astro-ghostcms/.pnpm-store/v3/files/07/18bf3a39b1d12293bf042106835...

"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
const aeskw_js_1 = require("../runtime/aeskw.js");
const ECDH = require("../runtime/ecdhes.js");
const pbes2kw_js_1 = require("../runtime/pbes2kw.js");
const rsaes_js_1 = require("../runtime/rsaes.js");
const base64url_js_1 = require("../runtime/base64url.js");
const errors_js_1 = require("../util/errors.js");
const cek_js_1 = require("../lib/cek.js");
const import_js_1 = require("../key/import.js");
const check_key_type_js_1 = require("./check_key_type.js");
const is_object_js_1 = require("./is_object.js");
const aesgcmkw_js_1 = require("./aesgcmkw.js");
async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {
    (0, check_key_type_js_1.default)(alg, key, 'decrypt');
    switch (alg) {
        case 'dir': {
            if (encryptedKey !== undefined)
                throw new errors_js_1.JWEInvalid('Encountered unexpected JWE Encrypted Key');
            return key;
        }
        case 'ECDH-ES':
            if (encryptedKey !== undefined)
                throw new errors_js_1.JWEInvalid('Encountered unexpected JWE Encrypted Key');
        case 'ECDH-ES+A128KW':
        case 'ECDH-ES+A192KW':
        case 'ECDH-ES+A256KW': {
            if (!(0, is_object_js_1.default)(joseHeader.epk))
                throw new errors_js_1.JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
            if (!ECDH.ecdhAllowed(key))
                throw new errors_js_1.JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');
            const epk = await (0, import_js_1.importJWK)(joseHeader.epk, alg);
            let partyUInfo;
            let partyVInfo;
            if (joseHeader.apu !== undefined) {
                if (typeof joseHeader.apu !== 'string')
                    throw new errors_js_1.JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
                try {
                    partyUInfo = (0, base64url_js_1.decode)(joseHeader.apu);
                }
                catch {
                    throw new errors_js_1.JWEInvalid('Failed to base64url decode the apu');
                }
            }
            if (joseHeader.apv !== undefined) {
                if (typeof joseHeader.apv !== 'string')
                    throw new errors_js_1.JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
                try {
                    partyVInfo = (0, base64url_js_1.decode)(joseHeader.apv);
                }
                catch {
                    throw new errors_js_1.JWEInvalid('Failed to base64url decode the apv');
                }
            }
            const sharedSecret = await ECDH.deriveKey(epk, key, alg === 'ECDH-ES' ? joseHeader.enc : alg, alg === 'ECDH-ES' ? (0, cek_js_1.bitLength)(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);
            if (alg === 'ECDH-ES')
                return sharedSecret;
            if (encryptedKey === undefined)
                throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');
            return (0, aeskw_js_1.unwrap)(alg.slice(-6), sharedSecret, encryptedKey);
        }
        case 'RSA1_5':
        case 'RSA-OAEP':
        case 'RSA-OAEP-256':
        case 'RSA-OAEP-384':
        case 'RSA-OAEP-512': {
            if (encryptedKey === undefined)
                throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');
            return (0, rsaes_js_1.decrypt)(alg, key, encryptedKey);
        }
        case 'PBES2-HS256+A128KW':
        case 'PBES2-HS384+A192KW':
        case 'PBES2-HS512+A256KW': {
            if (encryptedKey === undefined)
                throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');
            if (typeof joseHeader.p2c !== 'number')
                throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
            const p2cLimit = options?.maxPBES2Count || 10000;
            if (joseHeader.p2c > p2cLimit)
                throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
            if (typeof joseHeader.p2s !== 'string')
                throw new errors_js_1.JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
            let p2s;
            try {
                p2s = (0, base64url_js_1.decode)(joseHeader.p2s);
            }
            catch {
                throw new errors_js_1.JWEInvalid('Failed to base64url decode the p2s');
            }
            return (0, pbes2kw_js_1.decrypt)(alg, key, encryptedKey, joseHeader.p2c, p2s);
        }
        case 'A128KW':
        case 'A192KW':
        case 'A256KW': {
            if (encryptedKey === undefined)
                throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');
            return (0, aeskw_js_1.unwrap)(alg, key, encryptedKey);
        }
        case 'A128GCMKW':
        case 'A192GCMKW':
        case 'A256GCMKW': {
            if (encryptedKey === undefined)
                throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');
            if (typeof joseHeader.iv !== 'string')
                throw new errors_js_1.JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
            if (typeof joseHeader.tag !== 'string')
                throw new errors_js_1.JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
            let iv;
            try {
                iv = (0, base64url_js_1.decode)(joseHeader.iv);
            }
            catch {
                throw new errors_js_1.JWEInvalid('Failed to base64url decode the iv');
            }
            let tag;
            try {
                tag = (0, base64url_js_1.decode)(joseHeader.tag);
            }
            catch {
                throw new errors_js_1.JWEInvalid('Failed to base64url decode the tag');
            }
            return (0, aesgcmkw_js_1.unwrap)(alg, key, encryptedKey, iv, tag);
        }
        default: {
            throw new errors_js_1.JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value');
        }
    }
}
exports.default = decryptKeyManagement;
chore: update versions 2024-02-14 14:10:47 +00:00			`"use strict";`
			`Object.defineProperty(exports, "__esModule", { value: true });`
			`const aeskw_js_1 = require("../runtime/aeskw.js");`
			`const ECDH = require("../runtime/ecdhes.js");`
			`const pbes2kw_js_1 = require("../runtime/pbes2kw.js");`
			`const rsaes_js_1 = require("../runtime/rsaes.js");`
			`const base64url_js_1 = require("../runtime/base64url.js");`
			`const errors_js_1 = require("../util/errors.js");`
			`const cek_js_1 = require("../lib/cek.js");`
			`const import_js_1 = require("../key/import.js");`
			`const check_key_type_js_1 = require("./check_key_type.js");`
			`const is_object_js_1 = require("./is_object.js");`
			`const aesgcmkw_js_1 = require("./aesgcmkw.js");`
			`async function decryptKeyManagement(alg, key, encryptedKey, joseHeader, options) {`
			`(0, check_key_type_js_1.default)(alg, key, 'decrypt');`
			`switch (alg) {`
			`case 'dir': {`
			`if (encryptedKey !== undefined)`
			`throw new errors_js_1.JWEInvalid('Encountered unexpected JWE Encrypted Key');`
			`return key;`
			`}`
			`case 'ECDH-ES':`
			`if (encryptedKey !== undefined)`
			`throw new errors_js_1.JWEInvalid('Encountered unexpected JWE Encrypted Key');`
			`case 'ECDH-ES+A128KW':`
			`case 'ECDH-ES+A192KW':`
			`case 'ECDH-ES+A256KW': {`
			`if (!(0, is_object_js_1.default)(joseHeader.epk))`
			throw new errors_js_1.JWEInvalid(`JOSE Header "epk" (Ephemeral Public Key) missing or invalid`);
			`if (!ECDH.ecdhAllowed(key))`
			`throw new errors_js_1.JOSENotSupported('ECDH with the provided key is not allowed or not supported by your javascript runtime');`
			`const epk = await (0, import_js_1.importJWK)(joseHeader.epk, alg);`
			`let partyUInfo;`
			`let partyVInfo;`
			`if (joseHeader.apu !== undefined) {`
			`if (typeof joseHeader.apu !== 'string')`
			throw new errors_js_1.JWEInvalid(`JOSE Header "apu" (Agreement PartyUInfo) invalid`);
			`try {`
			`partyUInfo = (0, base64url_js_1.decode)(joseHeader.apu);`
			`}`
			`catch {`
			`throw new errors_js_1.JWEInvalid('Failed to base64url decode the apu');`
			`}`
			`}`
			`if (joseHeader.apv !== undefined) {`
			`if (typeof joseHeader.apv !== 'string')`
			throw new errors_js_1.JWEInvalid(`JOSE Header "apv" (Agreement PartyVInfo) invalid`);
			`try {`
			`partyVInfo = (0, base64url_js_1.decode)(joseHeader.apv);`
			`}`
			`catch {`
			`throw new errors_js_1.JWEInvalid('Failed to base64url decode the apv');`
			`}`
			`}`
			`const sharedSecret = await ECDH.deriveKey(epk, key, alg === 'ECDH-ES' ? joseHeader.enc : alg, alg === 'ECDH-ES' ? (0, cek_js_1.bitLength)(joseHeader.enc) : parseInt(alg.slice(-5, -2), 10), partyUInfo, partyVInfo);`
			`if (alg === 'ECDH-ES')`
			`return sharedSecret;`
			`if (encryptedKey === undefined)`
			`throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');`
			`return (0, aeskw_js_1.unwrap)(alg.slice(-6), sharedSecret, encryptedKey);`
			`}`
			`case 'RSA1_5':`
			`case 'RSA-OAEP':`
			`case 'RSA-OAEP-256':`
			`case 'RSA-OAEP-384':`
			`case 'RSA-OAEP-512': {`
			`if (encryptedKey === undefined)`
			`throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');`
			`return (0, rsaes_js_1.decrypt)(alg, key, encryptedKey);`
			`}`
			`case 'PBES2-HS256+A128KW':`
			`case 'PBES2-HS384+A192KW':`
			`case 'PBES2-HS512+A256KW': {`
			`if (encryptedKey === undefined)`
			`throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');`
			`if (typeof joseHeader.p2c !== 'number')`
			throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) missing or invalid`);
			`const p2cLimit = options?.maxPBES2Count \|\| 10000;`
			`if (joseHeader.p2c > p2cLimit)`
			throw new errors_js_1.JWEInvalid(`JOSE Header "p2c" (PBES2 Count) out is of acceptable bounds`);
			`if (typeof joseHeader.p2s !== 'string')`
			throw new errors_js_1.JWEInvalid(`JOSE Header "p2s" (PBES2 Salt) missing or invalid`);
			`let p2s;`
			`try {`
			`p2s = (0, base64url_js_1.decode)(joseHeader.p2s);`
			`}`
			`catch {`
			`throw new errors_js_1.JWEInvalid('Failed to base64url decode the p2s');`
			`}`
			`return (0, pbes2kw_js_1.decrypt)(alg, key, encryptedKey, joseHeader.p2c, p2s);`
			`}`
			`case 'A128KW':`
			`case 'A192KW':`
			`case 'A256KW': {`
			`if (encryptedKey === undefined)`
			`throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');`
			`return (0, aeskw_js_1.unwrap)(alg, key, encryptedKey);`
			`}`
			`case 'A128GCMKW':`
			`case 'A192GCMKW':`
			`case 'A256GCMKW': {`
			`if (encryptedKey === undefined)`
			`throw new errors_js_1.JWEInvalid('JWE Encrypted Key missing');`
			`if (typeof joseHeader.iv !== 'string')`
			throw new errors_js_1.JWEInvalid(`JOSE Header "iv" (Initialization Vector) missing or invalid`);
			`if (typeof joseHeader.tag !== 'string')`
			throw new errors_js_1.JWEInvalid(`JOSE Header "tag" (Authentication Tag) missing or invalid`);
			`let iv;`
			`try {`
			`iv = (0, base64url_js_1.decode)(joseHeader.iv);`
			`}`
			`catch {`
			`throw new errors_js_1.JWEInvalid('Failed to base64url decode the iv');`
			`}`
			`let tag;`
			`try {`
			`tag = (0, base64url_js_1.decode)(joseHeader.tag);`
			`}`
			`catch {`
			`throw new errors_js_1.JWEInvalid('Failed to base64url decode the tag');`
			`}`
			`return (0, aesgcmkw_js_1.unwrap)(alg, key, encryptedKey, iv, tag);`
			`}`
			`default: {`
			`throw new errors_js_1.JOSENotSupported('Invalid or unsupported "alg" (JWE Algorithm) header value');`
			`}`
			`}`
			`}`
			`exports.default = decryptKeyManagement;`