marketing-shibata50/cmux
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update app and tooling

Browse source
This commit is contained in:
Lawrence Chen 2026-01-29 17:36:26 -08:00
parent 3046531bdd
commit e620ec7349
4950 changed files with 2975120 additions and 10 deletions
Download patch file Download diff file Expand all files Collapse all files

50
node_modules/jose/dist/node/esm/runtime/aeskw.js generated vendored Normal file
View file

@ -0,0 +1,50 @@
import { Buffer } from 'node:buffer';
import { KeyObject, createDecipheriv, createCipheriv, createSecretKey } from 'node:crypto';
import { JOSENotSupported } from '../util/errors.js';
import { concat } from '../lib/buffer_utils.js';
import { isCryptoKey } from './webcrypto.js';
import { checkEncCryptoKey } from '../lib/crypto_key.js';
import isKeyObject from './is_key_object.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import supported from './ciphers.js';
import { types } from './is_key_like.js';
function checkKeySize(key, alg) {
if (key.symmetricKeySize << 3 !== parseInt(alg.slice(1, 4), 10)) {
throw new TypeError(`Invalid key size for alg: ${alg}`);
}
}
function ensureKeyObject(key, alg, usage) {
if (isKeyObject(key)) {
return key;
}
if (key instanceof Uint8Array) {
return createSecretKey(key);
}
if (isCryptoKey(key)) {
checkEncCryptoKey(key, alg, usage);
return KeyObject.from(key);
}
throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));
}
export const wrap = (alg, key, cek) => {
const size = parseInt(alg.slice(1, 4), 10);
const algorithm = `aes${size}-wrap`;
if (!supported(algorithm)) {
throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
const keyObject = ensureKeyObject(key, alg, 'wrapKey');
checkKeySize(keyObject, alg);
const cipher = createCipheriv(algorithm, keyObject, Buffer.alloc(8, 0xa6));
return concat(cipher.update(cek), cipher.final());
};
export const unwrap = (alg, key, encryptedKey) => {
const size = parseInt(alg.slice(1, 4), 10);
const algorithm = `aes${size}-wrap`;
if (!supported(algorithm)) {
throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
const keyObject = ensureKeyObject(key, alg, 'unwrapKey');
checkKeySize(keyObject, alg);
const cipher = createDecipheriv(algorithm, keyObject, Buffer.alloc(8, 0xa6));
return concat(cipher.update(encryptedKey), cipher.final());
};

46
node_modules/jose/dist/node/esm/runtime/asn1.js generated vendored Normal file
View file

@ -0,0 +1,46 @@
import { createPrivateKey, createPublicKey, KeyObject } from 'node:crypto';
import { Buffer } from 'node:buffer';
import { isCryptoKey } from './webcrypto.js';
import isKeyObject from './is_key_object.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import { types } from './is_key_like.js';
const genericExport = (keyType, keyFormat, key) => {
let keyObject;
if (isCryptoKey(key)) {
if (!key.extractable) {
throw new TypeError('CryptoKey is not extractable');
}
keyObject = KeyObject.from(key);
}
else if (isKeyObject(key)) {
keyObject = key;
}
else {
throw new TypeError(invalidKeyInput(key, ...types));
}
if (keyObject.type !== keyType) {
throw new TypeError(`key is not a ${keyType} key`);
}
return keyObject.export({ format: 'pem', type: keyFormat });
};
export const toSPKI = (key) => {
return genericExport('public', 'spki', key);
};
export const toPKCS8 = (key) => {
return genericExport('private', 'pkcs8', key);
};
export const fromPKCS8 = (pem) => createPrivateKey({
key: Buffer.from(pem.replace(/(?:-----(?:BEGIN|END) PRIVATE KEY-----|\s)/g, ''), 'base64'),
type: 'pkcs8',
format: 'der',
});
export const fromSPKI = (pem) => createPublicKey({
key: Buffer.from(pem.replace(/(?:-----(?:BEGIN|END) PUBLIC KEY-----|\s)/g, ''), 'base64'),
type: 'spki',
format: 'der',
});
export const fromX509 = (pem) => createPublicKey({
key: pem,
type: 'spki',
format: 'pem',
});

14
node_modules/jose/dist/node/esm/runtime/base64url.js generated vendored Normal file
View file

@ -0,0 +1,14 @@
import { Buffer } from 'node:buffer';
import { decoder } from '../lib/buffer_utils.js';
function normalize(input) {
let encoded = input;
if (encoded instanceof Uint8Array) {
encoded = decoder.decode(encoded);
}
return encoded;
}
const encode = (input) => Buffer.from(input).toString('base64url');
export const decodeBase64 = (input) => new Uint8Array(Buffer.from(input, 'base64'));
export const encodeBase64 = (input) => Buffer.from(input).toString('base64');
export { encode };
export const decode = (input) => new Uint8Array(Buffer.from(normalize(input), 'base64url'));

8
node_modules/jose/dist/node/esm/runtime/cbc_tag.js generated vendored Normal file
View file

@ -0,0 +1,8 @@
import { createHmac } from 'node:crypto';
import { concat, uint64be } from '../lib/buffer_utils.js';
export default function cbcTag(aad, iv, ciphertext, macSize, macKey, keySize) {
const macData = concat(aad, iv, ciphertext, uint64be(aad.length << 3));
const hmac = createHmac(`sha${macSize}`, macKey);
hmac.update(macData);
return hmac.digest().slice(0, keySize >> 3);
}

35
node_modules/jose/dist/node/esm/runtime/check_cek_length.js generated vendored Normal file
View file

@ -0,0 +1,35 @@
import { JWEInvalid, JOSENotSupported } from '../util/errors.js';
import isKeyObject from './is_key_object.js';
const checkCekLength = (enc, cek) => {
let expected;
switch (enc) {
case 'A128CBC-HS256':
case 'A192CBC-HS384':
case 'A256CBC-HS512':
expected = parseInt(enc.slice(-3), 10);
break;
case 'A128GCM':
case 'A192GCM':
case 'A256GCM':
expected = parseInt(enc.slice(1, 4), 10);
break;
default:
throw new JOSENotSupported(`Content Encryption Algorithm ${enc} is not supported either by JOSE or your javascript runtime`);
}
if (cek instanceof Uint8Array) {
const actual = cek.byteLength << 3;
if (actual !== expected) {
throw new JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
}
return;
}
if (isKeyObject(cek) && cek.type === 'secret') {
const actual = cek.symmetricKeySize << 3;
if (actual !== expected) {
throw new JWEInvalid(`Invalid Content Encryption Key length. Expected ${expected} bits, got ${actual} bits`);
}
return;
}
throw new TypeError('Invalid Content Encryption Key type');
};
export default checkCekLength;

16
node_modules/jose/dist/node/esm/runtime/check_key_length.js generated vendored Normal file
View file

@ -0,0 +1,16 @@
import { KeyObject } from 'node:crypto';
export default (key, alg) => {
let modulusLength;
try {
if (key instanceof KeyObject) {
modulusLength = key.asymmetricKeyDetails?.modulusLength;
}
else {
modulusLength = Buffer.from(key.n, 'base64url').byteLength << 3;
}
}
catch { }
if (typeof modulusLength !== 'number' || modulusLength < 2048) {
throw new TypeError(`${alg} requires key modulusLength to be 2048 bits or larger`);
}
};

6
node_modules/jose/dist/node/esm/runtime/ciphers.js generated vendored Normal file
View file

@ -0,0 +1,6 @@
import { getCiphers } from 'node:crypto';
let ciphers;
export default (algorithm) => {
ciphers ||= new Set(getCiphers());
return ciphers.has(algorithm);
};

101
node_modules/jose/dist/node/esm/runtime/decrypt.js generated vendored Normal file
View file

@ -0,0 +1,101 @@
import { createDecipheriv, KeyObject } from 'node:crypto';
import checkIvLength from '../lib/check_iv_length.js';
import checkCekLength from './check_cek_length.js';
import { concat } from '../lib/buffer_utils.js';
import { JOSENotSupported, JWEDecryptionFailed, JWEInvalid } from '../util/errors.js';
import timingSafeEqual from './timing_safe_equal.js';
import cbcTag from './cbc_tag.js';
import { isCryptoKey } from './webcrypto.js';
import { checkEncCryptoKey } from '../lib/crypto_key.js';
import isKeyObject from './is_key_object.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import supported from './ciphers.js';
import { types } from './is_key_like.js';
function cbcDecrypt(enc, cek, ciphertext, iv, tag, aad) {
const keySize = parseInt(enc.slice(1, 4), 10);
if (isKeyObject(cek)) {
cek = cek.export();
}
const encKey = cek.subarray(keySize >> 3);
const macKey = cek.subarray(0, keySize >> 3);
const macSize = parseInt(enc.slice(-3), 10);
const algorithm = `aes-${keySize}-cbc`;
if (!supported(algorithm)) {
throw new JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`);
}
const expectedTag = cbcTag(aad, iv, ciphertext, macSize, macKey, keySize);
let macCheckPassed;
try {
macCheckPassed = timingSafeEqual(tag, expectedTag);
}
catch {
}
if (!macCheckPassed) {
throw new JWEDecryptionFailed();
}
let plaintext;
try {
const decipher = createDecipheriv(algorithm, encKey, iv);
plaintext = concat(decipher.update(ciphertext), decipher.final());
}
catch {
}
if (!plaintext) {
throw new JWEDecryptionFailed();
}
return plaintext;
}
function gcmDecrypt(enc, cek, ciphertext, iv, tag, aad) {
const keySize = parseInt(enc.slice(1, 4), 10);
const algorithm = `aes-${keySize}-gcm`;
if (!supported(algorithm)) {
throw new JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`);
}
try {
const decipher = createDecipheriv(algorithm, cek, iv, { authTagLength: 16 });
decipher.setAuthTag(tag);
if (aad.byteLength) {
decipher.setAAD(aad, { plaintextLength: ciphertext.length });
}
const plaintext = decipher.update(ciphertext);
decipher.final();
return plaintext;
}
catch {
throw new JWEDecryptionFailed();
}
}
const decrypt = (enc, cek, ciphertext, iv, tag, aad) => {
let key;
if (isCryptoKey(cek)) {
checkEncCryptoKey(cek, enc, 'decrypt');
key = KeyObject.from(cek);
}
else if (cek instanceof Uint8Array || isKeyObject(cek)) {
key = cek;
}
else {
throw new TypeError(invalidKeyInput(cek, ...types, 'Uint8Array'));
}
if (!iv) {
throw new JWEInvalid('JWE Initialization Vector missing');
}
if (!tag) {
throw new JWEInvalid('JWE Authentication Tag missing');
}
checkCekLength(enc, key);
checkIvLength(enc, iv);
switch (enc) {
case 'A128CBC-HS256':
case 'A192CBC-HS384':
case 'A256CBC-HS512':
return cbcDecrypt(enc, key, ciphertext, iv, tag, aad);
case 'A128GCM':
case 'A192GCM':
case 'A256GCM':
return gcmDecrypt(enc, key, ciphertext, iv, tag, aad);
default:
throw new JOSENotSupported('Unsupported JWE Content Encryption Algorithm');
}
};
export default decrypt;

3
node_modules/jose/dist/node/esm/runtime/digest.js generated vendored Normal file
View file

@ -0,0 +1,3 @@
import { createHash } from 'node:crypto';
const digest = (algorithm, data) => createHash(algorithm).update(data).digest();
export default digest;

22
node_modules/jose/dist/node/esm/runtime/dsa_digest.js generated vendored Normal file
View file

@ -0,0 +1,22 @@
import { JOSENotSupported } from '../util/errors.js';
export default function dsaDigest(alg) {
switch (alg) {
case 'PS256':
case 'RS256':
case 'ES256':
case 'ES256K':
return 'sha256';
case 'PS384':
case 'RS384':
case 'ES384':
return 'sha384';
case 'PS512':
case 'RS512':
case 'ES512':
return 'sha512';
case 'EdDSA':
return undefined;
default:
throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
}

64
node_modules/jose/dist/node/esm/runtime/ecdhes.js generated vendored Normal file
View file

@ -0,0 +1,64 @@
import { diffieHellman, generateKeyPair as generateKeyPairCb, KeyObject } from 'node:crypto';
import { promisify } from 'node:util';
import getNamedCurve from './get_named_curve.js';
import { encoder, concat, uint32be, lengthAndInput, concatKdf } from '../lib/buffer_utils.js';
import { JOSENotSupported } from '../util/errors.js';
import { isCryptoKey } from './webcrypto.js';
import { checkEncCryptoKey } from '../lib/crypto_key.js';
import isKeyObject from './is_key_object.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import { types } from './is_key_like.js';
const generateKeyPair = promisify(generateKeyPairCb);
export async function deriveKey(publicKee, privateKee, algorithm, keyLength, apu = new Uint8Array(0), apv = new Uint8Array(0)) {
let publicKey;
if (isCryptoKey(publicKee)) {
checkEncCryptoKey(publicKee, 'ECDH');
publicKey = KeyObject.from(publicKee);
}
else if (isKeyObject(publicKee)) {
publicKey = publicKee;
}
else {
throw new TypeError(invalidKeyInput(publicKee, ...types));
}
let privateKey;
if (isCryptoKey(privateKee)) {
checkEncCryptoKey(privateKee, 'ECDH', 'deriveBits');
privateKey = KeyObject.from(privateKee);
}
else if (isKeyObject(privateKee)) {
privateKey = privateKee;
}
else {
throw new TypeError(invalidKeyInput(privateKee, ...types));
}
const value = concat(lengthAndInput(encoder.encode(algorithm)), lengthAndInput(apu), lengthAndInput(apv), uint32be(keyLength));
const sharedSecret = diffieHellman({ privateKey, publicKey });
return concatKdf(sharedSecret, keyLength, value);
}
export async function generateEpk(kee) {
let key;
if (isCryptoKey(kee)) {
key = KeyObject.from(kee);
}
else if (isKeyObject(kee)) {
key = kee;
}
else {
throw new TypeError(invalidKeyInput(kee, ...types));
}
switch (key.asymmetricKeyType) {
case 'x25519':
return generateKeyPair('x25519');
case 'x448': {
return generateKeyPair('x448');
}
case 'ec': {
const namedCurve = getNamedCurve(key);
return generateKeyPair('ec', { namedCurve });
}
default:
throw new JOSENotSupported('Invalid or unsupported EPK');
}
}
export const ecdhAllowed = (key) => ['P-256', 'P-384', 'P-521', 'X25519', 'X448'].includes(getNamedCurve(key));

78
node_modules/jose/dist/node/esm/runtime/encrypt.js generated vendored Normal file
View file

@ -0,0 +1,78 @@
import { createCipheriv, KeyObject } from 'node:crypto';
import checkIvLength from '../lib/check_iv_length.js';
import checkCekLength from './check_cek_length.js';
import { concat } from '../lib/buffer_utils.js';
import cbcTag from './cbc_tag.js';
import { isCryptoKey } from './webcrypto.js';
import { checkEncCryptoKey } from '../lib/crypto_key.js';
import isKeyObject from './is_key_object.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import generateIv from '../lib/iv.js';
import { JOSENotSupported } from '../util/errors.js';
import supported from './ciphers.js';
import { types } from './is_key_like.js';
function cbcEncrypt(enc, plaintext, cek, iv, aad) {
const keySize = parseInt(enc.slice(1, 4), 10);
if (isKeyObject(cek)) {
cek = cek.export();
}
const encKey = cek.subarray(keySize >> 3);
const macKey = cek.subarray(0, keySize >> 3);
const algorithm = `aes-${keySize}-cbc`;
if (!supported(algorithm)) {
throw new JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`);
}
const cipher = createCipheriv(algorithm, encKey, iv);
const ciphertext = concat(cipher.update(plaintext), cipher.final());
const macSize = parseInt(enc.slice(-3), 10);
const tag = cbcTag(aad, iv, ciphertext, macSize, macKey, keySize);
return { ciphertext, tag, iv };
}
function gcmEncrypt(enc, plaintext, cek, iv, aad) {
const keySize = parseInt(enc.slice(1, 4), 10);
const algorithm = `aes-${keySize}-gcm`;
if (!supported(algorithm)) {
throw new JOSENotSupported(`alg ${enc} is not supported by your javascript runtime`);
}
const cipher = createCipheriv(algorithm, cek, iv, { authTagLength: 16 });
if (aad.byteLength) {
cipher.setAAD(aad, { plaintextLength: plaintext.length });
}
const ciphertext = cipher.update(plaintext);
cipher.final();
const tag = cipher.getAuthTag();
return { ciphertext, tag, iv };
}
const encrypt = (enc, plaintext, cek, iv, aad) => {
let key;
if (isCryptoKey(cek)) {
checkEncCryptoKey(cek, enc, 'encrypt');
key = KeyObject.from(cek);
}
else if (cek instanceof Uint8Array || isKeyObject(cek)) {
key = cek;
}
else {
throw new TypeError(invalidKeyInput(cek, ...types, 'Uint8Array'));
}
checkCekLength(enc, key);
if (iv) {
checkIvLength(enc, iv);
}
else {
iv = generateIv(enc);
}
switch (enc) {
case 'A128CBC-HS256':
case 'A192CBC-HS384':
case 'A256CBC-HS512':
return cbcEncrypt(enc, plaintext, key, iv, aad);
case 'A128GCM':
case 'A192GCM':
case 'A256GCM':
return gcmEncrypt(enc, plaintext, key, iv, aad);
default:
throw new JOSENotSupported('Unsupported JWE Content Encryption Algorithm');
}
};
export default encrypt;

43
node_modules/jose/dist/node/esm/runtime/fetch_jwks.js generated vendored Normal file
View file

@ -0,0 +1,43 @@
import * as http from 'node:http';
import * as https from 'node:https';
import { once } from 'node:events';
import { JOSEError, JWKSTimeout } from '../util/errors.js';
import { concat, decoder } from '../lib/buffer_utils.js';
const fetchJwks = async (url, timeout, options) => {
let get;
switch (url.protocol) {
case 'https:':
get = https.get;
break;
case 'http:':
get = http.get;
break;
default:
throw new TypeError('Unsupported URL protocol.');
}
const { agent, headers } = options;
const req = get(url.href, {
agent,
timeout,
headers,
});
const [response] = (await Promise.race([once(req, 'response'), once(req, 'timeout')]));
if (!response) {
req.destroy();
throw new JWKSTimeout();
}
if (response.statusCode !== 200) {
throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');
}
const parts = [];
for await (const part of response) {
parts.push(part);
}
try {
return JSON.parse(decoder.decode(concat(...parts)));
}
catch {
throw new JOSEError('Failed to parse the JSON Web Key Set HTTP response as JSON');
}
};
export default fetchJwks;

97
node_modules/jose/dist/node/esm/runtime/generate.js generated vendored Normal file
View file

@ -0,0 +1,97 @@
import { createSecretKey, generateKeyPair as generateKeyPairCb } from 'node:crypto';
import { promisify } from 'node:util';
import random from './random.js';
import { JOSENotSupported } from '../util/errors.js';
const generate = promisify(generateKeyPairCb);
export async function generateSecret(alg, options) {
let length;
switch (alg) {
case 'HS256':
case 'HS384':
case 'HS512':
case 'A128CBC-HS256':
case 'A192CBC-HS384':
case 'A256CBC-HS512':
length = parseInt(alg.slice(-3), 10);
break;
case 'A128KW':
case 'A192KW':
case 'A256KW':
case 'A128GCMKW':
case 'A192GCMKW':
case 'A256GCMKW':
case 'A128GCM':
case 'A192GCM':
case 'A256GCM':
length = parseInt(alg.slice(1, 4), 10);
break;
default:
throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
}
return createSecretKey(random(new Uint8Array(length >> 3)));
}
export async function generateKeyPair(alg, options) {
switch (alg) {
case 'RS256':
case 'RS384':
case 'RS512':
case 'PS256':
case 'PS384':
case 'PS512':
case 'RSA-OAEP':
case 'RSA-OAEP-256':
case 'RSA-OAEP-384':
case 'RSA-OAEP-512':
case 'RSA1_5': {
const modulusLength = options?.modulusLength ?? 2048;
if (typeof modulusLength !== 'number' || modulusLength < 2048) {
throw new JOSENotSupported('Invalid or unsupported modulusLength option provided, 2048 bits or larger keys must be used');
}
const keypair = await generate('rsa', {
modulusLength,
publicExponent: 0x10001,
});
return keypair;
}
case 'ES256':
return generate('ec', { namedCurve: 'P-256' });
case 'ES256K':
return generate('ec', { namedCurve: 'secp256k1' });
case 'ES384':
return generate('ec', { namedCurve: 'P-384' });
case 'ES512':
return generate('ec', { namedCurve: 'P-521' });
case 'EdDSA': {
switch (options?.crv) {
case undefined:
case 'Ed25519':
return generate('ed25519');
case 'Ed448':
return generate('ed448');
default:
throw new JOSENotSupported('Invalid or unsupported crv option provided, supported values are Ed25519 and Ed448');
}
}
case 'ECDH-ES':
case 'ECDH-ES+A128KW':
case 'ECDH-ES+A192KW':
case 'ECDH-ES+A256KW': {
const crv = options?.crv ?? 'P-256';
switch (crv) {
case undefined:
case 'P-256':
case 'P-384':
case 'P-521':
return generate('ec', { namedCurve: crv });
case 'X25519':
return generate('x25519');
case 'X448':
return generate('x448');
default:
throw new JOSENotSupported('Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448');
}
}
default:
throw new JOSENotSupported('Invalid or unsupported JWK "alg" (Algorithm) Parameter value');
}
}

58
node_modules/jose/dist/node/esm/runtime/get_named_curve.js generated vendored Normal file
View file

@ -0,0 +1,58 @@
import { KeyObject } from 'node:crypto';
import { JOSENotSupported } from '../util/errors.js';
import { isCryptoKey } from './webcrypto.js';
import isKeyObject from './is_key_object.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import { types } from './is_key_like.js';
import { isJWK } from '../lib/is_jwk.js';
export const weakMap = new WeakMap();
const namedCurveToJOSE = (namedCurve) => {
switch (namedCurve) {
case 'prime256v1':
return 'P-256';
case 'secp384r1':
return 'P-384';
case 'secp521r1':
return 'P-521';
case 'secp256k1':
return 'secp256k1';
default:
throw new JOSENotSupported('Unsupported key curve for this operation');
}
};
const getNamedCurve = (kee, raw) => {
let key;
if (isCryptoKey(kee)) {
key = KeyObject.from(kee);
}
else if (isKeyObject(kee)) {
key = kee;
}
else if (isJWK(kee)) {
return kee.crv;
}
else {
throw new TypeError(invalidKeyInput(kee, ...types));
}
if (key.type === 'secret') {
throw new TypeError('only "private" or "public" type keys can be used for this operation');
}
switch (key.asymmetricKeyType) {
case 'ed25519':
case 'ed448':
return `Ed${key.asymmetricKeyType.slice(2)}`;
case 'x25519':
case 'x448':
return `X${key.asymmetricKeyType.slice(1)}`;
case 'ec': {
const namedCurve = key.asymmetricKeyDetails.namedCurve;
if (raw) {
return namedCurve;
}
return namedCurveToJOSE(namedCurve);
}
default:
throw new TypeError('Invalid asymmetric key type for this operation');
}
};
export default getNamedCurve;

28
node_modules/jose/dist/node/esm/runtime/get_sign_verify_key.js generated vendored Normal file
View file

@ -0,0 +1,28 @@
import { KeyObject, createSecretKey } from 'node:crypto';
import { isCryptoKey } from './webcrypto.js';
import { checkSigCryptoKey } from '../lib/crypto_key.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import { types } from './is_key_like.js';
import * as jwk from '../lib/is_jwk.js';
export default function getSignVerifyKey(alg, key, usage) {
if (key instanceof Uint8Array) {
if (!alg.startsWith('HS')) {
throw new TypeError(invalidKeyInput(key, ...types));
}
return createSecretKey(key);
}
if (key instanceof KeyObject) {
return key;
}
if (isCryptoKey(key)) {
checkSigCryptoKey(key, alg, usage);
return KeyObject.from(key);
}
if (jwk.isJWK(key)) {
if (alg.startsWith('HS')) {
return createSecretKey(Buffer.from(key.k, 'base64url'));
}
return key;
}
throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array', 'JSON Web Key'));
}

13
node_modules/jose/dist/node/esm/runtime/hmac_digest.js generated vendored Normal file
View file

@ -0,0 +1,13 @@
import { JOSENotSupported } from '../util/errors.js';
export default function hmacDigest(alg) {
switch (alg) {
case 'HS256':
return 'sha256';
case 'HS384':
return 'sha384';
case 'HS512':
return 'sha512';
default:
throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
}

8
node_modules/jose/dist/node/esm/runtime/is_key_like.js generated vendored Normal file
View file

@ -0,0 +1,8 @@
import webcrypto, { isCryptoKey } from './webcrypto.js';
import isKeyObject from './is_key_object.js';
export default (key) => isKeyObject(key) || isCryptoKey(key);
const types = ['KeyObject'];
if (globalThis.CryptoKey || webcrypto?.CryptoKey) {
types.push('CryptoKey');
}
export { types };

2
node_modules/jose/dist/node/esm/runtime/is_key_object.js generated vendored Normal file
View file

@ -0,0 +1,2 @@
import * as util from 'node:util';
export default (obj) => util.types.isKeyObject(obj);

8
node_modules/jose/dist/node/esm/runtime/jwk_to_key.js generated vendored Normal file
View file

@ -0,0 +1,8 @@
import { createPrivateKey, createPublicKey } from 'node:crypto';
const parse = (key) => {
if (key.d) {
return createPrivateKey({ format: 'jwk', key });
}
return createPublicKey({ format: 'jwk', key });
};
export default parse;

34
node_modules/jose/dist/node/esm/runtime/key_to_jwk.js generated vendored Normal file
View file

@ -0,0 +1,34 @@
import { KeyObject } from 'node:crypto';
import { encode as base64url } from './base64url.js';
import { JOSENotSupported } from '../util/errors.js';
import { isCryptoKey } from './webcrypto.js';
import isKeyObject from './is_key_object.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import { types } from './is_key_like.js';
const keyToJWK = (key) => {
let keyObject;
if (isCryptoKey(key)) {
if (!key.extractable) {
throw new TypeError('CryptoKey is not extractable');
}
keyObject = KeyObject.from(key);
}
else if (isKeyObject(key)) {
keyObject = key;
}
else if (key instanceof Uint8Array) {
return {
kty: 'oct',
k: base64url(key),
};
}
else {
throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));
}
if (keyObject.type !== 'secret' &&
!['rsa', 'ec', 'ed25519', 'x25519', 'ed448', 'x448'].includes(keyObject.asymmetricKeyType)) {
throw new JOSENotSupported('Unsupported key asymmetricKeyType');
}
return keyObject.export({ format: 'jwk' });
};
export default keyToJWK;

103
node_modules/jose/dist/node/esm/runtime/node_key.js generated vendored Normal file
View file

@ -0,0 +1,103 @@
import { constants, KeyObject } from 'node:crypto';
import getNamedCurve from './get_named_curve.js';
import { JOSENotSupported } from '../util/errors.js';
import checkKeyLength from './check_key_length.js';
const ecCurveAlgMap = new Map([
['ES256', 'P-256'],
['ES256K', 'secp256k1'],
['ES384', 'P-384'],
['ES512', 'P-521'],
]);
export default function keyForCrypto(alg, key) {
let asymmetricKeyType;
let asymmetricKeyDetails;
let isJWK;
if (key instanceof KeyObject) {
asymmetricKeyType = key.asymmetricKeyType;
asymmetricKeyDetails = key.asymmetricKeyDetails;
}
else {
isJWK = true;
switch (key.kty) {
case 'RSA':
asymmetricKeyType = 'rsa';
break;
case 'EC':
asymmetricKeyType = 'ec';
break;
case 'OKP': {
if (key.crv === 'Ed25519') {
asymmetricKeyType = 'ed25519';
break;
}
if (key.crv === 'Ed448') {
asymmetricKeyType = 'ed448';
break;
}
throw new TypeError('Invalid key for this operation, its crv must be Ed25519 or Ed448');
}
default:
throw new TypeError('Invalid key for this operation, its kty must be RSA, OKP, or EC');
}
}
let options;
switch (alg) {
case 'EdDSA':
if (!['ed25519', 'ed448'].includes(asymmetricKeyType)) {
throw new TypeError('Invalid key for this operation, its asymmetricKeyType must be ed25519 or ed448');
}
break;
case 'RS256':
case 'RS384':
case 'RS512':
if (asymmetricKeyType !== 'rsa') {
throw new TypeError('Invalid key for this operation, its asymmetricKeyType must be rsa');
}
checkKeyLength(key, alg);
break;
case 'PS256':
case 'PS384':
case 'PS512':
if (asymmetricKeyType === 'rsa-pss') {
const { hashAlgorithm, mgf1HashAlgorithm, saltLength } = asymmetricKeyDetails;
const length = parseInt(alg.slice(-3), 10);
if (hashAlgorithm !== undefined &&
(hashAlgorithm !== `sha${length}` || mgf1HashAlgorithm !== hashAlgorithm)) {
throw new TypeError(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${alg}`);
}
if (saltLength !== undefined && saltLength > length >> 3) {
throw new TypeError(`Invalid key for this operation, its RSA-PSS parameter saltLength does not meet the requirements of "alg" ${alg}`);
}
}
else if (asymmetricKeyType !== 'rsa') {
throw new TypeError('Invalid key for this operation, its asymmetricKeyType must be rsa or rsa-pss');
}
checkKeyLength(key, alg);
options = {
padding: constants.RSA_PKCS1_PSS_PADDING,
saltLength: constants.RSA_PSS_SALTLEN_DIGEST,
};
break;
case 'ES256':
case 'ES256K':
case 'ES384':
case 'ES512': {
if (asymmetricKeyType !== 'ec') {
throw new TypeError('Invalid key for this operation, its asymmetricKeyType must be ec');
}
const actual = getNamedCurve(key);
const expected = ecCurveAlgMap.get(alg);
if (actual !== expected) {
throw new TypeError(`Invalid key curve for the algorithm, its curve must be ${expected}, got ${actual}`);
}
options = { dsaEncoding: 'ieee-p1363' };
break;
}
default:
throw new JOSENotSupported(`alg ${alg} is not supported either by JOSE or your javascript runtime`);
}
if (isJWK) {
return { format: 'jwk', key, ...options };
}
return options ? { ...options, key } : key;
}

1
node_modules/jose/dist/node/esm/runtime/normalize_key.js generated vendored Normal file
View file

@ -0,0 +1 @@
export default {};

43
node_modules/jose/dist/node/esm/runtime/pbes2kw.js generated vendored Normal file
View file

@ -0,0 +1,43 @@
import { promisify } from 'node:util';
import { KeyObject, pbkdf2 as pbkdf2cb } from 'node:crypto';
import random from './random.js';
import { p2s as concatSalt } from '../lib/buffer_utils.js';
import { encode as base64url } from './base64url.js';
import { wrap, unwrap } from './aeskw.js';
import checkP2s from '../lib/check_p2s.js';
import { isCryptoKey } from './webcrypto.js';
import { checkEncCryptoKey } from '../lib/crypto_key.js';
import isKeyObject from './is_key_object.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import { types } from './is_key_like.js';
const pbkdf2 = promisify(pbkdf2cb);
function getPassword(key, alg) {
if (isKeyObject(key)) {
return key.export();
}
if (key instanceof Uint8Array) {
return key;
}
if (isCryptoKey(key)) {
checkEncCryptoKey(key, alg, 'deriveBits', 'deriveKey');
return KeyObject.from(key).export();
}
throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));
}
export const encrypt = async (alg, key, cek, p2c = 2048, p2s = random(new Uint8Array(16))) => {
checkP2s(p2s);
const salt = concatSalt(alg, p2s);
const keylen = parseInt(alg.slice(13, 16), 10) >> 3;
const password = getPassword(key, alg);
const derivedKey = await pbkdf2(password, salt, p2c, keylen, `sha${alg.slice(8, 11)}`);
const encryptedKey = await wrap(alg.slice(-6), derivedKey, cek);
return { encryptedKey, p2c, p2s: base64url(p2s) };
};
export const decrypt = async (alg, key, encryptedKey, p2c, p2s) => {
checkP2s(p2s);
const salt = concatSalt(alg, p2s);
const keylen = parseInt(alg.slice(13, 16), 10) >> 3;
const password = getPassword(key, alg);
const derivedKey = await pbkdf2(password, salt, p2c, keylen, `sha${alg.slice(8, 11)}`);
return unwrap(alg.slice(-6), derivedKey, encryptedKey);
};

1
node_modules/jose/dist/node/esm/runtime/random.js generated vendored Normal file
View file

@ -0,0 +1 @@
export { randomFillSync as default } from 'node:crypto';

66
node_modules/jose/dist/node/esm/runtime/rsaes.js generated vendored Normal file
View file

@ -0,0 +1,66 @@
import { KeyObject, publicEncrypt, constants, privateDecrypt } from 'node:crypto';
import { deprecate } from 'node:util';
import checkKeyLength from './check_key_length.js';
import { isCryptoKey } from './webcrypto.js';
import { checkEncCryptoKey } from '../lib/crypto_key.js';
import isKeyObject from './is_key_object.js';
import invalidKeyInput from '../lib/invalid_key_input.js';
import { types } from './is_key_like.js';
const checkKey = (key, alg) => {
if (key.asymmetricKeyType !== 'rsa') {
throw new TypeError('Invalid key for this operation, its asymmetricKeyType must be rsa');
}
checkKeyLength(key, alg);
};
const RSA1_5 = deprecate(() => constants.RSA_PKCS1_PADDING, 'The RSA1_5 "alg" (JWE Algorithm) is deprecated and will be removed in the next major revision.');
const resolvePadding = (alg) => {
switch (alg) {
case 'RSA-OAEP':
case 'RSA-OAEP-256':
case 'RSA-OAEP-384':
case 'RSA-OAEP-512':
return constants.RSA_PKCS1_OAEP_PADDING;
case 'RSA1_5':
return RSA1_5();
default:
return undefined;
}
};
const resolveOaepHash = (alg) => {
switch (alg) {
case 'RSA-OAEP':
return 'sha1';
case 'RSA-OAEP-256':
return 'sha256';
case 'RSA-OAEP-384':
return 'sha384';
case 'RSA-OAEP-512':
return 'sha512';
default:
return undefined;
}
};
function ensureKeyObject(key, alg, ...usages) {
if (isKeyObject(key)) {
return key;
}
if (isCryptoKey(key)) {
checkEncCryptoKey(key, alg, ...usages);
return KeyObject.from(key);
}
throw new TypeError(invalidKeyInput(key, ...types));
}
export const encrypt = (alg, key, cek) => {
const padding = resolvePadding(alg);
const oaepHash = resolveOaepHash(alg);
const keyObject = ensureKeyObject(key, alg, 'wrapKey', 'encrypt');
checkKey(keyObject, alg);
return publicEncrypt({ key: keyObject, oaepHash, padding }, cek);
};
export const decrypt = (alg, key, encryptedKey) => {
const padding = resolvePadding(alg);
const oaepHash = resolveOaepHash(alg);
const keyObject = ensureKeyObject(key, alg, 'unwrapKey', 'decrypt');
checkKey(keyObject, alg);
return privateDecrypt({ key: keyObject, oaepHash, padding }, encryptedKey);
};

1
node_modules/jose/dist/node/esm/runtime/runtime.js generated vendored Normal file
View file

@ -0,0 +1 @@
export default 'node:crypto';

17
node_modules/jose/dist/node/esm/runtime/sign.js generated vendored Normal file
View file

@ -0,0 +1,17 @@
import * as crypto from 'node:crypto';
import { promisify } from 'node:util';
import nodeDigest from './dsa_digest.js';
import hmacDigest from './hmac_digest.js';
import nodeKey from './node_key.js';
import getSignKey from './get_sign_verify_key.js';
const oneShotSign = promisify(crypto.sign);
const sign = async (alg, key, data) => {
const k = getSignKey(alg, key, 'sign');
if (alg.startsWith('HS')) {
const hmac = crypto.createHmac(hmacDigest(alg), k);
hmac.update(data);
return hmac.digest();
}
return oneShotSign(nodeDigest(alg), data, nodeKey(alg, k));
};
export default sign;

3
node_modules/jose/dist/node/esm/runtime/timing_safe_equal.js generated vendored Normal file
View file

@ -0,0 +1,3 @@
import { timingSafeEqual as impl } from 'node:crypto';
const timingSafeEqual = impl;
export default timingSafeEqual;

29
node_modules/jose/dist/node/esm/runtime/verify.js generated vendored Normal file
View file

@ -0,0 +1,29 @@
import * as crypto from 'node:crypto';
import { promisify } from 'node:util';
import nodeDigest from './dsa_digest.js';
import nodeKey from './node_key.js';
import sign from './sign.js';
import getVerifyKey from './get_sign_verify_key.js';
const oneShotVerify = promisify(crypto.verify);
const verify = async (alg, key, signature, data) => {
const k = getVerifyKey(alg, key, 'verify');
if (alg.startsWith('HS')) {
const expected = await sign(alg, k, data);
const actual = signature;
try {
return crypto.timingSafeEqual(actual, expected);
}
catch {
return false;
}
}
const algorithm = nodeDigest(alg);
const keyInput = nodeKey(alg, k);
try {
return await oneShotVerify(algorithm, data, keyInput, signature);
}
catch {
return false;
}
};
export default verify;

5
node_modules/jose/dist/node/esm/runtime/webcrypto.js generated vendored Normal file
View file

@ -0,0 +1,5 @@
import * as crypto from 'node:crypto';
import * as util from 'node:util';
const webcrypto = crypto.webcrypto;
export default webcrypto;
export const isCryptoKey = (key) => util.types.isCryptoKey(key);