feat: keystore .all and .get operation option

docs/README.md

@@ -485,6 +485,8 @@ specified by the parameters are first.
  - `alg`: `<string>` Key supported algorithm to filter for.
  - `use`: `<string>` Key use to filter for.
  - `kid`: `<string>` Key ID to filter for.
+ - `operation`: `<string>` Further specify the operation a given alg must be valid for. Must be one
+ of 'encrypt', 'decrypt', 'sign', 'verify', 'wrapKey', 'unwrapKey'
 - Returns: `<Key[]>` Array of key instances or an empty array when none are matching the parameters.
 
 ---
@@ -499,6 +501,8 @@ parameters is returned.
  - `alg`: `<string>` Key supported algorithm to filter for.
  - `use`: `<string>` Key use to filter for.
  - `kid`: `<string>` Key ID to filter for.
+ - `operation`: `<string>` Further specify the operation a given alg must be valid for. Must be one
+ of 'encrypt', 'decrypt', 'sign', 'verify', 'wrapKey', 'unwrapKey'
 - Returns: `<JWK.RSAKey>` &vert; `<JWK.ECKey>` &vert; `<JWK.OctKey>` &vert; `<undefined>`
 
 ---

lib/index.d.ts

@@ -10,9 +10,9 @@ interface KeyParameters {
 }
 type curve = 'P-256' | 'P-384' | 'P-521'
 type keyType = 'RSA' | 'EC' | 'oct'
+type keyOperation = 'encrypt' | 'decrypt' | 'sign' | 'verify' | 'wrapKey' | 'unwrapKey'
 
 export namespace JWK {
- type keyOperation = 'encrypt' | 'decrypt' | 'sign' | 'verify' | 'wrapKey' | 'unwrapKey'
 
  class Key {
  kty: keyType
@@ -104,6 +104,7 @@ export namespace JWK {
 export namespace JWKS {
  interface KeyQuery extends KeyParameters {
  kty: keyType
+ operation: keyOperation
  }
 
  class KeyStore {

lib/jwe/decrypt.js

@@ -94,9 +94,9 @@ const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], c
  const keystore = key
  let keys
  if (opts.alg === 'dir') {
- keys = keystore.all({ ...opts, alg: opts.enc })
+ keys = keystore.all({ kid: opts.kid, alg: opts.enc, operation: 'decrypt' })
  } else {
- keys = keystore.all(opts)
+ keys = keystore.all({ kid: opts.kid, alg: opts.alg, operation: 'unwrapKey' })
  }
  switch (keys.length) {
  case 0:

lib/jwk/key/ec.js

@@ -83,11 +83,10 @@ class ECKey extends Key {
 
  return new Set(WRAP_ALGS)
  case undefined:
+ // just the ops needed to return all algs regardless of its use
  return new Set([
- ...this.algorithms('sign'),
  ...this.algorithms('verify'),
- ...this.algorithms('wrapKey'),
- ...this.algorithms('unwrapKey')
+ ...this.algorithms('wrapKey')
  ])
  default:
  throw new TypeError('invalid key operation')

lib/jwk/key/oct.js

@@ -128,6 +128,7 @@ class OctKey extends Key {
  return algs
  case undefined:
  return new Set([
+ // just the ops needed to return all algs regardless of its use - symmetric keys
  ...this.algorithms('encrypt'),
  ...this.algorithms('sign'),
  ...this.algorithms('wrapKey')

lib/jwk/key/rsa.js

@@ -90,11 +90,10 @@ class RSAKey extends Key {
 
  return new Set(WRAP_ALGS)
  case undefined:
+ // just the ops needed to return all algs regardless of its use
  return new Set([
- ...this.algorithms('sign'),
  ...this.algorithms('verify'),
- ...this.algorithms('wrapKey'),
- ...this.algorithms('unwrapKey')
+ ...this.algorithms('wrapKey')
  ])
  default:
  throw new TypeError('invalid key operation')

lib/jwks/keystore.js

@@ -45,12 +45,12 @@ class KeyStore {
  return new KeyStore(...keys)
  }
 
- all ({ alg, kid, use, kty } = {}) {
+ all ({ alg, kid, use, kty, operation } = {}) {
  return [...this[KEYS]]
  .filter((key) => {
  let candidate = true
 
- if (alg !== undefined && !key.algorithms().has(alg)) {
+ if (alg !== undefined && !key.algorithms(operation).has(alg)) {
  candidate = false
  }
 

lib/jws/verify.js

@@ -79,7 +79,7 @@ const jwsVerify = (skipDisjointCheck, serialization, jws, key, { crit = [], comp
 
  if (key instanceof KeyStore) {
  const keystore = key
- const keys = keystore.all(combinedHeader)
+ const keys = keystore.all({ kid: combinedHeader.kid, alg: combinedHeader.alg, operation: 'verify' })
  switch (keys.length) {
  case 0:
  throw new errors.JWKSNoMatchingKey()