
}
return (0, asn1_js_1.fromPKCS8)(pkcs8, alg, options);
}
exports2.importPKCS8 = importPKCS8;
async function importJWK(jwk, alg) {
if (!(0, is_object_js_1.default)(jwk)) {
throw new TypeError("JWK must be an object");
}
alg ||= jwk.alg;
switch (jwk.kty) {
case "oct":
if (typeof jwk.k !== "string" || !jwk.k) {
throw new TypeError('missing "k" (Key Value) Parameter value');
}
return (0, base64url_js_1.decode)(jwk.k);
case "RSA":
if (jwk.oth !== void 0) {
throw new errors_js_1.JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported');
}
case "EC":
case "OKP":
return (0, jwk_to_key_js_1.default)({ ...jwk, alg });
default:
throw new errors_js_1.JOSENotSupported('Unsupported "kty" (Key Type) Parameter value');
}
}
exports2.importJWK = importJWK;
}
});
// node_modules/jose/dist/node/cjs/lib/check_key_type.js
var require_check_key_type = __commonJS({
"node_modules/jose/dist/node/cjs/lib/check_key_type.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var invalid_key_input_js_1 = require_invalid_key_input();
var is_key_like_js_1 = require_is_key_like();
var symmetricTypeCheck = (alg, key) => {
if (key instanceof Uint8Array)
return;
if (!(0, is_key_like_js_1.default)(key)) {
throw new TypeError((0, invalid_key_input_js_1.withAlg)(alg, key, ...is_key_like_js_1.types, "Uint8Array"));
}
if (key.type !== "secret") {
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for symmetric algorithms must be of type "secret"`);
}
};
var asymmetricTypeCheck = (alg, key, usage) => {
if (!(0, is_key_like_js_1.default)(key)) {
throw new TypeError((0, invalid_key_input_js_1.withAlg)(alg, key, ...is_key_like_js_1.types));
}
if (key.type === "secret") {
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`);
}
if (usage === "sign" && key.type === "public") {
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`);
}
if (usage === "decrypt" && key.type === "public") {
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`);
}
if (key.algorithm && usage === "verify" && key.type === "private") {
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`);
}
if (key.algorithm && usage === "encrypt" && key.type === "private") {
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`);
}
};
var checkKeyType = (alg, key, usage) => {
const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(alg);
if (symmetric) {
symmetricTypeCheck(alg, key);
} else {
asymmetricTypeCheck(alg, key, usage);
}
};
exports2.default = checkKeyType;
}
});
// node_modules/jose/dist/node/cjs/runtime/encrypt.js
var require_encrypt = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/encrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var check_iv_length_js_1 = require_check_iv_length();
var check_cek_length_js_1 = require_check_cek_length();
var buffer_utils_js_1 = require_buffer_utils();
var cbc_tag_js_1 = require_cbc_tag();
var webcrypto_js_1 = require_webcrypto();
var crypto_key_js_1 = require_crypto_key();
var is_key_object_js_1 = require_is_key_object();
var invalid_key_input_js_1 = require_invalid_key_input();
var errors_js_1 = require_errors();
var ciphers_js_1 = require_ciphers();
var is_key_like_js_1 = require_is_key_like();
function cbcEncrypt(enc, plaintext, cek, iv, aad) {
const keySize = parseInt(enc.slice(1, 4), 10);
if ((0, is_key_object_js_1.default)(cek)) {
cek = cek.export();
}
const encKey = cek.subarray(keySize >> 3);
const macKey = cek.subarray(0, keySize >> 3);
const algorithm = `aes-${keySize}-cbc`;
if (!(0, ciphers_js_1.default)(algorithm)) {
throw new errors_js_1.JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`);
}
const cipher = (0, node_crypto_1.createCipheriv)(algorithm, encKey, iv);
const ciphertext = (0, buffer_utils_js_1.concat)(cipher.update(plaintext), cipher.final());
const macSize = parseInt(enc.slice(-3), 10);
const tag = (0, cbc_tag_js_1.default)(aad, iv, ciphertext, macSize, macKey, keySize);
return { ciphertext, tag };
}
function gcmEncrypt(enc, plaintext, cek, iv, aad) {
const keySize = parseInt(enc.slice(1, 4), 10);
const algorithm = `aes-${keySize}-gcm`;
if (!(0, ciphers_js_1.default)(algorithm)) {
throw new errors_js_1.JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`);
}
const cipher = (0, node_crypto_1.createCipheriv)(algorithm, cek, iv, { authTagLength: 16 });
if (aad.byteLength) {
cipher.setAAD(aad, { plaintextLength: plaintext.length });
}
const ciphertext = cipher.update(plaintext);
cipher.final();
const tag = cipher.getAuthTag();
return { ciphertext, tag };
}
var encrypt = (enc, plaintext, cek, iv, aad) => {
let key;
if ((0, webcrypto_js_1.isCryptoKey)(cek)) {
(0, crypto_key_js_1.checkEncCryptoKey)(cek, enc, "encrypt");
key = node_crypto_1.KeyObject.from(cek);
} else if (cek instanceof Uint8Array || (0, is_key_object_js_1.default)(cek)) {
key = cek;
} else {
throw new TypeError((0, invalid_key_input_js_1.default)(cek, ...is_key_like_js_1.types, "Uint8Array"));
}
(0, check_cek_length_js_1.default)(enc, key);
(0, check_iv_length_js_1.default)(enc, iv);
switch (enc) {
case "A128CBC-HS256":
case "A192CBC-HS384":
case "A256CBC-HS512":
return cbcEncrypt(enc, plaintext, key, iv, aad);
case "A128GCM":
case "A192GCM":
case "A256GCM":
return gcmEncrypt(enc, plaintext, key, iv, aad);
default:
throw new errors_js_1.JOSENotSupported("Unsupported JWE Content Encryption Algorithm");
}
};
exports2.default = encrypt;
}
});
// node_modules/jose/dist/node/cjs/lib/aesgcmkw.js
var require_aesgcmkw = __commonJS({
"node_modules/jose/dist/node/cjs/lib/aesgcmkw.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.unwrap = exports2.wrap = void 0;
var encrypt_js_12 = require_encrypt();
var decrypt_js_12 = require_decrypt();
var iv_js_1 = require_iv();
var base64url_js_1 = require_base64url();
async function wrap(alg, key, cek, iv) {
const jweAlgorithm = alg.slice(0, 7);
iv ||= (0, iv_js_1.default)(jweAlgorithm);
const { ciphertext: encryptedKey, tag } = await (0, encrypt_js_12.default)(jweAlgorithm, cek, key, iv, new Uint8Array(0));
return { encryptedKey, iv: (0, base64url_js_1.encode)(iv), tag: (0, base64url_js_1.encode)(tag) };
}
exports2.wrap = wrap;
async function unwrap(alg, key, encryptedKey, iv, tag) {
const jweAlgorithm = alg.slice(0, 7);
return (0, decrypt_js_12.default)(jweAlgorithm, key, encryptedKey, iv, tag, new Uint8Array(0));
}
exports2.unwrap = unwrap;
}
});
// node_modules/jose/dist/node/cjs/lib/decrypt_key_management.js
var require_decrypt_key_management = __commonJS({
"node_modules/jose/dist/node/cjs/lib/decrypt_key_management.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var aeskw_js_1 = require_aeskw();
var ECDH = require_ecdhes();
var pbes2kw_js_1 = require_pbes2kw();
var rsaes_js_1 = require_rsaes();
var base64url_js_1 = require_base64url();
var errors_js_1 = require_errors();
var cek_js_1 = require_cek();
var import_js_12 = require_import();
var check_key_type_js_1 = require_check_key_type();
var is_object_js_1 = require_is_object();
var aesgcmkw_js_1 = require_aesgcmkw();
async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
(0, check_key_type_js_1.default)(alg, key, "decrypt");
switch (alg) {
case "dir": {
if (encryptedKey !== void 0)
throw new errors_js_1.JWEInvalid("Encountered unexpected JWE Encrypted Key");
return key;
}
case "ECDH-ES":
if (encryptedKey !== void 0)
throw new errors_js_1.JWEInvalid("Encountered unexpected JWE Encrypted Key");
case "ECDH-ES+A128KW":
case "ECDH-ES+A192KW":
case "ECDH-ES+A256KW": {
if (!(0, is_object_js_1.default)(joseHeader.epk))
throw new errors_js_1.JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
if (!ECDH.ecdhAllowed(key))
throw new errors_js_1.JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
const epk = await (0, import_js_12.importJWK)(joseHeader.epk, alg);
let partyUInfo;
let partyVInfo;
if (joseHeader.apu !== void 0) {
if (typeof joseHeader.apu !== "string")
throw new errors_js_1.JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
try {
partyUInfo = (0, base64url_js_1.decode)(joseHeader.apu);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the apu");
}
}
if (joseHeader.apv !== void 0) {
if (typeof joseHeader.apv !== "string")
throw new errors_js_1.JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
try {
partyVInfo = (0, base64url_js_1.decode)(joseHeader.apv);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the apv");
}
}
const sharedSecret = await ECDH.deriveKey(epk, key, alg === "ECDH-ES" ? joseHeader.enc : alg, alg === "ECDH-ES" ? (0, cek_js_1.bitLength)(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);
if (alg === "ECDH-ES")
return sharedSecret;
if (encryptedKey === void 0)
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing");
return (0, aeskw_js_1.unwrap)(alg.slice(-6), sharedSecret, encryptedKey);
}
case "RSA1_5":
case "RSA-OAEP":
case "RSA-OAEP-256":
case "RSA-OAEP-384":
case "RSA-OAEP-512": {
if (encryptedKey === void 0)
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing");
return (0, rsaes_js_1.decrypt)(alg, key, encryptedKey);
}
case "PBES2-HS256+A128KW":
case "PBES2-HS384+A192KW":
case "PBES2-HS512+A256KW": {
if (encryptedKey === void 0)
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing");
if (typeof joseHeader.p2c !== "number")
throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
const p2cLimit = options?.maxPBES2Count || 1e4;
if (joseHeader.p2c > p2cLimit)
throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
if (typeof joseHeader.p2s !== "string")
throw new errors_js_1.JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
let p2s;
try {
p2s = (0, base64url_js_1.decode)(joseHeader.p2s);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the p2s");
}
return (0, pbes2kw_js_1.decrypt)(alg, key, encryptedKey, joseHeader.p2c, p2s);
}
case "A128KW":
case "A192KW":
case "A256KW": {
if (encryptedKey === void 0)
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing");
return (0, aeskw_js_1.unwrap)(alg, key, encryptedKey);
}
case "A128GCMKW":
case "A192GCMKW":
case "A256GCMKW": {
if (encryptedKey === void 0)
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing");
if (typeof joseHeader.iv !== "string")
throw new errors_js_1.JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
if (typeof joseHeader.tag !== "string")
throw new errors_js_1.JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
let iv;
try {
iv = (0, base64url_js_1.decode)(joseHeader.iv);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the iv");
}
let tag;
try {
tag = (0, base64url_js_1.decode)(joseHeader.tag);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the tag");
}
return (0, aesgcmkw_js_1.unwrap)(alg, key, encryptedKey, iv, tag);
}
default: {
throw new errors_js_1.JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value');
}
}
}
exports2.default = decryptKeyManagement;
}
});
// node_modules/jose/dist/node/cjs/lib/validate_crit.js
var require_validate_crit = __commonJS({
"node_modules/jose/dist/node/cjs/lib/validate_crit.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var errors_js_1 = require_errors();
function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) {
if (joseHeader.crit !== void 0 && protectedHeader.crit === void 0) {
throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected');
}
if (!protectedHeader || protectedHeader.crit === void 0) {
return /* @__PURE__ */ new Set();
}
if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) {
throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present');
}
let recognized;
if (recognizedOption !== void 0) {
recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]);
} else {
recognized = recognizedDefault;
}
for (const parameter of protectedHeader.crit) {
if (!recognized.has(parameter)) {
throw new errors_js_1.JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`);
}
if (joseHeader[parameter] === void 0) {
throw new Err(`Extension Header Parameter "${parameter}" is missing`);
}
if (recognized.get(parameter) && protectedHeader[parameter] === void 0) {
throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`);
}
}
return new Set(protectedHeader.crit);
}
exports2.default = validateCrit;
}
});
// node_modules/jose/dist/node/cjs/lib/validate_algorithms.js
var require_validate_algorithms = __commonJS({
"node_modules/jose/dist/node/cjs/lib/validate_algorithms.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var validateAlgorithms = (option, algorithms) => {
if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) {
throw new TypeError(`"${option}" option must be an array of strings`);
}
if (!algorithms) {
return void 0;
}
return new Set(algorithms);
};
exports2.default = validateAlgorithms;
}
});
// node_modules/jose/dist/node/cjs/jwe/flattened/decrypt.js
var require_decrypt2 = __commonJS({
"node_modules/jose/dist/node/cjs/jwe/flattened/decrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.flattenedDecrypt = void 0;
var base64url_js_1 = require_base64url();
var decrypt_js_12 = require_decrypt();
var errors_js_1 = require_errors();
var is_disjoint_js_1 = require_is_disjoint();
var is_object_js_1 = require_is_object();
var decrypt_key_management_js_1 = require_decrypt_key_management();
var buffer_utils_js_1 = require_buffer_utils();
var cek_js_1 = require_cek();
var validate_crit_js_1 = require_validate_crit();
var validate_algorithms_js_1 = require_validate_algorithms();
async function flattenedDecrypt(jwe, key, options) {
if (!(0, is_object_js_1.default)(jwe)) {
throw new errors_js_1.JWEInvalid("Flattened JWE must be an object");
}
if (jwe.protected === void 0 && jwe.header === void 0 && jwe.unprotected === void 0) {
throw new errors_js_1.JWEInvalid("JOSE Header missing");
}
if (jwe.iv !== void 0 && typeof jwe.iv !== "string") {
throw new errors_js_1.JWEInvalid("JWE Initialization Vector incorrect type");
}
if (typeof jwe.ciphertext !== "string") {
throw new errors_js_1.JWEInvalid("JWE Ciphertext missing or incorrect type");
}
if (jwe.tag !== void 0 && typeof jwe.tag !== "string") {
throw new errors_js_1.JWEInvalid("JWE Authentication Tag incorrect type");
}
if (jwe.protected !== void 0 && typeof jwe.protected !== "string") {
throw new errors_js_1.JWEInvalid("JWE Protected Header incorrect type");
}
if (jwe.encrypted_key !== void 0 && typeof jwe.encrypted_key !== "string") {
throw new errors_js_1.JWEInvalid("JWE Encrypted Key incorrect type");
}
if (jwe.aad !== void 0 && typeof jwe.aad !== "string") {
throw new errors_js_1.JWEInvalid("JWE AAD incorrect type");
}
if (jwe.header !== void 0 && !(0, is_object_js_1.default)(jwe.header)) {
throw new errors_js_1.JWEInvalid("JWE Shared Unprotected Header incorrect type");
}
if (jwe.unprotected !== void 0 && !(0, is_object_js_1.default)(jwe.unprotected)) {
throw new errors_js_1.JWEInvalid("JWE Per-Recipient Unprotected Header incorrect type");
}
let parsedProt;
if (jwe.protected) {
try {
const protectedHeader2 = (0, base64url_js_1.decode)(jwe.protected);
parsedProt = JSON.parse(buffer_utils_js_1.decoder.decode(protectedHeader2));
} catch {
throw new errors_js_1.JWEInvalid("JWE Protected Header is invalid");
}
}
if (!(0, is_disjoint_js_1.default)(parsedProt, jwe.header, jwe.unprotected)) {
throw new errors_js_1.JWEInvalid("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint");
}
const joseHeader = {
...parsedProt,
...jwe.header,
...jwe.unprotected
};
(0, validate_crit_js_1.default)(errors_js_1.JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, parsedProt, joseHeader);
if (joseHeader.zip !== void 0) {
throw new errors_js_1.JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
}
const { alg, enc } = joseHeader;
if (typeof alg !== "string" || !alg) {
throw new errors_js_1.JWEInvalid("missing JWE Algorithm (alg) in JWE Header");
}
if (typeof enc !== "string" || !enc) {
throw new errors_js_1.JWEInvalid("missing JWE Encryption Algorithm (enc) in JWE Header");
}
const keyManagementAlgorithms = options && (0, validate_algorithms_js_1.default)("keyManagementAlgorithms", options.keyManagementAlgorithms);
const contentEncryptionAlgorithms = options && (0, validate_algorithms_js_1.default)("contentEncryptionAlgorithms", options.contentEncryptionAlgorithms);
if (keyManagementAlgorithms && !keyManagementAlgorithms.has(alg) || !keyManagementAlgorithms && alg.startsWith("PBES2")) {
throw new errors_js_1.JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
}
if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) {
throw new errors_js_1.JOSEAlgNotAllowed('"enc" (Encryption Algorithm) Header Parameter value not allowed');
}
let encryptedKey;
if (jwe.encrypted_key !== void 0) {
try {
encryptedKey = (0, base64url_js_1.decode)(jwe.encrypted_key);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the encrypted_key");
}
}
let resolvedKey = false;
if (typeof key === "function") {
key = await key(parsedProt, jwe);
resolvedKey = true;
}
let cek;
try {
cek = await (0, decrypt_key_management_js_1.default)(alg, key, encryptedKey, joseHeader, options);
} catch (err) {
if (err instanceof TypeError || err instanceof errors_js_1.JWEInvalid || err instanceof errors_js_1.JOSENotSupported) {
throw err;
}
cek = (0, cek_js_1.default)(enc);
}
let iv;
let tag;
if (jwe.iv !== void 0) {
try {
iv = (0, base64url_js_1.decode)(jwe.iv);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the iv");
}
}
if (jwe.tag !== void 0) {
try {
tag = (0, base64url_js_1.decode)(jwe.tag);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the tag");
}
}
const protectedHeader = buffer_utils_js_1.encoder.encode(jwe.protected ?? "");
let additionalData;
if (jwe.aad !== void 0) {
additionalData = (0, buffer_utils_js_1.concat)(protectedHeader, buffer_utils_js_1.encoder.encode("."), buffer_utils_js_1.encoder.encode(jwe.aad));
} else {
additionalData = protectedHeader;
}
let ciphertext;
try {
ciphertext = (0, base64url_js_1.decode)(jwe.ciphertext);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the ciphertext");
}
const plaintext = await (0, decrypt_js_12.default)(enc, cek, ciphertext, iv, tag, additionalData);
const result = { plaintext };
if (jwe.protected !== void 0) {
result.protectedHeader = parsedProt;
}
if (jwe.aad !== void 0) {
try {
result.additionalAuthenticatedData = (0, base64url_js_1.decode)(jwe.aad);
} catch {
throw new errors_js_1.JWEInvalid("Failed to base64url decode the aad");
}
}
if (jwe.unprotected !== void 0) {
result.sharedUnprotectedHeader = jwe.unprotected;
}
if (jwe.header !== void 0) {
result.unprotectedHeader = jwe.header;
}
if (resolvedKey) {
return { ...result, key };
}
return result;
}
exports2.flattenedDecrypt = flattenedDecrypt;
}
});
// node_modules/jose/dist/node/cjs/jwe/compact/decrypt.js
var require_decrypt3 = __commonJS({
"node_modules/jose/dist/node/cjs/jwe/compact/decrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.compactDecrypt = void 0;
var decrypt_js_12 = require_decrypt2();
var errors_js_1 = require_errors();
var buffer_utils_js_1 = require_buffer_utils();
async function compactDecrypt(jwe, key, options) {
if (jwe instanceof Uint8Array) {
jwe = buffer_utils_js_1.decoder.decode(jwe);
}
if (typeof jwe !== "string") {
throw new errors_js_1.JWEInvalid("Compact JWE must be a string or Uint8Array");
}
const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length } = jwe.split(".");
if (length !== 5) {
throw new errors_js_1.JWEInvalid("Invalid Compact JWE");
}
const decrypted = await (0, decrypt_js_12.flattenedDecrypt)({
ciphertext,
iv: iv || void 0,
protected: protectedHeader,
tag: tag || void 0,
encrypted_key: encryptedKey || void 0
}, key, options);
const result = { plaintext: decrypted.plaintext, protectedHeader: decrypted.protectedHeader };
if (typeof key === "function") {
return { ...result, key: decrypted.key };
}
return result;
}
exports2.compactDecrypt = compactDecrypt;
}
});
// node_modules/jose/dist/node/cjs/jwe/general/decrypt.js
var require_decrypt4 = __commonJS({
"node_modules/jose/dist/node/cjs/jwe/general/decrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.generalDecrypt = void 0;
var decrypt_js_12 = require_decrypt2();
var errors_js_1 = require_errors();
var is_object_js_1 = require_is_object();
async function generalDecrypt(jwe, key, options) {
if (!(0, is_object_js_1.default)(jwe)) {
throw new errors_js_1.JWEInvalid("General JWE must be an object");
}
if (!Array.isArray(jwe.recipients) || !jwe.recipients.every(is_object_js_1.default)) {
throw new errors_js_1.JWEInvalid("JWE Recipients missing or incorrect type");
}
if (!jwe.recipients.length) {
throw new errors_js_1.JWEInvalid("JWE Recipients has no members");
}
for (const recipient of jwe.recipients) {
try {
return await (0, decrypt_js_12.flattenedDecrypt)({
aad: jwe.aad,
ciphertext: jwe.ciphertext,
encrypted_key: recipient.encrypted_key,
header: recipient.header,
iv: jwe.iv,
protected: jwe.protected,
tag: jwe.tag,
unprotected: jwe.unprotected
}, key, options);
} catch {
}
}
throw new errors_js_1.JWEDecryptionFailed();
}
exports2.generalDecrypt = generalDecrypt;
}
});
// node_modules/jose/dist/node/cjs/runtime/key_to_jwk.js
var require_key_to_jwk = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/key_to_jwk.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var base64url_js_1 = require_base64url();
var errors_js_1 = require_errors();
var webcrypto_js_1 = require_webcrypto();
var is_key_object_js_1 = require_is_key_object();
var invalid_key_input_js_1 = require_invalid_key_input();
var is_key_like_js_1 = require_is_key_like();
var keyToJWK = (key) => {
let keyObject;
if ((0, webcrypto_js_1.isCryptoKey)(key)) {
if (!key.extractable) {
throw new TypeError("CryptoKey is not extractable");
}
keyObject = node_crypto_1.KeyObject.from(key);
} else if ((0, is_key_object_js_1.default)(key)) {
keyObject = key;
} else if (key instanceof Uint8Array) {
return {
kty: "oct",
k: (0, base64url_js_1.encode)(key)
};
} else {
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, "Uint8Array"));
}
if (keyObject.type !== "secret" && !["rsa", "ec", "ed25519", "x25519", "ed448", "x448"].includes(keyObject.asymmetricKeyType)) {
throw new errors_js_1.JOSENotSupported("Unsupported key asymmetricKeyType");
}
return keyObject.export({ format: "jwk" });
};
exports2.default = keyToJWK;
}
});
// node_modules/jose/dist/node/cjs/key/export.js
var require_export = __commonJS({
"node_modules/jose/dist/node/cjs/key/export.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.exportJWK = exports2.exportPKCS8 = exports2.exportSPKI = void 0;
var asn1_js_1 = require_asn1();
var asn1_js_2 = require_asn1();
var key_to_jwk_js_1 = require_key_to_jwk();
async function exportSPKI(key) {
return (0, asn1_js_1.toSPKI)(key);
}
exports2.exportSPKI = exportSPKI;
async function exportPKCS8(key) {
return (0, asn1_js_2.toPKCS8)(key);
}
exports2.exportPKCS8 = exportPKCS8;
async function exportJWK(key) {
return (0, key_to_jwk_js_1.default)(key);
}
exports2.exportJWK = exportJWK;
}
});
// node_modules/jose/dist/node/cjs/lib/encrypt_key_management.js
var require_encrypt_key_management = __commonJS({
"node_modules/jose/dist/node/cjs/lib/encrypt_key_management.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var aeskw_js_1 = require_aeskw();
var ECDH = require_ecdhes();
var pbes2kw_js_1 = require_pbes2kw();
var rsaes_js_1 = require_rsaes();
var base64url_js_1 = require_base64url();
var cek_js_1 = require_cek();
var errors_js_1 = require_errors();
var export_js_12 = require_export();
var check_key_type_js_1 = require_check_key_type();
var aesgcmkw_js_1 = require_aesgcmkw();
async function encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) {
let encryptedKey;
let parameters;
let cek;
(0, check_key_type_js_1.default)(alg, key, "encrypt");
switch (alg) {
case "dir": {
cek = key;
break;
}
case "ECDH-ES":
case "ECDH-ES+A128KW":
case "ECDH-ES+A192KW":
case "ECDH-ES+A256KW": {
if (!ECDH.ecdhAllowed(key)) {
throw new errors_js_1.JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime");
}
const { apu, apv } = providedParameters;
let { epk: ephemeralKey } = providedParameters;
ephemeralKey ||= (await ECDH.generateEpk(key)).privateKey;
const { x, y, crv, kty } = await (0, export_js_12.exportJWK)(ephemeralKey);
const sharedSecret = await ECDH.deriveKey(key, ephemeralKey, alg === "ECDH-ES" ? enc : alg, alg === "ECDH-ES" ? (0, cek_js_1.bitLength)(enc) : parseInt(alg.slice(-5, -2), 10), apu, apv);
parameters = { epk: { x, crv, kty } };
if (kty === "EC")
parameters.epk.y = y;
if (apu)
parameters.apu = (0, base64url_js_1.encode)(apu);
if (apv)
parameters.apv = (0, base64url_js_1.encode)(apv);
if (alg === "ECDH-ES") {
cek = sharedSecret;
break;
}
cek = providedCek || (0, cek_js_1.default)(enc);
const kwAlg = alg.slice(-6);
encryptedKey = await (0, aeskw_js_1.wrap)(kwAlg, sharedSecret, cek);
break;
}
case "RSA1_5":
case "RSA-OAEP":
case "RSA-OAEP-256":
case "RSA-OAEP-384":
case "RSA-OAEP-512": {
cek = providedCek || (0, cek_js_1.default)(enc);
encryptedKey = await (0, rsaes_js_1.encrypt)(alg, key, cek);
break;
}
case "PBES2-HS256+A128KW":
case "PBES2-HS384+A192KW":
case "PBES2-HS512+A256KW": {
cek = providedCek || (0, cek_js_1.default)(enc);
const { p2c, p2s } = providedParameters;
({ encryptedKey, ...parameters } = await (0, pbes2kw_js_1.encrypt)(alg, key, cek, p2c, p2s));
break;
}
case "A128KW":
case "A192KW":
case "A256KW": {
cek = providedCek || (0, cek_js_1.default)(enc);
encryptedKey = await (0, aeskw_js_1.wrap)(alg, key, cek);
break;
}
case "A128GCMKW":
case "A192GCMKW":
case "A256GCMKW": {
cek = providedCek || (0, cek_js_1.default)(enc);
const { iv } = providedParameters;
({ encryptedKey, ...parameters } = await (0, aesgcmkw_js_1.wrap)(alg, key, cek, iv));
break;
}
default: {
throw new errors_js_1.JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value');
}
}
return { cek, encryptedKey, parameters };
}
exports2.default = encryptKeyManagement;
}
});
// node_modules/jose/dist/node/cjs/jwe/flattened/encrypt.js
var require_encrypt2 = __commonJS({
"node_modules/jose/dist/node/cjs/jwe/flattened/encrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.FlattenedEncrypt = exports2.unprotected = void 0;
var base64url_js_1 = require_base64url();
var encrypt_js_12 = require_encrypt();
var iv_js_1 = require_iv();
var encrypt_key_management_js_1 = require_encrypt_key_management();
var errors_js_1 = require_errors();
var is_disjoint_js_1 = require_is_disjoint();
var buffer_utils_js_1 = require_buffer_utils();
var validate_crit_js_1 = require_validate_crit();
exports2.unprotected = Symbol();
var FlattenedEncrypt = class {
_plaintext;
_protectedHeader;
_sharedUnprotectedHeader;
_unprotectedHeader;
_aad;
_cek;
_iv;
_keyManagementParameters;
constructor(plaintext) {
if (!(plaintext instanceof Uint8Array)) {
throw new TypeError("plaintext must be an instance of Uint8Array");
}
this._plaintext = plaintext;
}
setKeyManagementParameters(parameters) {
if (this._keyManagementParameters) {
throw new TypeError("setKeyManagementParameters can only be called once");
}
this._keyManagementParameters = parameters;
return this;
}
setProtectedHeader(protectedHeader) {
if (this._protectedHeader) {
throw new TypeError("setProtectedHeader can only be called once");
}
this._protectedHeader = protectedHeader;
return this;
}
setSharedUnprotectedHeader(sharedUnprotectedHeader) {
if (this._sharedUnprotectedHeader) {
throw new TypeError("setSharedUnprotectedHeader can only be called once");
}
this._sharedUnprotectedHeader = sharedUnprotectedHeader;
return this;
}
setUnprotectedHeader(unprotectedHeader) {
if (this._unprotectedHeader) {
throw new TypeError("setUnprotectedHeader can only be called once");
}
this._unprotectedHeader = unprotectedHeader;
return this;
}
setAdditionalAuthenticatedData(aad) {
this._aad = aad;
return this;
}
setContentEncryptionKey(cek) {
if (this._cek) {
throw new TypeError("setContentEncryptionKey can only be called once");
}
this._cek = cek;
return this;
}
setInitializationVector(iv) {
if (this._iv) {
throw new TypeError("setInitializationVector can only be called once");
}
this._iv = iv;
return this;
}
async encrypt(key, options) {
if (!this._protectedHeader && !this._unprotectedHeader && !this._sharedUnprotectedHeader) {
throw new errors_js_1.JWEInvalid("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()");
}
if (!(0, is_disjoint_js_1.default)(this._protectedHeader, this._unprotectedHeader, this._sharedUnprotectedHeader)) {
throw new errors_js_1.JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");
}
const joseHeader = {
...this._protectedHeader,
...this._unprotectedHeader,
...this._sharedUnprotectedHeader
};
(0, validate_crit_js_1.default)(errors_js_1.JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, this._protectedHeader, joseHeader);
if (joseHeader.zip !== void 0) {
throw new errors_js_1.JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
}
const { alg, enc } = joseHeader;
if (typeof alg !== "string" || !alg) {
throw new errors_js_1.JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
}
if (typeof enc !== "string" || !enc) {
throw new errors_js_1.JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
}
let encryptedKey;
if (alg === "dir") {
if (this._cek) {
throw new TypeError("setContentEncryptionKey cannot be called when using Direct Encryption");
}
} else if (alg === "ECDH-ES") {
if (this._cek) {
throw new TypeError("setContentEncryptionKey cannot be called when using Direct Key Agreement");
}
}
let cek;
{
let parameters;
({ cek, encryptedKey, parameters } = await (0, encrypt_key_management_js_1.default)(alg, enc, key, this._cek, this._keyManagementParameters));
if (parameters) {
if (options && exports2.unprotected in options) {
if (!this._unprotectedHeader) {
this.setUnprotectedHeader(parameters);
} else {
this._unprotectedHeader = { ...this._unprotectedHeader, ...parameters };
}
} else {
if (!this._protectedHeader) {
this.setProtectedHeader(parameters);
} else {
this._protectedHeader = { ...this._protectedHeader, ...parameters };
}
}
}
}
this._iv ||= (0, iv_js_1.default)(enc);
let additionalData;
let protectedHeader;
let aadMember;
if (this._protectedHeader) {
protectedHeader = buffer_utils_js_1.encoder.encode((0, base64url_js_1.encode)(JSON.stringify(this._protectedHeader)));
} else {
protectedHeader = buffer_utils_js_1.encoder.encode("");
}
if (this._aad) {
aadMember = (0, base64url_js_1.encode)(this._aad);
additionalData = (0, buffer_utils_js_1.concat)(protectedHeader, buffer_utils_js_1.encoder.encode("."), buffer_utils_js_1.encoder.encode(aadMember));
} else {
additionalData = protectedHeader;
}
const { ciphertext, tag } = await (0, encrypt_js_12.default)(enc, this._plaintext, cek, this._iv, additionalData);
const jwe = {
ciphertext: (0, base64url_js_1.encode)(ciphertext),
iv: (0, base64url_js_1.encode)(this._iv),
tag: (0, base64url_js_1.encode)(tag)
};
if (encryptedKey) {
jwe.encrypted_key = (0, base64url_js_1.encode)(encryptedKey);
}
if (aadMember) {
jwe.aad = aadMember;
}
if (this._protectedHeader) {
jwe.protected = buffer_utils_js_1.decoder.decode(protectedHeader);
}
if (this._sharedUnprotectedHeader) {
jwe.unprotected = this._sharedUnprotectedHeader;
}
if (this._unprotectedHeader) {
jwe.header = this._unprotectedHeader;
}
return jwe;
}
};
exports2.FlattenedEncrypt = FlattenedEncrypt;
}
});
// node_modules/jose/dist/node/cjs/jwe/general/encrypt.js
var require_encrypt3 = __commonJS({
"node_modules/jose/dist/node/cjs/jwe/general/encrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.GeneralEncrypt = void 0;
var encrypt_js_12 = require_encrypt2();
var errors_js_1 = require_errors();
var cek_js_1 = require_cek();
var is_disjoint_js_1 = require_is_disjoint();
var encrypt_key_management_js_1 = require_encrypt_key_management();
var base64url_js_1 = require_base64url();
var validate_crit_js_1 = require_validate_crit();
var IndividualRecipient = class {
parent;
unprotectedHeader;
key;
options;
constructor(enc, key, options) {
this.parent = enc;
this.key = key;
this.options = options;
}
setUnprotectedHeader(unprotectedHeader) {
if (this.unprotectedHeader) {
throw new TypeError("setUnprotectedHeader can only be called once");
}
this.unprotectedHeader = unprotectedHeader;
return this;
}
addRecipient(...args) {
return this.parent.addRecipient(...args);
}
encrypt(...args) {
return this.parent.encrypt(...args);
}
done() {
return this.parent;
}
};
var GeneralEncrypt = class {
_plaintext;
_recipients = [];
_protectedHeader;
_unprotectedHeader;
_aad;
constructor(plaintext) {
this._plaintext = plaintext;
}
addRecipient(key, options) {
const recipient = new IndividualRecipient(this, key, { crit: options?.crit });
this._recipients.push(recipient);
return recipient;
}
setProtectedHeader(protectedHeader) {
if (this._protectedHeader) {
throw new TypeError("setProtectedHeader can only be called once");
}
this._protectedHeader = protectedHeader;
return this;
}
setSharedUnprotectedHeader(sharedUnprotectedHeader) {
if (this._unprotectedHeader) {
throw new TypeError("setSharedUnprotectedHeader can only be called once");
}
this._unprotectedHeader = sharedUnprotectedHeader;
return this;
}
setAdditionalAuthenticatedData(aad) {
this._aad = aad;
return this;
}
async encrypt() {
if (!this._recipients.length) {
throw new errors_js_1.JWEInvalid("at least one recipient must be added");
}
if (this._recipients.length === 1) {
const [recipient] = this._recipients;
const flattened = await new encrypt_js_12.FlattenedEncrypt(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(recipient.unprotectedHeader).encrypt(recipient.key, { ...recipient.options });
const jwe2 = {
ciphertext: flattened.ciphertext,
iv: flattened.iv,
recipients: [{}],
tag: flattened.tag
};
if (flattened.aad)
jwe2.aad = flattened.aad;
if (flattened.protected)
jwe2.protected = flattened.protected;
if (flattened.unprotected)
jwe2.unprotected = flattened.unprotected;
if (flattened.encrypted_key)
jwe2.recipients[0].encrypted_key = flattened.encrypted_key;
if (flattened.header)
jwe2.recipients[0].header = flattened.header;
return jwe2;
}
let enc;
for (let i = 0; i < this._recipients.length; i++) {
const recipient = this._recipients[i];
if (!(0, is_disjoint_js_1.default)(this._protectedHeader, this._unprotectedHeader, recipient.unprotectedHeader)) {
throw new errors_js_1.JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint");
}
const joseHeader = {
...this._protectedHeader,
...this._unprotectedHeader,
...recipient.unprotectedHeader
};
const { alg } = joseHeader;
if (typeof alg !== "string" || !alg) {
throw new errors_js_1.JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
}
if (alg === "dir" || alg === "ECDH-ES") {
throw new errors_js_1.JWEInvalid('"dir" and "ECDH-ES" alg may only be used with a single recipient');
}
if (typeof joseHeader.enc !== "string" || !joseHeader.enc) {
throw new errors_js_1.JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
}
if (!enc) {
enc = joseHeader.enc;
} else if (enc !== joseHeader.enc) {
throw new errors_js_1.JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');
}
(0, validate_crit_js_1.default)(errors_js_1.JWEInvalid, /* @__PURE__ */ new Map(), recipient.options.crit, this._protectedHeader, joseHeader);
if (joseHeader.zip !== void 0) {
throw new errors_js_1.JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
}
}
const cek = (0, cek_js_1.default)(enc);
const jwe = {
ciphertext: "",
iv: "",
recipients: [],
tag: ""
};
for (let i = 0; i < this._recipients.length; i++) {
const recipient = this._recipients[i];
const target = {};
jwe.recipients.push(target);
const joseHeader = {
...this._protectedHeader,
...this._unprotectedHeader,
...recipient.unprotectedHeader
};
const p2c = joseHeader.alg.startsWith("PBES2") ? 2048 + i : void 0;
if (i === 0) {
const flattened = await new encrypt_js_12.FlattenedEncrypt(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(cek).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(recipient.unprotectedHeader).setKeyManagementParameters({ p2c }).encrypt(recipient.key, {
...recipient.options,
[encrypt_js_12.unprotected]: true
});
jwe.ciphertext = flattened.ciphertext;
jwe.iv = flattened.iv;
jwe.tag = flattened.tag;
if (flattened.aad)
jwe.aad = flattened.aad;
if (flattened.protected)
jwe.protected = flattened.protected;
if (flattened.unprotected)
jwe.unprotected = flattened.unprotected;
target.encrypted_key = flattened.encrypted_key;
if (flattened.header)
target.header = flattened.header;
continue;
}
const { encryptedKey, parameters } = await (0, encrypt_key_management_js_1.default)(recipient.unprotectedHeader?.alg || this._protectedHeader?.alg || this._unprotectedHeader?.alg, enc, recipient.key, cek, { p2c });
target.encrypted_key = (0, base64url_js_1.encode)(encryptedKey);
if (recipient.unprotectedHeader || parameters)
target.header = { ...recipient.unprotectedHeader, ...parameters };
}
return jwe;
}
};
exports2.GeneralEncrypt = GeneralEncrypt;
}
});
// node_modules/jose/dist/node/cjs/runtime/dsa_digest.js
var require_dsa_digest = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/dsa_digest.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var errors_js_1 = require_errors();
function dsaDigest(alg) {
switch (alg) {
case "PS256":
case "RS256":
case "ES256":
case "ES256K":
return "sha256";
case "PS384":
case "RS384":
case "ES384":
return "sha384";
case "PS512":
case "RS512":
case "ES512":
return "sha512";
case "EdDSA":
return void 0;
default:
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
}
exports2.default = dsaDigest;
}
});
// node_modules/jose/dist/node/cjs/runtime/node_key.js
var require_node_key = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/node_key.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var get_named_curve_js_1 = require_get_named_curve();
var errors_js_1 = require_errors();
var check_key_length_js_1 = require_check_key_length();
var PSS = {
padding: node_crypto_1.constants.RSA_PKCS1_PSS_PADDING,
saltLength: node_crypto_1.constants.RSA_PSS_SALTLEN_DIGEST
};
var ecCurveAlgMap = /* @__PURE__ */ new Map([
["ES256", "P-256"],
["ES256K", "secp256k1"],
["ES384", "P-384"],
["ES512", "P-521"]
]);
function keyForCrypto(alg, key) {
switch (alg) {
case "EdDSA":
if (!["ed25519", "ed448"].includes(key.asymmetricKeyType)) {
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448");
}
return key;
case "RS256":
case "RS384":
case "RS512":
if (key.asymmetricKeyType !== "rsa") {
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa");
}
(0, check_key_length_js_1.default)(key, alg);
return key;
case "PS256":
case "PS384":
case "PS512":
if (key.asymmetricKeyType === "rsa-pss") {
const { hashAlgorithm, mgf1HashAlgorithm, saltLength } = key.asymmetricKeyDetails;
const length = parseInt(alg.slice(-3), 10);
if (hashAlgorithm !== void 0 && (hashAlgorithm !== `sha${length}` || mgf1HashAlgorithm !== hashAlgorithm)) {
throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${alg}`);
}
if (saltLength !== void 0 && saltLength > length >> 3) {
throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${alg}`);
}
} else if (key.asymmetricKeyType !== "rsa") {
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss");
}
(0, check_key_length_js_1.default)(key, alg);
return { key, ...PSS };
case "ES256":
case "ES256K":
case "ES384":
case "ES512": {
if (key.asymmetricKeyType !== "ec") {
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ec");
}
const actual = (0, get_named_curve_js_1.default)(key);
const expected = ecCurveAlgMap.get(alg);
if (actual !== expected) {
throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${expected}, got ${actual}`);
}
return { dsaEncoding: "ieee-p1363", key };
}
default:
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
}
exports2.default = keyForCrypto;
}
});
// node_modules/jose/dist/node/cjs/runtime/hmac_digest.js
var require_hmac_digest = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/hmac_digest.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var errors_js_1 = require_errors();
function hmacDigest(alg) {
switch (alg) {
case "HS256":
return "sha256";
case "HS384":
return "sha384";
case "HS512":
return "sha512";
default:
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
}
exports2.default = hmacDigest;
}
});
// node_modules/jose/dist/node/cjs/runtime/get_sign_verify_key.js
var require_get_sign_verify_key = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/get_sign_verify_key.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var node_crypto_1 = requireNodeCrypto;
var webcrypto_js_1 = require_webcrypto();
var crypto_key_js_1 = require_crypto_key();
var invalid_key_input_js_1 = require_invalid_key_input();
var is_key_like_js_1 = require_is_key_like();
function getSignVerifyKey(alg, key, usage) {
if (key instanceof Uint8Array) {
if (!alg.startsWith("HS")) {
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types));
}
return (0, node_crypto_1.createSecretKey)(key);
}
if (key instanceof node_crypto_1.KeyObject) {
return key;
}
if ((0, webcrypto_js_1.isCryptoKey)(key)) {
(0, crypto_key_js_1.checkSigCryptoKey)(key, alg, usage);
return node_crypto_1.KeyObject.from(key);
}
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, "Uint8Array"));
}
exports2.default = getSignVerifyKey;
}
});
// node_modules/jose/dist/node/cjs/runtime/sign.js
var require_sign = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/sign.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var crypto = requireNodeCrypto;
var node_util_1 = requireNodeUtil;
var dsa_digest_js_1 = require_dsa_digest();
var hmac_digest_js_1 = require_hmac_digest();
var node_key_js_1 = require_node_key();
var get_sign_verify_key_js_1 = require_get_sign_verify_key();
var oneShotSign = (0, node_util_1.promisify)(crypto.sign);
var sign = async (alg, key, data) => {
const keyObject = (0, get_sign_verify_key_js_1.default)(alg, key, "sign");
if (alg.startsWith("HS")) {
const hmac = crypto.createHmac((0, hmac_digest_js_1.default)(alg), keyObject);
hmac.update(data);
return hmac.digest();
}
return oneShotSign((0, dsa_digest_js_1.default)(alg), data, (0, node_key_js_1.default)(alg, keyObject));
};
exports2.default = sign;
}
});
// node_modules/jose/dist/node/cjs/runtime/verify.js
var require_verify = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/verify.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var crypto = requireNodeCrypto;
var node_util_1 = requireNodeUtil;
var dsa_digest_js_1 = require_dsa_digest();
var node_key_js_1 = require_node_key();
var sign_js_12 = require_sign();
var get_sign_verify_key_js_1 = require_get_sign_verify_key();
var oneShotVerify = (0, node_util_1.promisify)(crypto.verify);
var verify = async (alg, key, signature, data) => {
const keyObject = (0, get_sign_verify_key_js_1.default)(alg, key, "verify");
if (alg.startsWith("HS")) {
const expected = await (0, sign_js_12.default)(alg, keyObject, data);
const actual = signature;
try {
return crypto.timingSafeEqual(actual, expected);
} catch {
return false;
}
}
const algorithm = (0, dsa_digest_js_1.default)(alg);
const keyInput = (0, node_key_js_1.default)(alg, keyObject);
try {
return await oneShotVerify(algorithm, data, keyInput, signature);
} catch {
return false;
}
};
exports2.default = verify;
}
});
// node_modules/jose/dist/node/cjs/jws/flattened/verify.js
var require_verify2 = __commonJS({
"node_modules/jose/dist/node/cjs/jws/flattened/verify.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.flattenedVerify = void 0;
var base64url_js_1 = require_base64url();
var verify_js_12 = require_verify();
var errors_js_1 = require_errors();
var buffer_utils_js_1 = require_buffer_utils();
var is_disjoint_js_1 = require_is_disjoint();
var is_object_js_1 = require_is_object();
var check_key_type_js_1 = require_check_key_type();
var validate_crit_js_1 = require_validate_crit();
var validate_algorithms_js_1 = require_validate_algorithms();
async function flattenedVerify(jws, key, options) {
if (!(0, is_object_js_1.default)(jws)) {
throw new errors_js_1.JWSInvalid("Flattened JWS must be an object");
}
if (jws.protected === void 0 && jws.header === void 0) {
throw new errors_js_1.JWSInvalid('Flattened JWS must have either of the "protected" or "header" members');
}
if (jws.protected !== void 0 && typeof jws.protected !== "string") {
throw new errors_js_1.JWSInvalid("JWS Protected Header incorrect type");
}
if (jws.payload === void 0) {
throw new errors_js_1.JWSInvalid("JWS Payload missing");
}
if (typeof jws.signature !== "string") {
throw new errors_js_1.JWSInvalid("JWS Signature missing or incorrect type");
}
if (jws.header !== void 0 && !(0, is_object_js_1.default)(jws.header)) {
throw new errors_js_1.JWSInvalid("JWS Unprotected Header incorrect type");
}
let parsedProt = {};
if (jws.protected) {
try {
const protectedHeader = (0, base64url_js_1.decode)(jws.protected);
parsedProt = JSON.parse(buffer_utils_js_1.decoder.decode(protectedHeader));
} catch {
throw new errors_js_1.JWSInvalid("JWS Protected Header is invalid");
}
}
if (!(0, is_disjoint_js_1.default)(parsedProt, jws.header)) {
throw new errors_js_1.JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
}
const joseHeader = {
...parsedProt,
...jws.header
};
const extensions = (0, validate_crit_js_1.default)(errors_js_1.JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader);
let b64 = true;
if (extensions.has("b64")) {
b64 = parsedProt.b64;
if (typeof b64 !== "boolean") {
throw new errors_js_1.JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
}
}
const { alg } = joseHeader;
if (typeof alg !== "string" || !alg) {
throw new errors_js_1.JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
}
const algorithms = options && (0, validate_algorithms_js_1.default)("algorithms", options.algorithms);
if (algorithms && !algorithms.has(alg)) {
throw new errors_js_1.JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
}
if (b64) {
if (typeof jws.payload !== "string") {
throw new errors_js_1.JWSInvalid("JWS Payload must be a string");
}
} else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) {
throw new errors_js_1.JWSInvalid("JWS Payload must be a string or an Uint8Array instance");
}
let resolvedKey = false;
if (typeof key === "function") {
key = await key(parsedProt, jws);
resolvedKey = true;
}
(0, check_key_type_js_1.default)(alg, key, "verify");
const data = (0, buffer_utils_js_1.concat)(buffer_utils_js_1.encoder.encode(jws.protected ?? ""), buffer_utils_js_1.encoder.encode("."), typeof jws.payload === "string" ? buffer_utils_js_1.encoder.encode(jws.payload) : jws.payload);
let signature;
try {
signature = (0, base64url_js_1.decode)(jws.signature);
} catch {
throw new errors_js_1.JWSInvalid("Failed to base64url decode the signature");
}
const verified = await (0, verify_js_12.default)(alg, key, signature, data);
if (!verified) {
throw new errors_js_1.JWSSignatureVerificationFailed();
}
let payload;
if (b64) {
try {
payload = (0, base64url_js_1.decode)(jws.payload);
} catch {
throw new errors_js_1.JWSInvalid("Failed to base64url decode the payload");
}
} else if (typeof jws.payload === "string") {
payload = buffer_utils_js_1.encoder.encode(jws.payload);
} else {
payload = jws.payload;
}
const result = { payload };
if (jws.protected !== void 0) {
result.protectedHeader = parsedProt;
}
if (jws.header !== void 0) {
result.unprotectedHeader = jws.header;
}
if (resolvedKey) {
return { ...result, key };
}
return result;
}
exports2.flattenedVerify = flattenedVerify;
}
});
// node_modules/jose/dist/node/cjs/jws/compact/verify.js
var require_verify3 = __commonJS({
"node_modules/jose/dist/node/cjs/jws/compact/verify.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.compactVerify = void 0;
var verify_js_12 = require_verify2();
var errors_js_1 = require_errors();
var buffer_utils_js_1 = require_buffer_utils();
async function compactVerify(jws, key, options) {
if (jws instanceof Uint8Array) {
jws = buffer_utils_js_1.decoder.decode(jws);
}
if (typeof jws !== "string") {
throw new errors_js_1.JWSInvalid("Compact JWS must be a string or Uint8Array");
}
const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split(".");
if (length !== 3) {
throw new errors_js_1.JWSInvalid("Invalid Compact JWS");
}
const verified = await (0, verify_js_12.flattenedVerify)({ payload, protected: protectedHeader, signature }, key, options);
const result = { payload: verified.payload, protectedHeader: verified.protectedHeader };
if (typeof key === "function") {
return { ...result, key: verified.key };
}
return result;
}
exports2.compactVerify = compactVerify;
}
});
// node_modules/jose/dist/node/cjs/jws/general/verify.js
var require_verify4 = __commonJS({
"node_modules/jose/dist/node/cjs/jws/general/verify.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.generalVerify = void 0;
var verify_js_12 = require_verify2();
var errors_js_1 = require_errors();
var is_object_js_1 = require_is_object();
async function generalVerify(jws, key, options) {
if (!(0, is_object_js_1.default)(jws)) {
throw new errors_js_1.JWSInvalid("General JWS must be an object");
}
if (!Array.isArray(jws.signatures) || !jws.signatures.every(is_object_js_1.default)) {
throw new errors_js_1.JWSInvalid("JWS Signatures missing or incorrect type");
}
for (const signature of jws.signatures) {
try {
return await (0, verify_js_12.flattenedVerify)({
header: signature.header,
payload: jws.payload,
protected: signature.protected,
signature: signature.signature
}, key, options);
} catch {
}
}
throw new errors_js_1.JWSSignatureVerificationFailed();
}
exports2.generalVerify = generalVerify;
}
});
// node_modules/jose/dist/node/cjs/lib/epoch.js
var require_epoch = __commonJS({
"node_modules/jose/dist/node/cjs/lib/epoch.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.default = (date) => Math.floor(date.getTime() / 1e3);
}
});
// node_modules/jose/dist/node/cjs/lib/secs.js
var require_secs = __commonJS({
"node_modules/jose/dist/node/cjs/lib/secs.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var minute = 60;
var hour = minute * 60;
var day = hour * 24;
var week = day * 7;
var year = day * 365.25;
var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i;
exports2.default = (str) => {
const matched = REGEX.exec(str);
if (!matched || matched[4] && matched[1]) {
throw new TypeError("Invalid time period format");
}
const value = parseFloat(matched[2]);
const unit = matched[3].toLowerCase();
let numericDate;
switch (unit) {
case "sec":
case "secs":
case "second":
case "seconds":
case "s":
numericDate = Math.round(value);
break;
case "minute":
case "minutes":
case "min":
case "mins":
case "m":
numericDate = Math.round(value * minute);
break;
case "hour":
case "hours":
case "hr":
case "hrs":
case "h":
numericDate = Math.round(value * hour);
break;
case "day":
case "days":
case "d":
numericDate = Math.round(value * day);
break;
case "week":
case "weeks":
case "w":
numericDate = Math.round(value * week);
break;
default:
numericDate = Math.round(value * year);
break;
}
if (matched[1] === "-" || matched[4] === "ago") {
return -numericDate;
}
return numericDate;
};
}
});
// node_modules/jose/dist/node/cjs/lib/jwt_claims_set.js
var require_jwt_claims_set = __commonJS({
"node_modules/jose/dist/node/cjs/lib/jwt_claims_set.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var errors_js_1 = require_errors();
var buffer_utils_js_1 = require_buffer_utils();
var epoch_js_1 = require_epoch();
var secs_js_1 = require_secs();
var is_object_js_1 = require_is_object();
var normalizeTyp = (value) => value.toLowerCase().replace(/^application\//, "");
var checkAudiencePresence = (audPayload, audOption) => {
if (typeof audPayload === "string") {
return audOption.includes(audPayload);
}
if (Array.isArray(audPayload)) {
return audOption.some(Set.prototype.has.bind(new Set(audPayload)));
}
return false;
};
exports2.default = (protectedHeader, encodedPayload, options = {}) => {
const { typ } = options;
if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) {
throw new errors_js_1.JWTClaimValidationFailed('unexpected "typ" JWT header value', "typ", "check_failed");
}
let payload;
try {
payload = JSON.parse(buffer_utils_js_1.decoder.decode(encodedPayload));
} catch {
}
if (!(0, is_object_js_1.default)(payload)) {
throw new errors_js_1.JWTInvalid("JWT Claims Set must be a top-level JSON object");
}
const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options;
const presenceCheck = [...requiredClaims];
if (maxTokenAge !== void 0)
presenceCheck.push("iat");
if (audience !== void 0)
presenceCheck.push("aud");
if (subject !== void 0)
presenceCheck.push("sub");
if (issuer !== void 0)
presenceCheck.push("iss");
for (const claim of new Set(presenceCheck.reverse())) {
if (!(claim in payload)) {
throw new errors_js_1.JWTClaimValidationFailed(`missing required "${claim}" claim`, claim, "missing");
}
}
if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) {
throw new errors_js_1.JWTClaimValidationFailed('unexpected "iss" claim value', "iss", "check_failed");
}
if (subject && payload.sub !== subject) {
throw new errors_js_1.JWTClaimValidationFailed('unexpected "sub" claim value', "sub", "check_failed");
}
if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) {
throw new errors_js_1.JWTClaimValidationFailed('unexpected "aud" claim value', "aud", "check_failed");
}
let tolerance;
switch (typeof options.clockTolerance) {
case "string":
tolerance = (0, secs_js_1.default)(options.clockTolerance);
break;
case "number":
tolerance = options.clockTolerance;
break;
case "undefined":
tolerance = 0;
break;
default:
throw new TypeError("Invalid clockTolerance option type");
}
const { currentDate } = options;
const now = (0, epoch_js_1.default)(currentDate || /* @__PURE__ */ new Date());
if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") {
throw new errors_js_1.JWTClaimValidationFailed('"iat" claim must be a number', "iat", "invalid");
}
if (payload.nbf !== void 0) {
if (typeof payload.nbf !== "number") {
throw new errors_js_1.JWTClaimValidationFailed('"nbf" claim must be a number', "nbf", "invalid");
}
if (payload.nbf > now + tolerance) {
throw new errors_js_1.JWTClaimValidationFailed('"nbf" claim timestamp check failed', "nbf", "check_failed");
}
}
if (payload.exp !== void 0) {
if (typeof payload.exp !== "number") {
throw new errors_js_1.JWTClaimValidationFailed('"exp" claim must be a number', "exp", "invalid");
}
if (payload.exp <= now - tolerance) {
throw new errors_js_1.JWTExpired('"exp" claim timestamp check failed', "exp", "check_failed");
}
}
if (maxTokenAge) {
const age = now - payload.iat;
const max = typeof maxTokenAge === "number" ? maxTokenAge : (0, secs_js_1.default)(maxTokenAge);
if (age - tolerance > max) {
throw new errors_js_1.JWTExpired('"iat" claim timestamp check failed (too far in the past)', "iat", "check_failed");
}
if (age < 0 - tolerance) {
throw new errors_js_1.JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', "iat", "check_failed");
}
}
return payload;
};
}
});
// node_modules/jose/dist/node/cjs/jwt/verify.js
var require_verify5 = __commonJS({
"node_modules/jose/dist/node/cjs/jwt/verify.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.jwtVerify = void 0;
var verify_js_12 = require_verify3();
var jwt_claims_set_js_1 = require_jwt_claims_set();
var errors_js_1 = require_errors();
async function jwtVerify(jwt, key, options) {
const verified = await (0, verify_js_12.compactVerify)(jwt, key, options);
if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) {
throw new errors_js_1.JWTInvalid("JWTs MUST NOT use unencoded payload");
}
const payload = (0, jwt_claims_set_js_1.default)(verified.protectedHeader, verified.payload, options);
const result = { payload, protectedHeader: verified.protectedHeader };
if (typeof key === "function") {
return { ...result, key: verified.key };
}
return result;
}
exports2.jwtVerify = jwtVerify;
}
});
// node_modules/jose/dist/node/cjs/jwt/decrypt.js
var require_decrypt5 = __commonJS({
"node_modules/jose/dist/node/cjs/jwt/decrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.jwtDecrypt = void 0;
var decrypt_js_12 = require_decrypt3();
var jwt_claims_set_js_1 = require_jwt_claims_set();
var errors_js_1 = require_errors();
async function jwtDecrypt(jwt, key, options) {
const decrypted = await (0, decrypt_js_12.compactDecrypt)(jwt, key, options);
const payload = (0, jwt_claims_set_js_1.default)(decrypted.protectedHeader, decrypted.plaintext, options);
const { protectedHeader } = decrypted;
if (protectedHeader.iss !== void 0 && protectedHeader.iss !== payload.iss) {
throw new errors_js_1.JWTClaimValidationFailed('replicated "iss" claim header parameter mismatch', "iss", "mismatch");
}
if (protectedHeader.sub !== void 0 && protectedHeader.sub !== payload.sub) {
throw new errors_js_1.JWTClaimValidationFailed('replicated "sub" claim header parameter mismatch', "sub", "mismatch");
}
if (protectedHeader.aud !== void 0 && JSON.stringify(protectedHeader.aud) !== JSON.stringify(payload.aud)) {
throw new errors_js_1.JWTClaimValidationFailed('replicated "aud" claim header parameter mismatch', "aud", "mismatch");
}
const result = { payload, protectedHeader };
if (typeof key === "function") {
return { ...result, key: decrypted.key };
}
return result;
}
exports2.jwtDecrypt = jwtDecrypt;
}
});
// node_modules/jose/dist/node/cjs/jwe/compact/encrypt.js
var require_encrypt4 = __commonJS({
"node_modules/jose/dist/node/cjs/jwe/compact/encrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.CompactEncrypt = void 0;
var encrypt_js_12 = require_encrypt2();
var CompactEncrypt = class {
_flattened;
constructor(plaintext) {
this._flattened = new encrypt_js_12.FlattenedEncrypt(plaintext);
}
setContentEncryptionKey(cek) {
this._flattened.setContentEncryptionKey(cek);
return this;
}
setInitializationVector(iv) {
this._flattened.setInitializationVector(iv);
return this;
}
setProtectedHeader(protectedHeader) {
this._flattened.setProtectedHeader(protectedHeader);
return this;
}
setKeyManagementParameters(parameters) {
this._flattened.setKeyManagementParameters(parameters);
return this;
}
async encrypt(key, options) {
const jwe = await this._flattened.encrypt(key, options);
return [jwe.protected, jwe.encrypted_key, jwe.iv, jwe.ciphertext, jwe.tag].join(".");
}
};
exports2.CompactEncrypt = CompactEncrypt;
}
});
// node_modules/jose/dist/node/cjs/jws/flattened/sign.js
var require_sign2 = __commonJS({
"node_modules/jose/dist/node/cjs/jws/flattened/sign.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.FlattenedSign = void 0;
var base64url_js_1 = require_base64url();
var sign_js_12 = require_sign();
var is_disjoint_js_1 = require_is_disjoint();
var errors_js_1 = require_errors();
var buffer_utils_js_1 = require_buffer_utils();
var check_key_type_js_1 = require_check_key_type();
var validate_crit_js_1 = require_validate_crit();
var FlattenedSign = class {
_payload;
_protectedHeader;
_unprotectedHeader;
constructor(payload) {
if (!(payload instanceof Uint8Array)) {
throw new TypeError("payload must be an instance of Uint8Array");
}
this._payload = payload;
}
setProtectedHeader(protectedHeader) {
if (this._protectedHeader) {
throw new TypeError("setProtectedHeader can only be called once");
}
this._protectedHeader = protectedHeader;
return this;
}
setUnprotectedHeader(unprotectedHeader) {
if (this._unprotectedHeader) {
throw new TypeError("setUnprotectedHeader can only be called once");
}
this._unprotectedHeader = unprotectedHeader;
return this;
}
async sign(key, options) {
if (!this._protectedHeader && !this._unprotectedHeader) {
throw new errors_js_1.JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()");
}
if (!(0, is_disjoint_js_1.default)(this._protectedHeader, this._unprotectedHeader)) {
throw new errors_js_1.JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint");
}
const joseHeader = {
...this._protectedHeader,
...this._unprotectedHeader
};
const extensions = (0, validate_crit_js_1.default)(errors_js_1.JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, this._protectedHeader, joseHeader);
let b64 = true;
if (extensions.has("b64")) {
b64 = this._protectedHeader.b64;
if (typeof b64 !== "boolean") {
throw new errors_js_1.JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean');
}
}
const { alg } = joseHeader;
if (typeof alg !== "string" || !alg) {
throw new errors_js_1.JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid');
}
(0, check_key_type_js_1.default)(alg, key, "sign");
let payload = this._payload;
if (b64) {
payload = buffer_utils_js_1.encoder.encode((0, base64url_js_1.encode)(payload));
}
let protectedHeader;
if (this._protectedHeader) {
protectedHeader = buffer_utils_js_1.encoder.encode((0, base64url_js_1.encode)(JSON.stringify(this._protectedHeader)));
} else {
protectedHeader = buffer_utils_js_1.encoder.encode("");
}
const data = (0, buffer_utils_js_1.concat)(protectedHeader, buffer_utils_js_1.encoder.encode("."), payload);
const signature = await (0, sign_js_12.default)(alg, key, data);
const jws = {
signature: (0, base64url_js_1.encode)(signature),
payload: ""
};
if (b64) {
jws.payload = buffer_utils_js_1.decoder.decode(payload);
}
if (this._unprotectedHeader) {
jws.header = this._unprotectedHeader;
}
if (this._protectedHeader) {
jws.protected = buffer_utils_js_1.decoder.decode(protectedHeader);
}
return jws;
}
};
exports2.FlattenedSign = FlattenedSign;
}
});
// node_modules/jose/dist/node/cjs/jws/compact/sign.js
var require_sign3 = __commonJS({
"node_modules/jose/dist/node/cjs/jws/compact/sign.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.CompactSign = void 0;
var sign_js_12 = require_sign2();
var CompactSign = class {
_flattened;
constructor(payload) {
this._flattened = new sign_js_12.FlattenedSign(payload);
}
setProtectedHeader(protectedHeader) {
this._flattened.setProtectedHeader(protectedHeader);
return this;
}
async sign(key, options) {
const jws = await this._flattened.sign(key, options);
if (jws.payload === void 0) {
throw new TypeError("use the flattened module for creating JWS with b64: false");
}
return `${jws.protected}.${jws.payload}.${jws.signature}`;
}
};
exports2.CompactSign = CompactSign;
}
});
// node_modules/jose/dist/node/cjs/jws/general/sign.js
var require_sign4 = __commonJS({
"node_modules/jose/dist/node/cjs/jws/general/sign.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.GeneralSign = void 0;
var sign_js_12 = require_sign2();
var errors_js_1 = require_errors();
var IndividualSignature = class {
parent;
protectedHeader;
unprotectedHeader;
options;
key;
constructor(sig, key, options) {
this.parent = sig;
this.key = key;
this.options = options;
}
setProtectedHeader(protectedHeader) {
if (this.protectedHeader) {
throw new TypeError("setProtectedHeader can only be called once");
}
this.protectedHeader = protectedHeader;
return this;
}
setUnprotectedHeader(unprotectedHeader) {
if (this.unprotectedHeader) {
throw new TypeError("setUnprotectedHeader can only be called once");
}
this.unprotectedHeader = unprotectedHeader;
return this;
}
addSignature(...args) {
return this.parent.addSignature(...args);
}
sign(...args) {
return this.parent.sign(...args);
}
done() {
return this.parent;
}
};
var GeneralSign = class {
_payload;
_signatures = [];
constructor(payload) {
this._payload = payload;
}
addSignature(key, options) {
const signature = new IndividualSignature(this, key, options);
this._signatures.push(signature);
return signature;
}
async sign() {
if (!this._signatures.length) {
throw new errors_js_1.JWSInvalid("at least one signature must be added");
}
const jws = {
signatures: [],
payload: ""
};
for (let i = 0; i < this._signatures.length; i++) {
const signature = this._signatures[i];
const flattened = new sign_js_12.FlattenedSign(this._payload);
flattened.setProtectedHeader(signature.protectedHeader);
flattened.setUnprotectedHeader(signature.unprotectedHeader);
const { payload, ...rest } = await flattened.sign(signature.key, signature.options);
if (i === 0) {
jws.payload = payload;
} else if (jws.payload !== payload) {
throw new errors_js_1.JWSInvalid("inconsistent use of JWS Unencoded Payload (RFC7797)");
}
jws.signatures.push(rest);
}
return jws;
}
};
exports2.GeneralSign = GeneralSign;
}
});
// node_modules/jose/dist/node/cjs/jwt/produce.js
var require_produce = __commonJS({
"node_modules/jose/dist/node/cjs/jwt/produce.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.ProduceJWT = void 0;
var epoch_js_1 = require_epoch();
var is_object_js_1 = require_is_object();
var secs_js_1 = require_secs();
function validateInput(label, input) {
if (!Number.isFinite(input)) {
throw new TypeError(`Invalid ${label} input`);
}
return input;
}
var ProduceJWT = class {
_payload;
constructor(payload = {}) {
if (!(0, is_object_js_1.default)(payload)) {
throw new TypeError("JWT Claims Set MUST be an object");
}
this._payload = payload;
}
setIssuer(issuer) {
this._payload = { ...this._payload, iss: issuer };
return this;
}
setSubject(subject) {
this._payload = { ...this._payload, sub: subject };
return this;
}
setAudience(audience) {
this._payload = { ...this._payload, aud: audience };
return this;
}
setJti(jwtId) {
this._payload = { ...this._payload, jti: jwtId };
return this;
}
setNotBefore(input) {
if (typeof input === "number") {
this._payload = { ...this._payload, nbf: validateInput("setNotBefore", input) };
} else if (input instanceof Date) {
this._payload = { ...this._payload, nbf: validateInput("setNotBefore", (0, epoch_js_1.default)(input)) };
} else {
this._payload = { ...this._payload, nbf: (0, epoch_js_1.default)(/* @__PURE__ */ new Date()) + (0, secs_js_1.default)(input) };
}
return this;
}
setExpirationTime(input) {
if (typeof input === "number") {
this._payload = { ...this._payload, exp: validateInput("setExpirationTime", input) };
} else if (input instanceof Date) {
this._payload = { ...this._payload, exp: validateInput("setExpirationTime", (0, epoch_js_1.default)(input)) };
} else {
this._payload = { ...this._payload, exp: (0, epoch_js_1.default)(/* @__PURE__ */ new Date()) + (0, secs_js_1.default)(input) };
}
return this;
}
setIssuedAt(input) {
if (typeof input === "undefined") {
this._payload = { ...this._payload, iat: (0, epoch_js_1.default)(/* @__PURE__ */ new Date()) };
} else if (input instanceof Date) {
this._payload = { ...this._payload, iat: validateInput("setIssuedAt", (0, epoch_js_1.default)(input)) };
} else if (typeof input === "string") {
this._payload = {
...this._payload,
iat: validateInput("setIssuedAt", (0, epoch_js_1.default)(/* @__PURE__ */ new Date()) + (0, secs_js_1.default)(input))
};
} else {
this._payload = { ...this._payload, iat: validateInput("setIssuedAt", input) };
}
return this;
}
};
exports2.ProduceJWT = ProduceJWT;
}
});
// node_modules/jose/dist/node/cjs/jwt/sign.js
var require_sign5 = __commonJS({
"node_modules/jose/dist/node/cjs/jwt/sign.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.SignJWT = void 0;
var sign_js_12 = require_sign3();
var errors_js_1 = require_errors();
var buffer_utils_js_1 = require_buffer_utils();
var produce_js_1 = require_produce();
var SignJWT = class extends produce_js_1.ProduceJWT {
_protectedHeader;
setProtectedHeader(protectedHeader) {
this._protectedHeader = protectedHeader;
return this;
}
async sign(key, options) {
const sig = new sign_js_12.CompactSign(buffer_utils_js_1.encoder.encode(JSON.stringify(this._payload)));
sig.setProtectedHeader(this._protectedHeader);
if (Array.isArray(this._protectedHeader?.crit) && this._protectedHeader.crit.includes("b64") && this._protectedHeader.b64 === false) {
throw new errors_js_1.JWTInvalid("JWTs MUST NOT use unencoded payload");
}
return sig.sign(key, options);
}
};
exports2.SignJWT = SignJWT;
}
});
// node_modules/jose/dist/node/cjs/jwt/encrypt.js
var require_encrypt5 = __commonJS({
"node_modules/jose/dist/node/cjs/jwt/encrypt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.EncryptJWT = void 0;
var encrypt_js_12 = require_encrypt4();
var buffer_utils_js_1 = require_buffer_utils();
var produce_js_1 = require_produce();
var EncryptJWT = class extends produce_js_1.ProduceJWT {
_cek;
_iv;
_keyManagementParameters;
_protectedHeader;
_replicateIssuerAsHeader;
_replicateSubjectAsHeader;
_replicateAudienceAsHeader;
setProtectedHeader(protectedHeader) {
if (this._protectedHeader) {
throw new TypeError("setProtectedHeader can only be called once");
}
this._protectedHeader = protectedHeader;
return this;
}
setKeyManagementParameters(parameters) {
if (this._keyManagementParameters) {
throw new TypeError("setKeyManagementParameters can only be called once");
}
this._keyManagementParameters = parameters;
return this;
}
setContentEncryptionKey(cek) {
if (this._cek) {
throw new TypeError("setContentEncryptionKey can only be called once");
}
this._cek = cek;
return this;
}
setInitializationVector(iv) {
if (this._iv) {
throw new TypeError("setInitializationVector can only be called once");
}
this._iv = iv;
return this;
}
replicateIssuerAsHeader() {
this._replicateIssuerAsHeader = true;
return this;
}
replicateSubjectAsHeader() {
this._replicateSubjectAsHeader = true;
return this;
}
replicateAudienceAsHeader() {
this._replicateAudienceAsHeader = true;
return this;
}
async encrypt(key, options) {
const enc = new encrypt_js_12.CompactEncrypt(buffer_utils_js_1.encoder.encode(JSON.stringify(this._payload)));
if (this._replicateIssuerAsHeader) {
this._protectedHeader = { ...this._protectedHeader, iss: this._payload.iss };
}
if (this._replicateSubjectAsHeader) {
this._protectedHeader = { ...this._protectedHeader, sub: this._payload.sub };
}
if (this._replicateAudienceAsHeader) {
this._protectedHeader = { ...this._protectedHeader, aud: this._payload.aud };
}
enc.setProtectedHeader(this._protectedHeader);
if (this._iv) {
enc.setInitializationVector(this._iv);
}
if (this._cek) {
enc.setContentEncryptionKey(this._cek);
}
if (this._keyManagementParameters) {
enc.setKeyManagementParameters(this._keyManagementParameters);
}
return enc.encrypt(key, options);
}
};
exports2.EncryptJWT = EncryptJWT;
}
});
// node_modules/jose/dist/node/cjs/jwk/thumbprint.js
var require_thumbprint = __commonJS({
"node_modules/jose/dist/node/cjs/jwk/thumbprint.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.calculateJwkThumbprintUri = exports2.calculateJwkThumbprint = void 0;
var digest_js_1 = require_digest();
var base64url_js_1 = require_base64url();
var errors_js_1 = require_errors();
var buffer_utils_js_1 = require_buffer_utils();
var is_object_js_1 = require_is_object();
var check = (value, description) => {
if (typeof value !== "string" || !value) {
throw new errors_js_1.JWKInvalid(`${description} missing or invalid`);
}
};
async function calculateJwkThumbprint(jwk, digestAlgorithm) {
if (!(0, is_object_js_1.default)(jwk)) {
throw new TypeError("JWK must be an object");
}
digestAlgorithm ??= "sha256";
if (digestAlgorithm !== "sha256" && digestAlgorithm !== "sha384" && digestAlgorithm !== "sha512") {
throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"');
}
let components;
switch (jwk.kty) {
case "EC":
check(jwk.crv, '"crv" (Curve) Parameter');
check(jwk.x, '"x" (X Coordinate) Parameter');
check(jwk.y, '"y" (Y Coordinate) Parameter');
components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
break;
case "OKP":
check(jwk.crv, '"crv" (Subtype of Key Pair) Parameter');
check(jwk.x, '"x" (Public Key) Parameter');
components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };
break;
case "RSA":
check(jwk.e, '"e" (Exponent) Parameter');
check(jwk.n, '"n" (Modulus) Parameter');
components = { e: jwk.e, kty: jwk.kty, n: jwk.n };
break;
case "oct":
check(jwk.k, '"k" (Key Value) Parameter');
components = { k: jwk.k, kty: jwk.kty };
break;
default:
throw new errors_js_1.JOSENotSupported('"kty" (Key Type) Parameter missing or unsupported');
}
const data = buffer_utils_js_1.encoder.encode(JSON.stringify(components));
return (0, base64url_js_1.encode)(await (0, digest_js_1.default)(digestAlgorithm, data));
}
exports2.calculateJwkThumbprint = calculateJwkThumbprint;
async function calculateJwkThumbprintUri(jwk, digestAlgorithm) {
digestAlgorithm ??= "sha256";
const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm);
return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`;
}
exports2.calculateJwkThumbprintUri = calculateJwkThumbprintUri;
}
});
// node_modules/jose/dist/node/cjs/jwk/embedded.js
var require_embedded = __commonJS({
"node_modules/jose/dist/node/cjs/jwk/embedded.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.EmbeddedJWK = void 0;
var import_js_12 = require_import();
var is_object_js_1 = require_is_object();
var errors_js_1 = require_errors();
async function EmbeddedJWK(protectedHeader, token) {
const joseHeader = {
...protectedHeader,
...token?.header
};
if (!(0, is_object_js_1.default)(joseHeader.jwk)) {
throw new errors_js_1.JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a JSON object');
}
const key = await (0, import_js_12.importJWK)({ ...joseHeader.jwk, ext: true }, joseHeader.alg);
if (key instanceof Uint8Array || key.type !== "public") {
throw new errors_js_1.JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a public key');
}
return key;
}
exports2.EmbeddedJWK = EmbeddedJWK;
}
});
// node_modules/jose/dist/node/cjs/jwks/local.js
var require_local = __commonJS({
"node_modules/jose/dist/node/cjs/jwks/local.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.createLocalJWKSet = exports2.LocalJWKSet = exports2.isJWKSLike = void 0;
var import_js_12 = require_import();
var errors_js_1 = require_errors();
var is_object_js_1 = require_is_object();
function getKtyFromAlg(alg) {
switch (typeof alg === "string" && alg.slice(0, 2)) {
case "RS":
case "PS":
return "RSA";
case "ES":
return "EC";
case "Ed":
return "OKP";
default:
throw new errors_js_1.JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set');
}
}
function isJWKSLike(jwks) {
return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike);
}
exports2.isJWKSLike = isJWKSLike;
function isJWKLike(key) {
return (0, is_object_js_1.default)(key);
}
function clone(obj) {
if (typeof structuredClone === "function") {
return structuredClone(obj);
}
return JSON.parse(JSON.stringify(obj));
}
var LocalJWKSet = class {
_jwks;
_cached = /* @__PURE__ */ new WeakMap();
constructor(jwks) {
if (!isJWKSLike(jwks)) {
throw new errors_js_1.JWKSInvalid("JSON Web Key Set malformed");
}
this._jwks = clone(jwks);
}
async getKey(protectedHeader, token) {
const { alg, kid } = { ...protectedHeader, ...token?.header };
const kty = getKtyFromAlg(alg);
const candidates = this._jwks.keys.filter((jwk2) => {
let candidate = kty === jwk2.kty;
if (candidate && typeof kid === "string") {
candidate = kid === jwk2.kid;
}
if (candidate && typeof jwk2.alg === "string") {
candidate = alg === jwk2.alg;
}
if (candidate && typeof jwk2.use === "string") {
candidate = jwk2.use === "sig";
}
if (candidate && Array.isArray(jwk2.key_ops)) {
candidate = jwk2.key_ops.includes("verify");
}
if (candidate && alg === "EdDSA") {
candidate = jwk2.crv === "Ed25519" || jwk2.crv === "Ed448";
}
if (candidate) {
switch (alg) {
case "ES256":
candidate = jwk2.crv === "P-256";
break;
case "ES256K":
candidate = jwk2.crv === "secp256k1";
break;
case "ES384":
candidate = jwk2.crv === "P-384";
break;
case "ES512":
candidate = jwk2.crv === "P-521";
break;
}
}
return candidate;
});
const { 0: jwk, length } = candidates;
if (length === 0) {
throw new errors_js_1.JWKSNoMatchingKey();
}
if (length !== 1) {
const error = new errors_js_1.JWKSMultipleMatchingKeys();
const { _cached } = this;
error[Symbol.asyncIterator] = async function* () {
for (const jwk2 of candidates) {
try {
yield await importWithAlgCache(_cached, jwk2, alg);
} catch {
}
}
};
throw error;
}
return importWithAlgCache(this._cached, jwk, alg);
}
};
exports2.LocalJWKSet = LocalJWKSet;
async function importWithAlgCache(cache, jwk, alg) {
const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk);
if (cached[alg] === void 0) {
const key = await (0, import_js_12.importJWK)({ ...jwk, ext: true }, alg);
if (key instanceof Uint8Array || key.type !== "public") {
throw new errors_js_1.JWKSInvalid("JSON Web Key Set members must be public keys");
}
cached[alg] = key;
}
return cached[alg];
}
function createLocalJWKSet(jwks) {
const set = new LocalJWKSet(jwks);
return async (protectedHeader, token) => set.getKey(protectedHeader, token);
}
exports2.createLocalJWKSet = createLocalJWKSet;
}
});
// node_modules/jose/dist/node/cjs/jwt/unsecured.js
var require_unsecured = __commonJS({
"node_modules/jose/dist/node/cjs/jwt/unsecured.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.UnsecuredJWT = void 0;
var base64url = require_base64url();
var buffer_utils_js_1 = require_buffer_utils();
var errors_js_1 = require_errors();
var jwt_claims_set_js_1 = require_jwt_claims_set();
var produce_js_1 = require_produce();
var UnsecuredJWT = class extends produce_js_1.ProduceJWT {
encode() {
const header = base64url.encode(JSON.stringify({ alg: "none" }));
const payload = base64url.encode(JSON.stringify(this._payload));
return `${header}.${payload}.`;
}
static decode(jwt, options) {
if (typeof jwt !== "string") {
throw new errors_js_1.JWTInvalid("Unsecured JWT must be a string");
}
const { 0: encodedHeader, 1: encodedPayload, 2: signature, length } = jwt.split(".");
if (length !== 3 || signature !== "") {
throw new errors_js_1.JWTInvalid("Invalid Unsecured JWT");
}
let header;
try {
header = JSON.parse(buffer_utils_js_1.decoder.decode(base64url.decode(encodedHeader)));
if (header.alg !== "none")
throw new Error();
} catch {
throw new errors_js_1.JWTInvalid("Invalid Unsecured JWT");
}
const payload = (0, jwt_claims_set_js_1.default)(header, base64url.decode(encodedPayload), options);
return { payload, header };
}
};
exports2.UnsecuredJWT = UnsecuredJWT;
}
});
// node_modules/jose/dist/node/cjs/util/base64url.js
var require_base64url2 = __commonJS({
"node_modules/jose/dist/node/cjs/util/base64url.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.decode = exports2.encode = void 0;
var base64url = require_base64url();
exports2.encode = base64url.encode;
exports2.decode = base64url.decode;
}
});
// node_modules/jose/dist/node/cjs/util/decode_protected_header.js
var require_decode_protected_header = __commonJS({
"node_modules/jose/dist/node/cjs/util/decode_protected_header.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.decodeProtectedHeader = void 0;
var base64url_js_1 = require_base64url2();
var buffer_utils_js_1 = require_buffer_utils();
var is_object_js_1 = require_is_object();
function decodeProtectedHeader(token) {
let protectedB64u;
if (typeof token === "string") {
const parts = token.split(".");
if (parts.length === 3 || parts.length === 5) {
;
[protectedB64u] = parts;
}
} else if (typeof token === "object" && token) {
if ("protected" in token) {
protectedB64u = token.protected;
} else {
throw new TypeError("Token does not contain a Protected Header");
}
}
try {
if (typeof protectedB64u !== "string" || !protectedB64u) {
throw new Error();
}
const result = JSON.parse(buffer_utils_js_1.decoder.decode((0, base64url_js_1.decode)(protectedB64u)));
if (!(0, is_object_js_1.default)(result)) {
throw new Error();
}
return result;
} catch {
throw new TypeError("Invalid Token or Protected Header formatting");
}
}
exports2.decodeProtectedHeader = decodeProtectedHeader;
}
});
// node_modules/jose/dist/node/cjs/util/decode_jwt.js
var require_decode_jwt = __commonJS({
"node_modules/jose/dist/node/cjs/util/decode_jwt.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.decodeJwt = void 0;
var base64url_js_1 = require_base64url2();
var buffer_utils_js_1 = require_buffer_utils();
var is_object_js_1 = require_is_object();
var errors_js_1 = require_errors();
function decodeJwt(jwt) {
if (typeof jwt !== "string")
throw new errors_js_1.JWTInvalid("JWTs must use Compact JWS serialization, JWT must be a string");
const { 1: payload, length } = jwt.split(".");
if (length === 5)
throw new errors_js_1.JWTInvalid("Only JWTs using Compact JWS serialization can be decoded");
if (length !== 3)
throw new errors_js_1.JWTInvalid("Invalid JWT");
if (!payload)
throw new errors_js_1.JWTInvalid("JWTs must contain a payload");
let decoded;
try {
decoded = (0, base64url_js_1.decode)(payload);
} catch {
throw new errors_js_1.JWTInvalid("Failed to base64url decode the payload");
}
let result;
try {
result = JSON.parse(buffer_utils_js_1.decoder.decode(decoded));
} catch {
throw new errors_js_1.JWTInvalid("Failed to parse the decoded payload as JSON");
}
if (!(0, is_object_js_1.default)(result))
throw new errors_js_1.JWTInvalid("Invalid JWT Claims Set");
return result;
}
exports2.decodeJwt = decodeJwt;
}
});
// node_modules/jose/dist/node/cjs/runtime/generate.js
var require_generate = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/generate.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.generateKeyPair = exports2.generateSecret = void 0;
var node_crypto_1 = requireNodeCrypto;
var node_util_1 = requireNodeUtil;
var random_js_1 = require_random();
var errors_js_1 = require_errors();
var generate = (0, node_util_1.promisify)(node_crypto_1.generateKeyPair);
async function generateSecret(alg, options) {
let length;
switch (alg) {
case "HS256":
case "HS384":
case "HS512":
case "A128CBC-HS256":
case "A192CBC-HS384":
case "A256CBC-HS512":
length = parseInt(alg.slice(-3), 10);
break;
case "A128KW":
case "A192KW":
case "A256KW":
case "A128GCMKW":
case "A192GCMKW":
case "A256GCMKW":
case "A128GCM":
case "A192GCM":
case "A256GCM":
length = parseInt(alg.slice(1, 4), 10);
break;
default:
throw new errors_js_1.JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
}
return (0, node_crypto_1.createSecretKey)((0, random_js_1.default)(new Uint8Array(length >> 3)));
}
exports2.generateSecret = generateSecret;
async function generateKeyPair(alg, options) {
switch (alg) {
case "RS256":
case "RS384":
case "RS512":
case "PS256":
case "PS384":
case "PS512":
case "RSA-OAEP":
case "RSA-OAEP-256":
case "RSA-OAEP-384":
case "RSA-OAEP-512":
case "RSA1_5": {
const modulusLength = options?.modulusLength ?? 2048;
if (typeof modulusLength !== "number" || modulusLength < 2048) {
throw new errors_js_1.JOSENotSupported("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used");
}
const keypair = await generate("rsa", {
modulusLength,
publicExponent: 65537
});
return keypair;
}
case "ES256":
return generate("ec", { namedCurve: "P-256" });
case "ES256K":
return generate("ec", { namedCurve: "secp256k1" });
case "ES384":
return generate("ec", { namedCurve: "P-384" });
case "ES512":
return generate("ec", { namedCurve: "P-521" });
case "EdDSA": {
switch (options?.crv) {
case void 0:
case "Ed25519":
return generate("ed25519");
case "Ed448":
return generate("ed448");
default:
throw new errors_js_1.JOSENotSupported("Invalid or unsupported crv option provided, supported values are Ed25519 and Ed448");
}
}
case "ECDH-ES":
case "ECDH-ES+A128KW":
case "ECDH-ES+A192KW":
case "ECDH-ES+A256KW": {
const crv = options?.crv ?? "P-256";
switch (crv) {
case void 0:
case "P-256":
case "P-384":
case "P-521":
return generate("ec", { namedCurve: crv });
case "X25519":
return generate("x25519");
case "X448":
return generate("x448");
default:
throw new errors_js_1.JOSENotSupported("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448");
}
}
default:
throw new errors_js_1.JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
}
}
exports2.generateKeyPair = generateKeyPair;
}
});
// node_modules/jose/dist/node/cjs/key/generate_key_pair.js
var require_generate_key_pair = __commonJS({
"node_modules/jose/dist/node/cjs/key/generate_key_pair.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.generateKeyPair = void 0;
var generate_js_1 = require_generate();
async function generateKeyPair(alg, options) {
return (0, generate_js_1.generateKeyPair)(alg, options);
}
exports2.generateKeyPair = generateKeyPair;
}
});
// node_modules/jose/dist/node/cjs/key/generate_secret.js
var require_generate_secret = __commonJS({
"node_modules/jose/dist/node/cjs/key/generate_secret.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.generateSecret = void 0;
var generate_js_1 = require_generate();
async function generateSecret(alg, options) {
return (0, generate_js_1.generateSecret)(alg, options);
}
exports2.generateSecret = generateSecret;
}
});
// node_modules/jose/dist/node/cjs/runtime/runtime.js
var require_runtime = __commonJS({
"node_modules/jose/dist/node/cjs/runtime/runtime.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
exports2.default = "node:crypto";
}
});
// node_modules/jose/dist/node/cjs/util/runtime.js
var require_runtime2 = __commonJS({
"node_modules/jose/dist/node/cjs/util/runtime.js"(exports2) {
"use strict";
Object.defineProperty(exports2, "__esModule", { value: true });
var runtime_js_12 = require_runtime();
exports2.default = runtime_js_12.default;
}
});
// node_modules/jose/dist/node/cjs/index.js
Object.defineProperty(exports, "__esModule", { value: true });
exports.cryptoRuntime = exports.base64url = exports.generateSecret = exports.generateKeyPair = exports.errors = exports.decodeJwt = exports.decodeProtectedHeader = exports.importJWK = exports.importX509 = exports.importPKCS8 = exports.importSPKI = exports.exportJWK = exports.exportSPKI = exports.exportPKCS8 = exports.UnsecuredJWT = exports.createLocalJWKSet = exports.EmbeddedJWK = exports.calculateJwkThumbprintUri = exports.calculateJwkThumbprint = exports.EncryptJWT = exports.SignJWT = exports.GeneralSign = exports.FlattenedSign = exports.CompactSign = exports.FlattenedEncrypt = exports.CompactEncrypt = exports.jwtDecrypt = exports.jwtVerify = exports.generalVerify = exports.flattenedVerify = exports.compactVerify = exports.GeneralEncrypt = exports.generalDecrypt = exports.flattenedDecrypt = exports.compactDecrypt = void 0;
var decrypt_js_1 = require_decrypt3();
Object.defineProperty(exports, "compactDecrypt", { enumerable: true, get: function() {
return decrypt_js_1.compactDecrypt;
} });
var decrypt_js_2 = require_decrypt2();
Object.defineProperty(exports, "flattenedDecrypt", { enumerable: true, get: function() {
return decrypt_js_2.flattenedDecrypt;
} });
var decrypt_js_3 = require_decrypt4();
Object.defineProperty(exports, "generalDecrypt", { enumerable: true, get: function() {
return decrypt_js_3.generalDecrypt;
} });
var encrypt_js_1 = require_encrypt3();
Object.defineProperty(exports, "GeneralEncrypt", { enumerable: true, get: function() {
return encrypt_js_1.GeneralEncrypt;
} });
var verify_js_1 = require_verify3();
Object.defineProperty(exports, "compactVerify", { enumerable: true, get: function() {
return verify_js_1.compactVerify;
} });
var verify_js_2 = require_verify2();
Object.defineProperty(exports, "flattenedVerify", { enumerable: true, get: function() {
return verify_js_2.flattenedVerify;
} });
var verify_js_3 = require_verify4();
Object.defineProperty(exports, "generalVerify", { enumerable: true, get: function() {
return verify_js_3.generalVerify;
} });
var verify_js_4 = require_verify5();
Object.defineProperty(exports, "jwtVerify", { enumerable: true, get: function() {
return verify_js_4.jwtVerify;
} });
var decrypt_js_4 = require_decrypt5();
Object.defineProperty(exports, "jwtDecrypt", { enumerable: true, get: function() {
return decrypt_js_4.jwtDecrypt;
} });
var encrypt_js_2 = require_encrypt4();
Object.defineProperty(exports, "CompactEncrypt", { enumerable: true, get: function() {
return encrypt_js_2.CompactEncrypt;
} });
var encrypt_js_3 = require_encrypt2();
Object.defineProperty(exports, "FlattenedEncrypt", { enumerable: true, get: function() {
return encrypt_js_3.FlattenedEncrypt;
} });
var sign_js_1 = require_sign3();
Object.defineProperty(exports, "CompactSign", { enumerable: true, get: function() {
return sign_js_1.CompactSign;
} });
var sign_js_2 = require_sign2();
Object.defineProperty(exports, "FlattenedSign", { enumerable: true, get: function() {
return sign_js_2.FlattenedSign;
} });
var sign_js_3 = require_sign4();
Object.defineProperty(exports, "GeneralSign", { enumerable: true, get: function() {
return sign_js_3.GeneralSign;
} });
var sign_js_4 = require_sign5();
Object.defineProperty(exports, "SignJWT", { enumerable: true, get: function() {
return sign_js_4.SignJWT;
} });
var encrypt_js_4 = require_encrypt5();
Object.defineProperty(exports, "EncryptJWT", { enumerable: true, get: function() {
return encrypt_js_4.EncryptJWT;
} });
var thumbprint_js_1 = require_thumbprint();
Object.defineProperty(exports, "calculateJwkThumbprint", { enumerable: true, get: function() {
return thumbprint_js_1.calculateJwkThumbprint;
} });
Object.defineProperty(exports, "calculateJwkThumbprintUri", { enumerable: true, get: function() {
return thumbprint_js_1.calculateJwkThumbprintUri;
} });
var embedded_js_1 = require_embedded();
Object.defineProperty(exports, "EmbeddedJWK", { enumerable: true, get: function() {
return embedded_js_1.EmbeddedJWK;
} });
var local_js_1 = require_local();
Object.defineProperty(exports, "createLocalJWKSet", { enumerable: true, get: function() {
return local_js_1.createLocalJWKSet;
} });
var unsecured_js_1 = require_unsecured();
Object.defineProperty(exports, "UnsecuredJWT", { enumerable: true, get: function() {
return unsecured_js_1.UnsecuredJWT;
} });
var export_js_1 = require_export();
Object.defineProperty(exports, "exportPKCS8", { enumerable: true, get: function() {
return export_js_1.exportPKCS8;
} });
Object.defineProperty(exports, "exportSPKI", { enumerable: true, get: function() {
return export_js_1.exportSPKI;
} });
Object.defineProperty(exports, "exportJWK", { enumerable: true, get: function() {
return export_js_1.exportJWK;
} });
var import_js_1 = require_import();
Object.defineProperty(exports, "importSPKI", { enumerable: true, get: function() {
return import_js_1.importSPKI;
} });
Object.defineProperty(exports, "importPKCS8", { enumerable: true, get: function() {
return import_js_1.importPKCS8;
} });
Object.defineProperty(exports, "importX509", { enumerable: true, get: function() {
return import_js_1.importX509;
} });
Object.defineProperty(exports, "importJWK", { enumerable: true, get: function() {
return import_js_1.importJWK;
} });
var decode_protected_header_js_1 = require_decode_protected_header();
Object.defineProperty(exports, "decodeProtectedHeader", { enumerable: true, get: function() {
return decode_protected_header_js_1.decodeProtectedHeader;
} });
var decode_jwt_js_1 = require_decode_jwt();
Object.defineProperty(exports, "decodeJwt", { enumerable: true, get: function() {
return decode_jwt_js_1.decodeJwt;
} });
exports.errors = require_errors();
var generate_key_pair_js_1 = require_generate_key_pair();
Object.defineProperty(exports, "generateKeyPair", { enumerable: true, get: function() {
return generate_key_pair_js_1.generateKeyPair;
} });
var generate_secret_js_1 = require_generate_secret();
Object.defineProperty(exports, "generateSecret", { enumerable: true, get: function() {
return generate_secret_js_1.generateSecret;
} });
exports.base64url = require_base64url2();
var runtime_js_1 = require_runtime2();
Object.defineProperty(exports, "cryptoRuntime", { enumerable: true, get: function() {
return runtime_js_1.default;
} });
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment