修改后台权限
This commit is contained in:
yoyuzh
27
node_modules/jose/dist/webapi/jwe/compact/decrypt.js
generated
vendored
Normal file
27
node_modules/jose/dist/webapi/jwe/compact/decrypt.js
generated
vendored
Normal file
@@ -0,0 +1,27 @@
|
||||
import { flattenedDecrypt } from '../flattened/decrypt.js';
|
||||
import { JWEInvalid } from '../../util/errors.js';
|
||||
import { decoder } from '../../lib/buffer_utils.js';
|
||||
export async function compactDecrypt(jwe, key, options) {
|
||||
if (jwe instanceof Uint8Array) {
|
||||
jwe = decoder.decode(jwe);
|
||||
}
|
||||
if (typeof jwe !== 'string') {
|
||||
throw new JWEInvalid('Compact JWE must be a string or Uint8Array');
|
||||
}
|
||||
const { 0: protectedHeader, 1: encryptedKey, 2: iv, 3: ciphertext, 4: tag, length, } = jwe.split('.');
|
||||
if (length !== 5) {
|
||||
throw new JWEInvalid('Invalid Compact JWE');
|
||||
}
|
||||
const decrypted = await flattenedDecrypt({
|
||||
ciphertext,
|
||||
iv: iv || undefined,
|
||||
protected: protectedHeader,
|
||||
tag: tag || undefined,
|
||||
encrypted_key: encryptedKey || undefined,
|
||||
}, key, options);
|
||||
const result = { plaintext: decrypted.plaintext, protectedHeader: decrypted.protectedHeader };
|
||||
if (typeof key === 'function') {
|
||||
return { ...result, key: decrypted.key };
|
||||
}
|
||||
return result;
|
||||
}
|
||||
27
node_modules/jose/dist/webapi/jwe/compact/encrypt.js
generated
vendored
Normal file
27
node_modules/jose/dist/webapi/jwe/compact/encrypt.js
generated
vendored
Normal file
@@ -0,0 +1,27 @@
|
||||
import { FlattenedEncrypt } from '../flattened/encrypt.js';
|
||||
export class CompactEncrypt {
|
||||
#flattened;
|
||||
constructor(plaintext) {
|
||||
this.#flattened = new FlattenedEncrypt(plaintext);
|
||||
}
|
||||
setContentEncryptionKey(cek) {
|
||||
this.#flattened.setContentEncryptionKey(cek);
|
||||
return this;
|
||||
}
|
||||
setInitializationVector(iv) {
|
||||
this.#flattened.setInitializationVector(iv);
|
||||
return this;
|
||||
}
|
||||
setProtectedHeader(protectedHeader) {
|
||||
this.#flattened.setProtectedHeader(protectedHeader);
|
||||
return this;
|
||||
}
|
||||
setKeyManagementParameters(parameters) {
|
||||
this.#flattened.setKeyManagementParameters(parameters);
|
||||
return this;
|
||||
}
|
||||
async encrypt(key, options) {
|
||||
const jwe = await this.#flattened.encrypt(key, options);
|
||||
return [jwe.protected, jwe.encrypted_key, jwe.iv, jwe.ciphertext, jwe.tag].join('.');
|
||||
}
|
||||
}
|
||||
159
node_modules/jose/dist/webapi/jwe/flattened/decrypt.js
generated
vendored
Normal file
159
node_modules/jose/dist/webapi/jwe/flattened/decrypt.js
generated
vendored
Normal file
@@ -0,0 +1,159 @@
|
||||
import { decode as b64u } from '../../util/base64url.js';
|
||||
import { decrypt } from '../../lib/content_encryption.js';
|
||||
import { decodeBase64url } from '../../lib/helpers.js';
|
||||
import { JOSEAlgNotAllowed, JOSENotSupported, JWEInvalid } from '../../util/errors.js';
|
||||
import { isDisjoint } from '../../lib/type_checks.js';
|
||||
import { isObject } from '../../lib/type_checks.js';
|
||||
import { decryptKeyManagement } from '../../lib/key_management.js';
|
||||
import { decoder, concat, encode } from '../../lib/buffer_utils.js';
|
||||
import { generateCek } from '../../lib/content_encryption.js';
|
||||
import { validateCrit } from '../../lib/validate_crit.js';
|
||||
import { validateAlgorithms } from '../../lib/validate_algorithms.js';
|
||||
import { normalizeKey } from '../../lib/normalize_key.js';
|
||||
import { checkKeyType } from '../../lib/check_key_type.js';
|
||||
import { decompress } from '../../lib/deflate.js';
|
||||
export async function flattenedDecrypt(jwe, key, options) {
|
||||
if (!isObject(jwe)) {
|
||||
throw new JWEInvalid('Flattened JWE must be an object');
|
||||
}
|
||||
if (jwe.protected === undefined && jwe.header === undefined && jwe.unprotected === undefined) {
|
||||
throw new JWEInvalid('JOSE Header missing');
|
||||
}
|
||||
if (jwe.iv !== undefined && typeof jwe.iv !== 'string') {
|
||||
throw new JWEInvalid('JWE Initialization Vector incorrect type');
|
||||
}
|
||||
if (typeof jwe.ciphertext !== 'string') {
|
||||
throw new JWEInvalid('JWE Ciphertext missing or incorrect type');
|
||||
}
|
||||
if (jwe.tag !== undefined && typeof jwe.tag !== 'string') {
|
||||
throw new JWEInvalid('JWE Authentication Tag incorrect type');
|
||||
}
|
||||
if (jwe.protected !== undefined && typeof jwe.protected !== 'string') {
|
||||
throw new JWEInvalid('JWE Protected Header incorrect type');
|
||||
}
|
||||
if (jwe.encrypted_key !== undefined && typeof jwe.encrypted_key !== 'string') {
|
||||
throw new JWEInvalid('JWE Encrypted Key incorrect type');
|
||||
}
|
||||
if (jwe.aad !== undefined && typeof jwe.aad !== 'string') {
|
||||
throw new JWEInvalid('JWE AAD incorrect type');
|
||||
}
|
||||
if (jwe.header !== undefined && !isObject(jwe.header)) {
|
||||
throw new JWEInvalid('JWE Shared Unprotected Header incorrect type');
|
||||
}
|
||||
if (jwe.unprotected !== undefined && !isObject(jwe.unprotected)) {
|
||||
throw new JWEInvalid('JWE Per-Recipient Unprotected Header incorrect type');
|
||||
}
|
||||
let parsedProt;
|
||||
if (jwe.protected) {
|
||||
try {
|
||||
const protectedHeader = b64u(jwe.protected);
|
||||
parsedProt = JSON.parse(decoder.decode(protectedHeader));
|
||||
}
|
||||
catch {
|
||||
throw new JWEInvalid('JWE Protected Header is invalid');
|
||||
}
|
||||
}
|
||||
if (!isDisjoint(parsedProt, jwe.header, jwe.unprotected)) {
|
||||
throw new JWEInvalid('JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint');
|
||||
}
|
||||
const joseHeader = {
|
||||
...parsedProt,
|
||||
...jwe.header,
|
||||
...jwe.unprotected,
|
||||
};
|
||||
validateCrit(JWEInvalid, new Map(), options?.crit, parsedProt, joseHeader);
|
||||
if (joseHeader.zip !== undefined && joseHeader.zip !== 'DEF') {
|
||||
throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
|
||||
}
|
||||
if (joseHeader.zip !== undefined && !parsedProt?.zip) {
|
||||
throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
|
||||
}
|
||||
const { alg, enc } = joseHeader;
|
||||
if (typeof alg !== 'string' || !alg) {
|
||||
throw new JWEInvalid('missing JWE Algorithm (alg) in JWE Header');
|
||||
}
|
||||
if (typeof enc !== 'string' || !enc) {
|
||||
throw new JWEInvalid('missing JWE Encryption Algorithm (enc) in JWE Header');
|
||||
}
|
||||
const keyManagementAlgorithms = options && validateAlgorithms('keyManagementAlgorithms', options.keyManagementAlgorithms);
|
||||
const contentEncryptionAlgorithms = options &&
|
||||
validateAlgorithms('contentEncryptionAlgorithms', options.contentEncryptionAlgorithms);
|
||||
if ((keyManagementAlgorithms && !keyManagementAlgorithms.has(alg)) ||
|
||||
(!keyManagementAlgorithms && alg.startsWith('PBES2'))) {
|
||||
throw new JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
|
||||
}
|
||||
if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) {
|
||||
throw new JOSEAlgNotAllowed('"enc" (Encryption Algorithm) Header Parameter value not allowed');
|
||||
}
|
||||
let encryptedKey;
|
||||
if (jwe.encrypted_key !== undefined) {
|
||||
encryptedKey = decodeBase64url(jwe.encrypted_key, 'encrypted_key', JWEInvalid);
|
||||
}
|
||||
let resolvedKey = false;
|
||||
if (typeof key === 'function') {
|
||||
key = await key(parsedProt, jwe);
|
||||
resolvedKey = true;
|
||||
}
|
||||
checkKeyType(alg === 'dir' ? enc : alg, key, 'decrypt');
|
||||
const k = await normalizeKey(key, alg);
|
||||
let cek;
|
||||
try {
|
||||
cek = await decryptKeyManagement(alg, k, encryptedKey, joseHeader, options);
|
||||
}
|
||||
catch (err) {
|
||||
if (err instanceof TypeError || err instanceof JWEInvalid || err instanceof JOSENotSupported) {
|
||||
throw err;
|
||||
}
|
||||
cek = generateCek(enc);
|
||||
}
|
||||
let iv;
|
||||
let tag;
|
||||
if (jwe.iv !== undefined) {
|
||||
iv = decodeBase64url(jwe.iv, 'iv', JWEInvalid);
|
||||
}
|
||||
if (jwe.tag !== undefined) {
|
||||
tag = decodeBase64url(jwe.tag, 'tag', JWEInvalid);
|
||||
}
|
||||
const protectedHeader = jwe.protected !== undefined ? encode(jwe.protected) : new Uint8Array();
|
||||
let additionalData;
|
||||
if (jwe.aad !== undefined) {
|
||||
additionalData = concat(protectedHeader, encode('.'), encode(jwe.aad));
|
||||
}
|
||||
else {
|
||||
additionalData = protectedHeader;
|
||||
}
|
||||
const ciphertext = decodeBase64url(jwe.ciphertext, 'ciphertext', JWEInvalid);
|
||||
const plaintext = await decrypt(enc, cek, ciphertext, iv, tag, additionalData);
|
||||
const result = { plaintext };
|
||||
if (joseHeader.zip === 'DEF') {
|
||||
const maxDecompressedLength = options?.maxDecompressedLength ?? 250_000;
|
||||
if (maxDecompressedLength === 0) {
|
||||
throw new JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
|
||||
}
|
||||
if (maxDecompressedLength !== Infinity &&
|
||||
(!Number.isSafeInteger(maxDecompressedLength) || maxDecompressedLength < 1)) {
|
||||
throw new TypeError('maxDecompressedLength must be 0, a positive safe integer, or Infinity');
|
||||
}
|
||||
result.plaintext = await decompress(plaintext, maxDecompressedLength).catch((cause) => {
|
||||
if (cause instanceof JWEInvalid)
|
||||
throw cause;
|
||||
throw new JWEInvalid('Failed to decompress plaintext', { cause });
|
||||
});
|
||||
}
|
||||
if (jwe.protected !== undefined) {
|
||||
result.protectedHeader = parsedProt;
|
||||
}
|
||||
if (jwe.aad !== undefined) {
|
||||
result.additionalAuthenticatedData = decodeBase64url(jwe.aad, 'aad', JWEInvalid);
|
||||
}
|
||||
if (jwe.unprotected !== undefined) {
|
||||
result.sharedUnprotectedHeader = jwe.unprotected;
|
||||
}
|
||||
if (jwe.header !== undefined) {
|
||||
result.unprotectedHeader = jwe.header;
|
||||
}
|
||||
if (resolvedKey) {
|
||||
return { ...result, key: k };
|
||||
}
|
||||
return result;
|
||||
}
|
||||
167
node_modules/jose/dist/webapi/jwe/flattened/encrypt.js
generated
vendored
Normal file
167
node_modules/jose/dist/webapi/jwe/flattened/encrypt.js
generated
vendored
Normal file
@@ -0,0 +1,167 @@
|
||||
import { encode as b64u } from '../../util/base64url.js';
|
||||
import { unprotected, assertNotSet } from '../../lib/helpers.js';
|
||||
import { encrypt } from '../../lib/content_encryption.js';
|
||||
import { encryptKeyManagement } from '../../lib/key_management.js';
|
||||
import { JOSENotSupported, JWEInvalid } from '../../util/errors.js';
|
||||
import { isDisjoint } from '../../lib/type_checks.js';
|
||||
import { concat, encode } from '../../lib/buffer_utils.js';
|
||||
import { validateCrit } from '../../lib/validate_crit.js';
|
||||
import { normalizeKey } from '../../lib/normalize_key.js';
|
||||
import { checkKeyType } from '../../lib/check_key_type.js';
|
||||
import { compress } from '../../lib/deflate.js';
|
||||
export class FlattenedEncrypt {
|
||||
#plaintext;
|
||||
#protectedHeader;
|
||||
#sharedUnprotectedHeader;
|
||||
#unprotectedHeader;
|
||||
#aad;
|
||||
#cek;
|
||||
#iv;
|
||||
#keyManagementParameters;
|
||||
constructor(plaintext) {
|
||||
if (!(plaintext instanceof Uint8Array)) {
|
||||
throw new TypeError('plaintext must be an instance of Uint8Array');
|
||||
}
|
||||
this.#plaintext = plaintext;
|
||||
}
|
||||
setKeyManagementParameters(parameters) {
|
||||
assertNotSet(this.#keyManagementParameters, 'setKeyManagementParameters');
|
||||
this.#keyManagementParameters = parameters;
|
||||
return this;
|
||||
}
|
||||
setProtectedHeader(protectedHeader) {
|
||||
assertNotSet(this.#protectedHeader, 'setProtectedHeader');
|
||||
this.#protectedHeader = protectedHeader;
|
||||
return this;
|
||||
}
|
||||
setSharedUnprotectedHeader(sharedUnprotectedHeader) {
|
||||
assertNotSet(this.#sharedUnprotectedHeader, 'setSharedUnprotectedHeader');
|
||||
this.#sharedUnprotectedHeader = sharedUnprotectedHeader;
|
||||
return this;
|
||||
}
|
||||
setUnprotectedHeader(unprotectedHeader) {
|
||||
assertNotSet(this.#unprotectedHeader, 'setUnprotectedHeader');
|
||||
this.#unprotectedHeader = unprotectedHeader;
|
||||
return this;
|
||||
}
|
||||
setAdditionalAuthenticatedData(aad) {
|
||||
this.#aad = aad;
|
||||
return this;
|
||||
}
|
||||
setContentEncryptionKey(cek) {
|
||||
assertNotSet(this.#cek, 'setContentEncryptionKey');
|
||||
this.#cek = cek;
|
||||
return this;
|
||||
}
|
||||
setInitializationVector(iv) {
|
||||
assertNotSet(this.#iv, 'setInitializationVector');
|
||||
this.#iv = iv;
|
||||
return this;
|
||||
}
|
||||
async encrypt(key, options) {
|
||||
if (!this.#protectedHeader && !this.#unprotectedHeader && !this.#sharedUnprotectedHeader) {
|
||||
throw new JWEInvalid('either setProtectedHeader, setUnprotectedHeader, or sharedUnprotectedHeader must be called before #encrypt()');
|
||||
}
|
||||
if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, this.#sharedUnprotectedHeader)) {
|
||||
throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');
|
||||
}
|
||||
const joseHeader = {
|
||||
...this.#protectedHeader,
|
||||
...this.#unprotectedHeader,
|
||||
...this.#sharedUnprotectedHeader,
|
||||
};
|
||||
validateCrit(JWEInvalid, new Map(), options?.crit, this.#protectedHeader, joseHeader);
|
||||
if (joseHeader.zip !== undefined && joseHeader.zip !== 'DEF') {
|
||||
throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
|
||||
}
|
||||
if (joseHeader.zip !== undefined && !this.#protectedHeader?.zip) {
|
||||
throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
|
||||
}
|
||||
const { alg, enc } = joseHeader;
|
||||
if (typeof alg !== 'string' || !alg) {
|
||||
throw new JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
|
||||
}
|
||||
if (typeof enc !== 'string' || !enc) {
|
||||
throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
|
||||
}
|
||||
let encryptedKey;
|
||||
if (this.#cek && (alg === 'dir' || alg === 'ECDH-ES')) {
|
||||
throw new TypeError(`setContentEncryptionKey cannot be called with JWE "alg" (Algorithm) Header ${alg}`);
|
||||
}
|
||||
checkKeyType(alg === 'dir' ? enc : alg, key, 'encrypt');
|
||||
let cek;
|
||||
{
|
||||
let parameters;
|
||||
const k = await normalizeKey(key, alg);
|
||||
({ cek, encryptedKey, parameters } = await encryptKeyManagement(alg, enc, k, this.#cek, this.#keyManagementParameters));
|
||||
if (parameters) {
|
||||
if (options && unprotected in options) {
|
||||
if (!this.#unprotectedHeader) {
|
||||
this.setUnprotectedHeader(parameters);
|
||||
}
|
||||
else {
|
||||
this.#unprotectedHeader = { ...this.#unprotectedHeader, ...parameters };
|
||||
}
|
||||
}
|
||||
else if (!this.#protectedHeader) {
|
||||
this.setProtectedHeader(parameters);
|
||||
}
|
||||
else {
|
||||
this.#protectedHeader = { ...this.#protectedHeader, ...parameters };
|
||||
}
|
||||
}
|
||||
}
|
||||
let additionalData;
|
||||
let protectedHeaderS;
|
||||
let protectedHeaderB;
|
||||
let aadMember;
|
||||
if (this.#protectedHeader) {
|
||||
protectedHeaderS = b64u(JSON.stringify(this.#protectedHeader));
|
||||
protectedHeaderB = encode(protectedHeaderS);
|
||||
}
|
||||
else {
|
||||
protectedHeaderS = '';
|
||||
protectedHeaderB = new Uint8Array();
|
||||
}
|
||||
if (this.#aad) {
|
||||
aadMember = b64u(this.#aad);
|
||||
const aadMemberBytes = encode(aadMember);
|
||||
additionalData = concat(protectedHeaderB, encode('.'), aadMemberBytes);
|
||||
}
|
||||
else {
|
||||
additionalData = protectedHeaderB;
|
||||
}
|
||||
let plaintext = this.#plaintext;
|
||||
if (joseHeader.zip === 'DEF') {
|
||||
plaintext = await compress(plaintext).catch((cause) => {
|
||||
throw new JWEInvalid('Failed to compress plaintext', { cause });
|
||||
});
|
||||
}
|
||||
const { ciphertext, tag, iv } = await encrypt(enc, plaintext, cek, this.#iv, additionalData);
|
||||
const jwe = {
|
||||
ciphertext: b64u(ciphertext),
|
||||
};
|
||||
if (iv) {
|
||||
jwe.iv = b64u(iv);
|
||||
}
|
||||
if (tag) {
|
||||
jwe.tag = b64u(tag);
|
||||
}
|
||||
if (encryptedKey) {
|
||||
jwe.encrypted_key = b64u(encryptedKey);
|
||||
}
|
||||
if (aadMember) {
|
||||
jwe.aad = aadMember;
|
||||
}
|
||||
if (this.#protectedHeader) {
|
||||
jwe.protected = protectedHeaderS;
|
||||
}
|
||||
if (this.#sharedUnprotectedHeader) {
|
||||
jwe.unprotected = this.#sharedUnprotectedHeader;
|
||||
}
|
||||
if (this.#unprotectedHeader) {
|
||||
jwe.header = this.#unprotectedHeader;
|
||||
}
|
||||
return jwe;
|
||||
}
|
||||
}
|
||||
31
node_modules/jose/dist/webapi/jwe/general/decrypt.js
generated
vendored
Normal file
31
node_modules/jose/dist/webapi/jwe/general/decrypt.js
generated
vendored
Normal file
@@ -0,0 +1,31 @@
|
||||
import { flattenedDecrypt } from '../flattened/decrypt.js';
|
||||
import { JWEDecryptionFailed, JWEInvalid } from '../../util/errors.js';
|
||||
import { isObject } from '../../lib/type_checks.js';
|
||||
export async function generalDecrypt(jwe, key, options) {
|
||||
if (!isObject(jwe)) {
|
||||
throw new JWEInvalid('General JWE must be an object');
|
||||
}
|
||||
if (!Array.isArray(jwe.recipients) || !jwe.recipients.every(isObject)) {
|
||||
throw new JWEInvalid('JWE Recipients missing or incorrect type');
|
||||
}
|
||||
if (!jwe.recipients.length) {
|
||||
throw new JWEInvalid('JWE Recipients has no members');
|
||||
}
|
||||
for (const recipient of jwe.recipients) {
|
||||
try {
|
||||
return await flattenedDecrypt({
|
||||
aad: jwe.aad,
|
||||
ciphertext: jwe.ciphertext,
|
||||
encrypted_key: recipient.encrypted_key,
|
||||
header: recipient.header,
|
||||
iv: jwe.iv,
|
||||
protected: jwe.protected,
|
||||
tag: jwe.tag,
|
||||
unprotected: jwe.unprotected,
|
||||
}, key, options);
|
||||
}
|
||||
catch {
|
||||
}
|
||||
}
|
||||
throw new JWEDecryptionFailed();
|
||||
}
|
||||
182
node_modules/jose/dist/webapi/jwe/general/encrypt.js
generated
vendored
Normal file
182
node_modules/jose/dist/webapi/jwe/general/encrypt.js
generated
vendored
Normal file
@@ -0,0 +1,182 @@
|
||||
import { FlattenedEncrypt } from '../flattened/encrypt.js';
|
||||
import { unprotected, assertNotSet } from '../../lib/helpers.js';
|
||||
import { JOSENotSupported, JWEInvalid } from '../../util/errors.js';
|
||||
import { generateCek } from '../../lib/content_encryption.js';
|
||||
import { isDisjoint } from '../../lib/type_checks.js';
|
||||
import { encryptKeyManagement } from '../../lib/key_management.js';
|
||||
import { encode as b64u } from '../../util/base64url.js';
|
||||
import { validateCrit } from '../../lib/validate_crit.js';
|
||||
import { normalizeKey } from '../../lib/normalize_key.js';
|
||||
import { checkKeyType } from '../../lib/check_key_type.js';
|
||||
class IndividualRecipient {
|
||||
#parent;
|
||||
unprotectedHeader;
|
||||
keyManagementParameters;
|
||||
key;
|
||||
options;
|
||||
constructor(enc, key, options) {
|
||||
this.#parent = enc;
|
||||
this.key = key;
|
||||
this.options = options;
|
||||
}
|
||||
setUnprotectedHeader(unprotectedHeader) {
|
||||
assertNotSet(this.unprotectedHeader, 'setUnprotectedHeader');
|
||||
this.unprotectedHeader = unprotectedHeader;
|
||||
return this;
|
||||
}
|
||||
setKeyManagementParameters(parameters) {
|
||||
assertNotSet(this.keyManagementParameters, 'setKeyManagementParameters');
|
||||
this.keyManagementParameters = parameters;
|
||||
return this;
|
||||
}
|
||||
addRecipient(...args) {
|
||||
return this.#parent.addRecipient(...args);
|
||||
}
|
||||
encrypt(...args) {
|
||||
return this.#parent.encrypt(...args);
|
||||
}
|
||||
done() {
|
||||
return this.#parent;
|
||||
}
|
||||
}
|
||||
export class GeneralEncrypt {
|
||||
#plaintext;
|
||||
#recipients = [];
|
||||
#protectedHeader;
|
||||
#unprotectedHeader;
|
||||
#aad;
|
||||
constructor(plaintext) {
|
||||
this.#plaintext = plaintext;
|
||||
}
|
||||
addRecipient(key, options) {
|
||||
const recipient = new IndividualRecipient(this, key, { crit: options?.crit });
|
||||
this.#recipients.push(recipient);
|
||||
return recipient;
|
||||
}
|
||||
setProtectedHeader(protectedHeader) {
|
||||
assertNotSet(this.#protectedHeader, 'setProtectedHeader');
|
||||
this.#protectedHeader = protectedHeader;
|
||||
return this;
|
||||
}
|
||||
setSharedUnprotectedHeader(sharedUnprotectedHeader) {
|
||||
assertNotSet(this.#unprotectedHeader, 'setSharedUnprotectedHeader');
|
||||
this.#unprotectedHeader = sharedUnprotectedHeader;
|
||||
return this;
|
||||
}
|
||||
setAdditionalAuthenticatedData(aad) {
|
||||
this.#aad = aad;
|
||||
return this;
|
||||
}
|
||||
async encrypt() {
|
||||
if (!this.#recipients.length) {
|
||||
throw new JWEInvalid('at least one recipient must be added');
|
||||
}
|
||||
if (this.#recipients.length === 1) {
|
||||
const [recipient] = this.#recipients;
|
||||
const flattened = await new FlattenedEncrypt(this.#plaintext)
|
||||
.setAdditionalAuthenticatedData(this.#aad)
|
||||
.setProtectedHeader(this.#protectedHeader)
|
||||
.setSharedUnprotectedHeader(this.#unprotectedHeader)
|
||||
.setUnprotectedHeader(recipient.unprotectedHeader)
|
||||
.encrypt(recipient.key, { ...recipient.options });
|
||||
const jwe = {
|
||||
ciphertext: flattened.ciphertext,
|
||||
iv: flattened.iv,
|
||||
recipients: [{}],
|
||||
tag: flattened.tag,
|
||||
};
|
||||
if (flattened.aad)
|
||||
jwe.aad = flattened.aad;
|
||||
if (flattened.protected)
|
||||
jwe.protected = flattened.protected;
|
||||
if (flattened.unprotected)
|
||||
jwe.unprotected = flattened.unprotected;
|
||||
if (flattened.encrypted_key)
|
||||
jwe.recipients[0].encrypted_key = flattened.encrypted_key;
|
||||
if (flattened.header)
|
||||
jwe.recipients[0].header = flattened.header;
|
||||
return jwe;
|
||||
}
|
||||
let enc;
|
||||
for (let i = 0; i < this.#recipients.length; i++) {
|
||||
const recipient = this.#recipients[i];
|
||||
if (!isDisjoint(this.#protectedHeader, this.#unprotectedHeader, recipient.unprotectedHeader)) {
|
||||
throw new JWEInvalid('JWE Protected, JWE Shared Unprotected and JWE Per-Recipient Header Parameter names must be disjoint');
|
||||
}
|
||||
const joseHeader = {
|
||||
...this.#protectedHeader,
|
||||
...this.#unprotectedHeader,
|
||||
...recipient.unprotectedHeader,
|
||||
};
|
||||
const { alg } = joseHeader;
|
||||
if (typeof alg !== 'string' || !alg) {
|
||||
throw new JWEInvalid('JWE "alg" (Algorithm) Header Parameter missing or invalid');
|
||||
}
|
||||
if (alg === 'dir' || alg === 'ECDH-ES') {
|
||||
throw new JWEInvalid('"dir" and "ECDH-ES" alg may only be used with a single recipient');
|
||||
}
|
||||
if (typeof joseHeader.enc !== 'string' || !joseHeader.enc) {
|
||||
throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter missing or invalid');
|
||||
}
|
||||
if (!enc) {
|
||||
enc = joseHeader.enc;
|
||||
}
|
||||
else if (enc !== joseHeader.enc) {
|
||||
throw new JWEInvalid('JWE "enc" (Encryption Algorithm) Header Parameter must be the same for all recipients');
|
||||
}
|
||||
validateCrit(JWEInvalid, new Map(), recipient.options.crit, this.#protectedHeader, joseHeader);
|
||||
if (joseHeader.zip !== undefined && joseHeader.zip !== 'DEF') {
|
||||
throw new JOSENotSupported('Unsupported JWE "zip" (Compression Algorithm) Header Parameter value.');
|
||||
}
|
||||
if (joseHeader.zip !== undefined && !this.#protectedHeader?.zip) {
|
||||
throw new JWEInvalid('JWE "zip" (Compression Algorithm) Header Parameter MUST be in a protected header.');
|
||||
}
|
||||
}
|
||||
const cek = generateCek(enc);
|
||||
const jwe = {
|
||||
ciphertext: '',
|
||||
recipients: [],
|
||||
};
|
||||
for (let i = 0; i < this.#recipients.length; i++) {
|
||||
const recipient = this.#recipients[i];
|
||||
const target = {};
|
||||
jwe.recipients.push(target);
|
||||
if (i === 0) {
|
||||
const flattened = await new FlattenedEncrypt(this.#plaintext)
|
||||
.setAdditionalAuthenticatedData(this.#aad)
|
||||
.setContentEncryptionKey(cek)
|
||||
.setProtectedHeader(this.#protectedHeader)
|
||||
.setSharedUnprotectedHeader(this.#unprotectedHeader)
|
||||
.setUnprotectedHeader(recipient.unprotectedHeader)
|
||||
.setKeyManagementParameters(recipient.keyManagementParameters)
|
||||
.encrypt(recipient.key, {
|
||||
...recipient.options,
|
||||
[unprotected]: true,
|
||||
});
|
||||
jwe.ciphertext = flattened.ciphertext;
|
||||
jwe.iv = flattened.iv;
|
||||
jwe.tag = flattened.tag;
|
||||
if (flattened.aad)
|
||||
jwe.aad = flattened.aad;
|
||||
if (flattened.protected)
|
||||
jwe.protected = flattened.protected;
|
||||
if (flattened.unprotected)
|
||||
jwe.unprotected = flattened.unprotected;
|
||||
target.encrypted_key = flattened.encrypted_key;
|
||||
if (flattened.header)
|
||||
target.header = flattened.header;
|
||||
continue;
|
||||
}
|
||||
const alg = recipient.unprotectedHeader?.alg ||
|
||||
this.#protectedHeader?.alg ||
|
||||
this.#unprotectedHeader?.alg;
|
||||
checkKeyType(alg === 'dir' ? enc : alg, recipient.key, 'encrypt');
|
||||
const k = await normalizeKey(recipient.key, alg);
|
||||
const { encryptedKey, parameters } = await encryptKeyManagement(alg, enc, k, cek, recipient.keyManagementParameters);
|
||||
target.encrypted_key = b64u(encryptedKey);
|
||||
if (recipient.unprotectedHeader || parameters)
|
||||
target.header = { ...recipient.unprotectedHeader, ...parameters };
|
||||
}
|
||||
return jwe;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user