const base64url = require('../help/base64url')
const isDisjoint = require('../help/is_disjoint')
const isObject = require('../help/is_object')
const deepClone = require('../help/deep_clone')
const { JWSInvalid } = require('../errors')
const { sign } = require('../jwa')
const getKey = require('../help/get_key')
const serializers = require('./serializers')
// Symbol used as the method key for per-recipient processing, keeping that step off the class's string-named (public) surface
const PROCESS_RECIPIENT = Symbol('PROCESS_RECIPIENT')
/**
 * Builder for a JSON Web Signature over one payload with one or more recipients.
 *
 * The payload is normalized to its base64url form in the constructor; each
 * `recipient()` call queues a key plus optional protected/unprotected header
 * objects, and `sign()` computes every signature and hands the result to the
 * requested serializer.
 */
class Sign {
  /**
   * @param {Buffer|string|Object} payload - data to be signed. Strings are
   *   base64url-encoded, plain objects are JSON-encoded then base64url-encoded,
   *   Buffers are base64url-encoded and remembered as binary so that an
   *   unencoded (b64:false) recipient decodes back to bytes rather than text.
   * @throws {TypeError} when payload is none of the accepted types
   */
  constructor (payload) {
    let encoded
    if (typeof payload === 'string') {
      encoded = base64url.encode(payload)
    } else if (Buffer.isBuffer(payload)) {
      encoded = base64url.encodeBuffer(payload)
      // consulted later when a critical b64:false header asks for the raw payload
      this._binary = true
    } else if (isObject(payload)) {
      encoded = base64url.JSON.encode(payload)
    } else {
      throw new TypeError('payload argument must be a Buffer, string or an object')
    }
    this._payload = encoded
    this._recipients = []
  }

  /**
   * Queue a signing key together with its header objects.
   * @public
   * @param {*} key - passed through getKey() before being stored
   * @param {Object} [protectedHeader] - integrity-protected header parameters
   * @param {Object} [unprotectedHeader] - header parameters left unprotected
   * @returns {Sign} this, for chaining
   * @throws {TypeError} when a provided header is not a plain object
   * @throws {JWSInvalid} when both headers carry the same parameter name
   */
  recipient (key, protectedHeader, unprotectedHeader) {
    const resolvedKey = getKey(key)
    const isNotPlainObject = (header) => header !== undefined && !isObject(header)
    if (isNotPlainObject(protectedHeader)) {
      throw new TypeError('protectedHeader argument must be a plain object when provided')
    }
    if (isNotPlainObject(unprotectedHeader)) {
      throw new TypeError('unprotectedHeader argument must be a plain object when provided')
    }
    if (!isDisjoint(protectedHeader, unprotectedHeader)) {
      throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint')
    }
    // headers are deep-cloned so a caller mutating its object afterwards cannot change what gets signed
    const cloneIfPresent = (header) => (header ? deepClone(header) : undefined)
    this._recipients.push({
      key: resolvedKey,
      protectedHeader: cloneIfPresent(protectedHeader),
      unprotectedHeader: cloneIfPresent(unprotectedHeader)
    })
    return this
  }

  /**
   * Resolve the header, `alg` and signature for one queued recipient.
   *
   * Mutates `recipient` in place (sets `header`, `protected`, `signature`
   * and may add `alg` to `protectedHeader`). For the first recipient whose
   * protected header marks `b64` critical with a falsy value, `this._payload`
   * is replaced by its decoded form so every later recipient signs the same bytes.
   * @private
   * @param {Object} recipient - an entry of this._recipients
   * @param {boolean} first - true for the first recipient processed in this sign() call
   * @throws {TypeError} when the key carries "use":"enc"
   * @throws {JWSInvalid} when no "alg" can be resolved, or "b64" differs between recipients
   */
  [PROCESS_RECIPIENT] (recipient, first) {
    const { key, protectedHeader, unprotectedHeader } = recipient
    if (key.use === 'enc') {
      throw new TypeError('a key with "use":"enc" is not usable for signing')
    }

    let protectedParams = protectedHeader || {}
    const unprotectedParams = unprotectedHeader || {}

    let alg = protectedParams.alg || unprotectedParams.alg
    if (!alg) {
      // no explicit alg: take the key's own alg, else the first algorithm the key reports for signing.
      // The pick is implicit; callers wanting a specific algorithm should set "alg" in the header.
      alg = key.alg || [...key.algorithms('sign')][0]
      if (recipient.protectedHeader) {
        // protectedParams is this same object, so one assignment updates both views
        recipient.protectedHeader.alg = alg
      } else {
        protectedParams = { alg }
        recipient.protectedHeader = protectedParams
      }
    }
    if (!alg) {
      throw new JWSInvalid('could not resolve a usable "alg" for a recipient')
    }

    recipient.header = unprotectedHeader
    const hasProtectedParams = Object.keys(protectedParams).length > 0
    recipient.protected = hasProtectedParams ? base64url.JSON.encode(protectedParams) : ''

    const { crit, b64 } = protectedParams
    // b64 is only honoured when the header also lists it as critical
    const b64IsCritical = Boolean(crit && crit.includes('b64'))

    let toBeSigned
    if (!b64IsCritical) {
      toBeSigned = `${recipient.protected || ''}.${this._payload}`
    } else {
      if (this._b64 !== undefined && this._b64 !== b64) {
        throw new JWSInvalid('the "b64" Header Parameter value MUST be the same for all recipients')
      }
      this._b64 = b64
      if (first && !b64) {
        // unencoded payload: sign over the original bytes/text instead of the base64url form
        this._payload = this._binary
          ? base64url.decodeToBuffer(this._payload)
          : base64url.decode(this._payload)
      }
      const payloadBytes = Buffer.isBuffer(this._payload) ? this._payload : Buffer.from(this._payload)
      toBeSigned = Buffer.concat([
        Buffer.from(recipient.protected || ''),
        Buffer.from('.'),
        payloadBytes
      ])
    }

    recipient.signature = base64url.encodeBuffer(sign(alg, key, toBeSigned))
  }

  /**
   * Sign the payload for every queued recipient and serialize the result.
   * @public
   * @param {string} serialization - one of "compact", "flattened", "general"
   * @returns {*} whatever the selected serializer returns
   * @throws {TypeError} on an unknown serialization name
   * @throws {JWSInvalid} when no recipient has been queued
   */
  sign (serialization) {
    // NOTE(review): assumes `serializers` is a plain object; a prototype property
    // name (e.g. 'constructor') would pass this truthy check and fail later on .validate — confirm
    const serializer = serializers[serialization]
    if (!serializer) {
      throw new TypeError('serialization must be one of "compact", "flattened", "general"')
    }
    if (this._recipients.length === 0) {
      throw new JWSInvalid('missing recipients')
    }
    // the serializer rejects recipient combinations it cannot represent before any signing happens
    serializer.validate(this, this._recipients)
    let index = 0
    for (const recipient of this._recipients) {
      this[PROCESS_RECIPIENT](recipient, index === 0)
      index += 1
    }
    return serializer(this._payload, this._recipients)
  }
}
// CommonJS export of the JWS signing builder
module.exports = Sign