Bump Jose to ^6

Author: nulltoken

README.md

@@ -95,12 +95,12 @@ axios
 
 ### Supported JWK formats
 
-| Algorithm         | kty | alg                         |
-| ----------------- | --- | --------------------------- |
-| RSASSA-PKCS1-v1_5 | RSA | RS256, RS384, RS512         |
-| RSASSA-PSS        | RSA | PS256, PS384, PS512         |
-| ECDSA             | EC  | ES256, ES256K, ES384, ES512 |
-| Edwards-curve DSA | OKP | EdDSA (Ed25519 / Ed448)     |
+| Algorithm         | kty | alg                 |
+| ----------------- | --- | ------------------- |
+| RSASSA-PKCS1-v1_5 | RSA | RS256, RS384, RS512 |
+| RSASSA-PSS        | RSA | PS256, PS384, PS512 |
+| ECDSA             | EC  | ES256, ES384, ES512 |
+| EdDSA             | OKP | Ed25519             |
 
 ### Customization hooks
 

package-lock.json

@@ -61,7 +61,7 @@
     "cors": "^2.8.5",
     "express": "^5.1.0",
     "is-plain-obj": "^4.1.0",
-    "jose": "^5.10.0"
+    "jose": "^6.0.11"
   },
   "devDependencies": {
     "@eslint/js": "^9.26.0",

package.json

@@ -22,7 +22,7 @@ import { webcrypto as crypto } from 'node:crypto';
 
 import isPlainObject from 'is-plain-obj';
 
-import type { CodeChallenge, PKCEAlgorithm, TokenRequest } from './types';
+import type { CodeChallenge, JWK, PKCEAlgorithm, TokenRequest } from './types';
 
 export const defaultTokenTtl = 3600;
 
@@ -162,3 +162,66 @@ export const createPKCECodeChallenge = async (
   }
   return challenge;
 };
+
+type JwkTransformer = (jwk: JWK) => JWK;
+
+const RsaPrivateFieldsRemover: JwkTransformer = (jwk) => {
+  const x = { ...jwk };
+
+  delete x.d;
+  delete x.p;
+  delete x.q;
+  delete x.dp;
+  delete x.dq;
+  delete x.qi;
+
+  return x;
+};
+
+const EcdsaPrivateFieldsRemover: JwkTransformer = (jwk) => {
+  const x = { ...jwk };
+
+  delete x.d;
+
+  return x;
+};
+
+const EddsaPrivateFieldsRemover: JwkTransformer = (jwk) => {
+  const x = { ...jwk };
+
+  delete x.d;
+
+  return x;
+};
+
+const privateToPublicTransformerMap: Record<string, JwkTransformer> = {
+  // RSASSA-PKCS1-v1_5
+  RS256: RsaPrivateFieldsRemover,
+  RS384: RsaPrivateFieldsRemover,
+  RS512: RsaPrivateFieldsRemover,
+
+  // RSASSA-PSS
+  PS256: RsaPrivateFieldsRemover,
+  PS384: RsaPrivateFieldsRemover,
+  PS512: RsaPrivateFieldsRemover,
+
+  // ECDSA
+  ES256: EcdsaPrivateFieldsRemover,
+  ES384: EcdsaPrivateFieldsRemover,
+  ES512: EcdsaPrivateFieldsRemover,
+
+  // Edwards-curve DSA
+  EdDSA: EddsaPrivateFieldsRemover,
+};
+
+export const supportedAlgs = Object.keys(privateToPublicTransformerMap);
+
+export const privateToPublicKeyTransformer = (privateKey: JWK): JWK => {
+  const transformer = privateToPublicTransformerMap[privateKey.alg];
+
+  if (transformer === undefined) {
+    throw new Error(`Unsupported algo '${privateKey.alg}'`);
+  }
+
+  return transformer(privateKey);
+};

src/lib/helpers.ts

@@ -18,74 +18,24 @@
  * @module lib/jwk-store
  */
 
-import { KeyObject, randomBytes } from 'node:crypto';
+import { randomBytes } from 'node:crypto';
 import { AssertionError } from 'node:assert';
 
 import type { GenerateKeyPairOptions } from 'jose';
 import { exportJWK, importJWK, generateKeyPair } from 'jose';
 
 import type { JWK } from './types';
 import type { JWKWithKid } from './types-internals';
-import { assertIsPlainObject } from './helpers';
+import {
+  assertIsPlainObject,
+  privateToPublicKeyTransformer,
+  supportedAlgs,
+} from './helpers';
 
 const generateRandomKid = () => {
   return randomBytes(40).toString('hex');
 };
 
-type JwkTransformer = (jwk: JWK) => JWK;
-
-const RsaPrivateFieldsRemover: JwkTransformer = (jwk) => {
-  const x = { ...jwk };
-
-  delete x.d;
-  delete x.p;
-  delete x.q;
-  delete x.dp;
-  delete x.dq;
-  delete x.qi;
-
-  return x;
-};
-
-const EcdsaPrivateFieldsRemover: JwkTransformer = (jwk) => {
-  const x = { ...jwk };
-
-  delete x.d;
-
-  return x;
-};
-
-const EddsaPrivateFieldsRemover: JwkTransformer = (jwk) => {
-  const x = { ...jwk };
-
-  delete x.d;
-
-  return x;
-};
-
-const privateToPublicTransformerMap: Record<string, JwkTransformer> = {
-  // RSASSA-PKCS1-v1_5
-  RS256: RsaPrivateFieldsRemover,
-  RS384: RsaPrivateFieldsRemover,
-  RS512: RsaPrivateFieldsRemover,
-
-  // RSASSA-PSS
-  PS256: RsaPrivateFieldsRemover,
-  PS384: RsaPrivateFieldsRemover,
-  PS512: RsaPrivateFieldsRemover,
-
-  // ECDSA
-  ES256: EcdsaPrivateFieldsRemover,
-  ES256K: EcdsaPrivateFieldsRemover,
-  ES384: EcdsaPrivateFieldsRemover,
-  ES512: EcdsaPrivateFieldsRemover,
-
-  // Edwards-curve DSA
-  EdDSA: EddsaPrivateFieldsRemover,
-};
-
-const supportedAlgs = Object.keys(privateToPublicTransformerMap);
-
 function normalizeKeyKid(
   jwk: unknown,
   opts?: { kid?: string },
@@ -131,9 +81,20 @@ export class JWKStore {
     const generateOpts: GenerateKeyPairOptions =
       opts?.crv !== undefined ? { crv: opts.crv } : {};
 
+    generateOpts.extractable = true;
+
+    if (
+      alg === 'EdDSA' &&
+      generateOpts.crv !== undefined &&
+      generateOpts.crv !== 'Ed25519'
+    ) {
+      throw new Error(
+        'Invalid or unsupported crv option provided, supported values are: Ed25519',
+      );
+    }
+
     const pair = await generateKeyPair(alg, generateOpts);
     const joseJwk = await exportJWK(pair.privateKey);
-
     normalizeKeyKid(joseJwk, opts);
     joseJwk.alg = alg;
 
@@ -162,9 +123,9 @@ export class JWKStore {
 
     const jwk = tempJwk as JWK;
 
-    const privateKey = await importJWK(jwk);
+    const privateKey = await importJWK(jwk, jwk.alg, { extractable: false });
 
-    if (!(privateKey instanceof KeyObject) || privateKey.type !== 'private') {
+    if (privateKey instanceof Uint8Array || privateKey.type !== 'private') {
       throw new Error(
         `Invalid JWK type. No "private" key related data has been found.`,
       );
@@ -229,13 +190,7 @@ class KeyRotator {
         continue;
       }
 
-      const cleaner = privateToPublicTransformerMap[key.alg];
-
-      if (cleaner === undefined) {
-        throw new Error(`Unsupported algo '{key.alg}'`);
-      }
-
-      keys.push(cleaner(key));
+      keys.push(privateToPublicKeyTransformer(key));
     }
 
     return keys;

src/lib/jwk-store.ts

@@ -1,6 +1,8 @@
 import { describe, it, expect } from 'vitest';
 
 import { JWKStore } from '../src/lib/jwk-store';
+import type { JWK } from '../src/lib/types';
+import { privateToPublicKeyTransformer } from '../src/lib/helpers';
 
 import * as testKeys from './keys';
 
@@ -14,7 +16,6 @@ describe('JWK Store', () => {
       ["RSASSA-PSS", "PS384", "RSA"],
       ["RSASSA-PSS", "PS512", "RSA"],
       ["ECDSA", "ES256", "EC"],
-      ["ECDSA", "ES256K", "EC"],
       ["ECDSA", "ES384", "EC"],
       ["ECDSA", "ES512", "EC"],
     ])('should be able to generate a new %s based key (alg = %s)', async (_kind: string, alg: string, expectedKty: string) => {
@@ -29,7 +30,6 @@ describe('JWK Store', () => {
 
     it.each([
       "Ed25519",
-      "Ed448",
     ])('should be able to generate a new EdDSA based key (crv = %s)', async (crv: string) => {
       const store = new JWKStore();
       const key = await store.generate('EdDSA', { crv });
@@ -56,7 +56,7 @@ describe('JWK Store', () => {
     ])('throws on unsupported crv for EdDSA alg (crv = %s)', async (crv: string) => {
       const store = new JWKStore();
 
-      await expect(() => store.generate('EdDSA', { crv })).rejects.toThrow("Invalid or unsupported crv option provided, supported values are Ed25519 and Ed448");
+      await expect(() => store.generate('EdDSA', { crv })).rejects.toThrow("Invalid or unsupported crv option provided, supported values are: Ed25519");
     });
 
     it.each([
@@ -115,14 +115,9 @@ describe('JWK Store', () => {
 
       const testKey = testKeys.getParsed('test-rs256-key.json');
 
-      delete testKey['d'];
-      delete testKey['p'];
-      delete testKey['q'];
-      delete testKey['dp'];
-      delete testKey['dq'];
-      delete testKey['qi'];
+      const publicKey = privateToPublicKeyTransformer(testKey as JWK);
 
-      await expect(() => store.add(testKey)).rejects.toThrow('Invalid JWK type. No "private" key related data has been found.');
+      await expect(() => store.add(publicKey)).rejects.toThrow('Invalid JWK type. No "private" key related data has been found.');
     });
 
     it('throws when serialized EC key is public"', async () => {

test/jwk-store.test.ts

@@ -4,6 +4,7 @@ import type {JWTVerifyResult } from "jose";
 import { importJWK, jwtVerify } from "jose";
 
 import type { OAuth2Issuer } from "../../src/lib/oauth2-issuer";
+import { privateToPublicKeyTransformer } from "../../src/lib/helpers";
 
 export const verifyTokenWithKey = async (issuer: OAuth2Issuer, token: string, kid: string): Promise<JWTVerifyResult> => {
   const key = issuer.keys.get(kid);
@@ -12,8 +13,8 @@ export const verifyTokenWithKey = async (issuer: OAuth2Issuer, token: string, ki
     throw new AssertionError({ message: 'Key is undefined' });
   }
 
-  const privateKey = await importJWK(key);
+  const publicKey = await importJWK(privateToPublicKeyTransformer(key));
 
-  const verified = await jwtVerify(token, privateKey);
+  const verified = await jwtVerify(token, publicKey);
   return verified;
 };