Merge pull request #19 from transmute-industries/fully-specified

Fully specified
transmute-industries · Aug 24, 2024 · 7f53723 · 7f53723
2 parents de25eb9 + 179e27f
commit 7f53723
Show file tree

Hide file tree

Showing 35 changed files with 273 additions and 146 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@transmute/cose",
-  "version": "0.2.11",
+  "version": "0.2.12",
   "description": "COSE and related work.",
   "main": "./dist/index.js",
   "typings": "dist/index.d.ts",

diff --git a/src/cose/Params.ts b/src/cose/Params.ts
@@ -1,3 +1,5 @@
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
 // This module is just just a limited set of the IANA registries, 
 // exposed to make Map initialization more readable
 
@@ -96,7 +98,8 @@ export const Hash = {
 }
 
 export const Signature = {
-  'ES256': -7
+  'ES256': -7,
+  'ES384': -35
 }
 
 
@@ -115,26 +118,32 @@ export const Direct = {
   'HPKE-Base-P256-SHA256-AES128GCM': 35
 }
 
-export const EC2 = 2
 
-export const KeyTypes = {
-  EC2
-}
 
 export const KeyType = 1
 export const KeyAlg = 3
-export const KeyCurve = -1
+export const KeyId = 2
 
-export const Epk = {
+export const Key = {
   Kty: KeyType,
-  Crv: KeyCurve,
-  Alg: KeyAlg
+  Alg: KeyAlg,
+  Kid: KeyId
 }
 
-export const Key = {
-  Kty: KeyType,
-  Crv: KeyCurve,
-  Alg: KeyAlg
+export const Epk = {
+  ...Key
+}
+
+export const KeyTypes = {
+  EC2: 2
+}
+
+export const EC2 = {
+  ...Key,
+  Crv: -1,
+  X: -2,
+  Y: -3,
+  D: -4
 }
 
 export const Curves = {

diff --git a/src/cose/key/convertCoseKeyToJsonWebKey.ts b/src/cose/key/convertCoseKeyToJsonWebKey.ts
@@ -1,27 +1,24 @@
 import { base64url, calculateJwkThumbprint } from "jose";
 import { CoseKey } from ".";
 
-
-import { IANACOSEAlgorithms } from '../algorithms';
 import { IANACOSEEllipticCurves } from '../elliptic-curves';
 
-const algorithms = Object.values(IANACOSEAlgorithms)
 const curves = Object.values(IANACOSEEllipticCurves)
 
 import { formatJwk } from "./formatJwk";
+import { iana } from "../../iana";
+import { EC2, Key, KeyTypes } from "../Params";
 
 export const convertCoseKeyToJsonWebKey = async <T>(coseKey: CoseKey): Promise<T> => {
-  const kty = coseKey.get(1) as number
-  const kid = coseKey.get(2)
-  const alg = coseKey.get(3)
-  const crv = coseKey.get(-1)
-  // kty EC, kty: EK
-  if (![2, 5].includes(kty)) {
+  const kty = coseKey.get(Key.Kty) as number
+  // kty EC2
+  if (![KeyTypes.EC2].includes(kty)) {
     throw new Error('This library requires does not support the given key type')
   }
-  const foundAlgorithm = algorithms.find((param) => {
-    return param.Value === `${alg}`
-  })
+  const kid = coseKey.get(Key.Kid)
+  const alg = coseKey.get(Key.Alg)
+  const crv = coseKey.get(EC2.Crv)
+  const foundAlgorithm = iana["COSE Algorithms"].getByValue(alg as number)
   if (!foundAlgorithm) {
     throw new Error('This library requires keys to use fully specified algorithms')
   }
@@ -36,9 +33,9 @@ export const convertCoseKeyToJsonWebKey = async <T>(coseKey: CoseKey): Promise<T
     alg: foundAlgorithm.Name,
     crv: foundCurve.Name
   } as any
-  const x = coseKey.get(-2) as any
-  const y = coseKey.get(-3) as any
-  const d = coseKey.get(-4) as any
+  const x = coseKey.get(EC2.X) as any
+  const y = coseKey.get(EC2.Y) as any
+  const d = coseKey.get(EC2.D) as any
   if (x) {
     jwk.x = base64url.encode(x)
   }

diff --git a/src/cose/key/convertJsonWebKeyToCoseKey.ts b/src/cose/key/convertJsonWebKeyToCoseKey.ts
@@ -3,14 +3,12 @@ import { base64url } from 'jose'
 import { toArrayBuffer } from '../../cbor'
 
 import { IANACOSEKeyCommonParameters } from '../key-common-parameters';
-import { IANACOSEAlgorithms } from '../algorithms';
 import { IANACOSEKeyTypeParameters, IANACOSEKeyTypeParameter } from '../key-type-parameters';
 import { IANACOSEKeyTypes } from '../key-type';
 import { IANACOSEEllipticCurves } from '../elliptic-curves';
-import { PublicKeyJwk, SecretKeyJwk } from '../sign1';
+import { PublicKeyJwk, PrivateKeyJwk } from '../sign1';
+import { iana } from '../../iana';
 
-
-const algorithms = Object.values(IANACOSEAlgorithms)
 const commonParams = Object.values(IANACOSEKeyCommonParameters)
 const keyTypeParams = Object.values(IANACOSEKeyTypeParameters)
 const keyTypes = Object.values(IANACOSEKeyTypes)
@@ -40,7 +38,7 @@ const getKeyTypeSpecificLabel = (keyType: 'EC2' | 'OKP', keyTypeParam: string) =
   return label
 }
 
-export const convertJsonWebKeyToCoseKey = async <T>(jwk: PublicKeyJwk | SecretKeyJwk): Promise<T> => {
+export const convertJsonWebKeyToCoseKey = async <T>(jwk: PublicKeyJwk | PrivateKeyJwk): Promise<T> => {
 
   const { kty } = jwk
   let coseKty = `${kty}` as 'OKP' | 'EC' | 'EC2'; // evidence of terrible design.
@@ -82,9 +80,7 @@ export const convertJsonWebKeyToCoseKey = async <T>(jwk: PublicKeyJwk | SecretKe
       }
       case 'alg': {
         if (foundCommonParam) {
-          const foundAlgorithm = algorithms.find((param) => {
-            return param.Name === value
-          })
+          const foundAlgorithm = iana['COSE Algorithms'].getByName(value)
           if (foundAlgorithm) {
             coseKey.set(label, parseInt(foundAlgorithm.Value, 10))
           } else {

diff --git a/src/cose/key/generate.ts b/src/cose/key/generate.ts
@@ -6,8 +6,9 @@ import { IANACOSEAlgorithms } from "../algorithms"
 
 
 import { CoseKey } from '.'
+
 export type CoseKeyAgreementAlgorithms = 'ECDH-ES+A128KW'
-export type CoseSignatureAlgorithms = 'ES256' | 'ES384' | 'ES512'
+export type CoseSignatureAlgorithms = 'ES256' | 'ES384' | 'ES512' | 'ESP256' | 'ESP384'
 export type ContentTypeOfJsonWebKey = 'application/jwk+json'
 export type ContentTypeOfCoseKey = 'application/cose-key'
 export type PrivateKeyContentType = ContentTypeOfCoseKey | ContentTypeOfJsonWebKey
@@ -18,17 +19,25 @@ import { thumbprint } from "./thumbprint"
 
 import { formatJwk } from './formatJwk'
 
+import { iana } from '../../iana'
+import { Key } from "../Params"
 
 export const generate = async <T>(alg: CoseSignatureAlgorithms, contentType: PrivateKeyContentType = 'application/jwk+json'): Promise<T> => {
-  const knownAlgorithm = Object.values(IANACOSEAlgorithms).find((
+  let knownAlgorithm = Object.values(IANACOSEAlgorithms).find((
     entry
   ) => {
     return entry.Name === alg
   })
+  if (!knownAlgorithm) {
+    knownAlgorithm = iana["COSE Algorithms"].getByName(alg)
+  }
   if (!knownAlgorithm) {
     throw new Error('Algorithm is not supported.')
   }
-  const cryptoKeyPair = await generateKeyPair(knownAlgorithm.Name, { extractable: true });
+  const cryptoKeyPair = await generateKeyPair(
+    iana["COSE Algorithms"]["less-specified"](knownAlgorithm.Name),
+    { extractable: true }
+  );
   const privateKeyJwk = await exportJWK(cryptoKeyPair.privateKey)
   const jwkThumbprint = await calculateJwkThumbprint(privateKeyJwk)
   privateKeyJwk.kid = jwkThumbprint
@@ -40,7 +49,7 @@ export const generate = async <T>(alg: CoseSignatureAlgorithms, contentType: Pri
     delete privateKeyJwk.kid;
     const secretKeyCoseKey = await convertJsonWebKeyToCoseKey<CoseKey>(privateKeyJwk)
     const coseKeyThumbprint = await thumbprint.calculateCoseKeyThumbprint(secretKeyCoseKey)
-    secretKeyCoseKey.set(2, coseKeyThumbprint)
+    secretKeyCoseKey.set(Key.Kid, coseKeyThumbprint)
     return secretKeyCoseKey as T
   }
   throw new Error('Unsupported content type.')

diff --git a/src/cose/key/index.ts b/src/cose/key/index.ts
@@ -1,9 +1,9 @@
 
 
 
-import { PublicKeyJwk, SecretKeyJwk } from '../sign1'
+import { PublicKeyJwk, PrivateKeyJwk } from '../sign1'
 
-export type JsonWebKey = SecretKeyJwk | PublicKeyJwk
+export type JsonWebKey = PrivateKeyJwk | PublicKeyJwk
 
 export type CoseMapKey = string | number
 export type CoseMapValue = Uint8Array | ArrayBuffer | string | number | Map<CoseMapKey, unknown>

diff --git a/src/cose/key/publicFromPrivate.ts b/src/cose/key/publicFromPrivate.ts
@@ -1,8 +1,9 @@
 import { CoseKey } from ".";
-import { SecretKeyJwk } from "../sign1";
+import { EC2, Key, KeyTypes } from "../Params";
+import { PrivateKeyJwk } from "../sign1";
 
 
-export const extracePublicKeyJwk = (privateKeyJwk: SecretKeyJwk) => {
+export const extractPublicKeyJwk = (privateKeyJwk: PrivateKeyJwk) => {
   if (privateKeyJwk.kty !== 'EC') {
     throw new Error('Only EC keys are supported')
   }
@@ -13,19 +14,19 @@ export const extracePublicKeyJwk = (privateKeyJwk: SecretKeyJwk) => {
 
 export const extractPublicCoseKey = (secretKey: CoseKey) => {
   const publicCoseKeyMap = new Map(secretKey)
-  if (publicCoseKeyMap.get(1) !== 2) {
+  if (publicCoseKeyMap.get(Key.Kty) !== KeyTypes.EC2) {
     throw new Error('Only EC2 keys are supported')
   }
-  if (!publicCoseKeyMap.get(-4)) {
+  if (!publicCoseKeyMap.get(EC2.D)) {
     throw new Error('privateKey is not a secret / private key (has no d / -4)')
   }
-  publicCoseKeyMap.delete(-4);
+  publicCoseKeyMap.delete(EC2.D);
   return publicCoseKeyMap
 }
 
-export const publicFromPrivate = <T>(secretKey: SecretKeyJwk | CoseKey) => {
-  if ((secretKey as any).kty) {
-    return extracePublicKeyJwk(secretKey as SecretKeyJwk) as T
+export const publicFromPrivate = <T>(secretKey: PrivateKeyJwk | CoseKey) => {
+  if ((secretKey as PrivateKeyJwk).kty) {
+    return extractPublicKeyJwk(secretKey as PrivateKeyJwk) as T
   }
   return extractPublicCoseKey(secretKey as CoseKey) as T
 }
diff --git a/src/cose/key/serialize.ts b/src/cose/key/serialize.ts
@@ -5,7 +5,7 @@ import { CoseKey } from '.'
 
 export const serialize = <T>(key: JWK | CoseKey) => {
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  if ((key as any).kty) {
+  if ((key as JWK).kty) {
     return JSON.stringify(key, null, 2)
   }
   return encode(key)

diff --git a/src/cose/key/thumbprint.ts b/src/cose/key/thumbprint.ts
@@ -3,13 +3,18 @@ import { calculateJwkThumbprint, calculateJwkThumbprintUri, base64url } from "jo
 import { encodeCanonical } from "../../cbor";
 
 import subtleCryptoProvider from "../../crypto/subtleCryptoProvider";
+import { EC2, Key, KeyTypes } from "../Params";
+import { CoseKey } from ".";
 
 // https://www.ietf.org/archive/id/draft-ietf-cose-key-thumbprint-01.html#section-6
-const calculateCoseKeyThumbprint = async (coseKey: Map<any, any>): Promise<ArrayBuffer> => {
+const calculateCoseKeyThumbprint = async (coseKey: CoseKey): Promise<ArrayBuffer> => {
+  if (coseKey.get(Key.Kty) !== KeyTypes.EC2) {
+    throw new Error('Unsupported key type (Only EC2 are supported')
+  }
   const onlyRequiredMap = new Map()
-  const requriedKeys = [1, -1, -2, -3]
+  const requiredKeys = [EC2.Kty, EC2.Crv, EC2.X, EC2.Y]
   for (const [key, value] of coseKey.entries()) {
-    if (requriedKeys.includes(key as number)) {
+    if (requiredKeys.includes(key as number)) {
       onlyRequiredMap.set(key, value)
     }
   }
@@ -19,7 +24,7 @@ const calculateCoseKeyThumbprint = async (coseKey: Map<any, any>): Promise<Array
   return digest
 }
 
-const calculateCoseKeyThumbprintUri = async (coseKey: Map<any, any>): Promise<string> => {
+const calculateCoseKeyThumbprintUri = async (coseKey: CoseKey): Promise<string> => {
   const prefix = `urn:ietf:params:oauth:ckt:sha-256`
   const digest = await calculateCoseKeyThumbprint(coseKey)
   return `${prefix}:${base64url.encode(new Uint8Array(digest))}`

diff --git a/src/cose/receipt/add.ts b/src/cose/receipt/add.ts
@@ -1,4 +1,5 @@
 import { decodeFirstSync, toArrayBuffer, encodeAsync, Tagged, Sign1Tag } from '../../cbor'
+import { Receipts } from '../Params';
 import { CoseSign1Bytes } from "../sign1";
 
 export const add = async (signature: CoseSign1Bytes, receipt: CoseSign1Bytes): Promise<ArrayBuffer> => {
@@ -10,8 +11,8 @@ export const add = async (signature: CoseSign1Bytes, receipt: CoseSign1Bytes): P
     value[1] = new Map();
   }
   // unprotected header
-  const receipts = value[1].get(394) || []; // see  https://datatracker.ietf.org/doc/draft-ietf-scitt-architecture/
+  const receipts = value[1].get(Receipts) || []; // see  https://datatracker.ietf.org/doc/draft-ietf-scitt-architecture/
   receipts.push(receipt)
-  value[1].set(394, receipts)
+  value[1].set(Receipts, receipts)
   return toArrayBuffer(await encodeAsync(new Tagged(Sign1Tag, value), { canonical: true }));
 }
diff --git a/src/cose/receipt/consistency/issue.ts b/src/cose/receipt/consistency/issue.ts
@@ -1,7 +1,7 @@
 
 import { CoMETRE } from '@transmute/rfc9162'
 
-import { cbor, Protected, Unprotected, VerifiableDataProofTypes } from '../../..'
+import { cbor, Protected, Unprotected, VerifiableDataProofTypes, VerifiableDataStructures } from '../../..'
 
 import { CoseSign1Bytes, CoseSign1Signer, ProtectedHeaderMap } from "../../sign1"
 import { toArrayBuffer } from '../../../cbor'
@@ -16,7 +16,7 @@ export type RequestIssueConsistencyReceipt = {
 export const issue = async (req: RequestIssueConsistencyReceipt) => {
   const { protectedHeader, receipt, entries, signer } = req;
   const consistencyVds = protectedHeader.get(Protected.VerifiableDataStructure)
-  if (consistencyVds !== 1) {
+  if (consistencyVds !== VerifiableDataStructures['RFC9162-Binary-Merkle-Tree']) {
     throw new Error('Unsupported verifiable data structure. See https://datatracker.ietf.org/doc/draft-ietf-cose-merkle-tree-proofs')
   }
 
@@ -28,7 +28,7 @@ export const issue = async (req: RequestIssueConsistencyReceipt) => {
   const [protectedHeaderBytes, unprotectedHeaderMap, payload] = value
   const receiptProtectedHeader = cbor.decode(protectedHeaderBytes)
   const inclusionVds = receiptProtectedHeader.get(Protected.VerifiableDataStructure);
-  if (inclusionVds !== 1) {
+  if (inclusionVds !== VerifiableDataStructures['RFC9162-Binary-Merkle-Tree']) {
     throw new Error('Unsupported verifiable data structure. See https://datatracker.ietf.org/doc/draft-ietf-cose-merkle-tree-proofs')
   }
 

diff --git a/src/cose/receipt/consistency/verify.ts b/src/cose/receipt/consistency/verify.ts
@@ -1,7 +1,7 @@
 
 import { CoMETRE } from '@transmute/rfc9162'
 
-import { cbor, Protected, Unprotected, VerifiableDataProofTypes } from '../../..'
+import { cbor, Protected, Unprotected, VerifiableDataProofTypes, VerifiableDataStructures } from '../../..'
 
 import { CoseSign1Bytes, CoseSign1DetachedVerifier } from "../../sign1"
 
@@ -21,7 +21,7 @@ export const verify = async (req: RequestVerifyConsistencyReceipt) => {
   const [protectedHeaderBytes, unprotectedHeaderMap, payload] = value
   const protectedHeader = cbor.decode(protectedHeaderBytes)
   const vds = protectedHeader.get(Protected.VerifiableDataStructure);
-  if (vds !== 1) {
+  if (vds !== VerifiableDataStructures['RFC9162-Binary-Merkle-Tree']) {
     throw new Error('Unsupported verifiable data structure. See https://datatracker.ietf.org/doc/draft-ietf-cose-merkle-tree-proofs')
   }
   const proofs = unprotectedHeaderMap.get(Unprotected.VerifiableDataProofs)

diff --git a/src/cose/receipt/get.ts b/src/cose/receipt/get.ts
@@ -1,4 +1,5 @@
 import { decodeFirstSync, Sign1Tag } from '../../cbor'
+import { Receipts } from '../Params';
 import { CoseSign1Bytes } from "../sign1";
 
 export const get = async (signature: CoseSign1Bytes): Promise<CoseSign1Bytes[]> => {
@@ -10,6 +11,6 @@ export const get = async (signature: CoseSign1Bytes): Promise<CoseSign1Bytes[]>
     return []
   }
   // unprotected header
-  const receipts = value[1].get(394) || []; // see  https://datatracker.ietf.org/doc/draft-ietf-scitt-architecture/
+  const receipts = value[1].get(Receipts) || []; // see  https://datatracker.ietf.org/doc/draft-ietf-scitt-architecture/
   return receipts
 }