Last active
February 20, 2024 19:21
-
-
Save jvanmetre/1b88eca035e5fb4318c5c548d0862bb8 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
"use strict"; | |
var __getOwnPropNames = Object.getOwnPropertyNames; | |
var __commonJS = (cb, mod) => function __require() { | |
return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports; | |
}; | |
// node_modules/jose/dist/node/cjs/runtime/digest.js | |
var require_digest = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/digest.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var digest = (algorithm, data) => (0, node_crypto_1.createHash)(algorithm).update(data).digest(); | |
exports2.default = digest; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/buffer_utils.js | |
var require_buffer_utils = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/buffer_utils.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.concatKdf = exports2.lengthAndInput = exports2.uint32be = exports2.uint64be = exports2.p2s = exports2.concat = exports2.decoder = exports2.encoder = void 0; | |
var digest_js_1 = require_digest(); | |
exports2.encoder = new TextEncoder(); | |
exports2.decoder = new TextDecoder(); | |
var MAX_INT32 = 2 ** 32; | |
function concat(...buffers) { | |
const size = buffers.reduce((acc, { length }) => acc + length, 0); | |
const buf = new Uint8Array(size); | |
let i = 0; | |
for (const buffer of buffers) { | |
buf.set(buffer, i); | |
i += buffer.length; | |
} | |
return buf; | |
} | |
exports2.concat = concat; | |
function p2s(alg, p2sInput) { | |
return concat(exports2.encoder.encode(alg), new Uint8Array([0]), p2sInput); | |
} | |
exports2.p2s = p2s; | |
function writeUInt32BE(buf, value, offset) { | |
if (value < 0 || value >= MAX_INT32) { | |
throw new RangeError(`value must be >= 0 and <= ${MAX_INT32 - 1}. Received ${value}`); | |
} | |
buf.set([value >>> 24, value >>> 16, value >>> 8, value & 255], offset); | |
} | |
function uint64be(value) { | |
const high = Math.floor(value / MAX_INT32); | |
const low = value % MAX_INT32; | |
const buf = new Uint8Array(8); | |
writeUInt32BE(buf, high, 0); | |
writeUInt32BE(buf, low, 4); | |
return buf; | |
} | |
exports2.uint64be = uint64be; | |
function uint32be(value) { | |
const buf = new Uint8Array(4); | |
writeUInt32BE(buf, value); | |
return buf; | |
} | |
exports2.uint32be = uint32be; | |
function lengthAndInput(input) { | |
return concat(uint32be(input.length), input); | |
} | |
exports2.lengthAndInput = lengthAndInput; | |
async function concatKdf(secret, bits, value) { | |
const iterations = Math.ceil((bits >> 3) / 32); | |
const res = new Uint8Array(iterations * 32); | |
for (let iter = 0; iter < iterations; iter++) { | |
const buf = new Uint8Array(4 + secret.length + value.length); | |
buf.set(uint32be(iter + 1)); | |
buf.set(secret, 4); | |
buf.set(value, 4 + secret.length); | |
res.set(await (0, digest_js_1.default)("sha256", buf), iter * 32); | |
} | |
return res.slice(0, bits >> 3); | |
} | |
exports2.concatKdf = concatKdf; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/base64url.js | |
var require_base64url = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/base64url.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.decode = exports2.encode = exports2.encodeBase64 = exports2.decodeBase64 = void 0; | |
var node_buffer_1 = requireNodeBuffer; | |
var buffer_utils_js_1 = require_buffer_utils(); | |
function normalize(input) { | |
let encoded = input; | |
if (encoded instanceof Uint8Array) { | |
encoded = buffer_utils_js_1.decoder.decode(encoded); | |
} | |
return encoded; | |
} | |
var encode = (input) => node_buffer_1.Buffer.from(input).toString("base64url"); | |
exports2.encode = encode; | |
var decodeBase64 = (input) => new Uint8Array(node_buffer_1.Buffer.from(input, "base64")); | |
exports2.decodeBase64 = decodeBase64; | |
var encodeBase64 = (input) => node_buffer_1.Buffer.from(input).toString("base64"); | |
exports2.encodeBase64 = encodeBase64; | |
var decode = (input) => new Uint8Array(node_buffer_1.Buffer.from(normalize(input), "base64")); | |
exports2.decode = decode; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/util/errors.js | |
var require_errors = __commonJS({ | |
"node_modules/jose/dist/node/cjs/util/errors.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.JWSSignatureVerificationFailed = exports2.JWKSTimeout = exports2.JWKSMultipleMatchingKeys = exports2.JWKSNoMatchingKey = exports2.JWKSInvalid = exports2.JWKInvalid = exports2.JWTInvalid = exports2.JWSInvalid = exports2.JWEInvalid = exports2.JWEDecryptionFailed = exports2.JOSENotSupported = exports2.JOSEAlgNotAllowed = exports2.JWTExpired = exports2.JWTClaimValidationFailed = exports2.JOSEError = void 0; | |
var JOSEError = class extends Error { | |
static get code() { | |
return "ERR_JOSE_GENERIC"; | |
} | |
code = "ERR_JOSE_GENERIC"; | |
constructor(message) { | |
super(message); | |
this.name = this.constructor.name; | |
Error.captureStackTrace?.(this, this.constructor); | |
} | |
}; | |
exports2.JOSEError = JOSEError; | |
var JWTClaimValidationFailed = class extends JOSEError { | |
static get code() { | |
return "ERR_JWT_CLAIM_VALIDATION_FAILED"; | |
} | |
code = "ERR_JWT_CLAIM_VALIDATION_FAILED"; | |
claim; | |
reason; | |
constructor(message, claim = "unspecified", reason = "unspecified") { | |
super(message); | |
this.claim = claim; | |
this.reason = reason; | |
} | |
}; | |
exports2.JWTClaimValidationFailed = JWTClaimValidationFailed; | |
var JWTExpired = class extends JOSEError { | |
static get code() { | |
return "ERR_JWT_EXPIRED"; | |
} | |
code = "ERR_JWT_EXPIRED"; | |
claim; | |
reason; | |
constructor(message, claim = "unspecified", reason = "unspecified") { | |
super(message); | |
this.claim = claim; | |
this.reason = reason; | |
} | |
}; | |
exports2.JWTExpired = JWTExpired; | |
var JOSEAlgNotAllowed = class extends JOSEError { | |
static get code() { | |
return "ERR_JOSE_ALG_NOT_ALLOWED"; | |
} | |
code = "ERR_JOSE_ALG_NOT_ALLOWED"; | |
}; | |
exports2.JOSEAlgNotAllowed = JOSEAlgNotAllowed; | |
var JOSENotSupported = class extends JOSEError { | |
static get code() { | |
return "ERR_JOSE_NOT_SUPPORTED"; | |
} | |
code = "ERR_JOSE_NOT_SUPPORTED"; | |
}; | |
exports2.JOSENotSupported = JOSENotSupported; | |
var JWEDecryptionFailed = class extends JOSEError { | |
static get code() { | |
return "ERR_JWE_DECRYPTION_FAILED"; | |
} | |
code = "ERR_JWE_DECRYPTION_FAILED"; | |
message = "decryption operation failed"; | |
}; | |
exports2.JWEDecryptionFailed = JWEDecryptionFailed; | |
var JWEInvalid = class extends JOSEError { | |
static get code() { | |
return "ERR_JWE_INVALID"; | |
} | |
code = "ERR_JWE_INVALID"; | |
}; | |
exports2.JWEInvalid = JWEInvalid; | |
var JWSInvalid = class extends JOSEError { | |
static get code() { | |
return "ERR_JWS_INVALID"; | |
} | |
code = "ERR_JWS_INVALID"; | |
}; | |
exports2.JWSInvalid = JWSInvalid; | |
var JWTInvalid = class extends JOSEError { | |
static get code() { | |
return "ERR_JWT_INVALID"; | |
} | |
code = "ERR_JWT_INVALID"; | |
}; | |
exports2.JWTInvalid = JWTInvalid; | |
var JWKInvalid = class extends JOSEError { | |
static get code() { | |
return "ERR_JWK_INVALID"; | |
} | |
code = "ERR_JWK_INVALID"; | |
}; | |
exports2.JWKInvalid = JWKInvalid; | |
var JWKSInvalid = class extends JOSEError { | |
static get code() { | |
return "ERR_JWKS_INVALID"; | |
} | |
code = "ERR_JWKS_INVALID"; | |
}; | |
exports2.JWKSInvalid = JWKSInvalid; | |
var JWKSNoMatchingKey = class extends JOSEError { | |
static get code() { | |
return "ERR_JWKS_NO_MATCHING_KEY"; | |
} | |
code = "ERR_JWKS_NO_MATCHING_KEY"; | |
message = "no applicable key found in the JSON Web Key Set"; | |
}; | |
exports2.JWKSNoMatchingKey = JWKSNoMatchingKey; | |
var JWKSMultipleMatchingKeys = class extends JOSEError { | |
[Symbol.asyncIterator]; | |
static get code() { | |
return "ERR_JWKS_MULTIPLE_MATCHING_KEYS"; | |
} | |
code = "ERR_JWKS_MULTIPLE_MATCHING_KEYS"; | |
message = "multiple matching keys found in the JSON Web Key Set"; | |
}; | |
exports2.JWKSMultipleMatchingKeys = JWKSMultipleMatchingKeys; | |
var JWKSTimeout = class extends JOSEError { | |
static get code() { | |
return "ERR_JWKS_TIMEOUT"; | |
} | |
code = "ERR_JWKS_TIMEOUT"; | |
message = "request timed out"; | |
}; | |
exports2.JWKSTimeout = JWKSTimeout; | |
var JWSSignatureVerificationFailed = class extends JOSEError { | |
static get code() { | |
return "ERR_JWS_SIGNATURE_VERIFICATION_FAILED"; | |
} | |
code = "ERR_JWS_SIGNATURE_VERIFICATION_FAILED"; | |
message = "signature verification failed"; | |
}; | |
exports2.JWSSignatureVerificationFailed = JWSSignatureVerificationFailed; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/random.js | |
var require_random = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/random.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.default = void 0; | |
var node_crypto_1 = requireNodeCrypto; | |
Object.defineProperty(exports2, "default", { enumerable: true, get: function() { | |
return node_crypto_1.randomFillSync; | |
} }); | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/iv.js | |
var require_iv = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/iv.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.bitLength = void 0; | |
var errors_js_1 = require_errors(); | |
var random_js_1 = require_random(); | |
function bitLength(alg) { | |
switch (alg) { | |
case "A128GCM": | |
case "A128GCMKW": | |
case "A192GCM": | |
case "A192GCMKW": | |
case "A256GCM": | |
case "A256GCMKW": | |
return 96; | |
case "A128CBC-HS256": | |
case "A192CBC-HS384": | |
case "A256CBC-HS512": | |
return 128; | |
default: | |
throw new errors_js_1.JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`); | |
} | |
} | |
exports2.bitLength = bitLength; | |
exports2.default = (alg) => (0, random_js_1.default)(new Uint8Array(bitLength(alg) >> 3)); | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/check_iv_length.js | |
var require_check_iv_length = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/check_iv_length.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var errors_js_1 = require_errors(); | |
var iv_js_1 = require_iv(); | |
var checkIvLength = (enc, iv) => { | |
if (iv.length << 3 !== (0, iv_js_1.bitLength)(enc)) { | |
throw new errors_js_1.JWEInvalid("Invalid Initialization Vector length"); | |
} | |
}; | |
exports2.default = checkIvLength; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/is_key_object.js | |
var require_is_key_object = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/is_key_object.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var util = requireNodeUtil; | |
exports2.default = (obj) => util.types.isKeyObject(obj); | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/check_cek_length.js | |
var require_check_cek_length = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/check_cek_length.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var errors_js_1 = require_errors(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var checkCekLength = (enc, cek) => { | |
let expected; | |
switch (enc) { | |
case "A128CBC-HS256": | |
case "A192CBC-HS384": | |
case "A256CBC-HS512": | |
expected = parseInt(enc.slice(-3), 10); | |
break; | |
case "A128GCM": | |
case "A192GCM": | |
case "A256GCM": | |
expected = parseInt(enc.slice(1, 4), 10); | |
break; | |
default: | |
throw new errors_js_1.JOSENotSupported(`Content Encryption Algorithm ${enc} is not supported either by JOSE or your javascript runtime`); | |
} | |
if (cek instanceof Uint8Array) { | |
const actual = cek.byteLength << 3; | |
if (actual !== expected) { | |
throw new errors_js_1.JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`); | |
} | |
return; | |
} | |
if ((0, is_key_object_js_1.default)(cek) && cek.type === "secret") { | |
const actual = cek.symmetricKeySize << 3; | |
if (actual !== expected) { | |
throw new errors_js_1.JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`); | |
} | |
return; | |
} | |
throw new TypeError("Invalid Content Encryption Key type"); | |
}; | |
exports2.default = checkCekLength; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/timing_safe_equal.js | |
var require_timing_safe_equal = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/timing_safe_equal.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var timingSafeEqual = node_crypto_1.timingSafeEqual; | |
exports2.default = timingSafeEqual; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/cbc_tag.js | |
var require_cbc_tag = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/cbc_tag.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var buffer_utils_js_1 = require_buffer_utils(); | |
function cbcTag(aad, iv, ciphertext, macSize, macKey, keySize) { | |
const macData = (0, buffer_utils_js_1.concat)(aad, iv, ciphertext, (0, buffer_utils_js_1.uint64be)(aad.length << 3)); | |
const hmac = (0, node_crypto_1.createHmac)(`sha${macSize}`, macKey); | |
hmac.update(macData); | |
return hmac.digest().slice(0, keySize >> 3); | |
} | |
exports2.default = cbcTag; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/webcrypto.js | |
var require_webcrypto = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/webcrypto.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.isCryptoKey = void 0; | |
var crypto = requireNodeCrypto; | |
var util = requireNodeUtil; | |
var webcrypto = crypto.webcrypto; | |
exports2.default = webcrypto; | |
var isCryptoKey = (key) => util.types.isCryptoKey(key); | |
exports2.isCryptoKey = isCryptoKey; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/crypto_key.js | |
var require_crypto_key = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/crypto_key.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.checkEncCryptoKey = exports2.checkSigCryptoKey = void 0; | |
function unusable(name, prop = "algorithm.name") { | |
return new TypeError(`CryptoKey does not support this operation, its ${prop} must be ${name}`); | |
} | |
function isAlgorithm(algorithm, name) { | |
return algorithm.name === name; | |
} | |
function getHashLength(hash) { | |
return parseInt(hash.name.slice(4), 10); | |
} | |
function getNamedCurve(alg) { | |
switch (alg) { | |
case "ES256": | |
return "P-256"; | |
case "ES384": | |
return "P-384"; | |
case "ES512": | |
return "P-521"; | |
default: | |
throw new Error("unreachable"); | |
} | |
} | |
function checkUsage(key, usages) { | |
if (usages.length && !usages.some((expected) => key.usages.includes(expected))) { | |
let msg = "CryptoKey does not support this operation, its usages must include "; | |
if (usages.length > 2) { | |
const last = usages.pop(); | |
msg += `one of ${usages.join(", ")}, or ${last}.`; | |
} else if (usages.length === 2) { | |
msg += `one of ${usages[0]} or ${usages[1]}.`; | |
} else { | |
msg += `${usages[0]}.`; | |
} | |
throw new TypeError(msg); | |
} | |
} | |
function checkSigCryptoKey(key, alg, ...usages) { | |
switch (alg) { | |
case "HS256": | |
case "HS384": | |
case "HS512": { | |
if (!isAlgorithm(key.algorithm, "HMAC")) | |
throw unusable("HMAC"); | |
const expected = parseInt(alg.slice(2), 10); | |
const actual = getHashLength(key.algorithm.hash); | |
if (actual !== expected) | |
throw unusable(`SHA-${expected}`, "algorithm.hash"); | |
break; | |
} | |
case "RS256": | |
case "RS384": | |
case "RS512": { | |
if (!isAlgorithm(key.algorithm, "RSASSA-PKCS1-v1_5")) | |
throw unusable("RSASSA-PKCS1-v1_5"); | |
const expected = parseInt(alg.slice(2), 10); | |
const actual = getHashLength(key.algorithm.hash); | |
if (actual !== expected) | |
throw unusable(`SHA-${expected}`, "algorithm.hash"); | |
break; | |
} | |
case "PS256": | |
case "PS384": | |
case "PS512": { | |
if (!isAlgorithm(key.algorithm, "RSA-PSS")) | |
throw unusable("RSA-PSS"); | |
const expected = parseInt(alg.slice(2), 10); | |
const actual = getHashLength(key.algorithm.hash); | |
if (actual !== expected) | |
throw unusable(`SHA-${expected}`, "algorithm.hash"); | |
break; | |
} | |
case "EdDSA": { | |
if (key.algorithm.name !== "Ed25519" && key.algorithm.name !== "Ed448") { | |
throw unusable("Ed25519 or Ed448"); | |
} | |
break; | |
} | |
case "ES256": | |
case "ES384": | |
case "ES512": { | |
if (!isAlgorithm(key.algorithm, "ECDSA")) | |
throw unusable("ECDSA"); | |
const expected = getNamedCurve(alg); | |
const actual = key.algorithm.namedCurve; | |
if (actual !== expected) | |
throw unusable(expected, "algorithm.namedCurve"); | |
break; | |
} | |
default: | |
throw new TypeError("CryptoKey does not support this operation"); | |
} | |
checkUsage(key, usages); | |
} | |
exports2.checkSigCryptoKey = checkSigCryptoKey; | |
function checkEncCryptoKey(key, alg, ...usages) { | |
switch (alg) { | |
case "A128GCM": | |
case "A192GCM": | |
case "A256GCM": { | |
if (!isAlgorithm(key.algorithm, "AES-GCM")) | |
throw unusable("AES-GCM"); | |
const expected = parseInt(alg.slice(1, 4), 10); | |
const actual = key.algorithm.length; | |
if (actual !== expected) | |
throw unusable(expected, "algorithm.length"); | |
break; | |
} | |
case "A128KW": | |
case "A192KW": | |
case "A256KW": { | |
if (!isAlgorithm(key.algorithm, "AES-KW")) | |
throw unusable("AES-KW"); | |
const expected = parseInt(alg.slice(1, 4), 10); | |
const actual = key.algorithm.length; | |
if (actual !== expected) | |
throw unusable(expected, "algorithm.length"); | |
break; | |
} | |
case "ECDH": { | |
switch (key.algorithm.name) { | |
case "ECDH": | |
case "X25519": | |
case "X448": | |
break; | |
default: | |
throw unusable("ECDH, X25519, or X448"); | |
} | |
break; | |
} | |
case "PBES2-HS256+A128KW": | |
case "PBES2-HS384+A192KW": | |
case "PBES2-HS512+A256KW": | |
if (!isAlgorithm(key.algorithm, "PBKDF2")) | |
throw unusable("PBKDF2"); | |
break; | |
case "RSA-OAEP": | |
case "RSA-OAEP-256": | |
case "RSA-OAEP-384": | |
case "RSA-OAEP-512": { | |
if (!isAlgorithm(key.algorithm, "RSA-OAEP")) | |
throw unusable("RSA-OAEP"); | |
const expected = parseInt(alg.slice(9), 10) || 1; | |
const actual = getHashLength(key.algorithm.hash); | |
if (actual !== expected) | |
throw unusable(`SHA-${expected}`, "algorithm.hash"); | |
break; | |
} | |
default: | |
throw new TypeError("CryptoKey does not support this operation"); | |
} | |
checkUsage(key, usages); | |
} | |
exports2.checkEncCryptoKey = checkEncCryptoKey; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/invalid_key_input.js | |
var require_invalid_key_input = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/invalid_key_input.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.withAlg = void 0; | |
function message(msg, actual, ...types) { | |
if (types.length > 2) { | |
const last = types.pop(); | |
msg += `one of type ${types.join(", ")}, or ${last}.`; | |
} else if (types.length === 2) { | |
msg += `one of type ${types[0]} or ${types[1]}.`; | |
} else { | |
msg += `of type ${types[0]}.`; | |
} | |
if (actual == null) { | |
msg += ` Received ${actual}`; | |
} else if (typeof actual === "function" && actual.name) { | |
msg += ` Received function ${actual.name}`; | |
} else if (typeof actual === "object" && actual != null) { | |
if (actual.constructor?.name) { | |
msg += ` Received an instance of ${actual.constructor.name}`; | |
} | |
} | |
return msg; | |
} | |
exports2.default = (actual, ...types) => { | |
return message("Key must be ", actual, ...types); | |
}; | |
function withAlg(alg, actual, ...types) { | |
return message(`Key for the ${alg} algorithm must be `, actual, ...types); | |
} | |
exports2.withAlg = withAlg; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/ciphers.js | |
var require_ciphers = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/ciphers.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var ciphers; | |
exports2.default = (algorithm) => { | |
ciphers ||= new Set((0, node_crypto_1.getCiphers)()); | |
return ciphers.has(algorithm); | |
}; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/is_key_like.js | |
var require_is_key_like = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/is_key_like.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.types = void 0; | |
var webcrypto_js_1 = require_webcrypto(); | |
var is_key_object_js_1 = require_is_key_object(); | |
exports2.default = (key) => (0, is_key_object_js_1.default)(key) || (0, webcrypto_js_1.isCryptoKey)(key); | |
var types = ["KeyObject"]; | |
exports2.types = types; | |
if (globalThis.CryptoKey || webcrypto_js_1.default?.CryptoKey) { | |
types.push("CryptoKey"); | |
} | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/decrypt.js | |
var require_decrypt = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/decrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var check_iv_length_js_1 = require_check_iv_length(); | |
var check_cek_length_js_1 = require_check_cek_length(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var errors_js_1 = require_errors(); | |
var timing_safe_equal_js_1 = require_timing_safe_equal(); | |
var cbc_tag_js_1 = require_cbc_tag(); | |
var webcrypto_js_1 = require_webcrypto(); | |
var crypto_key_js_1 = require_crypto_key(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var ciphers_js_1 = require_ciphers(); | |
var is_key_like_js_1 = require_is_key_like(); | |
function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) { | |
const keySize = parseInt(enc.slice(1, 4), 10); | |
if ((0, is_key_object_js_1.default)(cek)) { | |
cek = cek.export(); | |
} | |
const encKey = cek.subarray(keySize >> 3); | |
const macKey = cek.subarray(0, keySize >> 3); | |
const macSize = parseInt(enc.slice(-3), 10); | |
const algorithm = `aes-${keySize}-cbc`; | |
if (!(0, ciphers_js_1.default)(algorithm)) { | |
throw new errors_js_1.JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`); | |
} | |
const expectedTag = (0, cbc_tag_js_1.default)(aad, iv, ciphertext, macSize, macKey, keySize); | |
let macCheckPassed; | |
try { | |
macCheckPassed = (0, timing_safe_equal_js_1.default)(tag, expectedTag); | |
} catch { | |
} | |
if (!macCheckPassed) { | |
throw new errors_js_1.JWEDecryptionFailed(); | |
} | |
let plaintext; | |
try { | |
const decipher = (0, node_crypto_1.createDecipheriv)(algorithm, encKey, iv); | |
plaintext = (0, buffer_utils_js_1.concat)(decipher.update(ciphertext), decipher.final()); | |
} catch { | |
} | |
if (!plaintext) { | |
throw new errors_js_1.JWEDecryptionFailed(); | |
} | |
return plaintext; | |
} | |
function gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) { | |
const keySize = parseInt(enc.slice(1, 4), 10); | |
const algorithm = `aes-${keySize}-gcm`; | |
if (!(0, ciphers_js_1.default)(algorithm)) { | |
throw new errors_js_1.JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`); | |
} | |
try { | |
const decipher = (0, node_crypto_1.createDecipheriv)(algorithm, cek, iv, { authTagLength: 16 }); | |
decipher.setAuthTag(tag); | |
if (aad.byteLength) { | |
decipher.setAAD(aad, { plaintextLength: ciphertext.length }); | |
} | |
const plaintext = decipher.update(ciphertext); | |
decipher.final(); | |
return plaintext; | |
} catch { | |
throw new errors_js_1.JWEDecryptionFailed(); | |
} | |
} | |
var decrypt = (enc, cek, ciphertext, iv, tag, aad) => { | |
let key; | |
if ((0, webcrypto_js_1.isCryptoKey)(cek)) { | |
(0, crypto_key_js_1.checkEncCryptoKey)(cek, enc, "decrypt"); | |
key = node_crypto_1.KeyObject.from(cek); | |
} else if (cek instanceof Uint8Array || (0, is_key_object_js_1.default)(cek)) { | |
key = cek; | |
} else { | |
throw new TypeError((0, invalid_key_input_js_1.default)(cek, ...is_key_like_js_1.types, "Uint8Array")); | |
} | |
if (!iv) { | |
throw new errors_js_1.JWEInvalid("JWE Initialization Vector missing"); | |
} | |
if (!tag) { | |
throw new errors_js_1.JWEInvalid("JWE Authentication Tag missing"); | |
} | |
(0, check_cek_length_js_1.default)(enc, key); | |
(0, check_iv_length_js_1.default)(enc, iv); | |
switch (enc) { | |
case "A128CBC-HS256": | |
case "A192CBC-HS384": | |
case "A256CBC-HS512": | |
return cbcDecrypt(enc, key, ciphertext, iv, tag, aad); | |
case "A128GCM": | |
case "A192GCM": | |
case "A256GCM": | |
return gcmDecrypt(enc, key, ciphertext, iv, tag, aad); | |
default: | |
throw new errors_js_1.JOSENotSupported("Unsupported JWE Content Encryption Algorithm"); | |
} | |
}; | |
exports2.default = decrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/is_disjoint.js | |
var require_is_disjoint = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/is_disjoint.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var isDisjoint = (...headers) => { | |
const sources = headers.filter(Boolean); | |
if (sources.length === 0 || sources.length === 1) { | |
return true; | |
} | |
let acc; | |
for (const header of sources) { | |
const parameters = Object.keys(header); | |
if (!acc || acc.size === 0) { | |
acc = new Set(parameters); | |
continue; | |
} | |
for (const parameter of parameters) { | |
if (acc.has(parameter)) { | |
return false; | |
} | |
acc.add(parameter); | |
} | |
} | |
return true; | |
}; | |
exports2.default = isDisjoint; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/is_object.js | |
var require_is_object = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/is_object.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
function isObjectLike(value) { | |
return typeof value === "object" && value !== null; | |
} | |
function isObject(input) { | |
if (!isObjectLike(input) || Object.prototype.toString.call(input) !== "[object Object]") { | |
return false; | |
} | |
if (Object.getPrototypeOf(input) === null) { | |
return true; | |
} | |
let proto = input; | |
while (Object.getPrototypeOf(proto) !== null) { | |
proto = Object.getPrototypeOf(proto); | |
} | |
return Object.getPrototypeOf(input) === proto; | |
} | |
exports2.default = isObject; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/aeskw.js | |
var require_aeskw = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/aeskw.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.unwrap = exports2.wrap = void 0; | |
var node_buffer_1 = requireNodeBuffer; | |
var node_crypto_1 = requireNodeCrypto; | |
var errors_js_1 = require_errors(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var webcrypto_js_1 = require_webcrypto(); | |
var crypto_key_js_1 = require_crypto_key(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var ciphers_js_1 = require_ciphers(); | |
var is_key_like_js_1 = require_is_key_like(); | |
function checkKeySize(key, alg) { | |
if (key.symmetricKeySize << 3 !== parseInt(alg.slice(1, 4), 10)) { | |
throw new TypeError(`Invalid key size for alg: ${alg}`); | |
} | |
} | |
function ensureKeyObject(key, alg, usage) { | |
if ((0, is_key_object_js_1.default)(key)) { | |
return key; | |
} | |
if (key instanceof Uint8Array) { | |
return (0, node_crypto_1.createSecretKey)(key); | |
} | |
if ((0, webcrypto_js_1.isCryptoKey)(key)) { | |
(0, crypto_key_js_1.checkEncCryptoKey)(key, alg, usage); | |
return node_crypto_1.KeyObject.from(key); | |
} | |
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, "Uint8Array")); | |
} | |
var wrap = (alg, key, cek) => { | |
const size = parseInt(alg.slice(1, 4), 10); | |
const algorithm = `aes${size}-wrap`; | |
if (!(0, ciphers_js_1.default)(algorithm)) { | |
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`); | |
} | |
const keyObject = ensureKeyObject(key, alg, "wrapKey"); | |
checkKeySize(keyObject, alg); | |
const cipher = (0, node_crypto_1.createCipheriv)(algorithm, keyObject, node_buffer_1.Buffer.alloc(8, 166)); | |
return (0, buffer_utils_js_1.concat)(cipher.update(cek), cipher.final()); | |
}; | |
exports2.wrap = wrap; | |
var unwrap = (alg, key, encryptedKey) => { | |
const size = parseInt(alg.slice(1, 4), 10); | |
const algorithm = `aes${size}-wrap`; | |
if (!(0, ciphers_js_1.default)(algorithm)) { | |
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`); | |
} | |
const keyObject = ensureKeyObject(key, alg, "unwrapKey"); | |
checkKeySize(keyObject, alg); | |
const cipher = (0, node_crypto_1.createDecipheriv)(algorithm, keyObject, node_buffer_1.Buffer.alloc(8, 166)); | |
return (0, buffer_utils_js_1.concat)(cipher.update(encryptedKey), cipher.final()); | |
}; | |
exports2.unwrap = unwrap; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/get_named_curve.js | |
var require_get_named_curve = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/get_named_curve.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.weakMap = void 0; | |
var node_crypto_1 = requireNodeCrypto; | |
var errors_js_1 = require_errors(); | |
var webcrypto_js_1 = require_webcrypto(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var is_key_like_js_1 = require_is_key_like(); | |
exports2.weakMap = /* @__PURE__ */ new WeakMap(); | |
var namedCurveToJOSE = (namedCurve) => { | |
switch (namedCurve) { | |
case "prime256v1": | |
return "P-256"; | |
case "secp384r1": | |
return "P-384"; | |
case "secp521r1": | |
return "P-521"; | |
case "secp256k1": | |
return "secp256k1"; | |
default: | |
throw new errors_js_1.JOSENotSupported("Unsupported key curve for this operation"); | |
} | |
}; | |
var getNamedCurve = (kee, raw) => { | |
let key; | |
if ((0, webcrypto_js_1.isCryptoKey)(kee)) { | |
key = node_crypto_1.KeyObject.from(kee); | |
} else if ((0, is_key_object_js_1.default)(kee)) { | |
key = kee; | |
} else { | |
throw new TypeError((0, invalid_key_input_js_1.default)(kee, ...is_key_like_js_1.types)); | |
} | |
if (key.type === "secret") { | |
throw new TypeError('only "private" or "public" type keys can be used for this operation'); | |
} | |
switch (key.asymmetricKeyType) { | |
case "ed25519": | |
case "ed448": | |
return `Ed${key.asymmetricKeyType.slice(2)}`; | |
case "x25519": | |
case "x448": | |
return `X${key.asymmetricKeyType.slice(1)}`; | |
case "ec": { | |
const namedCurve = key.asymmetricKeyDetails.namedCurve; | |
if (raw) { | |
return namedCurve; | |
} | |
return namedCurveToJOSE(namedCurve); | |
} | |
default: | |
throw new TypeError("Invalid asymmetric key type for this operation"); | |
} | |
}; | |
exports2.default = getNamedCurve; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/ecdhes.js | |
var require_ecdhes = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/ecdhes.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.ecdhAllowed = exports2.generateEpk = exports2.deriveKey = void 0; | |
var node_crypto_1 = requireNodeCrypto; | |
var node_util_1 = requireNodeUtil; | |
var get_named_curve_js_1 = require_get_named_curve(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var errors_js_1 = require_errors(); | |
var webcrypto_js_1 = require_webcrypto(); | |
var crypto_key_js_1 = require_crypto_key(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var is_key_like_js_1 = require_is_key_like(); | |
var generateKeyPair = (0, node_util_1.promisify)(node_crypto_1.generateKeyPair); | |
async function deriveKey(publicKee, privateKee, algorithm, keyLength, apu = new Uint8Array(0), apv = new Uint8Array(0)) { | |
let publicKey; | |
if ((0, webcrypto_js_1.isCryptoKey)(publicKee)) { | |
(0, crypto_key_js_1.checkEncCryptoKey)(publicKee, "ECDH"); | |
publicKey = node_crypto_1.KeyObject.from(publicKee); | |
} else if ((0, is_key_object_js_1.default)(publicKee)) { | |
publicKey = publicKee; | |
} else { | |
throw new TypeError((0, invalid_key_input_js_1.default)(publicKee, ...is_key_like_js_1.types)); | |
} | |
let privateKey; | |
if ((0, webcrypto_js_1.isCryptoKey)(privateKee)) { | |
(0, crypto_key_js_1.checkEncCryptoKey)(privateKee, "ECDH", "deriveBits"); | |
privateKey = node_crypto_1.KeyObject.from(privateKee); | |
} else if ((0, is_key_object_js_1.default)(privateKee)) { | |
privateKey = privateKee; | |
} else { | |
throw new TypeError((0, invalid_key_input_js_1.default)(privateKee, ...is_key_like_js_1.types)); | |
} | |
const value = (0, buffer_utils_js_1.concat)((0, buffer_utils_js_1.lengthAndInput)(buffer_utils_js_1.encoder.encode(algorithm)), (0, buffer_utils_js_1.lengthAndInput)(apu), (0, buffer_utils_js_1.lengthAndInput)(apv), (0, buffer_utils_js_1.uint32be)(keyLength)); | |
const sharedSecret = (0, node_crypto_1.diffieHellman)({ privateKey, publicKey }); | |
return (0, buffer_utils_js_1.concatKdf)(sharedSecret, keyLength, value); | |
} | |
exports2.deriveKey = deriveKey; | |
async function generateEpk(kee) { | |
let key; | |
if ((0, webcrypto_js_1.isCryptoKey)(kee)) { | |
key = node_crypto_1.KeyObject.from(kee); | |
} else if ((0, is_key_object_js_1.default)(kee)) { | |
key = kee; | |
} else { | |
throw new TypeError((0, invalid_key_input_js_1.default)(kee, ...is_key_like_js_1.types)); | |
} | |
switch (key.asymmetricKeyType) { | |
case "x25519": | |
return generateKeyPair("x25519"); | |
case "x448": { | |
return generateKeyPair("x448"); | |
} | |
case "ec": { | |
const namedCurve = (0, get_named_curve_js_1.default)(key); | |
return generateKeyPair("ec", { namedCurve }); | |
} | |
default: | |
throw new errors_js_1.JOSENotSupported("Invalid or unsupported EPK"); | |
} | |
} | |
exports2.generateEpk = generateEpk; | |
var ecdhAllowed = (key) => ["P-256", "P-384", "P-521", "X25519", "X448"].includes((0, get_named_curve_js_1.default)(key)); | |
exports2.ecdhAllowed = ecdhAllowed; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/check_p2s.js | |
var require_check_p2s = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/check_p2s.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var errors_js_1 = require_errors(); | |
function checkP2s(p2s) { | |
if (!(p2s instanceof Uint8Array) || p2s.length < 8) { | |
throw new errors_js_1.JWEInvalid("PBES2 Salt Input must be 8 or more octets"); | |
} | |
} | |
exports2.default = checkP2s; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/pbes2kw.js | |
var require_pbes2kw = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/pbes2kw.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.decrypt = exports2.encrypt = void 0; | |
var node_util_1 = requireNodeUtil; | |
var node_crypto_1 = requireNodeCrypto; | |
var random_js_1 = require_random(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var base64url_js_1 = require_base64url(); | |
var aeskw_js_1 = require_aeskw(); | |
var check_p2s_js_1 = require_check_p2s(); | |
var webcrypto_js_1 = require_webcrypto(); | |
var crypto_key_js_1 = require_crypto_key(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var is_key_like_js_1 = require_is_key_like(); | |
var pbkdf2 = (0, node_util_1.promisify)(node_crypto_1.pbkdf2); | |
function getPassword(key, alg) { | |
if ((0, is_key_object_js_1.default)(key)) { | |
return key.export(); | |
} | |
if (key instanceof Uint8Array) { | |
return key; | |
} | |
if ((0, webcrypto_js_1.isCryptoKey)(key)) { | |
(0, crypto_key_js_1.checkEncCryptoKey)(key, alg, "deriveBits", "deriveKey"); | |
return node_crypto_1.KeyObject.from(key).export(); | |
} | |
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, "Uint8Array")); | |
} | |
var encrypt = async (alg, key, cek, p2c = 2048, p2s = (0, random_js_1.default)(new Uint8Array(16))) => { | |
(0, check_p2s_js_1.default)(p2s); | |
const salt = (0, buffer_utils_js_1.p2s)(alg, p2s); | |
const keylen = parseInt(alg.slice(13, 16), 10) >> 3; | |
const password = getPassword(key, alg); | |
const derivedKey = await pbkdf2(password, salt, p2c, keylen, `sha${alg.slice(8, 11)}`); | |
const encryptedKey = await (0, aeskw_js_1.wrap)(alg.slice(-6), derivedKey, cek); | |
return { encryptedKey, p2c, p2s: (0, base64url_js_1.encode)(p2s) }; | |
}; | |
exports2.encrypt = encrypt; | |
var decrypt = async (alg, key, encryptedKey, p2c, p2s) => { | |
(0, check_p2s_js_1.default)(p2s); | |
const salt = (0, buffer_utils_js_1.p2s)(alg, p2s); | |
const keylen = parseInt(alg.slice(13, 16), 10) >> 3; | |
const password = getPassword(key, alg); | |
const derivedKey = await pbkdf2(password, salt, p2c, keylen, `sha${alg.slice(8, 11)}`); | |
return (0, aeskw_js_1.unwrap)(alg.slice(-6), derivedKey, encryptedKey); | |
}; | |
exports2.decrypt = decrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/check_key_length.js | |
var require_check_key_length = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/check_key_length.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.default = (key, alg) => { | |
const { modulusLength } = key.asymmetricKeyDetails; | |
if (typeof modulusLength !== "number" || modulusLength < 2048) { | |
throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`); | |
} | |
}; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/rsaes.js | |
var require_rsaes = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/rsaes.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.decrypt = exports2.encrypt = void 0; | |
var node_crypto_1 = requireNodeCrypto; | |
var node_util_1 = requireNodeUtil; | |
var check_key_length_js_1 = require_check_key_length(); | |
var webcrypto_js_1 = require_webcrypto(); | |
var crypto_key_js_1 = require_crypto_key(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var is_key_like_js_1 = require_is_key_like(); | |
var checkKey = (key, alg) => { | |
if (key.asymmetricKeyType !== "rsa") { | |
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa"); | |
} | |
(0, check_key_length_js_1.default)(key, alg); | |
}; | |
var RSA1_5 = (0, node_util_1.deprecate)(() => node_crypto_1.constants.RSA_PKCS1_PADDING, 'The RSA1_5 "alg" (JWE Algorithm) is deprecated and will be removed in the next major revision.'); | |
var resolvePadding = (alg) => { | |
switch (alg) { | |
case "RSA-OAEP": | |
case "RSA-OAEP-256": | |
case "RSA-OAEP-384": | |
case "RSA-OAEP-512": | |
return node_crypto_1.constants.RSA_PKCS1_OAEP_PADDING; | |
case "RSA1_5": | |
return RSA1_5(); | |
default: | |
return void 0; | |
} | |
}; | |
var resolveOaepHash = (alg) => { | |
switch (alg) { | |
case "RSA-OAEP": | |
return "sha1"; | |
case "RSA-OAEP-256": | |
return "sha256"; | |
case "RSA-OAEP-384": | |
return "sha384"; | |
case "RSA-OAEP-512": | |
return "sha512"; | |
default: | |
return void 0; | |
} | |
}; | |
function ensureKeyObject(key, alg, ...usages) { | |
if ((0, is_key_object_js_1.default)(key)) { | |
return key; | |
} | |
if ((0, webcrypto_js_1.isCryptoKey)(key)) { | |
(0, crypto_key_js_1.checkEncCryptoKey)(key, alg, ...usages); | |
return node_crypto_1.KeyObject.from(key); | |
} | |
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types)); | |
} | |
var encrypt = (alg, key, cek) => { | |
const padding = resolvePadding(alg); | |
const oaepHash = resolveOaepHash(alg); | |
const keyObject = ensureKeyObject(key, alg, "wrapKey", "encrypt"); | |
checkKey(keyObject, alg); | |
return (0, node_crypto_1.publicEncrypt)({ key: keyObject, oaepHash, padding }, cek); | |
}; | |
exports2.encrypt = encrypt; | |
var decrypt = (alg, key, encryptedKey) => { | |
const padding = resolvePadding(alg); | |
const oaepHash = resolveOaepHash(alg); | |
const keyObject = ensureKeyObject(key, alg, "unwrapKey", "decrypt"); | |
checkKey(keyObject, alg); | |
return (0, node_crypto_1.privateDecrypt)({ key: keyObject, oaepHash, padding }, encryptedKey); | |
}; | |
exports2.decrypt = decrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/cek.js | |
var require_cek = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/cek.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.bitLength = void 0; | |
var errors_js_1 = require_errors(); | |
var random_js_1 = require_random(); | |
function bitLength(alg) { | |
switch (alg) { | |
case "A128GCM": | |
return 128; | |
case "A192GCM": | |
return 192; | |
case "A256GCM": | |
case "A128CBC-HS256": | |
return 256; | |
case "A192CBC-HS384": | |
return 384; | |
case "A256CBC-HS512": | |
return 512; | |
default: | |
throw new errors_js_1.JOSENotSupported(`Unsupported JWE Algorithm: ${alg}`); | |
} | |
} | |
exports2.bitLength = bitLength; | |
exports2.default = (alg) => (0, random_js_1.default)(new Uint8Array(bitLength(alg) >> 3)); | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/asn1.js | |
var require_asn1 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/asn1.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.fromX509 = exports2.fromSPKI = exports2.fromPKCS8 = exports2.toPKCS8 = exports2.toSPKI = void 0; | |
var node_crypto_1 = requireNodeCrypto; | |
var node_buffer_1 = requireNodeBuffer; | |
var webcrypto_js_1 = require_webcrypto(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var is_key_like_js_1 = require_is_key_like(); | |
var genericExport = (keyType, keyFormat, key) => { | |
let keyObject; | |
if ((0, webcrypto_js_1.isCryptoKey)(key)) { | |
if (!key.extractable) { | |
throw new TypeError("CryptoKey is not extractable"); | |
} | |
keyObject = node_crypto_1.KeyObject.from(key); | |
} else if ((0, is_key_object_js_1.default)(key)) { | |
keyObject = key; | |
} else { | |
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types)); | |
} | |
if (keyObject.type !== keyType) { | |
throw new TypeError(`key is not a ${keyType} key`); | |
} | |
return keyObject.export({ format: "pem", type: keyFormat }); | |
}; | |
var toSPKI = (key) => { | |
return genericExport("public", "spki", key); | |
}; | |
exports2.toSPKI = toSPKI; | |
var toPKCS8 = (key) => { | |
return genericExport("private", "pkcs8", key); | |
}; | |
exports2.toPKCS8 = toPKCS8; | |
var fromPKCS8 = (pem) => (0, node_crypto_1.createPrivateKey)({ | |
key: node_buffer_1.Buffer.from(pem.replace(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, ""), "base64"), | |
type: "pkcs8", | |
format: "der" | |
}); | |
exports2.fromPKCS8 = fromPKCS8; | |
var fromSPKI = (pem) => (0, node_crypto_1.createPublicKey)({ | |
key: node_buffer_1.Buffer.from(pem.replace(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, ""), "base64"), | |
type: "spki", | |
format: "der" | |
}); | |
exports2.fromSPKI = fromSPKI; | |
var fromX509 = (pem) => (0, node_crypto_1.createPublicKey)({ | |
key: pem, | |
type: "spki", | |
format: "pem" | |
}); | |
exports2.fromX509 = fromX509; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/jwk_to_key.js | |
var require_jwk_to_key = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/jwk_to_key.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var parse = (jwk) => { | |
return (jwk.d ? node_crypto_1.createPrivateKey : node_crypto_1.createPublicKey)({ format: "jwk", key: jwk }); | |
}; | |
exports2.default = parse; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/key/import.js | |
var require_import = __commonJS({ | |
"node_modules/jose/dist/node/cjs/key/import.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.importJWK = exports2.importPKCS8 = exports2.importX509 = exports2.importSPKI = void 0; | |
var base64url_js_1 = require_base64url(); | |
var asn1_js_1 = require_asn1(); | |
var jwk_to_key_js_1 = require_jwk_to_key(); | |
var errors_js_1 = require_errors(); | |
var is_object_js_1 = require_is_object(); | |
async function importSPKI(spki, alg, options) { | |
if (typeof spki !== "string" || spki.indexOf("-----BEGIN PUBLIC KEY-----") !== 0) { | |
throw new TypeError('"spki" must be SPKI formatted string'); | |
} | |
return (0, asn1_js_1.fromSPKI)(spki, alg, options); | |
} | |
exports2.importSPKI = importSPKI; | |
async function importX509(x509, alg, options) { | |
if (typeof x509 !== "string" || x509.indexOf("-----BEGIN CERTIFICATE-----") !== 0) { | |
throw new TypeError('"x509" must be X.509 formatted string'); | |
} | |
return (0, asn1_js_1.fromX509)(x509, alg, options); | |
} | |
exports2.importX509 = importX509; | |
async function importPKCS8(pkcs8, alg, options) { | |
if (typeof pkcs8 !== "string" || pkcs8.indexOf("-----BEGIN PRIVATE KEY-----") !== 0) { | |
throw new TypeError('"pkcs8" must be PKCS#8 formatted string'); | |
} | |
return (0, asn1_js_1.fromPKCS8)(pkcs8, alg, options); | |
} | |
exports2.importPKCS8 = importPKCS8; | |
async function importJWK(jwk, alg) { | |
if (!(0, is_object_js_1.default)(jwk)) { | |
throw new TypeError("JWK must be an object"); | |
} | |
alg ||= jwk.alg; | |
switch (jwk.kty) { | |
case "oct": | |
if (typeof jwk.k !== "string" || !jwk.k) { | |
throw new TypeError('missing "k" (Key Value) Parameter value'); | |
} | |
return (0, base64url_js_1.decode)(jwk.k); | |
case "RSA": | |
if (jwk.oth !== void 0) { | |
throw new errors_js_1.JOSENotSupported('RSA JWK "oth" (Other Primes Info) Parameter value is not supported'); | |
} | |
case "EC": | |
case "OKP": | |
return (0, jwk_to_key_js_1.default)({ ...jwk, alg }); | |
default: | |
throw new errors_js_1.JOSENotSupported('Unsupported "kty" (Key Type) Parameter value'); | |
} | |
} | |
exports2.importJWK = importJWK; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/check_key_type.js | |
var require_check_key_type = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/check_key_type.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var is_key_like_js_1 = require_is_key_like(); | |
var symmetricTypeCheck = (alg, key) => { | |
if (key instanceof Uint8Array) | |
return; | |
if (!(0, is_key_like_js_1.default)(key)) { | |
throw new TypeError((0, invalid_key_input_js_1.withAlg)(alg, key, ...is_key_like_js_1.types, "Uint8Array")); | |
} | |
if (key.type !== "secret") { | |
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for symmetric algorithms must be of type "secret"`); | |
} | |
}; | |
var asymmetricTypeCheck = (alg, key, usage) => { | |
if (!(0, is_key_like_js_1.default)(key)) { | |
throw new TypeError((0, invalid_key_input_js_1.withAlg)(alg, key, ...is_key_like_js_1.types)); | |
} | |
if (key.type === "secret") { | |
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithms must not be of type "secret"`); | |
} | |
if (usage === "sign" && key.type === "public") { | |
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithm signing must be of type "private"`); | |
} | |
if (usage === "decrypt" && key.type === "public") { | |
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithm decryption must be of type "private"`); | |
} | |
if (key.algorithm && usage === "verify" && key.type === "private") { | |
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithm verifying must be of type "public"`); | |
} | |
if (key.algorithm && usage === "encrypt" && key.type === "private") { | |
throw new TypeError(`${is_key_like_js_1.types.join(" or ")} instances for asymmetric algorithm encryption must be of type "public"`); | |
} | |
}; | |
var checkKeyType = (alg, key, usage) => { | |
const symmetric = alg.startsWith("HS") || alg === "dir" || alg.startsWith("PBES2") || /^A\d{3}(?:GCM)?KW$/.test(alg); | |
if (symmetric) { | |
symmetricTypeCheck(alg, key); | |
} else { | |
asymmetricTypeCheck(alg, key, usage); | |
} | |
}; | |
exports2.default = checkKeyType; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/encrypt.js | |
var require_encrypt = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/encrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var check_iv_length_js_1 = require_check_iv_length(); | |
var check_cek_length_js_1 = require_check_cek_length(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var cbc_tag_js_1 = require_cbc_tag(); | |
var webcrypto_js_1 = require_webcrypto(); | |
var crypto_key_js_1 = require_crypto_key(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var errors_js_1 = require_errors(); | |
var ciphers_js_1 = require_ciphers(); | |
var is_key_like_js_1 = require_is_key_like(); | |
function cbcEncrypt(enc, plaintext, cek, iv, aad) { | |
const keySize = parseInt(enc.slice(1, 4), 10); | |
if ((0, is_key_object_js_1.default)(cek)) { | |
cek = cek.export(); | |
} | |
const encKey = cek.subarray(keySize >> 3); | |
const macKey = cek.subarray(0, keySize >> 3); | |
const algorithm = `aes-${keySize}-cbc`; | |
if (!(0, ciphers_js_1.default)(algorithm)) { | |
throw new errors_js_1.JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`); | |
} | |
const cipher = (0, node_crypto_1.createCipheriv)(algorithm, encKey, iv); | |
const ciphertext = (0, buffer_utils_js_1.concat)(cipher.update(plaintext), cipher.final()); | |
const macSize = parseInt(enc.slice(-3), 10); | |
const tag = (0, cbc_tag_js_1.default)(aad, iv, ciphertext, macSize, macKey, keySize); | |
return { ciphertext, tag }; | |
} | |
function gcmEncrypt(enc, plaintext, cek, iv, aad) { | |
const keySize = parseInt(enc.slice(1, 4), 10); | |
const algorithm = `aes-${keySize}-gcm`; | |
if (!(0, ciphers_js_1.default)(algorithm)) { | |
throw new errors_js_1.JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`); | |
} | |
const cipher = (0, node_crypto_1.createCipheriv)(algorithm, cek, iv, { authTagLength: 16 }); | |
if (aad.byteLength) { | |
cipher.setAAD(aad, { plaintextLength: plaintext.length }); | |
} | |
const ciphertext = cipher.update(plaintext); | |
cipher.final(); | |
const tag = cipher.getAuthTag(); | |
return { ciphertext, tag }; | |
} | |
var encrypt = (enc, plaintext, cek, iv, aad) => { | |
let key; | |
if ((0, webcrypto_js_1.isCryptoKey)(cek)) { | |
(0, crypto_key_js_1.checkEncCryptoKey)(cek, enc, "encrypt"); | |
key = node_crypto_1.KeyObject.from(cek); | |
} else if (cek instanceof Uint8Array || (0, is_key_object_js_1.default)(cek)) { | |
key = cek; | |
} else { | |
throw new TypeError((0, invalid_key_input_js_1.default)(cek, ...is_key_like_js_1.types, "Uint8Array")); | |
} | |
(0, check_cek_length_js_1.default)(enc, key); | |
(0, check_iv_length_js_1.default)(enc, iv); | |
switch (enc) { | |
case "A128CBC-HS256": | |
case "A192CBC-HS384": | |
case "A256CBC-HS512": | |
return cbcEncrypt(enc, plaintext, key, iv, aad); | |
case "A128GCM": | |
case "A192GCM": | |
case "A256GCM": | |
return gcmEncrypt(enc, plaintext, key, iv, aad); | |
default: | |
throw new errors_js_1.JOSENotSupported("Unsupported JWE Content Encryption Algorithm"); | |
} | |
}; | |
exports2.default = encrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/aesgcmkw.js | |
var require_aesgcmkw = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/aesgcmkw.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.unwrap = exports2.wrap = void 0; | |
var encrypt_js_12 = require_encrypt(); | |
var decrypt_js_12 = require_decrypt(); | |
var iv_js_1 = require_iv(); | |
var base64url_js_1 = require_base64url(); | |
async function wrap(alg, key, cek, iv) { | |
const jweAlgorithm = alg.slice(0, 7); | |
iv ||= (0, iv_js_1.default)(jweAlgorithm); | |
const { ciphertext: encryptedKey, tag } = await (0, encrypt_js_12.default)(jweAlgorithm, cek, key, iv, new Uint8Array(0)); | |
return { encryptedKey, iv: (0, base64url_js_1.encode)(iv), tag: (0, base64url_js_1.encode)(tag) }; | |
} | |
exports2.wrap = wrap; | |
async function unwrap(alg, key, encryptedKey, iv, tag) { | |
const jweAlgorithm = alg.slice(0, 7); | |
return (0, decrypt_js_12.default)(jweAlgorithm, key, encryptedKey, iv, tag, new Uint8Array(0)); | |
} | |
exports2.unwrap = unwrap; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/decrypt_key_management.js | |
var require_decrypt_key_management = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/decrypt_key_management.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var aeskw_js_1 = require_aeskw(); | |
var ECDH = require_ecdhes(); | |
var pbes2kw_js_1 = require_pbes2kw(); | |
var rsaes_js_1 = require_rsaes(); | |
var base64url_js_1 = require_base64url(); | |
var errors_js_1 = require_errors(); | |
var cek_js_1 = require_cek(); | |
var import_js_12 = require_import(); | |
var check_key_type_js_1 = require_check_key_type(); | |
var is_object_js_1 = require_is_object(); | |
var aesgcmkw_js_1 = require_aesgcmkw(); | |
async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) { | |
(0, check_key_type_js_1.default)(alg, key, "decrypt"); | |
switch (alg) { | |
case "dir": { | |
if (encryptedKey !== void 0) | |
throw new errors_js_1.JWEInvalid("Encountered unexpected JWE Encrypted Key"); | |
return key; | |
} | |
case "ECDH-ES": | |
if (encryptedKey !== void 0) | |
throw new errors_js_1.JWEInvalid("Encountered unexpected JWE Encrypted Key"); | |
case "ECDH-ES+A128KW": | |
case "ECDH-ES+A192KW": | |
case "ECDH-ES+A256KW": { | |
if (!(0, is_object_js_1.default)(joseHeader.epk)) | |
throw new errors_js_1.JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`); | |
if (!ECDH.ecdhAllowed(key)) | |
throw new errors_js_1.JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime"); | |
const epk = await (0, import_js_12.importJWK)(joseHeader.epk, alg); | |
let partyUInfo; | |
let partyVInfo; | |
if (joseHeader.apu !== void 0) { | |
if (typeof joseHeader.apu !== "string") | |
throw new errors_js_1.JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`); | |
try { | |
partyUInfo = (0, base64url_js_1.decode)(joseHeader.apu); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the apu"); | |
} | |
} | |
if (joseHeader.apv !== void 0) { | |
if (typeof joseHeader.apv !== "string") | |
throw new errors_js_1.JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`); | |
try { | |
partyVInfo = (0, base64url_js_1.decode)(joseHeader.apv); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the apv"); | |
} | |
} | |
const sharedSecret = await ECDH.deriveKey(epk, key, alg === "ECDH-ES" ? joseHeader.enc : alg, alg === "ECDH-ES" ? (0, cek_js_1.bitLength)(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo); | |
if (alg === "ECDH-ES") | |
return sharedSecret; | |
if (encryptedKey === void 0) | |
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing"); | |
return (0, aeskw_js_1.unwrap)(alg.slice(-6), sharedSecret, encryptedKey); | |
} | |
case "RSA1_5": | |
case "RSA-OAEP": | |
case "RSA-OAEP-256": | |
case "RSA-OAEP-384": | |
case "RSA-OAEP-512": { | |
if (encryptedKey === void 0) | |
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing"); | |
return (0, rsaes_js_1.decrypt)(alg, key, encryptedKey); | |
} | |
case "PBES2-HS256+A128KW": | |
case "PBES2-HS384+A192KW": | |
case "PBES2-HS512+A256KW": { | |
if (encryptedKey === void 0) | |
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing"); | |
if (typeof joseHeader.p2c !== "number") | |
throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`); | |
const p2cLimit = options?.maxPBES2Count || 1e4; | |
if (joseHeader.p2c > p2cLimit) | |
throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`); | |
if (typeof joseHeader.p2s !== "string") | |
throw new errors_js_1.JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`); | |
let p2s; | |
try { | |
p2s = (0, base64url_js_1.decode)(joseHeader.p2s); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the p2s"); | |
} | |
return (0, pbes2kw_js_1.decrypt)(alg, key, encryptedKey, joseHeader.p2c, p2s); | |
} | |
case "A128KW": | |
case "A192KW": | |
case "A256KW": { | |
if (encryptedKey === void 0) | |
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing"); | |
return (0, aeskw_js_1.unwrap)(alg, key, encryptedKey); | |
} | |
case "A128GCMKW": | |
case "A192GCMKW": | |
case "A256GCMKW": { | |
if (encryptedKey === void 0) | |
throw new errors_js_1.JWEInvalid("JWE Encrypted Key missing"); | |
if (typeof joseHeader.iv !== "string") | |
throw new errors_js_1.JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`); | |
if (typeof joseHeader.tag !== "string") | |
throw new errors_js_1.JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`); | |
let iv; | |
try { | |
iv = (0, base64url_js_1.decode)(joseHeader.iv); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the iv"); | |
} | |
let tag; | |
try { | |
tag = (0, base64url_js_1.decode)(joseHeader.tag); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the tag"); | |
} | |
return (0, aesgcmkw_js_1.unwrap)(alg, key, encryptedKey, iv, tag); | |
} | |
default: { | |
throw new errors_js_1.JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value'); | |
} | |
} | |
} | |
exports2.default = decryptKeyManagement; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/validate_crit.js | |
var require_validate_crit = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/validate_crit.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var errors_js_1 = require_errors(); | |
function validateCrit(Err, recognizedDefault, recognizedOption, protectedHeader, joseHeader) { | |
if (joseHeader.crit !== void 0 && protectedHeader.crit === void 0) { | |
throw new Err('"crit" (Critical) Header Parameter MUST be integrity protected'); | |
} | |
if (!protectedHeader || protectedHeader.crit === void 0) { | |
return /* @__PURE__ */ new Set(); | |
} | |
if (!Array.isArray(protectedHeader.crit) || protectedHeader.crit.length === 0 || protectedHeader.crit.some((input) => typeof input !== "string" || input.length === 0)) { | |
throw new Err('"crit" (Critical) Header Parameter MUST be an array of non-empty strings when present'); | |
} | |
let recognized; | |
if (recognizedOption !== void 0) { | |
recognized = new Map([...Object.entries(recognizedOption), ...recognizedDefault.entries()]); | |
} else { | |
recognized = recognizedDefault; | |
} | |
for (const parameter of protectedHeader.crit) { | |
if (!recognized.has(parameter)) { | |
throw new errors_js_1.JOSENotSupported(`Extension Header Parameter "${parameter}" is not recognized`); | |
} | |
if (joseHeader[parameter] === void 0) { | |
throw new Err(`Extension Header Parameter "${parameter}" is missing`); | |
} | |
if (recognized.get(parameter) && protectedHeader[parameter] === void 0) { | |
throw new Err(`Extension Header Parameter "${parameter}" MUST be integrity protected`); | |
} | |
} | |
return new Set(protectedHeader.crit); | |
} | |
exports2.default = validateCrit; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/validate_algorithms.js | |
var require_validate_algorithms = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/validate_algorithms.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var validateAlgorithms = (option, algorithms) => { | |
if (algorithms !== void 0 && (!Array.isArray(algorithms) || algorithms.some((s) => typeof s !== "string"))) { | |
throw new TypeError(`"${option}" option must be an array of strings`); | |
} | |
if (!algorithms) { | |
return void 0; | |
} | |
return new Set(algorithms); | |
}; | |
exports2.default = validateAlgorithms; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwe/flattened/decrypt.js | |
var require_decrypt2 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwe/flattened/decrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.flattenedDecrypt = void 0; | |
var base64url_js_1 = require_base64url(); | |
var decrypt_js_12 = require_decrypt(); | |
var errors_js_1 = require_errors(); | |
var is_disjoint_js_1 = require_is_disjoint(); | |
var is_object_js_1 = require_is_object(); | |
var decrypt_key_management_js_1 = require_decrypt_key_management(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var cek_js_1 = require_cek(); | |
var validate_crit_js_1 = require_validate_crit(); | |
var validate_algorithms_js_1 = require_validate_algorithms(); | |
async function flattenedDecrypt(jwe, key, options) { | |
if (!(0, is_object_js_1.default)(jwe)) { | |
throw new errors_js_1.JWEInvalid("Flattened JWE must be an object"); | |
} | |
if (jwe.protected === void 0 && jwe.header === void 0 && jwe.unprotected === void 0) { | |
throw new errors_js_1.JWEInvalid("JOSE Header missing"); | |
} | |
if (jwe.iv !== void 0 && typeof jwe.iv !== "string") { | |
throw new errors_js_1.JWEInvalid("JWE Initialization Vector incorrect type"); | |
} | |
if (typeof jwe.ciphertext !== "string") { | |
throw new errors_js_1.JWEInvalid("JWE Ciphertext missing or incorrect type"); | |
} | |
if (jwe.tag !== void 0 && typeof jwe.tag !== "string") { | |
throw new errors_js_1.JWEInvalid("JWE Authentication Tag incorrect type"); | |
} | |
if (jwe.protected !== void 0 && typeof jwe.protected !== "string") { | |
throw new errors_js_1.JWEInvalid("JWE Protected Header incorrect type"); | |
} | |
if (jwe.encrypted_key !== void 0 && typeof jwe.encrypted_key !== "string") { | |
throw new errors_js_1.JWEInvalid("JWE Encrypted Key incorrect type"); | |
} | |
if (jwe.aad !== void 0 && typeof jwe.aad !== "string") { | |
throw new errors_js_1.JWEInvalid("JWE AAD incorrect type"); | |
} | |
if (jwe.header !== void 0 && !(0, is_object_js_1.default)(jwe.header)) { | |
throw new errors_js_1.JWEInvalid("JWE Shared Unprotected Header incorrect type"); | |
} | |
if (jwe.unprotected !== void 0 && !(0, is_object_js_1.default)(jwe.unprotected)) { | |
throw new errors_js_1.JWEInvalid("JWE Per-Recipient Unprotected Header incorrect type"); | |
} | |
let parsedProt; | |
if (jwe.protected) { | |
try { | |
const protectedHeader2 = (0, base64url_js_1.decode)(jwe.protected); | |
parsedProt = JSON.parse(buffer_utils_js_1.decoder.decode(protectedHeader2)); | |
} catch { | |
throw new errors_js_1.JWEInvalid("JWE Protected Header is invalid"); | |
} | |
} | |
if (!(0, is_disjoint_js_1.default)(parsedProt, jwe.header, jwe.unprotected)) { | |
throw new errors_js_1.JWEInvalid("JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint"); | |
} | |
const joseHeader = { | |
...parsedProt, | |
...jwe.header, | |
...jwe.unprotected | |
}; | |
(0, validate_crit_js_1.default)(errors_js_1.JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, parsedProt, joseHeader); | |
if (joseHeader.zip !== void 0) { | |
throw new errors_js_1.JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.'); | |
} | |
const { alg, enc } = joseHeader; | |
if (typeof alg !== "string" || !alg) { | |
throw new errors_js_1.JWEInvalid("missing JWE Algorithm (alg) in JWE Header"); | |
} | |
if (typeof enc !== "string" || !enc) { | |
throw new errors_js_1.JWEInvalid("missing JWE Encryption Algorithm (enc) in JWE Header"); | |
} | |
const keyManagementAlgorithms = options && (0, validate_algorithms_js_1.default)("keyManagementAlgorithms", options.keyManagementAlgorithms); | |
const contentEncryptionAlgorithms = options && (0, validate_algorithms_js_1.default)("contentEncryptionAlgorithms", options.contentEncryptionAlgorithms); | |
if (keyManagementAlgorithms && !keyManagementAlgorithms.has(alg) || !keyManagementAlgorithms && alg.startsWith("PBES2")) { | |
throw new errors_js_1.JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed'); | |
} | |
if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) { | |
throw new errors_js_1.JOSEAlgNotAllowed('"enc" (Encryption Algorithm) Header Parameter value not allowed'); | |
} | |
let encryptedKey; | |
if (jwe.encrypted_key !== void 0) { | |
try { | |
encryptedKey = (0, base64url_js_1.decode)(jwe.encrypted_key); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the encrypted_key"); | |
} | |
} | |
let resolvedKey = false; | |
if (typeof key === "function") { | |
key = await key(parsedProt, jwe); | |
resolvedKey = true; | |
} | |
let cek; | |
try { | |
cek = await (0, decrypt_key_management_js_1.default)(alg, key, encryptedKey, joseHeader, options); | |
} catch (err) { | |
if (err instanceof TypeError || err instanceof errors_js_1.JWEInvalid || err instanceof errors_js_1.JOSENotSupported) { | |
throw err; | |
} | |
cek = (0, cek_js_1.default)(enc); | |
} | |
let iv; | |
let tag; | |
if (jwe.iv !== void 0) { | |
try { | |
iv = (0, base64url_js_1.decode)(jwe.iv); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the iv"); | |
} | |
} | |
if (jwe.tag !== void 0) { | |
try { | |
tag = (0, base64url_js_1.decode)(jwe.tag); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the tag"); | |
} | |
} | |
const protectedHeader = buffer_utils_js_1.encoder.encode(jwe.protected ?? ""); | |
let additionalData; | |
if (jwe.aad !== void 0) { | |
additionalData = (0, buffer_utils_js_1.concat)(protectedHeader, buffer_utils_js_1.encoder.encode("."), buffer_utils_js_1.encoder.encode(jwe.aad)); | |
} else { | |
additionalData = protectedHeader; | |
} | |
let ciphertext; | |
try { | |
ciphertext = (0, base64url_js_1.decode)(jwe.ciphertext); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the ciphertext"); | |
} | |
const plaintext = await (0, decrypt_js_12.default)(enc, cek, ciphertext, iv, tag, additionalData); | |
const result = { plaintext }; | |
if (jwe.protected !== void 0) { | |
result.protectedHeader = parsedProt; | |
} | |
if (jwe.aad !== void 0) { | |
try { | |
result.additionalAuthenticatedData = (0, base64url_js_1.decode)(jwe.aad); | |
} catch { | |
throw new errors_js_1.JWEInvalid("Failed to base64url decode the aad"); | |
} | |
} | |
if (jwe.unprotected !== void 0) { | |
result.sharedUnprotectedHeader = jwe.unprotected; | |
} | |
if (jwe.header !== void 0) { | |
result.unprotectedHeader = jwe.header; | |
} | |
if (resolvedKey) { | |
return { ...result, key }; | |
} | |
return result; | |
} | |
exports2.flattenedDecrypt = flattenedDecrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwe/compact/decrypt.js | |
var require_decrypt3 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwe/compact/decrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.compactDecrypt = void 0; | |
var decrypt_js_12 = require_decrypt2(); | |
var errors_js_1 = require_errors(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
async function compactDecrypt(jwe, key, options) { | |
if (jwe instanceof Uint8Array) { | |
jwe = buffer_utils_js_1.decoder.decode(jwe); | |
} | |
if (typeof jwe !== "string") { | |
throw new errors_js_1.JWEInvalid("Compact JWE must be a string or Uint8Array"); | |
} | |
const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length } = jwe.split("."); | |
if (length !== 5) { | |
throw new errors_js_1.JWEInvalid("Invalid Compact JWE"); | |
} | |
const decrypted = await (0, decrypt_js_12.flattenedDecrypt)({ | |
ciphertext, | |
iv: iv || void 0, | |
protected: protectedHeader, | |
tag: tag || void 0, | |
encrypted_key: encryptedKey || void 0 | |
}, key, options); | |
const result = { plaintext: decrypted.plaintext, protectedHeader: decrypted.protectedHeader }; | |
if (typeof key === "function") { | |
return { ...result, key: decrypted.key }; | |
} | |
return result; | |
} | |
exports2.compactDecrypt = compactDecrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwe/general/decrypt.js | |
var require_decrypt4 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwe/general/decrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.generalDecrypt = void 0; | |
var decrypt_js_12 = require_decrypt2(); | |
var errors_js_1 = require_errors(); | |
var is_object_js_1 = require_is_object(); | |
async function generalDecrypt(jwe, key, options) { | |
if (!(0, is_object_js_1.default)(jwe)) { | |
throw new errors_js_1.JWEInvalid("General JWE must be an object"); | |
} | |
if (!Array.isArray(jwe.recipients) || !jwe.recipients.every(is_object_js_1.default)) { | |
throw new errors_js_1.JWEInvalid("JWE Recipients missing or incorrect type"); | |
} | |
if (!jwe.recipients.length) { | |
throw new errors_js_1.JWEInvalid("JWE Recipients has no members"); | |
} | |
for (const recipient of jwe.recipients) { | |
try { | |
return await (0, decrypt_js_12.flattenedDecrypt)({ | |
aad: jwe.aad, | |
ciphertext: jwe.ciphertext, | |
encrypted_key: recipient.encrypted_key, | |
header: recipient.header, | |
iv: jwe.iv, | |
protected: jwe.protected, | |
tag: jwe.tag, | |
unprotected: jwe.unprotected | |
}, key, options); | |
} catch { | |
} | |
} | |
throw new errors_js_1.JWEDecryptionFailed(); | |
} | |
exports2.generalDecrypt = generalDecrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/key_to_jwk.js | |
var require_key_to_jwk = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/key_to_jwk.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var base64url_js_1 = require_base64url(); | |
var errors_js_1 = require_errors(); | |
var webcrypto_js_1 = require_webcrypto(); | |
var is_key_object_js_1 = require_is_key_object(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var is_key_like_js_1 = require_is_key_like(); | |
var keyToJWK = (key) => { | |
let keyObject; | |
if ((0, webcrypto_js_1.isCryptoKey)(key)) { | |
if (!key.extractable) { | |
throw new TypeError("CryptoKey is not extractable"); | |
} | |
keyObject = node_crypto_1.KeyObject.from(key); | |
} else if ((0, is_key_object_js_1.default)(key)) { | |
keyObject = key; | |
} else if (key instanceof Uint8Array) { | |
return { | |
kty: "oct", | |
k: (0, base64url_js_1.encode)(key) | |
}; | |
} else { | |
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, "Uint8Array")); | |
} | |
if (keyObject.type !== "secret" && !["rsa", "ec", "ed25519", "x25519", "ed448", "x448"].includes(keyObject.asymmetricKeyType)) { | |
throw new errors_js_1.JOSENotSupported("Unsupported key asymmetricKeyType"); | |
} | |
return keyObject.export({ format: "jwk" }); | |
}; | |
exports2.default = keyToJWK; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/key/export.js | |
var require_export = __commonJS({ | |
"node_modules/jose/dist/node/cjs/key/export.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.exportJWK = exports2.exportPKCS8 = exports2.exportSPKI = void 0; | |
var asn1_js_1 = require_asn1(); | |
var asn1_js_2 = require_asn1(); | |
var key_to_jwk_js_1 = require_key_to_jwk(); | |
async function exportSPKI(key) { | |
return (0, asn1_js_1.toSPKI)(key); | |
} | |
exports2.exportSPKI = exportSPKI; | |
async function exportPKCS8(key) { | |
return (0, asn1_js_2.toPKCS8)(key); | |
} | |
exports2.exportPKCS8 = exportPKCS8; | |
async function exportJWK(key) { | |
return (0, key_to_jwk_js_1.default)(key); | |
} | |
exports2.exportJWK = exportJWK; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/encrypt_key_management.js | |
var require_encrypt_key_management = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/encrypt_key_management.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var aeskw_js_1 = require_aeskw(); | |
var ECDH = require_ecdhes(); | |
var pbes2kw_js_1 = require_pbes2kw(); | |
var rsaes_js_1 = require_rsaes(); | |
var base64url_js_1 = require_base64url(); | |
var cek_js_1 = require_cek(); | |
var errors_js_1 = require_errors(); | |
var export_js_12 = require_export(); | |
var check_key_type_js_1 = require_check_key_type(); | |
var aesgcmkw_js_1 = require_aesgcmkw(); | |
async function encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) { | |
let encryptedKey; | |
let parameters; | |
let cek; | |
(0, check_key_type_js_1.default)(alg, key, "encrypt"); | |
switch (alg) { | |
case "dir": { | |
cek = key; | |
break; | |
} | |
case "ECDH-ES": | |
case "ECDH-ES+A128KW": | |
case "ECDH-ES+A192KW": | |
case "ECDH-ES+A256KW": { | |
if (!ECDH.ecdhAllowed(key)) { | |
throw new errors_js_1.JOSENotSupported("ECDH with the provided key is not allowed or not supported by your javascript runtime"); | |
} | |
const { apu, apv } = providedParameters; | |
let { epk: ephemeralKey } = providedParameters; | |
ephemeralKey ||= (await ECDH.generateEpk(key)).privateKey; | |
const { x, y, crv, kty } = await (0, export_js_12.exportJWK)(ephemeralKey); | |
const sharedSecret = await ECDH.deriveKey(key, ephemeralKey, alg === "ECDH-ES" ? enc : alg, alg === "ECDH-ES" ? (0, cek_js_1.bitLength)(enc) : parseInt(alg.slice(-5, -2), 10), apu, apv); | |
parameters = { epk: { x, crv, kty } }; | |
if (kty === "EC") | |
parameters.epk.y = y; | |
if (apu) | |
parameters.apu = (0, base64url_js_1.encode)(apu); | |
if (apv) | |
parameters.apv = (0, base64url_js_1.encode)(apv); | |
if (alg === "ECDH-ES") { | |
cek = sharedSecret; | |
break; | |
} | |
cek = providedCek || (0, cek_js_1.default)(enc); | |
const kwAlg = alg.slice(-6); | |
encryptedKey = await (0, aeskw_js_1.wrap)(kwAlg, sharedSecret, cek); | |
break; | |
} | |
case "RSA1_5": | |
case "RSA-OAEP": | |
case "RSA-OAEP-256": | |
case "RSA-OAEP-384": | |
case "RSA-OAEP-512": { | |
cek = providedCek || (0, cek_js_1.default)(enc); | |
encryptedKey = await (0, rsaes_js_1.encrypt)(alg, key, cek); | |
break; | |
} | |
case "PBES2-HS256+A128KW": | |
case "PBES2-HS384+A192KW": | |
case "PBES2-HS512+A256KW": { | |
cek = providedCek || (0, cek_js_1.default)(enc); | |
const { p2c, p2s } = providedParameters; | |
({ encryptedKey, ...parameters } = await (0, pbes2kw_js_1.encrypt)(alg, key, cek, p2c, p2s)); | |
break; | |
} | |
case "A128KW": | |
case "A192KW": | |
case "A256KW": { | |
cek = providedCek || (0, cek_js_1.default)(enc); | |
encryptedKey = await (0, aeskw_js_1.wrap)(alg, key, cek); | |
break; | |
} | |
case "A128GCMKW": | |
case "A192GCMKW": | |
case "A256GCMKW": { | |
cek = providedCek || (0, cek_js_1.default)(enc); | |
const { iv } = providedParameters; | |
({ encryptedKey, ...parameters } = await (0, aesgcmkw_js_1.wrap)(alg, key, cek, iv)); | |
break; | |
} | |
default: { | |
throw new errors_js_1.JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value'); | |
} | |
} | |
return { cek, encryptedKey, parameters }; | |
} | |
exports2.default = encryptKeyManagement; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwe/flattened/encrypt.js | |
var require_encrypt2 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwe/flattened/encrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.FlattenedEncrypt = exports2.unprotected = void 0; | |
var base64url_js_1 = require_base64url(); | |
var encrypt_js_12 = require_encrypt(); | |
var iv_js_1 = require_iv(); | |
var encrypt_key_management_js_1 = require_encrypt_key_management(); | |
var errors_js_1 = require_errors(); | |
var is_disjoint_js_1 = require_is_disjoint(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var validate_crit_js_1 = require_validate_crit(); | |
exports2.unprotected = Symbol(); | |
var FlattenedEncrypt = class { | |
_plaintext; | |
_protectedHeader; | |
_sharedUnprotectedHeader; | |
_unprotectedHeader; | |
_aad; | |
_cek; | |
_iv; | |
_keyManagementParameters; | |
constructor(plaintext) { | |
if (!(plaintext instanceof Uint8Array)) { | |
throw new TypeError("plaintext must be an instance of Uint8Array"); | |
} | |
this._plaintext = plaintext; | |
} | |
setKeyManagementParameters(parameters) { | |
if (this._keyManagementParameters) { | |
throw new TypeError("setKeyManagementParameters can only be called once"); | |
} | |
this._keyManagementParameters = parameters; | |
return this; | |
} | |
setProtectedHeader(protectedHeader) { | |
if (this._protectedHeader) { | |
throw new TypeError("setProtectedHeader can only be called once"); | |
} | |
this._protectedHeader = protectedHeader; | |
return this; | |
} | |
setSharedUnprotectedHeader(sharedUnprotectedHeader) { | |
if (this._sharedUnprotectedHeader) { | |
throw new TypeError("setSharedUnprotectedHeader can only be called once"); | |
} | |
this._sharedUnprotectedHeader = sharedUnprotectedHeader; | |
return this; | |
} | |
setUnprotectedHeader(unprotectedHeader) { | |
if (this._unprotectedHeader) { | |
throw new TypeError("setUnprotectedHeader can only be called once"); | |
} | |
this._unprotectedHeader = unprotectedHeader; | |
return this; | |
} | |
setAdditionalAuthenticatedData(aad) { | |
this._aad = aad; | |
return this; | |
} | |
setContentEncryptionKey(cek) { | |
if (this._cek) { | |
throw new TypeError("setContentEncryptionKey can only be called once"); | |
} | |
this._cek = cek; | |
return this; | |
} | |
setInitializationVector(iv) { | |
if (this._iv) { | |
throw new TypeError("setInitializationVector can only be called once"); | |
} | |
this._iv = iv; | |
return this; | |
} | |
async encrypt(key, options) { | |
if (!this._protectedHeader && !this._unprotectedHeader && !this._sharedUnprotectedHeader) { | |
throw new errors_js_1.JWEInvalid("either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()"); | |
} | |
if (!(0, is_disjoint_js_1.default)(this._protectedHeader, this._unprotectedHeader, this._sharedUnprotectedHeader)) { | |
throw new errors_js_1.JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint"); | |
} | |
const joseHeader = { | |
...this._protectedHeader, | |
...this._unprotectedHeader, | |
...this._sharedUnprotectedHeader | |
}; | |
(0, validate_crit_js_1.default)(errors_js_1.JWEInvalid, /* @__PURE__ */ new Map(), options?.crit, this._protectedHeader, joseHeader); | |
if (joseHeader.zip !== void 0) { | |
throw new errors_js_1.JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.'); | |
} | |
const { alg, enc } = joseHeader; | |
if (typeof alg !== "string" || !alg) { | |
throw new errors_js_1.JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid'); | |
} | |
if (typeof enc !== "string" || !enc) { | |
throw new errors_js_1.JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid'); | |
} | |
let encryptedKey; | |
if (alg === "dir") { | |
if (this._cek) { | |
throw new TypeError("setContentEncryptionKey cannot be called when using Direct Encryption"); | |
} | |
} else if (alg === "ECDH-ES") { | |
if (this._cek) { | |
throw new TypeError("setContentEncryptionKey cannot be called when using Direct Key Agreement"); | |
} | |
} | |
let cek; | |
{ | |
let parameters; | |
({ cek, encryptedKey, parameters } = await (0, encrypt_key_management_js_1.default)(alg, enc, key, this._cek, this._keyManagementParameters)); | |
if (parameters) { | |
if (options && exports2.unprotected in options) { | |
if (!this._unprotectedHeader) { | |
this.setUnprotectedHeader(parameters); | |
} else { | |
this._unprotectedHeader = { ...this._unprotectedHeader, ...parameters }; | |
} | |
} else { | |
if (!this._protectedHeader) { | |
this.setProtectedHeader(parameters); | |
} else { | |
this._protectedHeader = { ...this._protectedHeader, ...parameters }; | |
} | |
} | |
} | |
} | |
this._iv ||= (0, iv_js_1.default)(enc); | |
let additionalData; | |
let protectedHeader; | |
let aadMember; | |
if (this._protectedHeader) { | |
protectedHeader = buffer_utils_js_1.encoder.encode((0, base64url_js_1.encode)(JSON.stringify(this._protectedHeader))); | |
} else { | |
protectedHeader = buffer_utils_js_1.encoder.encode(""); | |
} | |
if (this._aad) { | |
aadMember = (0, base64url_js_1.encode)(this._aad); | |
additionalData = (0, buffer_utils_js_1.concat)(protectedHeader, buffer_utils_js_1.encoder.encode("."), buffer_utils_js_1.encoder.encode(aadMember)); | |
} else { | |
additionalData = protectedHeader; | |
} | |
const { ciphertext, tag } = await (0, encrypt_js_12.default)(enc, this._plaintext, cek, this._iv, additionalData); | |
const jwe = { | |
ciphertext: (0, base64url_js_1.encode)(ciphertext), | |
iv: (0, base64url_js_1.encode)(this._iv), | |
tag: (0, base64url_js_1.encode)(tag) | |
}; | |
if (encryptedKey) { | |
jwe.encrypted_key = (0, base64url_js_1.encode)(encryptedKey); | |
} | |
if (aadMember) { | |
jwe.aad = aadMember; | |
} | |
if (this._protectedHeader) { | |
jwe.protected = buffer_utils_js_1.decoder.decode(protectedHeader); | |
} | |
if (this._sharedUnprotectedHeader) { | |
jwe.unprotected = this._sharedUnprotectedHeader; | |
} | |
if (this._unprotectedHeader) { | |
jwe.header = this._unprotectedHeader; | |
} | |
return jwe; | |
} | |
}; | |
exports2.FlattenedEncrypt = FlattenedEncrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwe/general/encrypt.js | |
var require_encrypt3 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwe/general/encrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.GeneralEncrypt = void 0; | |
var encrypt_js_12 = require_encrypt2(); | |
var errors_js_1 = require_errors(); | |
var cek_js_1 = require_cek(); | |
var is_disjoint_js_1 = require_is_disjoint(); | |
var encrypt_key_management_js_1 = require_encrypt_key_management(); | |
var base64url_js_1 = require_base64url(); | |
var validate_crit_js_1 = require_validate_crit(); | |
var IndividualRecipient = class { | |
parent; | |
unprotectedHeader; | |
key; | |
options; | |
constructor(enc, key, options) { | |
this.parent = enc; | |
this.key = key; | |
this.options = options; | |
} | |
setUnprotectedHeader(unprotectedHeader) { | |
if (this.unprotectedHeader) { | |
throw new TypeError("setUnprotectedHeader can only be called once"); | |
} | |
this.unprotectedHeader = unprotectedHeader; | |
return this; | |
} | |
addRecipient(...args) { | |
return this.parent.addRecipient(...args); | |
} | |
encrypt(...args) { | |
return this.parent.encrypt(...args); | |
} | |
done() { | |
return this.parent; | |
} | |
}; | |
var GeneralEncrypt = class { | |
_plaintext; | |
_recipients = []; | |
_protectedHeader; | |
_unprotectedHeader; | |
_aad; | |
constructor(plaintext) { | |
this._plaintext = plaintext; | |
} | |
addRecipient(key, options) { | |
const recipient = new IndividualRecipient(this, key, { crit: options?.crit }); | |
this._recipients.push(recipient); | |
return recipient; | |
} | |
setProtectedHeader(protectedHeader) { | |
if (this._protectedHeader) { | |
throw new TypeError("setProtectedHeader can only be called once"); | |
} | |
this._protectedHeader = protectedHeader; | |
return this; | |
} | |
setSharedUnprotectedHeader(sharedUnprotectedHeader) { | |
if (this._unprotectedHeader) { | |
throw new TypeError("setSharedUnprotectedHeader can only be called once"); | |
} | |
this._unprotectedHeader = sharedUnprotectedHeader; | |
return this; | |
} | |
setAdditionalAuthenticatedData(aad) { | |
this._aad = aad; | |
return this; | |
} | |
async encrypt() { | |
if (!this._recipients.length) { | |
throw new errors_js_1.JWEInvalid("at least one recipient must be added"); | |
} | |
if (this._recipients.length === 1) { | |
const [recipient] = this._recipients; | |
const flattened = await new encrypt_js_12.FlattenedEncrypt(this._plaintext).setAdditionalAuthenticatedData(this._aad).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(recipient.unprotectedHeader).encrypt(recipient.key, { ...recipient.options }); | |
const jwe2 = { | |
ciphertext: flattened.ciphertext, | |
iv: flattened.iv, | |
recipients: [{}], | |
tag: flattened.tag | |
}; | |
if (flattened.aad) | |
jwe2.aad = flattened.aad; | |
if (flattened.protected) | |
jwe2.protected = flattened.protected; | |
if (flattened.unprotected) | |
jwe2.unprotected = flattened.unprotected; | |
if (flattened.encrypted_key) | |
jwe2.recipients[0].encrypted_key = flattened.encrypted_key; | |
if (flattened.header) | |
jwe2.recipients[0].header = flattened.header; | |
return jwe2; | |
} | |
let enc; | |
for (let i = 0; i < this._recipients.length; i++) { | |
const recipient = this._recipients[i]; | |
if (!(0, is_disjoint_js_1.default)(this._protectedHeader, this._unprotectedHeader, recipient.unprotectedHeader)) { | |
throw new errors_js_1.JWEInvalid("JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint"); | |
} | |
const joseHeader = { | |
...this._protectedHeader, | |
...this._unprotectedHeader, | |
...recipient.unprotectedHeader | |
}; | |
const { alg } = joseHeader; | |
if (typeof alg !== "string" || !alg) { | |
throw new errors_js_1.JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid'); | |
} | |
if (alg === "dir" || alg === "ECDH-ES") { | |
throw new errors_js_1.JWEInvalid('"dir" and "ECDH-ES" alg may only be used with a single recipient'); | |
} | |
if (typeof joseHeader.enc !== "string" || !joseHeader.enc) { | |
throw new errors_js_1.JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid'); | |
} | |
if (!enc) { | |
enc = joseHeader.enc; | |
} else if (enc !== joseHeader.enc) { | |
throw new errors_js_1.JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients'); | |
} | |
(0, validate_crit_js_1.default)(errors_js_1.JWEInvalid, /* @__PURE__ */ new Map(), recipient.options.crit, this._protectedHeader, joseHeader); | |
if (joseHeader.zip !== void 0) { | |
throw new errors_js_1.JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.'); | |
} | |
} | |
const cek = (0, cek_js_1.default)(enc); | |
const jwe = { | |
ciphertext: "", | |
iv: "", | |
recipients: [], | |
tag: "" | |
}; | |
for (let i = 0; i < this._recipients.length; i++) { | |
const recipient = this._recipients[i]; | |
const target = {}; | |
jwe.recipients.push(target); | |
const joseHeader = { | |
...this._protectedHeader, | |
...this._unprotectedHeader, | |
...recipient.unprotectedHeader | |
}; | |
const p2c = joseHeader.alg.startsWith("PBES2") ? 2048 + i : void 0; | |
if (i === 0) { | |
const flattened = await new encrypt_js_12.FlattenedEncrypt(this._plaintext).setAdditionalAuthenticatedData(this._aad).setContentEncryptionKey(cek).setProtectedHeader(this._protectedHeader).setSharedUnprotectedHeader(this._unprotectedHeader).setUnprotectedHeader(recipient.unprotectedHeader).setKeyManagementParameters({ p2c }).encrypt(recipient.key, { | |
...recipient.options, | |
[encrypt_js_12.unprotected]: true | |
}); | |
jwe.ciphertext = flattened.ciphertext; | |
jwe.iv = flattened.iv; | |
jwe.tag = flattened.tag; | |
if (flattened.aad) | |
jwe.aad = flattened.aad; | |
if (flattened.protected) | |
jwe.protected = flattened.protected; | |
if (flattened.unprotected) | |
jwe.unprotected = flattened.unprotected; | |
target.encrypted_key = flattened.encrypted_key; | |
if (flattened.header) | |
target.header = flattened.header; | |
continue; | |
} | |
const { encryptedKey, parameters } = await (0, encrypt_key_management_js_1.default)(recipient.unprotectedHeader?.alg || this._protectedHeader?.alg || this._unprotectedHeader?.alg, enc, recipient.key, cek, { p2c }); | |
target.encrypted_key = (0, base64url_js_1.encode)(encryptedKey); | |
if (recipient.unprotectedHeader || parameters) | |
target.header = { ...recipient.unprotectedHeader, ...parameters }; | |
} | |
return jwe; | |
} | |
}; | |
exports2.GeneralEncrypt = GeneralEncrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/dsa_digest.js | |
var require_dsa_digest = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/dsa_digest.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var errors_js_1 = require_errors(); | |
function dsaDigest(alg) { | |
switch (alg) { | |
case "PS256": | |
case "RS256": | |
case "ES256": | |
case "ES256K": | |
return "sha256"; | |
case "PS384": | |
case "RS384": | |
case "ES384": | |
return "sha384"; | |
case "PS512": | |
case "RS512": | |
case "ES512": | |
return "sha512"; | |
case "EdDSA": | |
return void 0; | |
default: | |
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`); | |
} | |
} | |
exports2.default = dsaDigest; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/node_key.js | |
var require_node_key = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/node_key.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var get_named_curve_js_1 = require_get_named_curve(); | |
var errors_js_1 = require_errors(); | |
var check_key_length_js_1 = require_check_key_length(); | |
var PSS = { | |
padding: node_crypto_1.constants.RSA_PKCS1_PSS_PADDING, | |
saltLength: node_crypto_1.constants.RSA_PSS_SALTLEN_DIGEST | |
}; | |
var ecCurveAlgMap = /* @__PURE__ */ new Map([ | |
["ES256", "P-256"], | |
["ES256K", "secp256k1"], | |
["ES384", "P-384"], | |
["ES512", "P-521"] | |
]); | |
function keyForCrypto(alg, key) { | |
switch (alg) { | |
case "EdDSA": | |
if (!["ed25519", "ed448"].includes(key.asymmetricKeyType)) { | |
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448"); | |
} | |
return key; | |
case "RS256": | |
case "RS384": | |
case "RS512": | |
if (key.asymmetricKeyType !== "rsa") { | |
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa"); | |
} | |
(0, check_key_length_js_1.default)(key, alg); | |
return key; | |
case "PS256": | |
case "PS384": | |
case "PS512": | |
if (key.asymmetricKeyType === "rsa-pss") { | |
const { hashAlgorithm, mgf1HashAlgorithm, saltLength } = key.asymmetricKeyDetails; | |
const length = parseInt(alg.slice(-3), 10); | |
if (hashAlgorithm !== void 0 && (hashAlgorithm !== `sha${length}` || mgf1HashAlgorithm !== hashAlgorithm)) { | |
throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${alg}`); | |
} | |
if (saltLength !== void 0 && saltLength > length >> 3) { | |
throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${alg}`); | |
} | |
} else if (key.asymmetricKeyType !== "rsa") { | |
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss"); | |
} | |
(0, check_key_length_js_1.default)(key, alg); | |
return { key, ...PSS }; | |
case "ES256": | |
case "ES256K": | |
case "ES384": | |
case "ES512": { | |
if (key.asymmetricKeyType !== "ec") { | |
throw new TypeError("Invalid key for this operation, its asymmetricKeyType must be ec"); | |
} | |
const actual = (0, get_named_curve_js_1.default)(key); | |
const expected = ecCurveAlgMap.get(alg); | |
if (actual !== expected) { | |
throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${expected}, got ${actual}`); | |
} | |
return { dsaEncoding: "ieee-p1363", key }; | |
} | |
default: | |
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`); | |
} | |
} | |
exports2.default = keyForCrypto; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/hmac_digest.js | |
var require_hmac_digest = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/hmac_digest.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var errors_js_1 = require_errors(); | |
function hmacDigest(alg) { | |
switch (alg) { | |
case "HS256": | |
return "sha256"; | |
case "HS384": | |
return "sha384"; | |
case "HS512": | |
return "sha512"; | |
default: | |
throw new errors_js_1.JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`); | |
} | |
} | |
exports2.default = hmacDigest; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/get_sign_verify_key.js | |
var require_get_sign_verify_key = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/get_sign_verify_key.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var node_crypto_1 = requireNodeCrypto; | |
var webcrypto_js_1 = require_webcrypto(); | |
var crypto_key_js_1 = require_crypto_key(); | |
var invalid_key_input_js_1 = require_invalid_key_input(); | |
var is_key_like_js_1 = require_is_key_like(); | |
function getSignVerifyKey(alg, key, usage) { | |
if (key instanceof Uint8Array) { | |
if (!alg.startsWith("HS")) { | |
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types)); | |
} | |
return (0, node_crypto_1.createSecretKey)(key); | |
} | |
if (key instanceof node_crypto_1.KeyObject) { | |
return key; | |
} | |
if ((0, webcrypto_js_1.isCryptoKey)(key)) { | |
(0, crypto_key_js_1.checkSigCryptoKey)(key, alg, usage); | |
return node_crypto_1.KeyObject.from(key); | |
} | |
throw new TypeError((0, invalid_key_input_js_1.default)(key, ...is_key_like_js_1.types, "Uint8Array")); | |
} | |
exports2.default = getSignVerifyKey; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/sign.js | |
var require_sign = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/sign.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var crypto = requireNodeCrypto; | |
var node_util_1 = requireNodeUtil; | |
var dsa_digest_js_1 = require_dsa_digest(); | |
var hmac_digest_js_1 = require_hmac_digest(); | |
var node_key_js_1 = require_node_key(); | |
var get_sign_verify_key_js_1 = require_get_sign_verify_key(); | |
var oneShotSign = (0, node_util_1.promisify)(crypto.sign); | |
var sign = async (alg, key, data) => { | |
const keyObject = (0, get_sign_verify_key_js_1.default)(alg, key, "sign"); | |
if (alg.startsWith("HS")) { | |
const hmac = crypto.createHmac((0, hmac_digest_js_1.default)(alg), keyObject); | |
hmac.update(data); | |
return hmac.digest(); | |
} | |
return oneShotSign((0, dsa_digest_js_1.default)(alg), data, (0, node_key_js_1.default)(alg, keyObject)); | |
}; | |
exports2.default = sign; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/verify.js | |
var require_verify = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/verify.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var crypto = requireNodeCrypto; | |
var node_util_1 = requireNodeUtil; | |
var dsa_digest_js_1 = require_dsa_digest(); | |
var node_key_js_1 = require_node_key(); | |
var sign_js_12 = require_sign(); | |
var get_sign_verify_key_js_1 = require_get_sign_verify_key(); | |
var oneShotVerify = (0, node_util_1.promisify)(crypto.verify); | |
var verify = async (alg, key, signature, data) => { | |
const keyObject = (0, get_sign_verify_key_js_1.default)(alg, key, "verify"); | |
if (alg.startsWith("HS")) { | |
const expected = await (0, sign_js_12.default)(alg, keyObject, data); | |
const actual = signature; | |
try { | |
return crypto.timingSafeEqual(actual, expected); | |
} catch { | |
return false; | |
} | |
} | |
const algorithm = (0, dsa_digest_js_1.default)(alg); | |
const keyInput = (0, node_key_js_1.default)(alg, keyObject); | |
try { | |
return await oneShotVerify(algorithm, data, keyInput, signature); | |
} catch { | |
return false; | |
} | |
}; | |
exports2.default = verify; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jws/flattened/verify.js | |
var require_verify2 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jws/flattened/verify.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.flattenedVerify = void 0; | |
var base64url_js_1 = require_base64url(); | |
var verify_js_12 = require_verify(); | |
var errors_js_1 = require_errors(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var is_disjoint_js_1 = require_is_disjoint(); | |
var is_object_js_1 = require_is_object(); | |
var check_key_type_js_1 = require_check_key_type(); | |
var validate_crit_js_1 = require_validate_crit(); | |
var validate_algorithms_js_1 = require_validate_algorithms(); | |
async function flattenedVerify(jws, key, options) { | |
if (!(0, is_object_js_1.default)(jws)) { | |
throw new errors_js_1.JWSInvalid("Flattened JWS must be an object"); | |
} | |
if (jws.protected === void 0 && jws.header === void 0) { | |
throw new errors_js_1.JWSInvalid('Flattened JWS must have either of the "protected" or "header" members'); | |
} | |
if (jws.protected !== void 0 && typeof jws.protected !== "string") { | |
throw new errors_js_1.JWSInvalid("JWS Protected Header incorrect type"); | |
} | |
if (jws.payload === void 0) { | |
throw new errors_js_1.JWSInvalid("JWS Payload missing"); | |
} | |
if (typeof jws.signature !== "string") { | |
throw new errors_js_1.JWSInvalid("JWS Signature missing or incorrect type"); | |
} | |
if (jws.header !== void 0 && !(0, is_object_js_1.default)(jws.header)) { | |
throw new errors_js_1.JWSInvalid("JWS Unprotected Header incorrect type"); | |
} | |
let parsedProt = {}; | |
if (jws.protected) { | |
try { | |
const protectedHeader = (0, base64url_js_1.decode)(jws.protected); | |
parsedProt = JSON.parse(buffer_utils_js_1.decoder.decode(protectedHeader)); | |
} catch { | |
throw new errors_js_1.JWSInvalid("JWS Protected Header is invalid"); | |
} | |
} | |
if (!(0, is_disjoint_js_1.default)(parsedProt, jws.header)) { | |
throw new errors_js_1.JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint"); | |
} | |
const joseHeader = { | |
...parsedProt, | |
...jws.header | |
}; | |
const extensions = (0, validate_crit_js_1.default)(errors_js_1.JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, parsedProt, joseHeader); | |
let b64 = true; | |
if (extensions.has("b64")) { | |
b64 = parsedProt.b64; | |
if (typeof b64 !== "boolean") { | |
throw new errors_js_1.JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean'); | |
} | |
} | |
const { alg } = joseHeader; | |
if (typeof alg !== "string" || !alg) { | |
throw new errors_js_1.JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid'); | |
} | |
const algorithms = options && (0, validate_algorithms_js_1.default)("algorithms", options.algorithms); | |
if (algorithms && !algorithms.has(alg)) { | |
throw new errors_js_1.JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed'); | |
} | |
if (b64) { | |
if (typeof jws.payload !== "string") { | |
throw new errors_js_1.JWSInvalid("JWS Payload must be a string"); | |
} | |
} else if (typeof jws.payload !== "string" && !(jws.payload instanceof Uint8Array)) { | |
throw new errors_js_1.JWSInvalid("JWS Payload must be a string or an Uint8Array instance"); | |
} | |
let resolvedKey = false; | |
if (typeof key === "function") { | |
key = await key(parsedProt, jws); | |
resolvedKey = true; | |
} | |
(0, check_key_type_js_1.default)(alg, key, "verify"); | |
const data = (0, buffer_utils_js_1.concat)(buffer_utils_js_1.encoder.encode(jws.protected ?? ""), buffer_utils_js_1.encoder.encode("."), typeof jws.payload === "string" ? buffer_utils_js_1.encoder.encode(jws.payload) : jws.payload); | |
let signature; | |
try { | |
signature = (0, base64url_js_1.decode)(jws.signature); | |
} catch { | |
throw new errors_js_1.JWSInvalid("Failed to base64url decode the signature"); | |
} | |
const verified = await (0, verify_js_12.default)(alg, key, signature, data); | |
if (!verified) { | |
throw new errors_js_1.JWSSignatureVerificationFailed(); | |
} | |
let payload; | |
if (b64) { | |
try { | |
payload = (0, base64url_js_1.decode)(jws.payload); | |
} catch { | |
throw new errors_js_1.JWSInvalid("Failed to base64url decode the payload"); | |
} | |
} else if (typeof jws.payload === "string") { | |
payload = buffer_utils_js_1.encoder.encode(jws.payload); | |
} else { | |
payload = jws.payload; | |
} | |
const result = { payload }; | |
if (jws.protected !== void 0) { | |
result.protectedHeader = parsedProt; | |
} | |
if (jws.header !== void 0) { | |
result.unprotectedHeader = jws.header; | |
} | |
if (resolvedKey) { | |
return { ...result, key }; | |
} | |
return result; | |
} | |
exports2.flattenedVerify = flattenedVerify; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jws/compact/verify.js | |
var require_verify3 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jws/compact/verify.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.compactVerify = void 0; | |
var verify_js_12 = require_verify2(); | |
var errors_js_1 = require_errors(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
async function compactVerify(jws, key, options) { | |
if (jws instanceof Uint8Array) { | |
jws = buffer_utils_js_1.decoder.decode(jws); | |
} | |
if (typeof jws !== "string") { | |
throw new errors_js_1.JWSInvalid("Compact JWS must be a string or Uint8Array"); | |
} | |
const { 0: protectedHeader, 1: payload, 2: signature, length } = jws.split("."); | |
if (length !== 3) { | |
throw new errors_js_1.JWSInvalid("Invalid Compact JWS"); | |
} | |
const verified = await (0, verify_js_12.flattenedVerify)({ payload, protected: protectedHeader, signature }, key, options); | |
const result = { payload: verified.payload, protectedHeader: verified.protectedHeader }; | |
if (typeof key === "function") { | |
return { ...result, key: verified.key }; | |
} | |
return result; | |
} | |
exports2.compactVerify = compactVerify; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jws/general/verify.js | |
var require_verify4 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jws/general/verify.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.generalVerify = void 0; | |
var verify_js_12 = require_verify2(); | |
var errors_js_1 = require_errors(); | |
var is_object_js_1 = require_is_object(); | |
async function generalVerify(jws, key, options) { | |
if (!(0, is_object_js_1.default)(jws)) { | |
throw new errors_js_1.JWSInvalid("General JWS must be an object"); | |
} | |
if (!Array.isArray(jws.signatures) || !jws.signatures.every(is_object_js_1.default)) { | |
throw new errors_js_1.JWSInvalid("JWS Signatures missing or incorrect type"); | |
} | |
for (const signature of jws.signatures) { | |
try { | |
return await (0, verify_js_12.flattenedVerify)({ | |
header: signature.header, | |
payload: jws.payload, | |
protected: signature.protected, | |
signature: signature.signature | |
}, key, options); | |
} catch { | |
} | |
} | |
throw new errors_js_1.JWSSignatureVerificationFailed(); | |
} | |
exports2.generalVerify = generalVerify; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/epoch.js | |
var require_epoch = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/epoch.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.default = (date) => Math.floor(date.getTime() / 1e3); | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/secs.js | |
var require_secs = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/secs.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var minute = 60; | |
var hour = minute * 60; | |
var day = hour * 24; | |
var week = day * 7; | |
var year = day * 365.25; | |
var REGEX = /^(\+|\-)? ?(\d+|\d+\.\d+) ?(seconds?|secs?|s|minutes?|mins?|m|hours?|hrs?|h|days?|d|weeks?|w|years?|yrs?|y)(?: (ago|from now))?$/i; | |
exports2.default = (str) => { | |
const matched = REGEX.exec(str); | |
if (!matched || matched[4] && matched[1]) { | |
throw new TypeError("Invalid time period format"); | |
} | |
const value = parseFloat(matched[2]); | |
const unit = matched[3].toLowerCase(); | |
let numericDate; | |
switch (unit) { | |
case "sec": | |
case "secs": | |
case "second": | |
case "seconds": | |
case "s": | |
numericDate = Math.round(value); | |
break; | |
case "minute": | |
case "minutes": | |
case "min": | |
case "mins": | |
case "m": | |
numericDate = Math.round(value * minute); | |
break; | |
case "hour": | |
case "hours": | |
case "hr": | |
case "hrs": | |
case "h": | |
numericDate = Math.round(value * hour); | |
break; | |
case "day": | |
case "days": | |
case "d": | |
numericDate = Math.round(value * day); | |
break; | |
case "week": | |
case "weeks": | |
case "w": | |
numericDate = Math.round(value * week); | |
break; | |
default: | |
numericDate = Math.round(value * year); | |
break; | |
} | |
if (matched[1] === "-" || matched[4] === "ago") { | |
return -numericDate; | |
} | |
return numericDate; | |
}; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/lib/jwt_claims_set.js | |
var require_jwt_claims_set = __commonJS({ | |
"node_modules/jose/dist/node/cjs/lib/jwt_claims_set.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var errors_js_1 = require_errors(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var epoch_js_1 = require_epoch(); | |
var secs_js_1 = require_secs(); | |
var is_object_js_1 = require_is_object(); | |
var normalizeTyp = (value) => value.toLowerCase().replace(/^application\//, ""); | |
var checkAudiencePresence = (audPayload, audOption) => { | |
if (typeof audPayload === "string") { | |
return audOption.includes(audPayload); | |
} | |
if (Array.isArray(audPayload)) { | |
return audOption.some(Set.prototype.has.bind(new Set(audPayload))); | |
} | |
return false; | |
}; | |
exports2.default = (protectedHeader, encodedPayload, options = {}) => { | |
const { typ } = options; | |
if (typ && (typeof protectedHeader.typ !== "string" || normalizeTyp(protectedHeader.typ) !== normalizeTyp(typ))) { | |
throw new errors_js_1.JWTClaimValidationFailed('unexpected "typ" JWT header value', "typ", "check_failed"); | |
} | |
let payload; | |
try { | |
payload = JSON.parse(buffer_utils_js_1.decoder.decode(encodedPayload)); | |
} catch { | |
} | |
if (!(0, is_object_js_1.default)(payload)) { | |
throw new errors_js_1.JWTInvalid("JWT Claims Set must be a top-level JSON object"); | |
} | |
const { requiredClaims = [], issuer, subject, audience, maxTokenAge } = options; | |
const presenceCheck = [...requiredClaims]; | |
if (maxTokenAge !== void 0) | |
presenceCheck.push("iat"); | |
if (audience !== void 0) | |
presenceCheck.push("aud"); | |
if (subject !== void 0) | |
presenceCheck.push("sub"); | |
if (issuer !== void 0) | |
presenceCheck.push("iss"); | |
for (const claim of new Set(presenceCheck.reverse())) { | |
if (!(claim in payload)) { | |
throw new errors_js_1.JWTClaimValidationFailed(`missing required "${claim}" claim`, claim, "missing"); | |
} | |
} | |
if (issuer && !(Array.isArray(issuer) ? issuer : [issuer]).includes(payload.iss)) { | |
throw new errors_js_1.JWTClaimValidationFailed('unexpected "iss" claim value', "iss", "check_failed"); | |
} | |
if (subject && payload.sub !== subject) { | |
throw new errors_js_1.JWTClaimValidationFailed('unexpected "sub" claim value', "sub", "check_failed"); | |
} | |
if (audience && !checkAudiencePresence(payload.aud, typeof audience === "string" ? [audience] : audience)) { | |
throw new errors_js_1.JWTClaimValidationFailed('unexpected "aud" claim value', "aud", "check_failed"); | |
} | |
let tolerance; | |
switch (typeof options.clockTolerance) { | |
case "string": | |
tolerance = (0, secs_js_1.default)(options.clockTolerance); | |
break; | |
case "number": | |
tolerance = options.clockTolerance; | |
break; | |
case "undefined": | |
tolerance = 0; | |
break; | |
default: | |
throw new TypeError("Invalid clockTolerance option type"); | |
} | |
const { currentDate } = options; | |
const now = (0, epoch_js_1.default)(currentDate || /* @__PURE__ */ new Date()); | |
if ((payload.iat !== void 0 || maxTokenAge) && typeof payload.iat !== "number") { | |
throw new errors_js_1.JWTClaimValidationFailed('"iat" claim must be a number', "iat", "invalid"); | |
} | |
if (payload.nbf !== void 0) { | |
if (typeof payload.nbf !== "number") { | |
throw new errors_js_1.JWTClaimValidationFailed('"nbf" claim must be a number', "nbf", "invalid"); | |
} | |
if (payload.nbf > now + tolerance) { | |
throw new errors_js_1.JWTClaimValidationFailed('"nbf" claim timestamp check failed', "nbf", "check_failed"); | |
} | |
} | |
if (payload.exp !== void 0) { | |
if (typeof payload.exp !== "number") { | |
throw new errors_js_1.JWTClaimValidationFailed('"exp" claim must be a number', "exp", "invalid"); | |
} | |
if (payload.exp <= now - tolerance) { | |
throw new errors_js_1.JWTExpired('"exp" claim timestamp check failed', "exp", "check_failed"); | |
} | |
} | |
if (maxTokenAge) { | |
const age = now - payload.iat; | |
const max = typeof maxTokenAge === "number" ? maxTokenAge : (0, secs_js_1.default)(maxTokenAge); | |
if (age - tolerance > max) { | |
throw new errors_js_1.JWTExpired('"iat" claim timestamp check failed (too far in the past)', "iat", "check_failed"); | |
} | |
if (age < 0 - tolerance) { | |
throw new errors_js_1.JWTClaimValidationFailed('"iat" claim timestamp check failed (it should be in the past)', "iat", "check_failed"); | |
} | |
} | |
return payload; | |
}; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwt/verify.js | |
var require_verify5 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwt/verify.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.jwtVerify = void 0; | |
var verify_js_12 = require_verify3(); | |
var jwt_claims_set_js_1 = require_jwt_claims_set(); | |
var errors_js_1 = require_errors(); | |
async function jwtVerify(jwt, key, options) { | |
const verified = await (0, verify_js_12.compactVerify)(jwt, key, options); | |
if (verified.protectedHeader.crit?.includes("b64") && verified.protectedHeader.b64 === false) { | |
throw new errors_js_1.JWTInvalid("JWTs MUST NOT use unencoded payload"); | |
} | |
const payload = (0, jwt_claims_set_js_1.default)(verified.protectedHeader, verified.payload, options); | |
const result = { payload, protectedHeader: verified.protectedHeader }; | |
if (typeof key === "function") { | |
return { ...result, key: verified.key }; | |
} | |
return result; | |
} | |
exports2.jwtVerify = jwtVerify; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwt/decrypt.js | |
var require_decrypt5 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwt/decrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.jwtDecrypt = void 0; | |
var decrypt_js_12 = require_decrypt3(); | |
var jwt_claims_set_js_1 = require_jwt_claims_set(); | |
var errors_js_1 = require_errors(); | |
async function jwtDecrypt(jwt, key, options) { | |
const decrypted = await (0, decrypt_js_12.compactDecrypt)(jwt, key, options); | |
const payload = (0, jwt_claims_set_js_1.default)(decrypted.protectedHeader, decrypted.plaintext, options); | |
const { protectedHeader } = decrypted; | |
if (protectedHeader.iss !== void 0 && protectedHeader.iss !== payload.iss) { | |
throw new errors_js_1.JWTClaimValidationFailed('replicated "iss" claim header parameter mismatch', "iss", "mismatch"); | |
} | |
if (protectedHeader.sub !== void 0 && protectedHeader.sub !== payload.sub) { | |
throw new errors_js_1.JWTClaimValidationFailed('replicated "sub" claim header parameter mismatch', "sub", "mismatch"); | |
} | |
if (protectedHeader.aud !== void 0 && JSON.stringify(protectedHeader.aud) !== JSON.stringify(payload.aud)) { | |
throw new errors_js_1.JWTClaimValidationFailed('replicated "aud" claim header parameter mismatch', "aud", "mismatch"); | |
} | |
const result = { payload, protectedHeader }; | |
if (typeof key === "function") { | |
return { ...result, key: decrypted.key }; | |
} | |
return result; | |
} | |
exports2.jwtDecrypt = jwtDecrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwe/compact/encrypt.js | |
var require_encrypt4 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwe/compact/encrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.CompactEncrypt = void 0; | |
var encrypt_js_12 = require_encrypt2(); | |
var CompactEncrypt = class { | |
_flattened; | |
constructor(plaintext) { | |
this._flattened = new encrypt_js_12.FlattenedEncrypt(plaintext); | |
} | |
setContentEncryptionKey(cek) { | |
this._flattened.setContentEncryptionKey(cek); | |
return this; | |
} | |
setInitializationVector(iv) { | |
this._flattened.setInitializationVector(iv); | |
return this; | |
} | |
setProtectedHeader(protectedHeader) { | |
this._flattened.setProtectedHeader(protectedHeader); | |
return this; | |
} | |
setKeyManagementParameters(parameters) { | |
this._flattened.setKeyManagementParameters(parameters); | |
return this; | |
} | |
async encrypt(key, options) { | |
const jwe = await this._flattened.encrypt(key, options); | |
return [jwe.protected, jwe.encrypted_key, jwe.iv, jwe.ciphertext, jwe.tag].join("."); | |
} | |
}; | |
exports2.CompactEncrypt = CompactEncrypt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jws/flattened/sign.js | |
var require_sign2 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jws/flattened/sign.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.FlattenedSign = void 0; | |
var base64url_js_1 = require_base64url(); | |
var sign_js_12 = require_sign(); | |
var is_disjoint_js_1 = require_is_disjoint(); | |
var errors_js_1 = require_errors(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var check_key_type_js_1 = require_check_key_type(); | |
var validate_crit_js_1 = require_validate_crit(); | |
var FlattenedSign = class { | |
_payload; | |
_protectedHeader; | |
_unprotectedHeader; | |
constructor(payload) { | |
if (!(payload instanceof Uint8Array)) { | |
throw new TypeError("payload must be an instance of Uint8Array"); | |
} | |
this._payload = payload; | |
} | |
setProtectedHeader(protectedHeader) { | |
if (this._protectedHeader) { | |
throw new TypeError("setProtectedHeader can only be called once"); | |
} | |
this._protectedHeader = protectedHeader; | |
return this; | |
} | |
setUnprotectedHeader(unprotectedHeader) { | |
if (this._unprotectedHeader) { | |
throw new TypeError("setUnprotectedHeader can only be called once"); | |
} | |
this._unprotectedHeader = unprotectedHeader; | |
return this; | |
} | |
async sign(key, options) { | |
if (!this._protectedHeader && !this._unprotectedHeader) { | |
throw new errors_js_1.JWSInvalid("either setProtectedHeader or setUnprotectedHeader must be called before #sign()"); | |
} | |
if (!(0, is_disjoint_js_1.default)(this._protectedHeader, this._unprotectedHeader)) { | |
throw new errors_js_1.JWSInvalid("JWS Protected and JWS Unprotected Header Parameter names must be disjoint"); | |
} | |
const joseHeader = { | |
...this._protectedHeader, | |
...this._unprotectedHeader | |
}; | |
const extensions = (0, validate_crit_js_1.default)(errors_js_1.JWSInvalid, /* @__PURE__ */ new Map([["b64", true]]), options?.crit, this._protectedHeader, joseHeader); | |
let b64 = true; | |
if (extensions.has("b64")) { | |
b64 = this._protectedHeader.b64; | |
if (typeof b64 !== "boolean") { | |
throw new errors_js_1.JWSInvalid('The "b64" (base64url-encode payload) Header Parameter must be a boolean'); | |
} | |
} | |
const { alg } = joseHeader; | |
if (typeof alg !== "string" || !alg) { | |
throw new errors_js_1.JWSInvalid('JWS "alg" (Algorithm) Header Parameter missing or invalid'); | |
} | |
(0, check_key_type_js_1.default)(alg, key, "sign"); | |
let payload = this._payload; | |
if (b64) { | |
payload = buffer_utils_js_1.encoder.encode((0, base64url_js_1.encode)(payload)); | |
} | |
let protectedHeader; | |
if (this._protectedHeader) { | |
protectedHeader = buffer_utils_js_1.encoder.encode((0, base64url_js_1.encode)(JSON.stringify(this._protectedHeader))); | |
} else { | |
protectedHeader = buffer_utils_js_1.encoder.encode(""); | |
} | |
const data = (0, buffer_utils_js_1.concat)(protectedHeader, buffer_utils_js_1.encoder.encode("."), payload); | |
const signature = await (0, sign_js_12.default)(alg, key, data); | |
const jws = { | |
signature: (0, base64url_js_1.encode)(signature), | |
payload: "" | |
}; | |
if (b64) { | |
jws.payload = buffer_utils_js_1.decoder.decode(payload); | |
} | |
if (this._unprotectedHeader) { | |
jws.header = this._unprotectedHeader; | |
} | |
if (this._protectedHeader) { | |
jws.protected = buffer_utils_js_1.decoder.decode(protectedHeader); | |
} | |
return jws; | |
} | |
}; | |
exports2.FlattenedSign = FlattenedSign; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jws/compact/sign.js | |
var require_sign3 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jws/compact/sign.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.CompactSign = void 0; | |
var sign_js_12 = require_sign2(); | |
var CompactSign = class { | |
_flattened; | |
constructor(payload) { | |
this._flattened = new sign_js_12.FlattenedSign(payload); | |
} | |
setProtectedHeader(protectedHeader) { | |
this._flattened.setProtectedHeader(protectedHeader); | |
return this; | |
} | |
async sign(key, options) { | |
const jws = await this._flattened.sign(key, options); | |
if (jws.payload === void 0) { | |
throw new TypeError("use the flattened module for creating JWS with b64: false"); | |
} | |
return `${jws.protected}.${jws.payload}.${jws.signature}`; | |
} | |
}; | |
exports2.CompactSign = CompactSign; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jws/general/sign.js | |
var require_sign4 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jws/general/sign.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.GeneralSign = void 0; | |
var sign_js_12 = require_sign2(); | |
var errors_js_1 = require_errors(); | |
var IndividualSignature = class { | |
parent; | |
protectedHeader; | |
unprotectedHeader; | |
options; | |
key; | |
constructor(sig, key, options) { | |
this.parent = sig; | |
this.key = key; | |
this.options = options; | |
} | |
setProtectedHeader(protectedHeader) { | |
if (this.protectedHeader) { | |
throw new TypeError("setProtectedHeader can only be called once"); | |
} | |
this.protectedHeader = protectedHeader; | |
return this; | |
} | |
setUnprotectedHeader(unprotectedHeader) { | |
if (this.unprotectedHeader) { | |
throw new TypeError("setUnprotectedHeader can only be called once"); | |
} | |
this.unprotectedHeader = unprotectedHeader; | |
return this; | |
} | |
addSignature(...args) { | |
return this.parent.addSignature(...args); | |
} | |
sign(...args) { | |
return this.parent.sign(...args); | |
} | |
done() { | |
return this.parent; | |
} | |
}; | |
var GeneralSign = class { | |
_payload; | |
_signatures = []; | |
constructor(payload) { | |
this._payload = payload; | |
} | |
addSignature(key, options) { | |
const signature = new IndividualSignature(this, key, options); | |
this._signatures.push(signature); | |
return signature; | |
} | |
async sign() { | |
if (!this._signatures.length) { | |
throw new errors_js_1.JWSInvalid("at least one signature must be added"); | |
} | |
const jws = { | |
signatures: [], | |
payload: "" | |
}; | |
for (let i = 0; i < this._signatures.length; i++) { | |
const signature = this._signatures[i]; | |
const flattened = new sign_js_12.FlattenedSign(this._payload); | |
flattened.setProtectedHeader(signature.protectedHeader); | |
flattened.setUnprotectedHeader(signature.unprotectedHeader); | |
const { payload, ...rest } = await flattened.sign(signature.key, signature.options); | |
if (i === 0) { | |
jws.payload = payload; | |
} else if (jws.payload !== payload) { | |
throw new errors_js_1.JWSInvalid("inconsistent use of JWS Unencoded Payload (RFC7797)"); | |
} | |
jws.signatures.push(rest); | |
} | |
return jws; | |
} | |
}; | |
exports2.GeneralSign = GeneralSign; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwt/produce.js | |
var require_produce = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwt/produce.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.ProduceJWT = void 0; | |
var epoch_js_1 = require_epoch(); | |
var is_object_js_1 = require_is_object(); | |
var secs_js_1 = require_secs(); | |
function validateInput(label, input) { | |
if (!Number.isFinite(input)) { | |
throw new TypeError(`Invalid ${label} input`); | |
} | |
return input; | |
} | |
var ProduceJWT = class { | |
_payload; | |
constructor(payload = {}) { | |
if (!(0, is_object_js_1.default)(payload)) { | |
throw new TypeError("JWT Claims Set MUST be an object"); | |
} | |
this._payload = payload; | |
} | |
setIssuer(issuer) { | |
this._payload = { ...this._payload, iss: issuer }; | |
return this; | |
} | |
setSubject(subject) { | |
this._payload = { ...this._payload, sub: subject }; | |
return this; | |
} | |
setAudience(audience) { | |
this._payload = { ...this._payload, aud: audience }; | |
return this; | |
} | |
setJti(jwtId) { | |
this._payload = { ...this._payload, jti: jwtId }; | |
return this; | |
} | |
setNotBefore(input) { | |
if (typeof input === "number") { | |
this._payload = { ...this._payload, nbf: validateInput("setNotBefore", input) }; | |
} else if (input instanceof Date) { | |
this._payload = { ...this._payload, nbf: validateInput("setNotBefore", (0, epoch_js_1.default)(input)) }; | |
} else { | |
this._payload = { ...this._payload, nbf: (0, epoch_js_1.default)(/* @__PURE__ */ new Date()) + (0, secs_js_1.default)(input) }; | |
} | |
return this; | |
} | |
setExpirationTime(input) { | |
if (typeof input === "number") { | |
this._payload = { ...this._payload, exp: validateInput("setExpirationTime", input) }; | |
} else if (input instanceof Date) { | |
this._payload = { ...this._payload, exp: validateInput("setExpirationTime", (0, epoch_js_1.default)(input)) }; | |
} else { | |
this._payload = { ...this._payload, exp: (0, epoch_js_1.default)(/* @__PURE__ */ new Date()) + (0, secs_js_1.default)(input) }; | |
} | |
return this; | |
} | |
setIssuedAt(input) { | |
if (typeof input === "undefined") { | |
this._payload = { ...this._payload, iat: (0, epoch_js_1.default)(/* @__PURE__ */ new Date()) }; | |
} else if (input instanceof Date) { | |
this._payload = { ...this._payload, iat: validateInput("setIssuedAt", (0, epoch_js_1.default)(input)) }; | |
} else if (typeof input === "string") { | |
this._payload = { | |
...this._payload, | |
iat: validateInput("setIssuedAt", (0, epoch_js_1.default)(/* @__PURE__ */ new Date()) + (0, secs_js_1.default)(input)) | |
}; | |
} else { | |
this._payload = { ...this._payload, iat: validateInput("setIssuedAt", input) }; | |
} | |
return this; | |
} | |
}; | |
exports2.ProduceJWT = ProduceJWT; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwt/sign.js | |
var require_sign5 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwt/sign.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.SignJWT = void 0; | |
var sign_js_12 = require_sign3(); | |
var errors_js_1 = require_errors(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var produce_js_1 = require_produce(); | |
var SignJWT = class extends produce_js_1.ProduceJWT { | |
_protectedHeader; | |
setProtectedHeader(protectedHeader) { | |
this._protectedHeader = protectedHeader; | |
return this; | |
} | |
async sign(key, options) { | |
const sig = new sign_js_12.CompactSign(buffer_utils_js_1.encoder.encode(JSON.stringify(this._payload))); | |
sig.setProtectedHeader(this._protectedHeader); | |
if (Array.isArray(this._protectedHeader?.crit) && this._protectedHeader.crit.includes("b64") && this._protectedHeader.b64 === false) { | |
throw new errors_js_1.JWTInvalid("JWTs MUST NOT use unencoded payload"); | |
} | |
return sig.sign(key, options); | |
} | |
}; | |
exports2.SignJWT = SignJWT; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwt/encrypt.js | |
var require_encrypt5 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwt/encrypt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.EncryptJWT = void 0; | |
var encrypt_js_12 = require_encrypt4(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var produce_js_1 = require_produce(); | |
var EncryptJWT = class extends produce_js_1.ProduceJWT { | |
_cek; | |
_iv; | |
_keyManagementParameters; | |
_protectedHeader; | |
_replicateIssuerAsHeader; | |
_replicateSubjectAsHeader; | |
_replicateAudienceAsHeader; | |
setProtectedHeader(protectedHeader) { | |
if (this._protectedHeader) { | |
throw new TypeError("setProtectedHeader can only be called once"); | |
} | |
this._protectedHeader = protectedHeader; | |
return this; | |
} | |
setKeyManagementParameters(parameters) { | |
if (this._keyManagementParameters) { | |
throw new TypeError("setKeyManagementParameters can only be called once"); | |
} | |
this._keyManagementParameters = parameters; | |
return this; | |
} | |
setContentEncryptionKey(cek) { | |
if (this._cek) { | |
throw new TypeError("setContentEncryptionKey can only be called once"); | |
} | |
this._cek = cek; | |
return this; | |
} | |
setInitializationVector(iv) { | |
if (this._iv) { | |
throw new TypeError("setInitializationVector can only be called once"); | |
} | |
this._iv = iv; | |
return this; | |
} | |
replicateIssuerAsHeader() { | |
this._replicateIssuerAsHeader = true; | |
return this; | |
} | |
replicateSubjectAsHeader() { | |
this._replicateSubjectAsHeader = true; | |
return this; | |
} | |
replicateAudienceAsHeader() { | |
this._replicateAudienceAsHeader = true; | |
return this; | |
} | |
async encrypt(key, options) { | |
const enc = new encrypt_js_12.CompactEncrypt(buffer_utils_js_1.encoder.encode(JSON.stringify(this._payload))); | |
if (this._replicateIssuerAsHeader) { | |
this._protectedHeader = { ...this._protectedHeader, iss: this._payload.iss }; | |
} | |
if (this._replicateSubjectAsHeader) { | |
this._protectedHeader = { ...this._protectedHeader, sub: this._payload.sub }; | |
} | |
if (this._replicateAudienceAsHeader) { | |
this._protectedHeader = { ...this._protectedHeader, aud: this._payload.aud }; | |
} | |
enc.setProtectedHeader(this._protectedHeader); | |
if (this._iv) { | |
enc.setInitializationVector(this._iv); | |
} | |
if (this._cek) { | |
enc.setContentEncryptionKey(this._cek); | |
} | |
if (this._keyManagementParameters) { | |
enc.setKeyManagementParameters(this._keyManagementParameters); | |
} | |
return enc.encrypt(key, options); | |
} | |
}; | |
exports2.EncryptJWT = EncryptJWT; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwk/thumbprint.js | |
var require_thumbprint = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwk/thumbprint.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.calculateJwkThumbprintUri = exports2.calculateJwkThumbprint = void 0; | |
var digest_js_1 = require_digest(); | |
var base64url_js_1 = require_base64url(); | |
var errors_js_1 = require_errors(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var is_object_js_1 = require_is_object(); | |
var check = (value, description) => { | |
if (typeof value !== "string" || !value) { | |
throw new errors_js_1.JWKInvalid(`${description} missing or invalid`); | |
} | |
}; | |
async function calculateJwkThumbprint(jwk, digestAlgorithm) { | |
if (!(0, is_object_js_1.default)(jwk)) { | |
throw new TypeError("JWK must be an object"); | |
} | |
digestAlgorithm ??= "sha256"; | |
if (digestAlgorithm !== "sha256" && digestAlgorithm !== "sha384" && digestAlgorithm !== "sha512") { | |
throw new TypeError('digestAlgorithm must one of "sha256", "sha384", or "sha512"'); | |
} | |
let components; | |
switch (jwk.kty) { | |
case "EC": | |
check(jwk.crv, '"crv" (Curve) Parameter'); | |
check(jwk.x, '"x" (X Coordinate) Parameter'); | |
check(jwk.y, '"y" (Y Coordinate) Parameter'); | |
components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y }; | |
break; | |
case "OKP": | |
check(jwk.crv, '"crv" (Subtype of Key Pair) Parameter'); | |
check(jwk.x, '"x" (Public Key) Parameter'); | |
components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x }; | |
break; | |
case "RSA": | |
check(jwk.e, '"e" (Exponent) Parameter'); | |
check(jwk.n, '"n" (Modulus) Parameter'); | |
components = { e: jwk.e, kty: jwk.kty, n: jwk.n }; | |
break; | |
case "oct": | |
check(jwk.k, '"k" (Key Value) Parameter'); | |
components = { k: jwk.k, kty: jwk.kty }; | |
break; | |
default: | |
throw new errors_js_1.JOSENotSupported('"kty" (Key Type) Parameter missing or unsupported'); | |
} | |
const data = buffer_utils_js_1.encoder.encode(JSON.stringify(components)); | |
return (0, base64url_js_1.encode)(await (0, digest_js_1.default)(digestAlgorithm, data)); | |
} | |
exports2.calculateJwkThumbprint = calculateJwkThumbprint; | |
async function calculateJwkThumbprintUri(jwk, digestAlgorithm) { | |
digestAlgorithm ??= "sha256"; | |
const thumbprint = await calculateJwkThumbprint(jwk, digestAlgorithm); | |
return `urn:ietf:params:oauth:jwk-thumbprint:sha-${digestAlgorithm.slice(-3)}:${thumbprint}`; | |
} | |
exports2.calculateJwkThumbprintUri = calculateJwkThumbprintUri; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwk/embedded.js | |
var require_embedded = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwk/embedded.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.EmbeddedJWK = void 0; | |
var import_js_12 = require_import(); | |
var is_object_js_1 = require_is_object(); | |
var errors_js_1 = require_errors(); | |
async function EmbeddedJWK(protectedHeader, token) { | |
const joseHeader = { | |
...protectedHeader, | |
...token?.header | |
}; | |
if (!(0, is_object_js_1.default)(joseHeader.jwk)) { | |
throw new errors_js_1.JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a JSON object'); | |
} | |
const key = await (0, import_js_12.importJWK)({ ...joseHeader.jwk, ext: true }, joseHeader.alg); | |
if (key instanceof Uint8Array || key.type !== "public") { | |
throw new errors_js_1.JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a public key'); | |
} | |
return key; | |
} | |
exports2.EmbeddedJWK = EmbeddedJWK; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwks/local.js | |
var require_local = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwks/local.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.createLocalJWKSet = exports2.LocalJWKSet = exports2.isJWKSLike = void 0; | |
var import_js_12 = require_import(); | |
var errors_js_1 = require_errors(); | |
var is_object_js_1 = require_is_object(); | |
function getKtyFromAlg(alg) { | |
switch (typeof alg === "string" && alg.slice(0, 2)) { | |
case "RS": | |
case "PS": | |
return "RSA"; | |
case "ES": | |
return "EC"; | |
case "Ed": | |
return "OKP"; | |
default: | |
throw new errors_js_1.JOSENotSupported('Unsupported "alg" value for a JSON Web Key Set'); | |
} | |
} | |
function isJWKSLike(jwks) { | |
return jwks && typeof jwks === "object" && Array.isArray(jwks.keys) && jwks.keys.every(isJWKLike); | |
} | |
exports2.isJWKSLike = isJWKSLike; | |
function isJWKLike(key) { | |
return (0, is_object_js_1.default)(key); | |
} | |
function clone(obj) { | |
if (typeof structuredClone === "function") { | |
return structuredClone(obj); | |
} | |
return JSON.parse(JSON.stringify(obj)); | |
} | |
var LocalJWKSet = class { | |
_jwks; | |
_cached = /* @__PURE__ */ new WeakMap(); | |
constructor(jwks) { | |
if (!isJWKSLike(jwks)) { | |
throw new errors_js_1.JWKSInvalid("JSON Web Key Set malformed"); | |
} | |
this._jwks = clone(jwks); | |
} | |
async getKey(protectedHeader, token) { | |
const { alg, kid } = { ...protectedHeader, ...token?.header }; | |
const kty = getKtyFromAlg(alg); | |
const candidates = this._jwks.keys.filter((jwk2) => { | |
let candidate = kty === jwk2.kty; | |
if (candidate && typeof kid === "string") { | |
candidate = kid === jwk2.kid; | |
} | |
if (candidate && typeof jwk2.alg === "string") { | |
candidate = alg === jwk2.alg; | |
} | |
if (candidate && typeof jwk2.use === "string") { | |
candidate = jwk2.use === "sig"; | |
} | |
if (candidate && Array.isArray(jwk2.key_ops)) { | |
candidate = jwk2.key_ops.includes("verify"); | |
} | |
if (candidate && alg === "EdDSA") { | |
candidate = jwk2.crv === "Ed25519" || jwk2.crv === "Ed448"; | |
} | |
if (candidate) { | |
switch (alg) { | |
case "ES256": | |
candidate = jwk2.crv === "P-256"; | |
break; | |
case "ES256K": | |
candidate = jwk2.crv === "secp256k1"; | |
break; | |
case "ES384": | |
candidate = jwk2.crv === "P-384"; | |
break; | |
case "ES512": | |
candidate = jwk2.crv === "P-521"; | |
break; | |
} | |
} | |
return candidate; | |
}); | |
const { 0: jwk, length } = candidates; | |
if (length === 0) { | |
throw new errors_js_1.JWKSNoMatchingKey(); | |
} | |
if (length !== 1) { | |
const error = new errors_js_1.JWKSMultipleMatchingKeys(); | |
const { _cached } = this; | |
error[Symbol.asyncIterator] = async function* () { | |
for (const jwk2 of candidates) { | |
try { | |
yield await importWithAlgCache(_cached, jwk2, alg); | |
} catch { | |
} | |
} | |
}; | |
throw error; | |
} | |
return importWithAlgCache(this._cached, jwk, alg); | |
} | |
}; | |
exports2.LocalJWKSet = LocalJWKSet; | |
async function importWithAlgCache(cache, jwk, alg) { | |
const cached = cache.get(jwk) || cache.set(jwk, {}).get(jwk); | |
if (cached[alg] === void 0) { | |
const key = await (0, import_js_12.importJWK)({ ...jwk, ext: true }, alg); | |
if (key instanceof Uint8Array || key.type !== "public") { | |
throw new errors_js_1.JWKSInvalid("JSON Web Key Set members must be public keys"); | |
} | |
cached[alg] = key; | |
} | |
return cached[alg]; | |
} | |
function createLocalJWKSet(jwks) { | |
const set = new LocalJWKSet(jwks); | |
return async (protectedHeader, token) => set.getKey(protectedHeader, token); | |
} | |
exports2.createLocalJWKSet = createLocalJWKSet; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/jwt/unsecured.js | |
var require_unsecured = __commonJS({ | |
"node_modules/jose/dist/node/cjs/jwt/unsecured.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.UnsecuredJWT = void 0; | |
var base64url = require_base64url(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var errors_js_1 = require_errors(); | |
var jwt_claims_set_js_1 = require_jwt_claims_set(); | |
var produce_js_1 = require_produce(); | |
var UnsecuredJWT = class extends produce_js_1.ProduceJWT { | |
encode() { | |
const header = base64url.encode(JSON.stringify({ alg: "none" })); | |
const payload = base64url.encode(JSON.stringify(this._payload)); | |
return `${header}.${payload}.`; | |
} | |
static decode(jwt, options) { | |
if (typeof jwt !== "string") { | |
throw new errors_js_1.JWTInvalid("Unsecured JWT must be a string"); | |
} | |
const { 0: encodedHeader, 1: encodedPayload, 2: signature, length } = jwt.split("."); | |
if (length !== 3 || signature !== "") { | |
throw new errors_js_1.JWTInvalid("Invalid Unsecured JWT"); | |
} | |
let header; | |
try { | |
header = JSON.parse(buffer_utils_js_1.decoder.decode(base64url.decode(encodedHeader))); | |
if (header.alg !== "none") | |
throw new Error(); | |
} catch { | |
throw new errors_js_1.JWTInvalid("Invalid Unsecured JWT"); | |
} | |
const payload = (0, jwt_claims_set_js_1.default)(header, base64url.decode(encodedPayload), options); | |
return { payload, header }; | |
} | |
}; | |
exports2.UnsecuredJWT = UnsecuredJWT; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/util/base64url.js | |
var require_base64url2 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/util/base64url.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.decode = exports2.encode = void 0; | |
var base64url = require_base64url(); | |
exports2.encode = base64url.encode; | |
exports2.decode = base64url.decode; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/util/decode_protected_header.js | |
var require_decode_protected_header = __commonJS({ | |
"node_modules/jose/dist/node/cjs/util/decode_protected_header.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.decodeProtectedHeader = void 0; | |
var base64url_js_1 = require_base64url2(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var is_object_js_1 = require_is_object(); | |
function decodeProtectedHeader(token) { | |
let protectedB64u; | |
if (typeof token === "string") { | |
const parts = token.split("."); | |
if (parts.length === 3 || parts.length === 5) { | |
; | |
[protectedB64u] = parts; | |
} | |
} else if (typeof token === "object" && token) { | |
if ("protected" in token) { | |
protectedB64u = token.protected; | |
} else { | |
throw new TypeError("Token does not contain a Protected Header"); | |
} | |
} | |
try { | |
if (typeof protectedB64u !== "string" || !protectedB64u) { | |
throw new Error(); | |
} | |
const result = JSON.parse(buffer_utils_js_1.decoder.decode((0, base64url_js_1.decode)(protectedB64u))); | |
if (!(0, is_object_js_1.default)(result)) { | |
throw new Error(); | |
} | |
return result; | |
} catch { | |
throw new TypeError("Invalid Token or Protected Header formatting"); | |
} | |
} | |
exports2.decodeProtectedHeader = decodeProtectedHeader; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/util/decode_jwt.js | |
var require_decode_jwt = __commonJS({ | |
"node_modules/jose/dist/node/cjs/util/decode_jwt.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.decodeJwt = void 0; | |
var base64url_js_1 = require_base64url2(); | |
var buffer_utils_js_1 = require_buffer_utils(); | |
var is_object_js_1 = require_is_object(); | |
var errors_js_1 = require_errors(); | |
function decodeJwt(jwt) { | |
if (typeof jwt !== "string") | |
throw new errors_js_1.JWTInvalid("JWTs must use Compact JWS serialization, JWT must be a string"); | |
const { 1: payload, length } = jwt.split("."); | |
if (length === 5) | |
throw new errors_js_1.JWTInvalid("Only JWTs using Compact JWS serialization can be decoded"); | |
if (length !== 3) | |
throw new errors_js_1.JWTInvalid("Invalid JWT"); | |
if (!payload) | |
throw new errors_js_1.JWTInvalid("JWTs must contain a payload"); | |
let decoded; | |
try { | |
decoded = (0, base64url_js_1.decode)(payload); | |
} catch { | |
throw new errors_js_1.JWTInvalid("Failed to base64url decode the payload"); | |
} | |
let result; | |
try { | |
result = JSON.parse(buffer_utils_js_1.decoder.decode(decoded)); | |
} catch { | |
throw new errors_js_1.JWTInvalid("Failed to parse the decoded payload as JSON"); | |
} | |
if (!(0, is_object_js_1.default)(result)) | |
throw new errors_js_1.JWTInvalid("Invalid JWT Claims Set"); | |
return result; | |
} | |
exports2.decodeJwt = decodeJwt; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/generate.js | |
var require_generate = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/generate.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.generateKeyPair = exports2.generateSecret = void 0; | |
var node_crypto_1 = requireNodeCrypto; | |
var node_util_1 = requireNodeUtil; | |
var random_js_1 = require_random(); | |
var errors_js_1 = require_errors(); | |
var generate = (0, node_util_1.promisify)(node_crypto_1.generateKeyPair); | |
async function generateSecret(alg, options) { | |
let length; | |
switch (alg) { | |
case "HS256": | |
case "HS384": | |
case "HS512": | |
case "A128CBC-HS256": | |
case "A192CBC-HS384": | |
case "A256CBC-HS512": | |
length = parseInt(alg.slice(-3), 10); | |
break; | |
case "A128KW": | |
case "A192KW": | |
case "A256KW": | |
case "A128GCMKW": | |
case "A192GCMKW": | |
case "A256GCMKW": | |
case "A128GCM": | |
case "A192GCM": | |
case "A256GCM": | |
length = parseInt(alg.slice(1, 4), 10); | |
break; | |
default: | |
throw new errors_js_1.JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value'); | |
} | |
return (0, node_crypto_1.createSecretKey)((0, random_js_1.default)(new Uint8Array(length >> 3))); | |
} | |
exports2.generateSecret = generateSecret; | |
async function generateKeyPair(alg, options) { | |
switch (alg) { | |
case "RS256": | |
case "RS384": | |
case "RS512": | |
case "PS256": | |
case "PS384": | |
case "PS512": | |
case "RSA-OAEP": | |
case "RSA-OAEP-256": | |
case "RSA-OAEP-384": | |
case "RSA-OAEP-512": | |
case "RSA1_5": { | |
const modulusLength = options?.modulusLength ?? 2048; | |
if (typeof modulusLength !== "number" || modulusLength < 2048) { | |
throw new errors_js_1.JOSENotSupported("Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used"); | |
} | |
const keypair = await generate("rsa", { | |
modulusLength, | |
publicExponent: 65537 | |
}); | |
return keypair; | |
} | |
case "ES256": | |
return generate("ec", { namedCurve: "P-256" }); | |
case "ES256K": | |
return generate("ec", { namedCurve: "secp256k1" }); | |
case "ES384": | |
return generate("ec", { namedCurve: "P-384" }); | |
case "ES512": | |
return generate("ec", { namedCurve: "P-521" }); | |
case "EdDSA": { | |
switch (options?.crv) { | |
case void 0: | |
case "Ed25519": | |
return generate("ed25519"); | |
case "Ed448": | |
return generate("ed448"); | |
default: | |
throw new errors_js_1.JOSENotSupported("Invalid or unsupported crv option provided, supported values are Ed25519 and Ed448"); | |
} | |
} | |
case "ECDH-ES": | |
case "ECDH-ES+A128KW": | |
case "ECDH-ES+A192KW": | |
case "ECDH-ES+A256KW": { | |
const crv = options?.crv ?? "P-256"; | |
switch (crv) { | |
case void 0: | |
case "P-256": | |
case "P-384": | |
case "P-521": | |
return generate("ec", { namedCurve: crv }); | |
case "X25519": | |
return generate("x25519"); | |
case "X448": | |
return generate("x448"); | |
default: | |
throw new errors_js_1.JOSENotSupported("Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448"); | |
} | |
} | |
default: | |
throw new errors_js_1.JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value'); | |
} | |
} | |
exports2.generateKeyPair = generateKeyPair; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/key/generate_key_pair.js | |
var require_generate_key_pair = __commonJS({ | |
"node_modules/jose/dist/node/cjs/key/generate_key_pair.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.generateKeyPair = void 0; | |
var generate_js_1 = require_generate(); | |
async function generateKeyPair(alg, options) { | |
return (0, generate_js_1.generateKeyPair)(alg, options); | |
} | |
exports2.generateKeyPair = generateKeyPair; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/key/generate_secret.js | |
var require_generate_secret = __commonJS({ | |
"node_modules/jose/dist/node/cjs/key/generate_secret.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.generateSecret = void 0; | |
var generate_js_1 = require_generate(); | |
async function generateSecret(alg, options) { | |
return (0, generate_js_1.generateSecret)(alg, options); | |
} | |
exports2.generateSecret = generateSecret; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/runtime/runtime.js | |
var require_runtime = __commonJS({ | |
"node_modules/jose/dist/node/cjs/runtime/runtime.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
exports2.default = "node:crypto"; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/util/runtime.js | |
var require_runtime2 = __commonJS({ | |
"node_modules/jose/dist/node/cjs/util/runtime.js"(exports2) { | |
"use strict"; | |
Object.defineProperty(exports2, "__esModule", { value: true }); | |
var runtime_js_12 = require_runtime(); | |
exports2.default = runtime_js_12.default; | |
} | |
}); | |
// node_modules/jose/dist/node/cjs/index.js | |
Object.defineProperty(exports, "__esModule", { value: true }); | |
exports.cryptoRuntime = exports.base64url = exports.generateSecret = exports.generateKeyPair = exports.errors = exports.decodeJwt = exports.decodeProtectedHeader = exports.importJWK = exports.importX509 = exports.importPKCS8 = exports.importSPKI = exports.exportJWK = exports.exportSPKI = exports.exportPKCS8 = exports.UnsecuredJWT = exports.createLocalJWKSet = exports.EmbeddedJWK = exports.calculateJwkThumbprintUri = exports.calculateJwkThumbprint = exports.EncryptJWT = exports.SignJWT = exports.GeneralSign = exports.FlattenedSign = exports.CompactSign = exports.FlattenedEncrypt = exports.CompactEncrypt = exports.jwtDecrypt = exports.jwtVerify = exports.generalVerify = exports.flattenedVerify = exports.compactVerify = exports.GeneralEncrypt = exports.generalDecrypt = exports.flattenedDecrypt = exports.compactDecrypt = void 0; | |
var decrypt_js_1 = require_decrypt3(); | |
Object.defineProperty(exports, "compactDecrypt", { enumerable: true, get: function() { | |
return decrypt_js_1.compactDecrypt; | |
} }); | |
var decrypt_js_2 = require_decrypt2(); | |
Object.defineProperty(exports, "flattenedDecrypt", { enumerable: true, get: function() { | |
return decrypt_js_2.flattenedDecrypt; | |
} }); | |
var decrypt_js_3 = require_decrypt4(); | |
Object.defineProperty(exports, "generalDecrypt", { enumerable: true, get: function() { | |
return decrypt_js_3.generalDecrypt; | |
} }); | |
var encrypt_js_1 = require_encrypt3(); | |
Object.defineProperty(exports, "GeneralEncrypt", { enumerable: true, get: function() { | |
return encrypt_js_1.GeneralEncrypt; | |
} }); | |
var verify_js_1 = require_verify3(); | |
Object.defineProperty(exports, "compactVerify", { enumerable: true, get: function() { | |
return verify_js_1.compactVerify; | |
} }); | |
var verify_js_2 = require_verify2(); | |
Object.defineProperty(exports, "flattenedVerify", { enumerable: true, get: function() { | |
return verify_js_2.flattenedVerify; | |
} }); | |
var verify_js_3 = require_verify4(); | |
Object.defineProperty(exports, "generalVerify", { enumerable: true, get: function() { | |
return verify_js_3.generalVerify; | |
} }); | |
var verify_js_4 = require_verify5(); | |
Object.defineProperty(exports, "jwtVerify", { enumerable: true, get: function() { | |
return verify_js_4.jwtVerify; | |
} }); | |
var decrypt_js_4 = require_decrypt5(); | |
Object.defineProperty(exports, "jwtDecrypt", { enumerable: true, get: function() { | |
return decrypt_js_4.jwtDecrypt; | |
} }); | |
var encrypt_js_2 = require_encrypt4(); | |
Object.defineProperty(exports, "CompactEncrypt", { enumerable: true, get: function() { | |
return encrypt_js_2.CompactEncrypt; | |
} }); | |
var encrypt_js_3 = require_encrypt2(); | |
Object.defineProperty(exports, "FlattenedEncrypt", { enumerable: true, get: function() { | |
return encrypt_js_3.FlattenedEncrypt; | |
} }); | |
var sign_js_1 = require_sign3(); | |
Object.defineProperty(exports, "CompactSign", { enumerable: true, get: function() { | |
return sign_js_1.CompactSign; | |
} }); | |
var sign_js_2 = require_sign2(); | |
Object.defineProperty(exports, "FlattenedSign", { enumerable: true, get: function() { | |
return sign_js_2.FlattenedSign; | |
} }); | |
var sign_js_3 = require_sign4(); | |
Object.defineProperty(exports, "GeneralSign", { enumerable: true, get: function() { | |
return sign_js_3.GeneralSign; | |
} }); | |
var sign_js_4 = require_sign5(); | |
Object.defineProperty(exports, "SignJWT", { enumerable: true, get: function() { | |
return sign_js_4.SignJWT; | |
} }); | |
var encrypt_js_4 = require_encrypt5(); | |
Object.defineProperty(exports, "EncryptJWT", { enumerable: true, get: function() { | |
return encrypt_js_4.EncryptJWT; | |
} }); | |
var thumbprint_js_1 = require_thumbprint(); | |
Object.defineProperty(exports, "calculateJwkThumbprint", { enumerable: true, get: function() { | |
return thumbprint_js_1.calculateJwkThumbprint; | |
} }); | |
Object.defineProperty(exports, "calculateJwkThumbprintUri", { enumerable: true, get: function() { | |
return thumbprint_js_1.calculateJwkThumbprintUri; | |
} }); | |
var embedded_js_1 = require_embedded(); | |
Object.defineProperty(exports, "EmbeddedJWK", { enumerable: true, get: function() { | |
return embedded_js_1.EmbeddedJWK; | |
} }); | |
var local_js_1 = require_local(); | |
Object.defineProperty(exports, "createLocalJWKSet", { enumerable: true, get: function() { | |
return local_js_1.createLocalJWKSet; | |
} }); | |
var unsecured_js_1 = require_unsecured(); | |
Object.defineProperty(exports, "UnsecuredJWT", { enumerable: true, get: function() { | |
return unsecured_js_1.UnsecuredJWT; | |
} }); | |
var export_js_1 = require_export(); | |
Object.defineProperty(exports, "exportPKCS8", { enumerable: true, get: function() { | |
return export_js_1.exportPKCS8; | |
} }); | |
Object.defineProperty(exports, "exportSPKI", { enumerable: true, get: function() { | |
return export_js_1.exportSPKI; | |
} }); | |
Object.defineProperty(exports, "exportJWK", { enumerable: true, get: function() { | |
return export_js_1.exportJWK; | |
} }); | |
var import_js_1 = require_import(); | |
Object.defineProperty(exports, "importSPKI", { enumerable: true, get: function() { | |
return import_js_1.importSPKI; | |
} }); | |
Object.defineProperty(exports, "importPKCS8", { enumerable: true, get: function() { | |
return import_js_1.importPKCS8; | |
} }); | |
Object.defineProperty(exports, "importX509", { enumerable: true, get: function() { | |
return import_js_1.importX509; | |
} }); | |
Object.defineProperty(exports, "importJWK", { enumerable: true, get: function() { | |
return import_js_1.importJWK; | |
} }); | |
var decode_protected_header_js_1 = require_decode_protected_header(); | |
Object.defineProperty(exports, "decodeProtectedHeader", { enumerable: true, get: function() { | |
return decode_protected_header_js_1.decodeProtectedHeader; | |
} }); | |
var decode_jwt_js_1 = require_decode_jwt(); | |
Object.defineProperty(exports, "decodeJwt", { enumerable: true, get: function() { | |
return decode_jwt_js_1.decodeJwt; | |
} }); | |
exports.errors = require_errors(); | |
var generate_key_pair_js_1 = require_generate_key_pair(); | |
Object.defineProperty(exports, "generateKeyPair", { enumerable: true, get: function() { | |
return generate_key_pair_js_1.generateKeyPair; | |
} }); | |
var generate_secret_js_1 = require_generate_secret(); | |
Object.defineProperty(exports, "generateSecret", { enumerable: true, get: function() { | |
return generate_secret_js_1.generateSecret; | |
} }); | |
exports.base64url = require_base64url2(); | |
var runtime_js_1 = require_runtime2(); | |
Object.defineProperty(exports, "cryptoRuntime", { enumerable: true, get: function() { | |
return runtime_js_1.default; | |
} }); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment