Commit f308b09

panva

committed

feat: support ML-DSA JWS algorithm identifiers

1 parent bb69c7b commit f308b09Copy full SHA for f308b09

File tree

17 files changed

+312

-120

lines changed

certification/oidc
- configuration.js
docs
- README.md
lib
- consts
  - jwa.js
- helpers
  - client_schema.js
  - configuration.js
  - defaults.js
  - initialize_keystore.js
  - keystore.js
- models
  - client.js
- shared
  - attest_client_auth.js
test
- client_auth
  - client_auth.test.js
- configuration
  - client_keystore.test.js
  - client_metadata.test.js
  - keystore_configuration.test.js
- keys.js
- run.js
- signatures
  - signatures.test.js

17 files changed

+312

-120

lines changed

`certification/oidc/configuration.js`

Lines changed: 108 additions & 81 deletions

Large diffs are not rendered by default.

`docs/README.md`

Lines changed: 9 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -1913,7 +1913,7 @@ async function getResourceServerInfo(ctx, resourceIndicator, client) {`
`1913`	`1913`	`// Tokens will be signed`
`1914`	`1914`	`sign?:`
`1915`	`1915`	`\| {`
`1916`		`- alg?: string, // 'PS256' \| 'PS384' \| 'PS512' \| 'ES256' \| 'ES384' \| 'ES512' \| 'Ed25519' \| 'RS256' \| 'RS384' \| 'RS512' \| 'EdDSA'`
	`1916`	`+ alg?: string, // 'PS256' \| 'PS384' \| 'PS512' \| 'ES256' \| 'ES384' \| 'ES512' \| 'Ed25519' \| 'RS256' \| 'RS384' \| 'RS512' \| 'EdDSA' \| 'ML-DSA-44' \| 'ML-DSA-65' \| 'ML-DSA-87'`
`1917`	`1917`	kid?: string, // OPTIONAL `kid` to aid in signing key selection
`1918`	`1918`	`}`
`1919`	`1919`	`\| {`
`@@ -3598,6 +3598,7 @@ _default value_:`
`3598`	`3598`	`'PS256', 'PS384', 'PS512',`
`3599`	`3599`	`'ES256', 'ES384', 'ES512',`
`3600`	`3600`	`'Ed25519', 'EdDSA',`
	`3601`	`+ 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`3601`	`3602`	`]`
`3602`	`3603`	```
`3603`	`3604`
`@@ -3689,6 +3690,7 @@ _default value_:`
`3689`	`3690`	`'PS256', 'PS384', 'PS512',`
`3690`	`3691`	`'ES256', 'ES384', 'ES512',`
`3691`	`3692`	`'Ed25519', 'EdDSA',`
	`3693`	`+ 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`3692`	`3694`	`'HS256', 'HS384', 'HS512',`
`3693`	`3695`	`]`
`3694`	`3696`	```
`@@ -3721,6 +3723,7 @@ _default value_:`
`3721`	`3723`	`'PS256', 'PS384', 'PS512',`
`3722`	`3724`	`'ES256', 'ES384', 'ES512',`
`3723`	`3725`	`'Ed25519', 'EdDSA',`
	`3726`	`+ 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`3724`	`3727`	`'HS256', 'HS384', 'HS512',`
`3725`	`3728`	`]`
`3726`	`3729`	```
`@@ -3750,6 +3753,7 @@ _default value_:`
`3750`	`3753`	`'PS256', 'PS384', 'PS512',`
`3751`	`3754`	`'ES256', 'ES384', 'ES512',`
`3752`	`3755`	`'Ed25519', 'EdDSA',`
	`3756`	`+ 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`3753`	`3757`	`]`
`3754`	`3758`	```
`3755`	`3759`
`@@ -3841,6 +3845,7 @@ _default value_:`
`3841`	`3845`	`'PS256', 'PS384', 'PS512',`
`3842`	`3846`	`'ES256', 'ES384', 'ES512',`
`3843`	`3847`	`'Ed25519', 'EdDSA',`
	`3848`	`+ 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`3844`	`3849`	`'HS256', 'HS384', 'HS512',`
`3845`	`3850`	`]`
`3846`	`3851`	```
`@@ -3933,6 +3938,7 @@ _default value_:`
`3933`	`3938`	`'PS256', 'PS384', 'PS512',`
`3934`	`3939`	`'ES256', 'ES384', 'ES512',`
`3935`	`3940`	`'Ed25519', 'EdDSA',`
	`3941`	`+ 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`3936`	`3942`	`'HS256', 'HS384', 'HS512',`
`3937`	`3943`	`]`
`3938`	`3944`	```
`@@ -4026,6 +4032,7 @@ _default value_:`
`4026`	`4032`	`'PS256', 'PS384', 'PS512',`
`4027`	`4033`	`'ES256', 'ES384', 'ES512',`
`4028`	`4034`	`'Ed25519', 'EdDSA',`
	`4035`	`+ 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`4029`	`4036`	`'HS256', 'HS384', 'HS512',`
`4030`	`4037`	`]`
`4031`	`4038`	```
`@@ -4118,6 +4125,7 @@ _default value_:`
`4118`	`4125`	`'PS256', 'PS384', 'PS512',`
`4119`	`4126`	`'ES256', 'ES384', 'ES512',`
`4120`	`4127`	`'Ed25519', 'EdDSA',`
	`4128`	`+ 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`4121`	`4129`	`'HS256', 'HS384', 'HS512',`
`4122`	`4130`	`]`
`4123`	`4131`	```

`lib/consts/jwa.js`

Lines changed: 6 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,12 @@ const signingAlgValues = [`
`6`	`6`	`'Ed25519', 'EdDSA',`
`7`	`7`	`];`
`8`	`8`
	`9`	`+const version = globalThis.process?.version?.substring(1).split('.').map((i) => parseInt(i, 10));`
	`10`	`+`
	`11`	`+if (version[0] > 24 \|\| (version[0] === 24 && version[1] >= 7)) {`
	`12`	`+ signingAlgValues.push('ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87');`
	`13`	`+}`
	`14`	`+`
`9`	`15`	`const encryptionAlgValues = [`
`10`	`16`	`// asymmetric`
`11`	`17`	`'RSA-OAEP',`

`lib/helpers/client_schema.js`

Lines changed: 1 addition & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@ import omitBy from './_/omit_by.js';`
`11`	`11`	const W3CEmailRegExp = /^[a-zA-Z0-9.!#$%&'+/=?^_`{\|}~-]+@[a-zA-Z0-9-]+(?:\.[a-zA-Z0-9-]+)$/;
`12`	`12`	`const needsJwks = {`
`13`	`13`	`jwe: /^(RSA\|ECDH)/,`
`14`		`- jws: /^(?:(?:P\|E\|R)S(?:256\|384\|512)\|Ed(?:DSA\|25519))$/,`
	`14`	`+ jws: /^(?:(?:P\|E\|R)S(?:256\|384\|512)\|Ed(?:DSA\|25519)\|ML-DSA-(?:44\|65\|87))$/,`
`15`	`15`	`};`
`16`	`16`	`const {`
`17`	`17`	`ARYS,`

`lib/helpers/configuration.js`

Lines changed: 15 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,21 @@ function filterHS(alg) {`
`22`	`22`	`return alg.startsWith('HS');`
`23`	`23`	`}`
`24`	`24`
`25`		`-const filterAsymmetricSig = RegExp.prototype.test.bind(/^(?:PS(?:256\|384\|512)\|RS(?:256\|384\|512)\|ES(?:256K?\|384\|512)\|Ed(?:25519\|DSA))$/);`
	`25`	`+function filterAsymmetricSig(alg) {`
	`26`	`+ switch (alg.slice(0, 2)) {`
	`27`	`+ case 'ML': // ML-DSA-, ML-KEM-`
	`28`	`+ case 'RS': // RS\d{3}, RSA-OAEP`
	`29`	`+ case 'PS': // PS\d{3}`
	`30`	`+ case 'ES': // ECDSA`
	`31`	`+ case 'EC': // ECDH`
	`32`	`+ case 'Ed': // Ed*`
	`33`	`+ case 'X2': // X25519`
	`34`	`+ case 'X4': // X448`
	`35`	`+ return true;`
	`36`	`+ default:`
	`37`	`+ return false;`
	`38`	`+ }`
	`39`	`+}`
`26`	`40`
`27`	`41`	`const supportedResponseTypes = new Set(['none', 'code', 'id_token', 'token']);`
`28`	`42`	`const fapiProfiles = new Set(['1.0 Final', '2.0']);`

`lib/helpers/defaults.js`

Lines changed: 9 additions & 1 deletion

Original file line number	Diff line number	Diff line change
`@@ -2107,7 +2107,7 @@ function makeDefaults() {`
`2107`	`2107`	`* // Tokens will be signed`
`2108`	`2108`	`* sign?:`
`2109`	`2109`	`* \| {`
`2110`		`- * alg?: string, // 'PS256' \| 'PS384' \| 'PS512' \| 'ES256' \| 'ES384' \| 'ES512' \| 'Ed25519' \| 'RS256' \| 'RS384' \| 'RS512' \| 'EdDSA'`
	`2110`	`+ * alg?: string, // 'PS256' \| 'PS384' \| 'PS512' \| 'ES256' \| 'ES384' \| 'ES512' \| 'Ed25519' \| 'RS256' \| 'RS384' \| 'RS512' \| 'EdDSA' \| 'ML-DSA-44' \| 'ML-DSA-65' \| 'ML-DSA-87'`
`2111`	`2111`	* kid?: string, // OPTIONAL `kid` to aid in signing key selection
`2112`	`2112`	`* }`
`2113`	`2113`	`* \| {`
`@@ -2855,6 +2855,7 @@ function makeDefaults() {`
`2855`	`2855`	`* 'PS256', 'PS384', 'PS512',`
`2856`	`2856`	`* 'ES256', 'ES384', 'ES512',`
`2857`	`2857`	`* 'Ed25519', 'EdDSA',`
	`2858`	`+ * 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`2858`	`2859`	`* 'HS256', 'HS384', 'HS512',`
`2859`	`2860`	`* ]`
`2860`	`2861`	* ```
`@@ -2881,6 +2882,7 @@ function makeDefaults() {`
`2881`	`2882`	`* 'PS256', 'PS384', 'PS512',`
`2882`	`2883`	`* 'ES256', 'ES384', 'ES512',`
`2883`	`2884`	`* 'Ed25519', 'EdDSA',`
	`2885`	`+ * 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`2884`	`2886`	`* 'HS256', 'HS384', 'HS512',`
`2885`	`2887`	`* ]`
`2886`	`2888`	* ```
`@@ -2900,6 +2902,7 @@ function makeDefaults() {`
`2900`	`2902`	`* 'PS256', 'PS384', 'PS512',`
`2901`	`2903`	`* 'ES256', 'ES384', 'ES512',`
`2902`	`2904`	`* 'Ed25519', 'EdDSA',`
	`2905`	`+ * 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`2903`	`2906`	`* 'HS256', 'HS384', 'HS512',`
`2904`	`2907`	`* ]`
`2905`	`2908`	* ```
`@@ -2926,6 +2929,7 @@ function makeDefaults() {`
`2926`	`2929`	`* 'PS256', 'PS384', 'PS512',`
`2927`	`2930`	`* 'ES256', 'ES384', 'ES512',`
`2928`	`2931`	`* 'Ed25519', 'EdDSA',`
	`2932`	`+ * 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`2929`	`2933`	`* 'HS256', 'HS384', 'HS512',`
`2930`	`2934`	`* ]`
`2931`	`2935`	* ```
`@@ -2945,6 +2949,7 @@ function makeDefaults() {`
`2945`	`2949`	`* 'PS256', 'PS384', 'PS512',`
`2946`	`2950`	`* 'ES256', 'ES384', 'ES512',`
`2947`	`2951`	`* 'Ed25519', 'EdDSA',`
	`2952`	`+ * 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`2948`	`2953`	`* 'HS256', 'HS384', 'HS512',`
`2949`	`2954`	`* ]`
`2950`	`2955`	* ```
`@@ -2970,6 +2975,7 @@ function makeDefaults() {`
`2970`	`2975`	`* 'PS256', 'PS384', 'PS512',`
`2971`	`2976`	`* 'ES256', 'ES384', 'ES512',`
`2972`	`2977`	`* 'Ed25519', 'EdDSA',`
	`2978`	`+ * 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`2973`	`2979`	`* 'HS256', 'HS384', 'HS512',`
`2974`	`2980`	`* ]`
`2975`	`2981`	* ```
`@@ -3242,6 +3248,7 @@ function makeDefaults() {`
`3242`	`3248`	`* 'PS256', 'PS384', 'PS512',`
`3243`	`3249`	`* 'ES256', 'ES384', 'ES512',`
`3244`	`3250`	`* 'Ed25519', 'EdDSA',`
	`3251`	`+ * 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`3245`	`3252`	`* ]`
`3246`	`3253`	* ```
`3247`	`3254`	`*/`
`@@ -3260,6 +3267,7 @@ function makeDefaults() {`
`3260`	`3267`	`* 'PS256', 'PS384', 'PS512',`
`3261`	`3268`	`* 'ES256', 'ES384', 'ES512',`
`3262`	`3269`	`* 'Ed25519', 'EdDSA',`
	`3270`	`+ * 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87', // available in Node.js >= 24.7.0`
`3263`	`3271`	`* ]`
`3264`	`3272`	* ```
`3265`	`3273`	`*/`

`lib/helpers/initialize_keystore.js`

Lines changed: 25 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -26,13 +26,18 @@ const calculateKid = (jwk) => {`
`26`	`26`	`crv: jwk.crv, kty: 'OKP', x: jwk.x,`
`27`	`27`	`};`
`28`	`28`	`break;`
	`29`	`+ case 'AKP':`
	`30`	`+ components = {`
	`31`	`+ alg: jwk.alg, kty: 'AKP', pub: jwk.pub,`
	`32`	`+ };`
	`33`	`+ break;`
`29`	`34`	`default:`
`30`	`35`	`return undefined;`
`31`	`36`	`}`
`32`	`37`
`33`	`38`	`return crypto.hash('sha256', JSON.stringify(components), 'base64url');`
`34`	`39`	`};`
`35`		`-const KEY_TYPES = new Set(['RSA', 'EC', 'OKP']);`
	`40`	`+const KEY_TYPES = new Set(['RSA', 'EC', 'OKP', 'AKP']);`
`36`	`41`
`37`	`42`	`const jwkSignatureAlgorithms = (jwk) => {`
`38`	`43`	`if (jwk.use !== 'sig' && jwk.use !== undefined) {`
`@@ -67,6 +72,16 @@ const jwkSignatureAlgorithms = (jwk) => {`
`67`	`72`	`default:`
`68`	`73`	`}`
`69`	`74`	`break;`
	`75`	`+ case 'AKP':`
	`76`	`+ switch (jwk.alg) {`
	`77`	`+ case 'ML-DSA-44':`
	`78`	`+ case 'ML-DSA-65':`
	`79`	`+ case 'ML-DSA-87':`
	`80`	`+ available = [jwk.alg];`
	`81`	`+ break;`
	`82`	`+ default:`
	`83`	`+ }`
	`84`	`+ break;`
`70`	`85`	`default:`
`71`	`86`	`}`
`72`	`87`
`@@ -140,14 +155,21 @@ function registerKey(input, i, keystore, kids) {`
`140`	`155`	`} else {`
`141`	`156`	`key = structuredClone(input);`
`142`	`157`	`}`
`143`		- assert(KEY_TYPES.has(key.kty), `only RSA, EC, or OKP keys should be part of jwks configuration (index ${i})`);
	`158`	+ assert(KEY_TYPES.has(key.kty), `only RSA, EC, OKP, or AKP keys should be part of jwks configuration (index ${i})`);
`144`	`159`	`key.kid ??= calculateKid(key);`
`145`	`160`	`checkString(key.kid, 'kid', i);`
`146`	`161`
`147`	`162`	`assert(!kids.has(key.kid), 'jwks.keys configuration must not contain duplicate "kid" values');`
`148`	`163`	`kids.add(key.kid);`
`149`	`164`
`150`	`165`	`switch (key.kty) {`
	`166`	`+ case 'AKP':`
	`167`	`+ checkString(key.alg, 'alg', i);`
	`168`	`+ checkString(key.pub, 'pub', i);`
	`169`	`+ if (!(key instanceof ExternalSigningKey)) {`
	`170`	`+ checkString(key.priv, 'priv', i);`
	`171`	`+ }`
	`172`	`+ break;`
`151`	`173`	`case 'OKP':`
`152`	`174`	`checkString(key.crv, 'crv', i);`
`153`	`175`	`checkString(key.x, 'x', i);`
`@@ -282,6 +304,7 @@ provide your own in the configuration "jwks" property');`
`282`	`304`	`x: key.x,`
`283`	`305`	`x5c: key.x5c ? [...key.x5c] : undefined,`
`284`	`306`	`y: key.y,`
	`307`	`+ pub: key.pub,`
`285`	`308`	`}));`
`286`	`309`	`instance(this).jwks = { keys };`
`287`	`310`	`}`

`lib/helpers/keystore.js`

Lines changed: 10 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,11 @@ export class ExternalSigningKey {`
`36`	`36`	`return this.#publicJwk.kty;`
`37`	`37`	`}`
`38`	`38`
	`39`	`+ get pub() {`
	`40`	`+ this.#ensurePublicJwk();`
	`41`	`+ return this.#publicJwk.pub;`
	`42`	`+ }`
	`43`	`+`
`39`	`44`	`get e() {`
`40`	`45`	`this.#ensurePublicJwk();`
`41`	`46`	`return this.#publicJwk.e;`
`@@ -99,6 +104,7 @@ const getKtyFromJWSAlg = (alg) => {`
`99`	`104`	`case 'HS': return 'oct';`
`100`	`105`	`case 'ES': return 'EC';`
`101`	`106`	`case 'Ed': return 'OKP';`
	`107`	`+ case 'ML': return 'AKP';`
`102`	`108`	`default:`
`103`	`109`	`throw new Error();`
`104`	`110`	`}`
`@@ -138,7 +144,7 @@ const filter = Symbol();`
`138`	`144`
`139`	`145`	`function stripPrivate(jwk) {`
`140`	`146`	`const {`
`141`		`- d, p, q, dp, dq, qi, oth, ...pub`
	`147`	`+ d, p, q, dp, dq, qi, oth, priv, ...pub`
`142`	`148`	`} = jwk;`
`143`	`149`	`return pub;`
`144`	`150`	`}`
`@@ -163,13 +169,13 @@ class KeyStore {`
`163`	`169`	`const scoring = { alg, use: 'sig' };`
`164`	`170`
`165`	`171`	`return this[filter]((jwk) => {`
`166`		`- let candidate = typeof kty === 'string' ? jwk.kty === kty : kty.includes(jwk.kty);`
	`172`	`+ let candidate = jwk.kty === kty;`
`167`	`173`
`168`	`174`	`if (candidate && typeof kid === 'string') {`
`169`	`175`	`candidate = kid === jwk.kid;`
`170`	`176`	`}`
`171`	`177`
`172`		`- if (candidate && typeof jwk.alg === 'string') {`
	`178`	`+ if (candidate && (typeof jwk.alg === 'string' \|\| kty === 'AKP')) {`
`173`	`179`	`candidate = alg === jwk.alg;`
`174`	`180`	`}`
`175`	`181`
`@@ -272,7 +278,7 @@ class KeyStore {`
`272`	`278`	`return getPublic ? input.keyObject() : input;`
`273`	`279`	`}`
`274`	`280`
`275`		`- if (input.kty === 'oct' \|\| !input.d \|\| !getPublic) {`
	`281`	`+ if (input.kty === 'oct' \|\| (!input.d && !input.priv) \|\| !getPublic) {`
`276`	`282`	`return input;`
`277`	`283`	`}`
`278`	`284`

`lib/models/client.js`

Lines changed: 9 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -77,23 +77,30 @@ function checkJWK(jwk) {`
`77`	`77`	`if (!EC_CURVES.has(jwk.crv)) return undefined;`
`78`	`78`	`if (!(typeof jwk.x === 'string' && jwk.x)) throw new Error();`
`79`	`79`	`if (!(typeof jwk.y === 'string' && jwk.y)) throw new Error();`
	`80`	`+ if (jwk.d !== undefined) throw new Error();`
`80`	`81`	`break;`
`81`	`82`	`case 'OKP':`
`82`	`83`	`if (!(typeof jwk.crv === 'string' && jwk.crv)) throw new Error();`
`83`	`84`	`if (!OKP_SUBTYPES.has(jwk.crv)) return undefined;`
`84`	`85`	`if (!(typeof jwk.x === 'string' && jwk.x)) throw new Error();`
	`86`	`+ if (jwk.d !== undefined) throw new Error();`
	`87`	`+ break;`
	`88`	`+ case 'AKP':`
	`89`	`+ if (!(typeof jwk.alg === 'string' && jwk.alg)) throw new Error();`
	`90`	`+ if (!(typeof jwk.pub === 'string' && jwk.pub)) throw new Error();`
	`91`	`+ if (jwk.priv !== undefined) throw new Error();`
`85`	`92`	`break;`
`86`	`93`	`case 'RSA':`
`87`	`94`	`if (!(typeof jwk.e === 'string' && jwk.e)) throw new Error();`
`88`	`95`	`if (!(typeof jwk.n === 'string' && jwk.n)) throw new Error();`
	`96`

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit f308b09

File tree

17 files changed

17 files changed

`certification/oidc/configuration.js`

`docs/README.md`

`lib/consts/jwa.js`

`lib/helpers/client_schema.js`

`lib/helpers/configuration.js`

`lib/helpers/defaults.js`

`lib/helpers/initialize_keystore.js`

`lib/helpers/keystore.js`

`lib/models/client.js`