Jose 3 upgrade - browser compatibility (#59)

* update version for release

* initial conversion to JOSE 3.4.0

* clean up linting errors

* revert package.json changes that weren't necessary

* revert package.json changes that weren't necessary

* remove unused method

* clean up untyped checking

* revert back to payIdAddress json property since that has not yet changed in API spec

Author: nhartner

.eslintrc.js

@@ -25,19 +25,17 @@ module.exports = {
     '@xpring-eng/eslint-config-mocha',
     '@xpring-eng/eslint-config-base',
   ],
-
-  rules: {},
-  overrides: [
-    {
-      "files": ["*cli.ts"],
-      "rules": {
-        "node/shebang": "off"
-      },
-    },
-    {
-      "files": ["src/commands/*.ts"],
-      "rules": {
-        "class-methods-use-this": "off"
-      },
+  rules: {
+    // linter doesn't seem to understand ESM imports used by jose, even though typescript handles them just fine.
+    "node/no-missing-import": ["error", {
+      allowModules: ["jose"],
     }],
+    "import/no-unresolved": [
+      2,
+      {
+        ignore: [
+          'jose'
+        ]
+      }],
+  },
 }

package-lock.json

@@ -25,8 +25,7 @@
     "test": "nyc mocha 'test/**/*.test.ts'"
   },
   "dependencies": {
-    "axios": "^0.19.2",
-    "jose": "^1.27.3"
+    "jose": "^3.4.0"
   },
   "devDependencies": {
     "@arkweid/lefthook": "^0.7.2",

package.json

@@ -1,4 +1,4 @@
-import { JWS } from 'jose'
+import { GeneralJWSInput, GeneralJWS } from 'jose/webcrypto/types'
 
 import {
   Address,
@@ -7,27 +7,44 @@ import {
 } from './verifiable-paystring'
 
 /**
- * Converts a GeneralJWS to a Verified Address. Both have the same JWS structure but for
+ * Converts JSON to a Verified Address. Both have the same JWS structure but for
  * PayString we use our own type so as not to be coupled too tightly to the underlying JOSE library.
  *
- * @param jws - The JWS to convert.
+ * @param json - The json to convert.
  * @returns The address.
- * @throws Error if the JWS does not have the required properties.
+ * @throws Error if the json does not have the required properties.
  */
-export function convertToVerifiedAddress(jws: JWS.GeneralJWS): VerifiedAddress {
-  const verified: VerifiedAddress = {
-    payload: jws.payload,
-    signatures: jws.signatures.map((value) => {
-      if (value.protected) {
-        return {
-          protected: value.protected,
-          signature: value.signature,
-        }
+export function convertToVerifiedAddress(json: string): VerifiedAddress {
+  // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- untyped JSON
+  const { address }: { address: VerifiedAddress } = JSON.parse(json)
+  return address
+}
+
+/**
+ * Converts JWS to a Verified Address. Both have the same JWS structure but for
+ * PayString we use our own type so as not to be coupled too tightly to the underlying JOSE library.
+ *
+ * @param payload - The payload.
+ * @param jws - The JWS signatures.
+ * @returns The address.
+ * @throws Error if the json does not have the required properties.
+ */
+export function convertGeneralJwsToVerifiedAddress(
+  payload: string,
+  jws: GeneralJWS,
+): VerifiedAddress {
+  return {
+    payload,
+    signatures: jws.signatures.map((recipient) => {
+      if (recipient.protected === undefined) {
+        throw new Error('missing protected property')
+      }
+      return {
+        protected: recipient.protected,
+        signature: recipient.signature,
       }
-      throw Error('missing protected property')
     }),
   }
-  return verified
 }
 
 /**
@@ -38,8 +55,28 @@ export function convertToVerifiedAddress(jws: JWS.GeneralJWS): VerifiedAddress {
  */
 export function convertJsonToAddress(json: string): Address {
   // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- untyped JSON
-  const { payStringAddress }: { payStringAddress: Address } = JSON.parse(json)
-  return payStringAddress
+  const { payIdAddress }: { payIdAddress: Address } = JSON.parse(json)
+  return payIdAddress
+}
+
+/**
+ * Converts a VerifiedAddress to a JOSE GeneralJWSInput.
+ *
+ * @param verifiedAddress - Address to convert.
+ * @returns Address instance.
+ */
+export async function convertToGeneralJWSInput(
+  verifiedAddress: VerifiedAddress,
+): Promise<GeneralJWSInput> {
+  return {
+    payload: verifiedAddress.payload,
+    signatures: verifiedAddress.signatures.map((value) => {
+      return {
+        signature: value.signature,
+        protected: value.protected,
+      }
+    }),
+  }
 }
 
 /**

src/verifiable/converters.ts

@@ -1,18 +1,13 @@
-import { JWK } from 'jose'
+import { JWK } from 'jose/webcrypto/types'
 
 import { SigningParams } from './verifiable-paystring'
 
-import ECKey = JWK.ECKey
-import RSAKey = JWK.RSAKey
-import OctKey = JWK.OctKey
-import OKPKey = JWK.OKPKey
-
 /**
  * Represents the properties needed to sign a PayString using an identity key.
  */
 export default class IdentityKeySigningParams implements SigningParams {
   public readonly keyType = 'identityKey'
-  public readonly key: ECKey | RSAKey | OctKey | OKPKey
+  public readonly key: JWK
   public readonly alg: string
 
   /**
@@ -21,7 +16,7 @@ export default class IdentityKeySigningParams implements SigningParams {
    * @param key - The private key to sign with.
    * @param alg - The signing algorithm.
    */
-  public constructor(key: ECKey | RSAKey | OctKey | OKPKey, alg: string) {
+  public constructor(key: JWK, alg: string) {
     this.key = key
     this.alg = alg
   }

src/verifiable/identity-key-signing-params.ts

@@ -1,100 +1,44 @@
-import { promises } from 'fs'
+import fromKeyLike from 'jose/jwk/from_key_like'
+import calculateThumbprint from 'jose/jwk/thumbprint'
+import generateKeyPair from 'jose/util/generate_key_pair'
+import { JWK } from 'jose/webcrypto/types'
 
-import { JWK, JWKECKey, JWKOctKey, JWKOKPKey, JWKRSAKey, JWS } from 'jose'
-
-import RSAKey = JWK.RSAKey
-import ECKey = JWK.ECKey
-import OKPKey = JWK.OKPKey
-import OctKey = JWK.OctKey
-import JWSRecipient = JWS.JWSRecipient
+import {
+  ProtectedHeaders,
+  VerifiedAddressSignature,
+} from './verifiable-paystring'
 
+const DEFAULT_ALGORITHM = 'ES256'
 const DEFAULT_CURVE = 'P-256'
 
-/**
- * Reads JWK key from a file.
- *
- * @param path - The full file path of the key file.
- * @returns A JWK key.
- */
-export async function getSigningKeyFromFile(
-  path: string,
-): Promise<RSAKey | ECKey | OKPKey | OctKey> {
-  const pem = await promises.readFile(path, 'ascii')
-  return JWK.asKey(pem)
-}
-
-/**
- * Reads JWK from a file. If file contains a chain of certificates, JWK is generated from the first
- * certificate and the rest of the certificates in file are added to the x5c section of the JWK.
- *
- * @param path - The full file path of the key file.
- * @returns A JWK key.
- */
-export async function getJwkFromFile(
-  path: string,
-): Promise<JWKRSAKey | JWKECKey | JWKOKPKey | JWKOctKey> {
-  const content = await promises.readFile(path, 'ascii')
-  return JWK.asKey(content).toJWK(false)
-}
-
 /**
  * Extracts the JWK property from the base64 json in the protected section of a JWK recipient.
  *
  * @param recipient - The recipient to process.
  * @returns The JWK if found, otherwise undefined.
  */
 export function getJwkFromRecipient(
-  recipient: JWSRecipient,
-): JWKRSAKey | JWKECKey | JWKOKPKey | JWKOctKey | undefined {
+  recipient: VerifiedAddressSignature,
+): JWK | undefined {
   if (recipient.protected) {
     // eslint-disable-next-line @typescript-eslint/no-unsafe-assignment -- because JSON
-    const headers = JSON.parse(
+    const headers: ProtectedHeaders = JSON.parse(
       Buffer.from(recipient.protected, 'base64').toString('utf-8'),
     )
-    // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access -- because JSON
-    if (headers.jwk) {
-      // eslint-disable-next-line @typescript-eslint/no-unsafe-member-access -- because JSON
-      return JWK.asKey(headers.jwk).toJWK(false)
-    }
+    return headers.jwk
   }
   return undefined
 }
 
-/**
- * The jose library has 2 types of instances: JWK<Type>Key and JWK.<TypeKey>. The former is just data interface with no
- * methods where as the latter is a richer type. This method converts from the data interface to the richer type.
- *
- * @param jwk - The instance to convert.
- * @returns The converted result.
- */
-export function toKey(
-  jwk: JWKRSAKey | JWKECKey | JWKOctKey | JWKOKPKey,
-): JWK.RSAKey | JWK.ECKey | JWK.OKPKey | JWK.OctKey {
-  // JWKRSAKey, JWKECKey, etc use typescript conditional typing so
-  // these if conditions are needed to target the correct method overload.
-  if (jwk.kty === 'EC') {
-    return JWK.asKey(jwk)
-  }
-  if (jwk.kty === 'oct') {
-    return JWK.asKey(jwk)
-  }
-  if (jwk.kty === 'OKP') {
-    return JWK.asKey(jwk)
-  }
-  return JWK.asKey(jwk)
-}
-
 /**
  * Gets the default algorithm for a given JWK*Key instance.
  *
  * @param jwk - The jwk.
  * @returns The default algorithm to use.
  */
-export function getDefaultAlgorithm(
-  jwk: JWKRSAKey | JWKECKey | JWKOctKey | JWKOKPKey,
-): string {
+export function getDefaultAlgorithm(jwk: JWK): string {
   if (jwk.kty === 'EC') {
-    return 'ES256'
+    return DEFAULT_ALGORITHM
   }
   if (jwk.kty === 'oct') {
     return 'HS512'
@@ -110,6 +54,30 @@ export function getDefaultAlgorithm(
  *
  * @returns A JWK key.
  */
-export async function generateNewKey(): Promise<ECKey> {
-  return JWK.generate('EC', DEFAULT_CURVE)
+export async function generateNewKey(): Promise<JWK> {
+  const { privateKey } = await generateKeyPair(DEFAULT_ALGORITHM, {
+    crv: DEFAULT_CURVE,
+  })
+  return fromKeyLike(privateKey).then(async (key: JWK) => {
+    return calculateThumbprint(key).then((thumbprint: string) => {
+      return {
+        kid: thumbprint,
+        alg: getDefaultAlgorithm(key),
+        use: 'sig',
+        ...key,
+      }
+    })
+  })
+}
+
+/**
+ * Convert a JWK with a private key, to a JWK without a private key.
+ *
+ * @param jwk - The jwk.
+ * @returns A JWK key.
+ */
+export function toPublicJWK(jwk: JWK): JWK {
+  // eslint-disable-next-line id-length --- 'd' is an actual property of a JWK
+  const { d, ...rest } = jwk
+  return { ...rest }
 }