chore(release): 3.16.1

panva · Sep 8, 2021 · 649fe1d · 649fe1d
1 parent 10a18f2
commit 649fe1d
Show file tree

Hide file tree

Showing 417 changed files with 16,716 additions and 336 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [3.16.1](https://github.com/panva/jose/compare/v3.16.0...v3.16.1) (2021-09-08)
+
+
+### Bug Fixes
+
+* guard Sign payloads and Encrypt plaintext argument types ([10a18f2](https://github.com/panva/jose/commit/10a18f28a0f845e91579afab3573730c9b1ae478))
+
 ## [3.16.0](https://github.com/panva/jose/compare/v3.15.5...v3.16.0) (2021-09-07)
 
 

diff --git a/dist/browser/jwe/compact/decrypt.js b/dist/browser/jwe/compact/decrypt.js
@@ -0,0 +1,25 @@
+import decrypt from '../flattened/decrypt.js';
+import { JWEInvalid } from '../../util/errors.js';
+import { decoder } from '../../lib/buffer_utils.js';
+async function compactDecrypt(jwe, key, options) {
+    if (jwe instanceof Uint8Array) {
+        jwe = decoder.decode(jwe);
+    }
+    if (typeof jwe !== 'string') {
+        throw new JWEInvalid('Compact JWE must be a string or Uint8Array');
+    }
+    const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length, } = jwe.split('.');
+    if (length !== 5) {
+        throw new JWEInvalid('Invalid Compact JWE');
+    }
+    const decrypted = await decrypt({
+        ciphertext: (ciphertext || undefined),
+        iv: (iv || undefined),
+        protected: protectedHeader || undefined,
+        tag: (tag || undefined),
+        encrypted_key: encryptedKey || undefined,
+    }, key, options);
+    return { plaintext: decrypted.plaintext, protectedHeader: decrypted.protectedHeader };
+}
+export { compactDecrypt };
+export default compactDecrypt;
diff --git a/dist/browser/jwe/compact/encrypt.js b/dist/browser/jwe/compact/encrypt.js
@@ -0,0 +1,28 @@
+import FlattenedEncrypt from '../flattened/encrypt.js';
+class CompactEncrypt {
+    constructor(plaintext) {
+        this._flattened = new FlattenedEncrypt(plaintext);
+    }
+    setContentEncryptionKey(cek) {
+        this._flattened.setContentEncryptionKey(cek);
+        return this;
+    }
+    setInitializationVector(iv) {
+        this._flattened.setInitializationVector(iv);
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        this._flattened.setProtectedHeader(protectedHeader);
+        return this;
+    }
+    setKeyManagementParameters(parameters) {
+        this._flattened.setKeyManagementParameters(parameters);
+        return this;
+    }
+    async encrypt(key, options) {
+        const jwe = await this._flattened.encrypt(key, options);
+        return [jwe.protected, jwe.encrypted_key, jwe.iv, jwe.ciphertext, jwe.tag].join('.');
+    }
+}
+export { CompactEncrypt };
+export default CompactEncrypt;
diff --git a/dist/browser/jwe/flattened/decrypt.js b/dist/browser/jwe/flattened/decrypt.js
@@ -0,0 +1,138 @@
+import { JOSEAlgNotAllowed, JOSENotSupported, JWEInvalid } from '../../util/errors.js';
+import isDisjoint from '../../lib/is_disjoint.js';
+import isObject from '../../lib/is_object.js';
+import { decode as base64url } from '../../runtime/base64url.js';
+import decrypt from '../../runtime/decrypt.js';
+import { inflate } from '../../runtime/zlib.js';
+import decryptKeyManagement from '../../lib/decrypt_key_management.js';
+import { encoder, decoder, concat } from '../../lib/buffer_utils.js';
+import cekFactory from '../../lib/cek.js';
+import random from '../../runtime/random.js';
+import validateCrit from '../../lib/validate_crit.js';
+import validateAlgorithms from '../../lib/validate_algorithms.js';
+const generateCek = cekFactory(random);
+const checkExtensions = validateCrit.bind(undefined, JWEInvalid, new Map());
+const checkAlgOption = validateAlgorithms.bind(undefined, 'keyManagementAlgorithms');
+const checkEncOption = validateAlgorithms.bind(undefined, 'contentEncryptionAlgorithms');
+async function flattenedDecrypt(jwe, key, options) {
+    var _a;
+    if (!isObject(jwe)) {
+        throw new JWEInvalid('Flattened JWE must be an object');
+    }
+    if (jwe.protected === undefined && jwe.header === undefined && jwe.unprotected === undefined) {
+        throw new JWEInvalid('JOSE Header missing');
+    }
+    if (typeof jwe.iv !== 'string') {
+        throw new JWEInvalid('JWE Initialization Vector missing or incorrect type');
+    }
+    if (typeof jwe.ciphertext !== 'string') {
+        throw new JWEInvalid('JWE Ciphertext missing or incorrect type');
+    }
+    if (typeof jwe.tag !== 'string') {
+        throw new JWEInvalid('JWE Authentication Tag missing or incorrect type');
+    }
+    if (jwe.protected !== undefined && typeof jwe.protected !== 'string') {
+        throw new JWEInvalid('JWE Protected Header incorrect type');
+    }
+    if (jwe.encrypted_key !== undefined && typeof jwe.encrypted_key !== 'string') {
+        throw new JWEInvalid('JWE Encrypted Key incorrect type');
+    }
+    if (jwe.aad !== undefined && typeof jwe.aad !== 'string') {
+        throw new JWEInvalid('JWE AAD incorrect type');
+    }
+    if (jwe.header !== undefined && !isObject(jwe.header)) {
+        throw new JWEInvalid('JWE Shared Unprotected Header incorrect type');
+    }
+    if (jwe.unprotected !== undefined && !isObject(jwe.unprotected)) {
+        throw new JWEInvalid('JWE Per-Recipient Unprotected Header incorrect type');
+    }
+    let parsedProt;
+    if (jwe.protected) {
+        const protectedHeader = base64url(jwe.protected);
+        try {
+            parsedProt = JSON.parse(decoder.decode(protectedHeader));
+        }
+        catch (_b) {
+            throw new JWEInvalid('JWE Protected Header is invalid');
+        }
+    }
+    if (!isDisjoint(parsedProt, jwe.header, jwe.unprotected)) {
+        throw new JWEInvalid('JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint');
+    }
+    const joseHeader = {
+        ...parsedProt,
+        ...jwe.header,
+        ...jwe.unprotected,
+    };
+    checkExtensions(options === null || options === void 0 ? void 0 : options.crit, parsedProt, joseHeader);
+    if (joseHeader.zip !== undefined) {
+        if (!parsedProt || !parsedProt.zip) {
+            throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header MUST be integrity protected');
+        }
+        if (joseHeader.zip !== 'DEF') {
+            throw new JOSENotSupported('unsupported JWE "zip" (Compression Algorithm) Header Parameter value');
+        }
+    }
+    const { alg, enc } = joseHeader;
+    if (typeof alg !== 'string' || !alg) {
+        throw new JWEInvalid('missing JWE Algorithm (alg) in JWE Header');
+    }
+    if (typeof enc !== 'string' || !enc) {
+        throw new JWEInvalid('missing JWE Encryption Algorithm (enc) in JWE Header');
+    }
+    const keyManagementAlgorithms = options && checkAlgOption(options.keyManagementAlgorithms);
+    const contentEncryptionAlgorithms = options && checkEncOption(options.contentEncryptionAlgorithms);
+    if (keyManagementAlgorithms && !keyManagementAlgorithms.has(alg)) {
+        throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter not allowed');
+    }
+    if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) {
+        throw new JOSEAlgNotAllowed('"enc" (Encryption Algorithm) Header Parameter not allowed');
+    }
+    let encryptedKey;
+    if (jwe.encrypted_key !== undefined) {
+        encryptedKey = base64url(jwe.encrypted_key);
+    }
+    if (typeof key === 'function') {
+        key = await key(parsedProt, jwe);
+    }
+    let cek;
+    try {
+        cek = await decryptKeyManagement(alg, key, encryptedKey, joseHeader);
+    }
+    catch (err) {
+        if (err instanceof TypeError) {
+            throw err;
+        }
+        cek = generateCek(enc);
+    }
+    const iv = base64url(jwe.iv);
+    const tag = base64url(jwe.tag);
+    const protectedHeader = encoder.encode((_a = jwe.protected) !== null && _a !== void 0 ? _a : '');
+    let additionalData;
+    if (jwe.aad !== undefined) {
+        additionalData = concat(protectedHeader, encoder.encode('.'), encoder.encode(jwe.aad));
+    }
+    else {
+        additionalData = protectedHeader;
+    }
+    let plaintext = await decrypt(enc, cek, base64url(jwe.ciphertext), iv, tag, additionalData);
+    if (joseHeader.zip === 'DEF') {
+        plaintext = await ((options === null || options === void 0 ? void 0 : options.inflateRaw) || inflate)(plaintext);
+    }
+    const result = { plaintext };
+    if (jwe.protected !== undefined) {
+        result.protectedHeader = parsedProt;
+    }
+    if (jwe.aad !== undefined) {
+        result.additionalAuthenticatedData = base64url(jwe.aad);
+    }
+    if (jwe.unprotected !== undefined) {
+        result.sharedUnprotectedHeader = jwe.unprotected;
+    }
+    if (jwe.header !== undefined) {
+        result.unprotectedHeader = jwe.header;
+    }
+    return result;
+}
+export { flattenedDecrypt };
+export default flattenedDecrypt;
diff --git a/dist/browser/jwe/flattened/encrypt.js b/dist/browser/jwe/flattened/encrypt.js
@@ -0,0 +1,169 @@
+import ivFactory from '../../lib/iv.js';
+import { encode as base64url } from '../../runtime/base64url.js';
+import random from '../../runtime/random.js';
+import encrypt from '../../runtime/encrypt.js';
+import { deflate } from '../../runtime/zlib.js';
+import encryptKeyManagement from '../../lib/encrypt_key_management.js';
+import { JOSENotSupported, JWEInvalid } from '../../util/errors.js';
+import isDisjoint from '../../lib/is_disjoint.js';
+import { encoder, decoder, concat } from '../../lib/buffer_utils.js';
+import validateCrit from '../../lib/validate_crit.js';
+const generateIv = ivFactory(random);
+const checkExtensions = validateCrit.bind(undefined, JWEInvalid, new Map());
+class FlattenedEncrypt {
+    constructor(plaintext) {
+        if (!(plaintext instanceof Uint8Array)) {
+            throw new TypeError('plaintext must be an instance of Uint8Array');
+        }
+        this._plaintext = plaintext;
+    }
+    setKeyManagementParameters(parameters) {
+        if (this._keyManagementParameters) {
+            throw new TypeError('setKeyManagementParameters can only be called once');
+        }
+        this._keyManagementParameters = parameters;
+        return this;
+    }
+    setProtectedHeader(protectedHeader) {
+        if (this._protectedHeader) {
+            throw new TypeError('setProtectedHeader can only be called once');
+        }
+        this._protectedHeader = protectedHeader;
+        return this;
+    }
+    setSharedUnprotectedHeader(sharedUnprotectedHeader) {
+        if (this._sharedUnprotectedHeader) {
+            throw new TypeError('setSharedUnprotectedHeader can only be called once');
+        }
+        this._sharedUnprotectedHeader = sharedUnprotectedHeader;
+        return this;
+    }
+    setUnprotectedHeader(unprotectedHeader) {
+        if (this._unprotectedHeader) {
+            throw new TypeError('setUnprotectedHeader can only be called once');
+        }
+        this._unprotectedHeader = unprotectedHeader;
+        return this;
+    }
+    setAdditionalAuthenticatedData(aad) {
+        this._aad = aad;
+        return this;
+    }
+    setContentEncryptionKey(cek) {
+        if (this._cek) {
+            throw new TypeError('setContentEncryptionKey can only be called once');
+        }
+        this._cek = cek;
+        return this;
+    }
+    setInitializationVector(iv) {
+        if (this._iv) {
+            throw new TypeError('setInitializationVector can only be called once');
+        }
+        this._iv = iv;
+        return this;
+    }
+    async encrypt(key, options) {
+        if (!this._protectedHeader && !this._unprotectedHeader && !this._sharedUnprotectedHeader) {
+            throw new JWEInvalid('either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()');
+        }
+        if (!isDisjoint(this._protectedHeader, this._unprotectedHeader, this._sharedUnprotectedHeader)) {
+            throw new JWEInvalid('JWE Shared Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');
+        }
+        const joseHeader = {
+            ...this._protectedHeader,
+            ...this._unprotectedHeader,
+            ...this._sharedUnprotectedHeader,
+        };
+        checkExtensions(options === null || options === void 0 ? void 0 : options.crit, this._protectedHeader, joseHeader);
+        if (joseHeader.zip !== undefined) {
+            if (!this._protectedHeader || !this._protectedHeader.zip) {
+                throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header MUST be integrity protected');
+            }
+            if (joseHeader.zip !== 'DEF') {
+                throw new JOSENotSupported('unsupported JWE "zip" (Compression Algorithm) Header Parameter value');
+            }
+        }
+        const { alg, enc } = joseHeader;
+        if (typeof alg !== 'string' || !alg) {
+            throw new JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
+        }
+        if (typeof enc !== 'string' || !enc) {
+            throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
+        }
+        let encryptedKey;
+        if (alg === 'dir') {
+            if (this._cek) {
+                throw new TypeError('setContentEncryptionKey cannot be called when using Direct Encryption');
+            }
+        }
+        else if (alg === 'ECDH-ES') {
+            if (this._cek) {
+                throw new TypeError('setContentEncryptionKey cannot be called when using Direct Key Agreement');
+            }
+        }
+        let cek;
+        {
+            let parameters;
+            ({ cek, encryptedKey, parameters } = await encryptKeyManagement(alg, enc, key, this._cek, this._keyManagementParameters));
+            if (parameters) {
+                if (!this._protectedHeader) {
+                    this.setProtectedHeader(parameters);
+                }
+                else {
+                    this._protectedHeader = { ...this._protectedHeader, ...parameters };
+                }
+            }
+        }
+        this._iv || (this._iv = generateIv(enc));
+        let additionalData;
+        let protectedHeader;
+        let aadMember;
+        if (this._protectedHeader) {
+            protectedHeader = encoder.encode(base64url(JSON.stringify(this._protectedHeader)));
+        }
+        else {
+            protectedHeader = encoder.encode('');
+        }
+        if (this._aad) {
+            aadMember = base64url(this._aad);
+            additionalData = concat(protectedHeader, encoder.encode('.'), encoder.encode(aadMember));
+        }
+        else {
+            additionalData = protectedHeader;
+        }
+        let ciphertext;
+        let tag;
+        if (joseHeader.zip === 'DEF') {
+            const deflated = await ((options === null || options === void 0 ? void 0 : options.deflateRaw) || deflate)(this._plaintext);
+            ({ ciphertext, tag } = await encrypt(enc, deflated, cek, this._iv, additionalData));
+        }
+        else {
+            ;
+            ({ ciphertext, tag } = await encrypt(enc, this._plaintext, cek, this._iv, additionalData));
+        }
+        const jwe = {
+            ciphertext: base64url(ciphertext),
+            iv: base64url(this._iv),
+            tag: base64url(tag),
+        };
+        if (encryptedKey) {
+            jwe.encrypted_key = base64url(encryptedKey);
+        }
+        if (aadMember) {
+            jwe.aad = aadMember;
+        }
+        if (this._protectedHeader) {
+            jwe.protected = decoder.decode(protectedHeader);
+        }
+        if (this._sharedUnprotectedHeader) {
+            jwe.unprotected = this._sharedUnprotectedHeader;
+        }
+        if (this._unprotectedHeader) {
+            jwe.header = this._unprotectedHeader;
+        }
+        return jwe;
+    }
+}
+export { FlattenedEncrypt };
+export default FlattenedEncrypt;