deno.land / x / jose@v5.2.4 / jwt / encrypt.ts

import { CompactEncrypt } from '../jwe/compact/encrypt.ts'import type { EncryptOptions, CompactJWEHeaderParameters, JWEKeyManagementHeaderParameters, KeyLike,} from '../types.d.ts'import { encoder } from '../lib/buffer_utils.ts'import { ProduceJWT } from './produce.ts'
/**
 * Builder for encrypted JSON Web Tokens in the JWE Compact Serialization.
 *
 * Claims are collected through the inherited ProduceJWT methods; the methods declared here
 * configure the JWE layer and finally hand the serialized claims set to CompactEncrypt.
 */
export class EncryptJWT extends ProduceJWT {
  // Caller-supplied Content Encryption Key. Left unset unless setContentEncryptionKey() is used.
  private _cek!: Uint8Array

  // Caller-supplied Initialization Vector. Left unset unless setInitializationVector() is used.
  private _iv!: Uint8Array

  // Optional key management parameters forwarded to CompactEncrypt.
  private _keyManagementParameters!: JWEKeyManagementHeaderParameters

  // JWE Protected Header. encrypt() may extend it with replicated claims.
  private _protectedHeader!: CompactJWEHeaderParameters

  // Flags selecting which claims encrypt() copies into the JWE Protected Header.
  private _replicateIssuerAsHeader!: boolean
  private _replicateSubjectAsHeader!: boolean
  private _replicateAudienceAsHeader!: boolean

  /**
   * Sets the JWE Protected Header on the EncryptJWT object.
   *
   * The JWE Protected Header is integrity protected but not encrypted, so it must only carry
   * values that may be disclosed to anyone who can read the token.
   *
   * @param protectedHeader JWE Protected Header. Must contain an "alg" (JWE Algorithm) and "enc"
   *   (JWE Encryption Algorithm) properties.
   * @throws TypeError when a protected header has already been set on this instance.
   */
  setProtectedHeader(protectedHeader: CompactJWEHeaderParameters): this {
    if (this._protectedHeader) throw new TypeError('setProtectedHeader can only be called once')

    this._protectedHeader = protectedHeader
    return this
  }

  /**
   * Sets the JWE Key Management parameters to be used when encrypting. Use of this method is
   * really only needed for ECDH based algorithms when utilizing the Agreement PartyUInfo or
   * Agreement PartyVInfo parameters. Other parameters will always be randomly generated when
   * needed and missing.
   *
   * @param parameters JWE Key Management parameters.
   * @throws TypeError when key management parameters have already been set on this instance.
   */
  setKeyManagementParameters(parameters: JWEKeyManagementHeaderParameters): this {
    if (this._keyManagementParameters) {
      throw new TypeError('setKeyManagementParameters can only be called once')
    }

    this._keyManagementParameters = parameters
    return this
  }

  /**
   * Sets a content encryption key to use. By default a random one suitable for the JWE "enc"
   * (Encryption Algorithm) Header Parameter is generated.
   *
   * A fixed CEK replaces that per-token random key. Reusing one across tokens weakens the
   * encryption, which is why production code should leave the default in place.
   *
   * @deprecated You should not use this method. It is only really intended for test and vector
   *   validation purposes.
   *
   * @param cek JWE Content Encryption Key.
   * @throws TypeError when a content encryption key has already been set on this instance.
   */
  setContentEncryptionKey(cek: Uint8Array): this {
    if (this._cek) throw new TypeError('setContentEncryptionKey can only be called once')

    this._cek = cek
    return this
  }

  /**
   * Sets the JWE Initialization Vector to use for content encryption. By default a random one
   * suitable for the JWE "enc" (Encryption Algorithm) Header Parameter is generated.
   *
   * An IV must not repeat under the same content encryption key. With the AES GCM "enc" values
   * a repeated IV compromises both confidentiality and integrity of the affected tokens.
   *
   * @deprecated You should not use this method. It is only really intended for test and vector
   *   validation purposes.
   *
   * @param iv JWE Initialization Vector.
   * @throws TypeError when an initialization vector has already been set on this instance.
   */
  setInitializationVector(iv: Uint8Array): this {
    if (this._iv) throw new TypeError('setInitializationVector can only be called once')

    this._iv = iv
    return this
  }

  /**
   * Replicates the "iss" (Issuer) Claim as a JWE Protected Header Parameter.
   *
   * The replicated value is carried unencrypted in the token. Recipients should check that it
   * matches the decrypted claim.
   *
   * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-5.3 RFC7519#section-5.3}
   */
  replicateIssuerAsHeader(): this {
    this._replicateIssuerAsHeader = true
    return this
  }

  /**
   * Replicates the "sub" (Subject) Claim as a JWE Protected Header Parameter.
   *
   * The replicated value is carried unencrypted in the token. Recipients should check that it
   * matches the decrypted claim.
   *
   * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-5.3 RFC7519#section-5.3}
   */
  replicateSubjectAsHeader(): this {
    this._replicateSubjectAsHeader = true
    return this
  }

  /**
   * Replicates the "aud" (Audience) Claim as a JWE Protected Header Parameter.
   *
   * The replicated value is carried unencrypted in the token. Recipients should check that it
   * matches the decrypted claim.
   *
   * @see {@link https://www.rfc-editor.org/rfc/rfc7519#section-5.3 RFC7519#section-5.3}
   */
  replicateAudienceAsHeader(): this {
    this._replicateAudienceAsHeader = true
    return this
  }

  /**
   * Encrypts and returns the JWT.
   *
   * The claims set is JSON-serialized and UTF-8 encoded as the JWE plaintext. Claims selected
   * through the replicate*AsHeader() methods are merged into the stored protected header before
   * it is passed on, so the stored header keeps them after this call.
   *
   * @param key Public Key or Secret to encrypt the JWT with. See
   *   {@link https://github.com/panva/jose/issues/210#jwe-alg Algorithm Key Requirements}.
   * @param options JWE Encryption options.
   * @returns The token in JWE Compact Serialization, as produced by CompactEncrypt.
   */
  async encrypt(key: KeyLike | Uint8Array, options?: EncryptOptions): Promise<string> {
    const plaintext = encoder.encode(JSON.stringify(this._payload))
    const jwe = new CompactEncrypt(plaintext)

    // Build the final header step by step: iss, then sub, then aud.
    let header = this._protectedHeader
    if (this._replicateIssuerAsHeader) {
      header = { ...header, iss: this._payload.iss }
    }
    if (this._replicateSubjectAsHeader) {
      header = { ...header, sub: this._payload.sub }
    }
    if (this._replicateAudienceAsHeader) {
      header = { ...header, aud: this._payload.aud }
    }
    this._protectedHeader = header

    // NOTE(review): nothing here checks that "alg" and "enc" are present; presumably
    // CompactEncrypt rejects an incomplete header. Confirm against its implementation.
    jwe.setProtectedHeader(header)

    // Forward the optional overrides only when the caller supplied them.
    if (this._iv) jwe.setInitializationVector(this._iv)
    if (this._cek) jwe.setContentEncryptionKey(this._cek)
    if (this._keyManagementParameters) {
      jwe.setKeyManagementParameters(this._keyManagementParameters)
    }

    return jwe.encrypt(key, options)
  }
}