CHANGELOG.md

@@ -2,6 +2,18 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [3.20.0](https://github.com/panva/jose/compare/v3.19.0...v3.20.0) (2021-10-06)
+
+
+### Features
+
+* improve key input type errors, remove dependency on @types/node ([a13eb04](https://github.com/panva/jose/commit/a13eb045d86d96e56f7a250cdc808f8c5aa0e62a))
+
+
+### Bug Fixes
+
+* proper createRemoteJWKSet timeoutDuration handling ([efa1619](https://github.com/panva/jose/commit/efa16195173f9f66b21d4f41039caaad0ccfa92a)), closes [#277](https://github.com/panva/jose/issues/277)
+
 ## [3.19.0](https://github.com/panva/jose/compare/v3.18.0...v3.19.0) (2021-09-26)
 
 

dist/browser/jwk/embedded.js

@@ -9,8 +9,8 @@ async function EmbeddedJWK(protectedHeader, token) {
     if (!isObject(joseHeader.jwk)) {
         throw new JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a JSON object');
     }
-    const key = (await importJWK({ ...joseHeader.jwk, ext: true }, joseHeader.alg, true));
-    if (key.type !== 'public') {
+    const key = await importJWK({ ...joseHeader.jwk, ext: true }, joseHeader.alg, true);
+    if (key instanceof Uint8Array || key.type !== 'public') {
         throw new JWSInvalid('"jwk" (JSON Web Key) Header Parameter must be a public key');
     }
     return key;

dist/browser/jwks/remote.js

@@ -1,9 +1,9 @@
 import fetchJwks from '../runtime/fetch_jwks.js';
-import parseJWK from '../jwk/parse.js';
+import { importJWK } from '../key/import.js';
 import { JWKSInvalid, JOSENotSupported, JWKSNoMatchingKey, JWKSMultipleMatchingKeys, } from '../util/errors.js';
 import isObject from '../lib/is_object.js';
 function getKtyFromAlg(alg) {
-    switch (alg.substr(0, 2)) {
+    switch (typeof alg === 'string' && alg.substr(0, 2)) {
         case 'RS':
         case 'PS':
             return 'RSA';
@@ -32,7 +32,7 @@ class RemoteJWKSet {
             typeof (options === null || options === void 0 ? void 0 : options.cooldownDuration) === 'number' ? options === null || options === void 0 ? void 0 : options.cooldownDuration : 30000;
     }
     coolingDown() {
-        if (typeof this._cooldownStarted === 'undefined') {
+        if (!this._cooldownStarted) {
             return false;
         }
         return Date.now() < this._cooldownStarted + this._cooldownDuration;
@@ -56,7 +56,7 @@ class RemoteJWKSet {
                 candidate = jwk.key_ops.includes('verify');
             }
             if (candidate && protectedHeader.alg === 'EdDSA') {
-                candidate = ['Ed25519', 'Ed448'].includes(jwk.crv);
+                candidate = jwk.crv === 'Ed25519' || jwk.crv === 'Ed448';
             }
             if (candidate) {
                 switch (protectedHeader.alg) {
@@ -88,13 +88,10 @@ class RemoteJWKSet {
         else if (length !== 1) {
             throw new JWKSMultipleMatchingKeys();
         }
-        if (!this._cached.has(jwk)) {
-            this._cached.set(jwk, {});
-        }
-        const cached = this._cached.get(jwk);
+        const cached = this._cached.get(jwk) || this._cached.set(jwk, {}).get(jwk);
         if (cached[protectedHeader.alg] === undefined) {
-            const keyObject = (await parseJWK({ ...jwk, alg: protectedHeader.alg, ext: true }));
-            if (keyObject.type !== 'public') {
+            const keyObject = await importJWK({ ...jwk, ext: true }, protectedHeader.alg);
+            if (keyObject instanceof Uint8Array || keyObject.type !== 'public') {
                 throw new JWKSInvalid('JSON Web Key Set members must be public keys');
             }
             cached[protectedHeader.alg] = keyObject;

dist/browser/jwt/encrypt.js

@@ -1,6 +1,6 @@
 import CompactEncrypt from '../jwe/compact/encrypt.js';
 import { encoder } from '../lib/buffer_utils.js';
-import ProduceJWT from '../lib/jwt_producer.js';
+import { ProduceJWT } from './produce.js';
 class EncryptJWT extends ProduceJWT {
     setProtectedHeader(protectedHeader) {
         if (this._protectedHeader) {

dist/browser/lib/jwt_producer.js → dist/browser/jwt/produce.js

@@ -1,7 +1,7 @@
-import epoch from './epoch.js';
-import isObject from './is_object.js';
-import secs from './secs.js';
-export default class ProduceJWT {
+import epoch from '../lib/epoch.js';
+import isObject from '../lib/is_object.js';
+import secs from '../lib/secs.js';
+export class ProduceJWT {
     constructor(payload) {
         if (!isObject(payload)) {
             throw new TypeError('JWT Claims Set MUST be an object');

dist/browser/jwt/sign.js

@@ -1,7 +1,7 @@
 import CompactSign from '../jws/compact/sign.js';
 import { JWTInvalid } from '../util/errors.js';
 import { encoder } from '../lib/buffer_utils.js';
-import ProduceJWT from '../lib/jwt_producer.js';
+import { ProduceJWT } from './produce.js';
 class SignJWT extends ProduceJWT {
     setProtectedHeader(protectedHeader) {
         this._protectedHeader = protectedHeader;

dist/browser/jwt/unsecured.js

@@ -2,7 +2,7 @@ import * as base64url from '../runtime/base64url.js';
 import { decoder } from '../lib/buffer_utils.js';
 import { JWTInvalid } from '../util/errors.js';
 import jwtPayload from '../lib/jwt_claims_set.js';
-import ProduceJWT from '../lib/jwt_producer.js';
+import { ProduceJWT } from './produce.js';
 class UnsecuredJWT extends ProduceJWT {
     encode() {
         const header = base64url.encode(JSON.stringify({ alg: 'none' }));

dist/browser/lib/check_key_type.js

@@ -1,28 +1,45 @@
 import invalidKeyInput from '../runtime/invalid_key_input.js';
-const checkKeyType = (alg, key, usage) => {
-    if (!(key instanceof Uint8Array) && !(key === null || key === void 0 ? void 0 : key.type)) {
-        throw new TypeError(invalidKeyInput(key, 'KeyObject', 'CryptoKey', 'Uint8Array'));
+import isKeyLike, { types } from '../runtime/is_key_like.js';
+const symmetricTypeCheck = (key) => {
+    if (key instanceof Uint8Array)
+        return;
+    if (!isKeyLike(key)) {
+        throw new TypeError(invalidKeyInput(key, ...types, 'Uint8Array'));
     }
-    if (alg.startsWith('HS') ||
-        alg === 'dir' ||
-        alg.startsWith('PBES2') ||
-        alg.match(/^A\d{3}(?:GCM)?KW$/)) {
-        if (key instanceof Uint8Array || key.type === 'secret') {
-            return;
-        }
-        throw new TypeError('CryptoKey or KeyObject instances for symmetric algorithms must be of type "secret"');
+    if (key.type !== 'secret') {
+        throw new TypeError(`${types.join(' or ')} instances for symmetric algorithms must be of type "secret"`);
     }
-    if (key instanceof Uint8Array) {
-        throw new TypeError(invalidKeyInput(key, 'KeyObject', 'CryptoKey'));
+};
+const asymmetricTypeCheck = (key, usage) => {
+    if (!isKeyLike(key)) {
+        throw new TypeError(invalidKeyInput(key, ...types));
     }
     if (key.type === 'secret') {
-        throw new TypeError('CryptoKey or KeyObject instances for asymmetric algorithms must not be of type "secret"');
+        throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithms must not be of type "secret"`);
     }
     if (usage === 'sign' && key.type === 'public') {
-        throw new TypeError('CryptoKey or KeyObject instances for asymmetric algorithm signing must be of type "private"');
+        throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm signing must be of type "private"`);
     }
     if (usage === 'decrypt' && key.type === 'public') {
-        throw new TypeError('CryptoKey or KeyObject instances for asymmetric algorithm decryption must be of type "private"');
+        throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm decryption must be of type "private"`);
+    }
+    if (key.algorithm && usage === 'verify' && key.type === 'private') {
+        throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm verifying must be of type "public"`);
+    }
+    if (key.algorithm && usage === 'encrypt' && key.type === 'private') {
+        throw new TypeError(`${types.join(' or ')} instances for asymmetric algorithm encryption must be of type "public"`);
+    }
+};
+const checkKeyType = (alg, key, usage) => {
+    const symmetric = alg.startsWith('HS') ||
+        alg === 'dir' ||
+        alg.startsWith('PBES2') ||
+        /^A\d{3}(?:GCM)?KW$/.test(alg);
+    if (symmetric) {
+        symmetricTypeCheck(key);
+    }
+    else {
+        asymmetricTypeCheck(key, usage);
     }
 };
 export default checkKeyType;

dist/browser/lib/decrypt_key_management.js

@@ -8,81 +8,81 @@ import { JOSENotSupported, JWEInvalid } from '../util/errors.js';
 import { bitLengths as cekLengths } from '../lib/cek.js';
 import { importJWK } from '../key/import.js';
 import checkKeyType from './check_key_type.js';
-function assertEnryptedKey(encryptedKey) {
-    if (!encryptedKey) {
-        throw new JWEInvalid('JWE Encrypted Key missing');
-    }
-}
-function assertHeaderParameter(joseHeader, parameter, name) {
-    if (joseHeader[parameter] === undefined) {
-        throw new JWEInvalid(`JOSE Header ${name} (${parameter}) missing`);
-    }
-}
+import isObject from './is_object.js';
 async function decryptKeyManagement(alg, key, encryptedKey, joseHeader) {
     checkKeyType(alg, key, 'decrypt');
     switch (alg) {
         case 'dir': {
-            if (encryptedKey !== undefined) {
+            if (encryptedKey !== undefined)
                 throw new JWEInvalid('Encountered unexpected JWE Encrypted Key');
-            }
             return key;
         }
         case 'ECDH-ES':
-            if (encryptedKey !== undefined) {
+            if (encryptedKey !== undefined)
                 throw new JWEInvalid('Encountered unexpected JWE Encrypted Key');
-            }
         case 'ECDH-ES+A128KW':
         case 'ECDH-ES+A192KW':
         case 'ECDH-ES+A256KW': {
-            assertHeaderParameter(joseHeader, 'epk', 'Ephemeral Public Key');
-            if (!ECDH.ecdhAllowed(key)) {
+            if (!isObject(joseHeader.epk))
+                throw new JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
+            if (!ECDH.ecdhAllowed(key))
                 throw new JOSENotSupported('ECDH-ES with the provided key is not allowed or not supported by your javascript runtime');
-            }
             const epk = await importJWK(joseHeader.epk, alg);
             let partyUInfo;
             let partyVInfo;
-            if (joseHeader.apu !== undefined)
+            if (joseHeader.apu !== undefined) {
+                if (typeof joseHeader.apu !== 'string')
+                    throw new JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
                 partyUInfo = base64url(joseHeader.apu);
-            if (joseHeader.apv !== undefined)
+            }
+            if (joseHeader.apv !== undefined) {
+                if (typeof joseHeader.apv !== 'string')
+                    throw new JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
                 partyVInfo = base64url(joseHeader.apv);
+            }
             const sharedSecret = await ECDH.deriveKey(epk, key, alg === 'ECDH-ES' ? joseHeader.enc : alg, parseInt(alg.substr(-5, 3), 10) || cekLengths.get(joseHeader.enc), partyUInfo, partyVInfo);
-            if (alg === 'ECDH-ES') {
+            if (alg === 'ECDH-ES')
                 return sharedSecret;
-            }
-            assertEnryptedKey(encryptedKey);
-            const kwAlg = alg.substr(-6);
-            return aesKw(kwAlg, sharedSecret, encryptedKey);
+            if (encryptedKey === undefined)
+                throw new JWEInvalid('JWE Encrypted Key missing');
+            return aesKw(alg.substr(-6), sharedSecret, encryptedKey);
         }
         case 'RSA1_5':
         case 'RSA-OAEP':
         case 'RSA-OAEP-256':
         case 'RSA-OAEP-384':
         case 'RSA-OAEP-512': {
-            assertEnryptedKey(encryptedKey);
+            if (encryptedKey === undefined)
+                throw new JWEInvalid('JWE Encrypted Key missing');
             return rsaEs(alg, key, encryptedKey);
         }
         case 'PBES2-HS256+A128KW':
         case 'PBES2-HS384+A192KW':
         case 'PBES2-HS512+A256KW': {
-            assertEnryptedKey(encryptedKey);
-            assertHeaderParameter(joseHeader, 'p2c', 'PBES2 Count');
-            assertHeaderParameter(joseHeader, 'p2s', 'PBES2 Salt');
-            const { p2c } = joseHeader;
-            const p2s = base64url(joseHeader.p2s);
-            return pbes2Kw(alg, key, encryptedKey, p2c, p2s);
+            if (encryptedKey === undefined)
+                throw new JWEInvalid('JWE Encrypted Key missing');
+            if (typeof joseHeader.p2c !== 'number')
+                throw new JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
+            if (typeof joseHeader.p2s !== 'string')
+                throw new JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
+            return pbes2Kw(alg, key, encryptedKey, joseHeader.p2c, base64url(joseHeader.p2s));
         }
         case 'A128KW':
         case 'A192KW':
         case 'A256KW': {
-            assertEnryptedKey(encryptedKey);
+            if (encryptedKey === undefined)
+                throw new JWEInvalid('JWE Encrypted Key missing');
             return aesKw(alg, key, encryptedKey);
         }
         case 'A128GCMKW':
         case 'A192GCMKW':
         case 'A256GCMKW': {
-            assertEnryptedKey(encryptedKey);
-            assertHeaderParameter(joseHeader, 'iv', 'Initialization Vector');
-            assertHeaderParameter(joseHeader, 'tag', 'Authentication Tag');
+            if (encryptedKey === undefined)
+                throw new JWEInvalid('JWE Encrypted Key missing');
+            if (typeof joseHeader.iv !== 'string')
+                throw new JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
+            if (typeof joseHeader.tag !== 'string')
+                throw new JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
             const iv = base64url(joseHeader.iv);
             const tag = base64url(joseHeader.tag);
             return aesGcmKw(alg, key, encryptedKey, iv, tag);

dist/browser/lib/encrypt_key_management.js

@@ -7,7 +7,7 @@ import { wrap as aesGcmKw } from '../runtime/aesgcmkw.js';
 import { encode as base64url } from '../runtime/base64url.js';
 import cekFactory, { bitLengths as cekLengths } from '../lib/cek.js';
 import { JOSENotSupported } from '../util/errors.js';
-import { fromKeyLike } from '../jwk/from_key_like.js';
+import { exportJWK } from '../key/export.js';
 import checkKeyType from './check_key_type.js';
 const generateCek = cekFactory(random);
 async function encryptKeyManagement(alg, enc, key, providedCek, providedParameters = {}) {
@@ -30,7 +30,7 @@ async function encryptKeyManagement(alg, enc, key, providedCek, providedParamete
             const { apu, apv } = providedParameters;
             let { epk: ephemeralKey } = providedParameters;
             ephemeralKey || (ephemeralKey = await ECDH.generateEpk(key));
-            const { x, y, crv, kty } = await fromKeyLike(ephemeralKey);
+            const { x, y, crv, kty } = await exportJWK(ephemeralKey);
             const sharedSecret = await ECDH.deriveKey(key, ephemeralKey, alg === 'ECDH-ES' ? enc : alg, parseInt(alg.substr(-5, 3), 10) || cekLengths.get(enc), apu, apv);
             parameters = { epk: { x, y, crv, kty } };
             if (apu)

dist/browser/runtime/fetch_jwks.js

@@ -1,12 +1,18 @@
-import { JOSEError } from '../util/errors.js';
+import { JOSEError, JWKSTimeout } from '../util/errors.js';
 import globalThis, { isCloudflareWorkers } from './global.js';
 const fetchJwks = async (url, timeout) => {
     let controller;
+    let id;
+    let timedOut = false;
     if (typeof AbortController === 'function') {
         controller = new AbortController();
-        setTimeout(() => controller.abort(), timeout);
+        id = setTimeout(() => {
+            timedOut = true;
+            controller.abort();
+        }, timeout);
     }
-    const response = await globalThis.fetch(url.href, {
+    const response = await globalThis
+        .fetch(url.href, {
         signal: controller ? controller.signal : undefined,
         redirect: 'manual',
         method: 'GET',
@@ -17,7 +23,14 @@ const fetchJwks = async (url, timeout) => {
                 mode: 'cors',
             }
             : undefined),
+    })
+        .catch((err) => {
+        if (timedOut)
+            throw new JWKSTimeout();
+        throw err;
     });
+    if (id !== undefined)
+        clearTimeout(id);
     if (response.status !== 200) {
         throw new JOSEError('Expected 200 OK from the JSON Web Key Set HTTP response');
     }

dist/browser/runtime/is_key_like.js

@@ -0,0 +1,5 @@
+import { isCryptoKey } from './webcrypto.js';
+export default (key) => {
+    return isCryptoKey(key);
+};
+export const types = ['CryptoKey'];

dist/browser/util/errors.js

@@ -1,11 +1,10 @@
 export class JOSEError extends Error {
     constructor(message) {
+        var _a;
         super(message);
         this.code = JOSEError.code;
         this.name = this.constructor.name;
-        if (Error.captureStackTrace) {
-            Error.captureStackTrace(this, this.constructor);
-        }
+        (_a = Error.captureStackTrace) === null || _a === void 0 ? void 0 : _a.call(Error, this, this.constructor);
     }
 }
 JOSEError.code = 'ERR_JOSE_GENERIC';
@@ -91,6 +90,14 @@ export class JWKSMultipleMatchingKeys extends JOSEError {
     }
 }
 JWKSMultipleMatchingKeys.code = 'ERR_JWKS_MULTIPLE_MATCHING_KEYS';
+export class JWKSTimeout extends JOSEError {
+    constructor() {
+        super(...arguments);
+        this.code = JWKSTimeout.code;
+        this.message = 'request timed out';
+    }
+}
+JWKSTimeout.code = 'ERR_JWKS_TIMEOUT';
 export class JWSSignatureVerificationFailed extends JOSEError {
     constructor() {
         super(...arguments);