162 lines
6.8 KiB
Plaintext
162 lines
6.8 KiB
Plaintext
|
"use strict";
|
||
|
Object.defineProperty(exports, "__esModule", { value: true });
|
||
|
exports.flattenedDecrypt = void 0;
|
||
|
const base64url_js_1 = require("../../runtime/base64url.js");
|
||
|
const decrypt_js_1 = require("../../runtime/decrypt.js");
|
||
|
const errors_js_1 = require("../../util/errors.js");
|
||
|
const is_disjoint_js_1 = require("../../lib/is_disjoint.js");
|
||
|
const is_object_js_1 = require("../../lib/is_object.js");
|
||
|
const decrypt_key_management_js_1 = require("../../lib/decrypt_key_management.js");
|
||
|
const buffer_utils_js_1 = require("../../lib/buffer_utils.js");
|
||
|
const cek_js_1 = require("../../lib/cek.js");
|
||
|
const validate_crit_js_1 = require("../../lib/validate_crit.js");
|
||
|
const validate_algorithms_js_1 = require("../../lib/validate_algorithms.js");
|
||
|
async function flattenedDecrypt(jwe, key, options) {
|
||
|
if (!(0, is_object_js_1.default)(jwe)) {
|
||
|
throw new errors_js_1.JWEInvalid('Flattened JWE must be an object');
|
||
|
}
|
||
|
if (jwe.protected === undefined && jwe.header === undefined && jwe.unprotected === undefined) {
|
||
|
throw new errors_js_1.JWEInvalid('JOSE Header missing');
|
||
|
}
|
||
|
if (typeof jwe.iv !== 'string') {
|
||
|
throw new errors_js_1.JWEInvalid('JWE Initialization Vector missing or incorrect type');
|
||
|
}
|
||
|
if (typeof jwe.ciphertext !== 'string') {
|
||
|
throw new errors_js_1.JWEInvalid('JWE Ciphertext missing or incorrect type');
|
||
|
}
|
||
|
if (typeof jwe.tag !== 'string') {
|
||
|
throw new errors_js_1.JWEInvalid('JWE Authentication Tag missing or incorrect type');
|
||
|
}
|
||
|
if (jwe.protected !== undefined && typeof jwe.protected !== 'string') {
|
||
|
throw new errors_js_1.JWEInvalid('JWE Protected Header incorrect type');
|
||
|
}
|
||
|
if (jwe.encrypted_key !== undefined && typeof jwe.encrypted_key !== 'string') {
|
||
|
throw new errors_js_1.JWEInvalid('JWE Encrypted Key incorrect type');
|
||
|
}
|
||
|
if (jwe.aad !== undefined && typeof jwe.aad !== 'string') {
|
||
|
throw new errors_js_1.JWEInvalid('JWE AAD incorrect type');
|
||
|
}
|
||
|
if (jwe.header !== undefined && !(0, is_object_js_1.default)(jwe.header)) {
|
||
|
throw new errors_js_1.JWEInvalid('JWE Shared Unprotected Header incorrect type');
|
||
|
}
|
||
|
if (jwe.unprotected !== undefined && !(0, is_object_js_1.default)(jwe.unprotected)) {
|
||
|
throw new errors_js_1.JWEInvalid('JWE Per-Recipient Unprotected Header incorrect type');
|
||
|
}
|
||
|
let parsedProt;
|
||
|
if (jwe.protected) {
|
||
|
try {
|
||
|
const protectedHeader = (0, base64url_js_1.decode)(jwe.protected);
|
||
|
parsedProt = JSON.parse(buffer_utils_js_1.decoder.decode(protectedHeader));
|
||
|
}
|
||
|
catch {
|
||
|
throw new errors_js_1.JWEInvalid('JWE Protected Header is invalid');
|
||
|
}
|
||
|
}
|
||
|
if (!(0, is_disjoint_js_1.default)(parsedProt, jwe.header, jwe.unprotected)) {
|
||
|
throw new errors_js_1.JWEInvalid('JWE Protected, JWE Unprotected Header, and JWE Per-Recipient Unprotected Header Parameter names must be disjoint');
|
||
|
}
|
||
|
const joseHeader = {
|
||
|
...parsedProt,
|
||
|
...jwe.header,
|
||
|
...jwe.unprotected,
|
||
|
};
|
||
|
(0, validate_crit_js_1.default)(errors_js_1.JWEInvalid, new Map(), options?.crit, parsedProt, joseHeader);
|
||
|
if (joseHeader.zip !== undefined) {
|
||
|
throw new errors_js_1.JOSENotSupported('JWE "zip" (Compression Algorithm) Header Parameter is not supported.');
|
||
|
}
|
||
|
const { alg, enc } = joseHeader;
|
||
|
if (typeof alg !== 'string' || !alg) {
|
||
|
throw new errors_js_1.JWEInvalid('missing JWE Algorithm (alg) in JWE Header');
|
||
|
}
|
||
|
if (typeof enc !== 'string' || !enc) {
|
||
|
throw new errors_js_1.JWEInvalid('missing JWE Encryption Algorithm (enc) in JWE Header');
|
||
|
}
|
||
|
const keyManagementAlgorithms = options && (0, validate_algorithms_js_1.default)('keyManagementAlgorithms', options.keyManagementAlgorithms);
|
||
|
const contentEncryptionAlgorithms = options &&
|
||
|
(0, validate_algorithms_js_1.default)('contentEncryptionAlgorithms', options.contentEncryptionAlgorithms);
|
||
|
if ((keyManagementAlgorithms && !keyManagementAlgorithms.has(alg)) ||
|
||
|
(!keyManagementAlgorithms && alg.startsWith('PBES2'))) {
|
||
|
throw new errors_js_1.JOSEAlgNotAllowed('"alg" (Algorithm) Header Parameter value not allowed');
|
||
|
}
|
||
|
if (contentEncryptionAlgorithms && !contentEncryptionAlgorithms.has(enc)) {
|
||
|
throw new errors_js_1.JOSEAlgNotAllowed('"enc" (Encryption Algorithm) Header Parameter value not allowed');
|
||
|
}
|
||
|
let encryptedKey;
|
||
|
if (jwe.encrypted_key !== undefined) {
|
||
|
try {
|
||
|
encryptedKey = (0, base64url_js_1.decode)(jwe.encrypted_key);
|
||
|
}
|
||
|
catch {
|
||
|
throw new errors_js_1.JWEInvalid('Failed to base64url decode the encrypted_key');
|
||
|
}
|
||
|
}
|
||
|
let resolvedKey = false;
|
||
|
if (typeof key === 'function') {
|
||
|
key = await key(parsedProt, jwe);
|
||
|
resolvedKey = true;
|
||
|
}
|
||
|
let cek;
|
||
|
try {
|
||
|
cek = await (0, decrypt_key_management_js_1.default)(alg, key, encryptedKey, joseHeader, options);
|
||
|
}
|
||
|
catch (err) {
|
||
|
if (err instanceof TypeError || err instanceof errors_js_1.JWEInvalid || err instanceof errors_js_1.JOSENotSupported) {
|
||
|
throw err;
|
||
|
}
|
||
|
cek = (0, cek_js_1.default)(enc);
|
||
|
}
|
||
|
let iv;
|
||
|
let tag;
|
||
|
try {
|
||
|
iv = (0, base64url_js_1.decode)(jwe.iv);
|
||
|
}
|
||
|
catch {
|
||
|
throw new errors_js_1.JWEInvalid('Failed to base64url decode the iv');
|
||
|
}
|
||
|
try {
|
||
|
tag = (0, base64url_js_1.decode)(jwe.tag);
|
||
|
}
|
||
|
catch {
|
||
|
throw new errors_js_1.JWEInvalid('Failed to base64url decode the tag');
|
||
|
}
|
||
|
const protectedHeader = buffer_utils_js_1.encoder.encode(jwe.protected ?? '');
|
||
|
let additionalData;
|
||
|
if (jwe.aad !== undefined) {
|
||
|
additionalData = (0, buffer_utils_js_1.concat)(protectedHeader, buffer_utils_js_1.encoder.encode('.'), buffer_utils_js_1.encoder.encode(jwe.aad));
|
||
|
}
|
||
|
else {
|
||
|
additionalData = protectedHeader;
|
||
|
}
|
||
|
let ciphertext;
|
||
|
try {
|
||
|
ciphertext = (0, base64url_js_1.decode)(jwe.ciphertext);
|
||
|
}
|
||
|
catch {
|
||
|
throw new errors_js_1.JWEInvalid('Failed to base64url decode the ciphertext');
|
||
|
}
|
||
|
let plaintext = await (0, decrypt_js_1.default)(enc, cek, ciphertext, iv, tag, additionalData);
|
||
|
const result = { plaintext };
|
||
|
if (jwe.protected !== undefined) {
|
||
|
result.protectedHeader = parsedProt;
|
||
|
}
|
||
|
if (jwe.aad !== undefined) {
|
||
|
try {
|
||
|
result.additionalAuthenticatedData = (0, base64url_js_1.decode)(jwe.aad);
|
||
|
}
|
||
|
catch {
|
||
|
throw new errors_js_1.JWEInvalid('Failed to base64url decode the aad');
|
||
|
}
|
||
|
}
|
||
|
if (jwe.unprotected !== undefined) {
|
||
|
result.sharedUnprotectedHeader = jwe.unprotected;
|
||
|
}
|
||
|
if (jwe.header !== undefined) {
|
||
|
result.unprotectedHeader = jwe.header;
|
||
|
}
|
||
|
if (resolvedKey) {
|
||
|
return { ...result, key };
|
||
|
}
|
||
|
return result;
|
||
|
}
|
||
|
exports.flattenedDecrypt = flattenedDecrypt;
|