UNPKG

jose/lib/jws/sign.js

Version:

4.21 kBJavaScriptView Raw

1const base64url = require('../help/base64url')
2const isDisjoint = require('../help/is_disjoint')
3const isObject = require('../help/is_object')
4const deepClone = require('../help/deep_clone')
5const { JWSInvalid } = require('../errors')
6const { sign } = require('../jwa')
7const getKey = require('../help/get_key')
8
9const serializers = require('./serializers')
10
11const PROCESS_RECIPIENT = Symbol('PROCESS_RECIPIENT')
12
13class Sign {
constructor (payload) {
  if (typeof payload === 'string') {
    payload = base64url.encode(payload)
  } else if (Buffer.isBuffer(payload)) {
    payload = base64url.encodeBuffer(payload)
    this._binary = true
  } else if (isObject(payload)) {
    payload = base64url.JSON.encode(payload)
  } else {
    throw new TypeError('payload argument must be a Buffer, string or an object')
  }
25
  this._payload = payload
  this._recipients = []
}
29
/*
 * @public
 */
recipient (key, protectedHeader, unprotectedHeader) {
  key = getKey(key)
35
  if (protectedHeader !== undefined && !isObject(protectedHeader)) {
    throw new TypeError('protectedHeader argument must be a plain object when provided')
  }
39
  if (unprotectedHeader !== undefined && !isObject(unprotectedHeader)) {
    throw new TypeError('unprotectedHeader argument must be a plain object when provided')
  }
43
  if (!isDisjoint(protectedHeader, unprotectedHeader)) {
    throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint')
  }
47
  this._recipients.push({
    key,
    protectedHeader: protectedHeader ? deepClone(protectedHeader) : undefined,
    unprotectedHeader: unprotectedHeader ? deepClone(unprotectedHeader) : undefined
  })
53
  return this
}
56
/*
 * @private
 */
[PROCESS_RECIPIENT] (recipient) {
  const { key, protectedHeader, unprotectedHeader } = recipient
62
  if (key.use === 'enc') {
    throw new TypeError('a key with "use":"enc" is not usable for signing')
  }
66
  const joseHeader = {
    protected: protectedHeader || {},
    unprotected: unprotectedHeader || {}
  }
71
  let alg = joseHeader.protected.alg || joseHeader.unprotected.alg
73
  if (!alg) {
    alg = key.alg || [...key.algorithms('sign')][0]
    if (recipient.protectedHeader) {
      joseHeader.protected.alg = recipient.protectedHeader.alg = alg
    } else {
      joseHeader.protected = recipient.protectedHeader = { alg }
    }
  }
82
  if (!alg) {
    throw new JWSInvalid('could not resolve a usable "alg" for a recipient')
  }
86
  recipient.header = unprotectedHeader
  recipient.protected = Object.keys(joseHeader.protected).length ? base64url.JSON.encode(joseHeader.protected) : ''
89
  let toBeSigned
  if (joseHeader.protected.crit && joseHeader.protected.crit.includes('b64')) {
    if (this._b64 !== undefined && this._b64 !== joseHeader.protected.b64) {
      throw new JWSInvalid('the "b64" Header Parameter value MUST be the same for all recipients')
    } else {
      this._b64 = joseHeader.protected.b64
    }
97
    if (!joseHeader.protected.b64) {
      if (this._binary) {
        this._payload = base64url.decodeToBuffer(this._payload)
      } else {
        this._payload = base64url.decode(this._payload)
      }
    }
105
    toBeSigned = Buffer.concat([
      Buffer.from(recipient.protected || ''),
      Buffer.from('.'),
      Buffer.isBuffer(this._payload) ? this._payload : Buffer.from(this._payload)
    ])
  } else {
    toBeSigned = `${recipient.protected || ''}.${this._payload}`
  }
114
  recipient.signature = base64url.encodeBuffer(sign(alg, key, toBeSigned))
}
117
/*
 * @public
 */
sign (serialization) {
  const serializer = serializers[serialization]
  if (!serializer) {
    throw new TypeError('serialization must be one of "compact", "flattened", "general"')
  }
126
  if (!this._recipients.length) {
    throw new JWSInvalid('missing recipients')
  }
130
  serializer.validate(this, this._recipients)
132
  for (const recipient of this._recipients) {
    this[PROCESS_RECIPIENT](recipient)
  }
136
  return serializer(this._payload, this._recipients)
}
139}
140
141module.exports = Sign

1	`const base64url = require('../help/base64url')`
2	`const isDisjoint = require('../help/is_disjoint')`
3	`const isObject = require('../help/is_object')`
4	`const deepClone = require('../help/deep_clone')`
5	`const { JWSInvalid } = require('../errors')`
6	`const { sign } = require('../jwa')`
7	`const getKey = require('../help/get_key')`
8
9	`const serializers = require('./serializers')`
10
11	`const PROCESS_RECIPIENT = Symbol('PROCESS_RECIPIENT')`
12
13	`class Sign {`
14	`constructor (payload) {`
15	`if (typeof payload === 'string') {`
16	`payload = base64url.encode(payload)`
17	`} else if (Buffer.isBuffer(payload)) {`
18	`payload = base64url.encodeBuffer(payload)`
19	`this._binary = true`
20	`} else if (isObject(payload)) {`
21	`payload = base64url.JSON.encode(payload)`
22	`} else {`
23	`throw new TypeError('payload argument must be a Buffer, string or an object')`
24	`}`
25
26	`this._payload = payload`
27	`this._recipients = []`
28	`}`
29
30	`/*`
31	`* @public`
32	`*/`
33	`recipient (key, protectedHeader, unprotectedHeader) {`
34	`key = getKey(key)`
35
36	`if (protectedHeader !== undefined && !isObject(protectedHeader)) {`
37	`throw new TypeError('protectedHeader argument must be a plain object when provided')`
38	`}`
39
40	`if (unprotectedHeader !== undefined && !isObject(unprotectedHeader)) {`
41	`throw new TypeError('unprotectedHeader argument must be a plain object when provided')`
42	`}`
43
44	`if (!isDisjoint(protectedHeader, unprotectedHeader)) {`
45	`throw new JWSInvalid('JWS Protected and JWS Unprotected Header Parameter names must be disjoint')`
46	`}`
47
48	`this._recipients.push({`
49	`key,`
50	`protectedHeader: protectedHeader ? deepClone(protectedHeader) : undefined,`
51	`unprotectedHeader: unprotectedHeader ? deepClone(unprotectedHeader) : undefined`
52	`})`
53
54	`return this`
55	`}`
56
57	`/*`
58	`* @private`
59	`*/`
60	`[PROCESS_RECIPIENT] (recipient) {`
61	`const { key, protectedHeader, unprotectedHeader } = recipient`
62
63	`if (key.use === 'enc') {`
64	`throw new TypeError('a key with "use":"enc" is not usable for signing')`
65	`}`
66
67	`const joseHeader = {`
68	`protected: protectedHeader \|\| {},`
69	`unprotected: unprotectedHeader \|\| {}`
70	`}`
71
72	`let alg = joseHeader.protected.alg \|\| joseHeader.unprotected.alg`
73
74	`if (!alg) {`
75	`alg = key.alg \|\| [...key.algorithms('sign')][0]`
76	`if (recipient.protectedHeader) {`
77	`joseHeader.protected.alg = recipient.protectedHeader.alg = alg`
78	`} else {`
79	`joseHeader.protected = recipient.protectedHeader = { alg }`
80	`}`
81	`}`
82
83	`if (!alg) {`
84	`throw new JWSInvalid('could not resolve a usable "alg" for a recipient')`
85	`}`
86
87	`recipient.header = unprotectedHeader`
88	`recipient.protected = Object.keys(joseHeader.protected).length ? base64url.JSON.encode(joseHeader.protected) : ''`
89
90	`let toBeSigned`
91	`if (joseHeader.protected.crit && joseHeader.protected.crit.includes('b64')) {`
92	`if (this._b64 !== undefined && this._b64 !== joseHeader.protected.b64) {`
93	`throw new JWSInvalid('the "b64" Header Parameter value MUST be the same for all recipients')`
94	`} else {`
95	`this._b64 = joseHeader.protected.b64`
96	`}`
97
98	`if (!joseHeader.protected.b64) {`
99	`if (this._binary) {`
100	`this._payload = base64url.decodeToBuffer(this._payload)`
101	`} else {`
102	`this._payload = base64url.decode(this._payload)`
103	`}`
104	`}`
105
106	`toBeSigned = Buffer.concat([`
107	`Buffer.from(recipient.protected \|\| ''),`
108	`Buffer.from('.'),`
109	`Buffer.isBuffer(this._payload) ? this._payload : Buffer.from(this._payload)`
110	`])`
111	`} else {`
112	toBeSigned = `${recipient.protected \|\| ''}.${this._payload}`
113	`}`
114
115	`recipient.signature = base64url.encodeBuffer(sign(alg, key, toBeSigned))`
116	`}`
117
118	`/*`
119	`* @public`
120	`*/`
121	`sign (serialization) {`
122	`const serializer = serializers[serialization]`
123	`if (!serializer) {`
124	`throw new TypeError('serialization must be one of "compact", "flattened", "general"')`
125	`}`
126
127	`if (!this._recipients.length) {`
128	`throw new JWSInvalid('missing recipients')`
129	`}`
130
131	`serializer.validate(this, this._recipients)`
132
133	`for (const recipient of this._recipients) {`
134	`this[PROCESS_RECIPIENT](recipient)`
135	`}`
136
137	`return serializer(this._payload, this._recipients)`
138	`}`
139	`}`
140
141	`module.exports = Sign`