refactor: reorganize internals, less files, smaller footprint

Author: panva

src/jwe/flattened/decrypt.ts

@@ -6,13 +6,14 @@
 
 import type * as types from '../../types.d.ts'
 import { decode as b64u } from '../../util/base64url.js'
-import { decrypt } from '../../lib/decrypt.js'
+import { decrypt } from '../../lib/content_encryption.js'
+import { decodeBase64url } from '../../lib/helpers.js'
 import { JOSEAlgNotAllowed, JOSENotSupported, JWEInvalid } from '../../util/errors.js'
-import { isDisjoint } from '../../lib/is_disjoint.js'
-import { isObject } from '../../lib/is_object.js'
-import { decryptKeyManagement } from '../../lib/decrypt_key_management.js'
+import { isDisjoint } from '../../lib/type_checks.js'
+import { isObject } from '../../lib/type_checks.js'
+import { decryptKeyManagement } from '../../lib/key_management.js'
 import { decoder, concat, encode } from '../../lib/buffer_utils.js'
-import { generateCek } from '../../lib/cek.js'
+import { generateCek } from '../../lib/content_encryption.js'
 import { validateCrit } from '../../lib/validate_crit.js'
 import { validateAlgorithms } from '../../lib/validate_algorithms.js'
 import { normalizeKey } from '../../lib/normalize_key.js'
@@ -186,11 +187,7 @@ export async function flattenedDecrypt(
 
   let encryptedKey!: Uint8Array
   if (jwe.encrypted_key !== undefined) {
-    try {
-      encryptedKey = b64u(jwe.encrypted_key!)
-    } catch {
-      throw new JWEInvalid('Failed to base64url decode the encrypted_key')
-    }
+    encryptedKey = decodeBase64url(jwe.encrypted_key!, 'encrypted_key', JWEInvalid)
   }
 
   let resolvedKey = false
@@ -221,18 +218,10 @@ export async function flattenedDecrypt(
   let iv: Uint8Array | undefined
   let tag: Uint8Array | undefined
   if (jwe.iv !== undefined) {
-    try {
-      iv = b64u(jwe.iv)
-    } catch {
-      throw new JWEInvalid('Failed to base64url decode the iv')
-    }
+    iv = decodeBase64url(jwe.iv, 'iv', JWEInvalid)
   }
   if (jwe.tag !== undefined) {
-    try {
-      tag = b64u(jwe.tag)
-    } catch {
-      throw new JWEInvalid('Failed to base64url decode the tag')
-    }
+    tag = decodeBase64url(jwe.tag, 'tag', JWEInvalid)
   }
 
   const protectedHeader: Uint8Array =
@@ -245,12 +234,7 @@ export async function flattenedDecrypt(
     additionalData = protectedHeader
   }
 
-  let ciphertext: Uint8Array
-  try {
-    ciphertext = b64u(jwe.ciphertext)
-  } catch {
-    throw new JWEInvalid('Failed to base64url decode the ciphertext')
-  }
+  const ciphertext = decodeBase64url(jwe.ciphertext, 'ciphertext', JWEInvalid)
   const plaintext = await decrypt(enc, cek, ciphertext, iv, tag, additionalData)
 
   const result: types.FlattenedDecryptResult = { plaintext }
@@ -276,11 +260,7 @@ export async function flattenedDecrypt(
   }
 
   if (jwe.aad !== undefined) {
-    try {
-      result.additionalAuthenticatedData = b64u(jwe.aad!)
-    } catch {
-      throw new JWEInvalid('Failed to base64url decode the aad')
-    }
+    result.additionalAuthenticatedData = decodeBase64url(jwe.aad!, 'aad', JWEInvalid)
   }
 
   if (jwe.unprotected !== undefined) {

src/jwe/flattened/encrypt.ts

@@ -5,12 +5,12 @@
  */
 
 import { encode as b64u } from '../../util/base64url.js'
-import { unprotected } from '../../lib/private_symbols.js'
-import { encrypt } from '../../lib/encrypt.js'
+import { unprotected, assertNotSet } from '../../lib/helpers.js'
+import { encrypt } from '../../lib/content_encryption.js'
 import type * as types from '../../types.d.ts'
-import { encryptKeyManagement } from '../../lib/encrypt_key_management.js'
+import { encryptKeyManagement } from '../../lib/key_management.js'
 import { JOSENotSupported, JWEInvalid } from '../../util/errors.js'
-import { isDisjoint } from '../../lib/is_disjoint.js'
+import { isDisjoint } from '../../lib/type_checks.js'
 import { concat, encode } from '../../lib/buffer_utils.js'
 import { validateCrit } from '../../lib/validate_crit.js'
 import { normalizeKey } from '../../lib/normalize_key.js'
@@ -74,9 +74,7 @@ export class FlattenedEncrypt {
    * @param parameters JWE Key Management parameters.
    */
   setKeyManagementParameters(parameters: types.JWEKeyManagementHeaderParameters): this {
-    if (this.#keyManagementParameters) {
-      throw new TypeError('setKeyManagementParameters can only be called once')
-    }
+    assertNotSet(this.#keyManagementParameters, 'setKeyManagementParameters')
     this.#keyManagementParameters = parameters
     return this
   }
@@ -87,9 +85,7 @@ export class FlattenedEncrypt {
    * @param protectedHeader JWE Protected Header.
    */
   setProtectedHeader(protectedHeader: types.JWEHeaderParameters): this {
-    if (this.#protectedHeader) {
-      throw new TypeError('setProtectedHeader can only be called once')
-    }
+    assertNotSet(this.#protectedHeader, 'setProtectedHeader')
     this.#protectedHeader = protectedHeader
     return this
   }
@@ -100,9 +96,7 @@ export class FlattenedEncrypt {
    * @param sharedUnprotectedHeader JWE Shared Unprotected Header.
    */
   setSharedUnprotectedHeader(sharedUnprotectedHeader: types.JWEHeaderParameters): this {
-    if (this.#sharedUnprotectedHeader) {
-      throw new TypeError('setSharedUnprotectedHeader can only be called once')
-    }
+    assertNotSet(this.#sharedUnprotectedHeader, 'setSharedUnprotectedHeader')
     this.#sharedUnprotectedHeader = sharedUnprotectedHeader
     return this
   }
@@ -113,9 +107,7 @@ export class FlattenedEncrypt {
    * @param unprotectedHeader JWE Per-Recipient Unprotected Header.
    */
   setUnprotectedHeader(unprotectedHeader: types.JWEHeaderParameters): this {
-    if (this.#unprotectedHeader) {
-      throw new TypeError('setUnprotectedHeader can only be called once')
-    }
+    assertNotSet(this.#unprotectedHeader, 'setUnprotectedHeader')
     this.#unprotectedHeader = unprotectedHeader
     return this
   }
@@ -140,9 +132,7 @@ export class FlattenedEncrypt {
    * @param cek JWE Content Encryption Key.
    */
   setContentEncryptionKey(cek: Uint8Array): this {
-    if (this.#cek) {
-      throw new TypeError('setContentEncryptionKey can only be called once')
-    }
+    assertNotSet(this.#cek, 'setContentEncryptionKey')
     this.#cek = cek
     return this
   }
@@ -157,9 +147,7 @@ export class FlattenedEncrypt {
    * @param iv JWE Initialization Vector.
    */
   setInitializationVector(iv: Uint8Array): this {
-    if (this.#iv) {
-      throw new TypeError('setInitializationVector can only be called once')
-    }
+    assertNotSet(this.#iv, 'setInitializationVector')
     this.#iv = iv
     return this
   }

src/jwe/general/decrypt.ts

@@ -7,7 +7,7 @@
 import { flattenedDecrypt } from '../flattened/decrypt.js'
 import { JWEDecryptionFailed, JWEInvalid } from '../../util/errors.js'
 import type * as types from '../../types.d.ts'
-import { isObject } from '../../lib/is_object.js'
+import { isObject } from '../../lib/type_checks.js'
 
 /**
  * Interface for General JWE Decryption dynamic key resolution. No token components have been

src/jwe/general/encrypt.ts

@@ -6,11 +6,11 @@
 
 import type * as types from '../../types.d.ts'
 import { FlattenedEncrypt } from '../flattened/encrypt.js'
-import { unprotected } from '../../lib/private_symbols.js'
+import { unprotected, assertNotSet } from '../../lib/helpers.js'
 import { JOSENotSupported, JWEInvalid } from '../../util/errors.js'
-import { generateCek } from '../../lib/cek.js'
-import { isDisjoint } from '../../lib/is_disjoint.js'
-import { encryptKeyManagement } from '../../lib/encrypt_key_management.js'
+import { generateCek } from '../../lib/content_encryption.js'
+import { isDisjoint } from '../../lib/type_checks.js'
+import { encryptKeyManagement } from '../../lib/key_management.js'
 import { encode as b64u } from '../../util/base64url.js'
 import { validateCrit } from '../../lib/validate_crit.js'
 import { normalizeKey } from '../../lib/normalize_key.js'
@@ -63,17 +63,13 @@ class IndividualRecipient implements Recipient {
   }
 
   setUnprotectedHeader(unprotectedHeader: types.JWEHeaderParameters): this {
-    if (this.unprotectedHeader) {
-      throw new TypeError('setUnprotectedHeader can only be called once')
-    }
+    assertNotSet(this.unprotectedHeader, 'setUnprotectedHeader')
     this.unprotectedHeader = unprotectedHeader
     return this
   }
 
   setKeyManagementParameters(parameters: types.JWEKeyManagementHeaderParameters): this {
-    if (this.keyManagementParameters) {
-      throw new TypeError('setKeyManagementParameters can only be called once')
-    }
+    assertNotSet(this.keyManagementParameters, 'setKeyManagementParameters')
     this.keyManagementParameters = parameters
     return this
   }
@@ -155,9 +151,7 @@ export class GeneralEncrypt {
    * @param protectedHeader JWE Protected Header object.
    */
   setProtectedHeader(protectedHeader: types.JWEHeaderParameters): this {
-    if (this.#protectedHeader) {
-      throw new TypeError('setProtectedHeader can only be called once')
-    }
+    assertNotSet(this.#protectedHeader, 'setProtectedHeader')
     this.#protectedHeader = protectedHeader
     return this
   }
@@ -168,9 +162,7 @@ export class GeneralEncrypt {
    * @param sharedUnprotectedHeader JWE Shared Unprotected Header object.
    */
   setSharedUnprotectedHeader(sharedUnprotectedHeader: types.JWEHeaderParameters): this {
-    if (this.#unprotectedHeader) {
-      throw new TypeError('setSharedUnprotectedHeader can only be called once')
-    }
+    assertNotSet(this.#unprotectedHeader, 'setSharedUnprotectedHeader')
     this.#unprotectedHeader = sharedUnprotectedHeader
     return this
   }

src/jwk/embedded.ts

@@ -6,7 +6,7 @@
 
 import type * as types from '../types.d.ts'
 import { importJWK } from '../key/import.js'
-import { isObject } from '../lib/is_object.js'
+import { isObject } from '../lib/type_checks.js'
 import { JWSInvalid } from '../util/errors.js'
 
 /**

src/jwk/thumbprint.ts

@@ -4,14 +4,14 @@
  * @module
  */
 
-import { digest } from '../lib/digest.js'
+import { digest } from '../lib/helpers.js'
 import { encode as b64u } from '../util/base64url.js'
 
 import { JOSENotSupported, JWKInvalid } from '../util/errors.js'
 import { encode } from '../lib/buffer_utils.js'
 import type * as types from '../types.d.ts'
 import { isKeyLike } from '../lib/is_key_like.js'
-import { isJWK } from '../lib/is_jwk.js'
+import { isJWK } from '../lib/type_checks.js'
 import { exportJWK } from '../key/export.js'
 import { invalidKeyInput } from '../lib/invalid_key_input.js'
 

src/jwks/local.ts

@@ -12,7 +12,7 @@ import {
   JWKSNoMatchingKey,
   JWKSMultipleMatchingKeys,
 } from '../util/errors.js'
-import { isObject } from '../lib/is_object.js'
+import { isObject } from '../lib/type_checks.js'
 
 function getKtyFromAlg(alg: unknown) {
   switch (typeof alg === 'string' && alg.slice(0, 2)) {

src/jwks/remote.ts

@@ -8,7 +8,7 @@ import type * as types from '../types.d.ts'
 import { JOSEError, JWKSNoMatchingKey, JWKSTimeout } from '../util/errors.js'
 
 import { createLocalJWKSet } from './local.js'
-import { isObject } from '../lib/is_object.js'
+import { isObject } from '../lib/type_checks.js'
 
 function isCloudflareWorkers() {
   return (

src/jws/flattened/sign.ts

@@ -6,14 +6,15 @@
 
 import type * as types from '../../types.d.ts'
 import { encode as b64u } from '../../util/base64url.js'
-import { sign } from '../../lib/sign.js'
+import { sign } from '../../lib/signing.js'
 
-import { isDisjoint } from '../../lib/is_disjoint.js'
+import { isDisjoint } from '../../lib/type_checks.js'
 import { JWSInvalid } from '../../util/errors.js'
 import { concat, encode } from '../../lib/buffer_utils.js'
 import { checkKeyType } from '../../lib/check_key_type.js'
 import { validateCrit } from '../../lib/validate_crit.js'
 import { normalizeKey } from '../../lib/normalize_key.js'
+import { assertNotSet } from '../../lib/helpers.js'
 
 /**
  * The FlattenedSign class is used to build and sign Flattened JWS objects.
@@ -58,9 +59,7 @@ export class FlattenedSign {
    * @param protectedHeader JWS Protected Header.
    */
   setProtectedHeader(protectedHeader: types.JWSHeaderParameters): this {
-    if (this.#protectedHeader) {
-      throw new TypeError('setProtectedHeader can only be called once')
-    }
+    assertNotSet(this.#protectedHeader, 'setProtectedHeader')
     this.#protectedHeader = protectedHeader
     return this
   }
@@ -71,9 +70,7 @@ export class FlattenedSign {
    * @param unprotectedHeader JWS Unprotected Header.
    */
   setUnprotectedHeader(unprotectedHeader: types.JWSHeaderParameters): this {
-    if (this.#unprotectedHeader) {
-      throw new TypeError('setUnprotectedHeader can only be called once')
-    }
+    assertNotSet(this.#unprotectedHeader, 'setUnprotectedHeader')
     this.#unprotectedHeader = unprotectedHeader
     return this
   }

src/jws/flattened/verify.ts

@@ -6,12 +6,13 @@
 
 import type * as types from '../../types.d.ts'
 import { decode as b64u } from '../../util/base64url.js'
-import { verify } from '../../lib/verify.js'
+import { verify } from '../../lib/signing.js'
 
 import { JOSEAlgNotAllowed, JWSInvalid, JWSSignatureVerificationFailed } from '../../util/errors.js'
 import { concat, encoder, decoder, encode } from '../../lib/buffer_utils.js'
-import { isDisjoint } from '../../lib/is_disjoint.js'
-import { isObject } from '../../lib/is_object.js'
+import { decodeBase64url } from '../../lib/helpers.js'
+import { isDisjoint } from '../../lib/type_checks.js'
+import { isObject } from '../../lib/type_checks.js'
 import { checkKeyType } from '../../lib/check_key_type.js'
 import { validateCrit } from '../../lib/validate_crit.js'
 import { validateAlgorithms } from '../../lib/validate_algorithms.js'
@@ -177,12 +178,7 @@ export async function flattenedVerify(
         : encoder.encode(jws.payload)
       : jws.payload,
   )
-  let signature: Uint8Array
-  try {
-    signature = b64u(jws.signature)
-  } catch {
-    throw new JWSInvalid('Failed to base64url decode the signature')
-  }
+  const signature = decodeBase64url(jws.signature, 'signature', JWSInvalid)
 
   const k = await normalizeKey(key, alg)
   const verified = await verify(alg, k, signature, data)
@@ -193,11 +189,7 @@ export async function flattenedVerify(
 
   let payload: Uint8Array
   if (b64) {
-    try {
-      payload = b64u(jws.payload)
-    } catch {
-      throw new JWSInvalid('Failed to base64url decode the payload')
-    }
+    payload = decodeBase64url(jws.payload as string, 'payload', JWSInvalid)
   } else if (typeof jws.payload === 'string') {
     payload = encoder.encode(jws.payload)
   } else {