feat: enable RSA-OAEP-256 when node runtime supports it

panva · Aug 20, 2019 · cfada87 · cfada87
1 parent a019fc9
commit cfada87
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 33 deletions.
diff --git a/docs/README.md b/docs/README.md
@@ -2879,8 +2879,8 @@ _**default value**_:
 
 ```js
 [
-  // asymmetric RSAES based
-  'RSA-OAEP', 'RSA1_5',
+  // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+  'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
   // asymmetric ECDH-ES based
   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
   // symmetric AES key wrapping
@@ -3006,8 +3006,8 @@ _**default value**_:
 
 ```js
 [
-  // asymmetric RSAES based
-  'RSA-OAEP', 'RSA1_5',
+  // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+  'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
   // asymmetric ECDH-ES based
   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
   // symmetric AES key wrapping
@@ -3104,8 +3104,8 @@ _**default value**_:
 
 ```js
 [
-  // asymmetric RSAES based
-  'RSA-OAEP', 'RSA1_5',
+  // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+  'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
   // asymmetric ECDH-ES based
   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
   // symmetric AES key wrapping
@@ -3234,8 +3234,8 @@ _**default value**_:
 
 ```js
 [
-  // asymmetric RSAES based
-  'RSA-OAEP', 'RSA1_5',
+  // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+  'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
   // asymmetric ECDH-ES based
   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
   // symmetric AES key wrapping
@@ -3396,8 +3396,8 @@ _**default value**_:
 
 ```js
 [
-  // asymmetric RSAES based
-  'RSA-OAEP', 'RSA1_5',
+  // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+  'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
   // asymmetric ECDH-ES based
   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
   // symmetric AES key wrapping

diff --git a/lib/consts/jwa.js b/lib/consts/jwa.js
@@ -1,3 +1,7 @@
+const [major, minor] = process.version.substr(1).split('.').map((x) => parseInt(x, 10));
+
+const OAEP256 = major > 12 || (major === 12 && minor >= 9);
+
 const signingAlgValues = [
   'HS256', 'HS384', 'HS512',
   'RS256', 'RS384', 'RS512',
@@ -8,14 +12,14 @@ const signingAlgValues = [
 
 const encryptionAlgValues = [
   // asymmetric kw
-  'RSA-OAEP', 'RSA1_5',
+  'RSA-OAEP', OAEP256 ? 'RSA-OAEP-256' : false, 'RSA1_5',
   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
   // symmetric kw
   'A128GCMKW', 'A192GCMKW', 'A256GCMKW', 'A128KW', 'A192KW', 'A256KW',
   'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
   // no kw
   'dir',
-];
+].filter(Boolean);
 
 const encryptionEncValues = [
   'A128CBC-HS256', 'A128GCM', 'A192CBC-HS384', 'A192GCM', 'A256CBC-HS512', 'A256GCM',

diff --git a/lib/helpers/defaults.js b/lib/helpers/defaults.js
@@ -2131,8 +2131,8 @@ const DEFAULTS = {
      * example: Supported values list
      * ```js
      * [
-     *   // asymmetric RSAES based
-     *   'RSA-OAEP', 'RSA1_5',
+     *   // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+     *   'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
      *   // asymmetric ECDH-ES based
      *   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
      *   // symmetric AES key wrapping
@@ -2158,8 +2158,8 @@ const DEFAULTS = {
      * example: Supported values list
      * ```js
      * [
-     *   // asymmetric RSAES based
-     *   'RSA-OAEP', 'RSA1_5',
+     *   // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+     *   'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
      *   // asymmetric ECDH-ES based
      *   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
      *   // symmetric AES key wrapping
@@ -2184,8 +2184,8 @@ const DEFAULTS = {
      * example: Supported values list
      * ```js
      * [
-     *   // asymmetric RSAES based
-     *   'RSA-OAEP', 'RSA1_5',
+     *   // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+     *   'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
      *   // asymmetric ECDH-ES based
      *   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
      *   // symmetric AES key wrapping
@@ -2211,8 +2211,8 @@ const DEFAULTS = {
      * example: Supported values list
      * ```js
      * [
-     *   // asymmetric RSAES based
-     *   'RSA-OAEP', 'RSA1_5',
+     *   // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+     *   'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
      *   // asymmetric ECDH-ES based
      *   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
      *   // symmetric AES key wrapping
@@ -2238,8 +2238,8 @@ const DEFAULTS = {
      * example: Supported values list
      * ```js
      * [
-     *   // asymmetric RSAES based
-     *   'RSA-OAEP', 'RSA1_5',
+     *   // asymmetric RSAES based (note: RSA-OAEP-256 is only supported in node runtime >= 12.9.0)
+     *   'RSA-OAEP', 'RSA-OAEP-256', 'RSA1_5',
      *   // asymmetric ECDH-ES based
      *   'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW',
      *   // symmetric AES key wrapping

diff --git a/package.json b/package.json
@@ -41,7 +41,7 @@
   },
   "dependencies": {
     "@koa/cors": "^3.0.0",
-    "@panva/jose": "^1.5.0",
+    "@panva/jose": "^1.7.0",
     "debug": "^4.1.1",
     "ejs": "^2.6.2",
     "got": "^9.6.0",

diff --git a/test/configuration/client_metadata.test.js b/test/configuration/client_metadata.test.js
@@ -9,6 +9,10 @@ const Provider = require('../../lib');
 const { whitelistedJWA } = require('../default.config');
 const mtlsKeys = require('../jwks/jwks.json');
 
+const [major, minor] = process.version.substr(1).split('.').map((x) => parseInt(x, 10));
+
+const OAEP256 = major > 12 || (major === 12 && minor >= 9);
+
 const sigKey = global.keystore.get().toJWK();
 const privateKey = global.keystore.get().toJWK(true);
 const { DYNAMIC_SCOPE_LABEL, errors: { InvalidClientMetadata } } = Provider;
@@ -607,10 +611,10 @@ describe('Client metadata validation', () => {
       }));
       allows(this.title, 'dir', undefined, configuration);
       [
-        'RSA-OAEP', 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
+        'RSA-OAEP', OAEP256 ? 'RSA-OAEP-256' : false, 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
         'ECDH-ES+A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW', 'A128KW', 'A192KW', 'A256KW',
         'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
-      ].forEach((value) => {
+      ].filter(Boolean).forEach((value) => {
         allows(this.title, value, {
           jwks: { keys: [sigKey] },
         }, configuration);
@@ -669,10 +673,10 @@ describe('Client metadata validation', () => {
       }));
       allows(this.title, 'dir', undefined, configuration);
       [
-        'RSA-OAEP', 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
+        'RSA-OAEP', OAEP256 ? 'RSA-OAEP-256' : false, 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
         'ECDH-ES+A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW', 'A128KW', 'A192KW', 'A256KW',
         'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
-      ].forEach((value) => {
+      ].filter(Boolean).forEach((value) => {
         allows(this.title, value, {
           jwks: { keys: [sigKey] },
         }, configuration);
@@ -732,10 +736,10 @@ describe('Client metadata validation', () => {
       }));
       allows(this.title, 'dir', undefined, configuration);
       [
-        'RSA-OAEP', 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
+        'RSA-OAEP', OAEP256 ? 'RSA-OAEP-256' : false, 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
         'ECDH-ES+A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW', 'A128KW', 'A192KW', 'A256KW',
         'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
-      ].forEach((value) => {
+      ].filter(Boolean).forEach((value) => {
         allows(this.title, value, {
           jwks: { keys: [sigKey] },
         }, configuration);
@@ -795,10 +799,10 @@ describe('Client metadata validation', () => {
       }));
       allows(this.title, 'dir', undefined, configuration);
       [
-        'RSA-OAEP', 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
+        'RSA-OAEP', OAEP256 ? 'RSA-OAEP-256' : false, 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
         'ECDH-ES+A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW', 'A128KW', 'A192KW', 'A256KW',
         'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
-      ].forEach((value) => {
+      ].filter(Boolean).forEach((value) => {
         allows(this.title, value, {
           jwks: { keys: [sigKey] },
         }, configuration);
@@ -864,10 +868,10 @@ describe('Client metadata validation', () => {
       }));
       allows(this.title, 'dir', undefined, configuration);
       [
-        'RSA-OAEP', 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
+        'RSA-OAEP', OAEP256 ? 'RSA-OAEP-256' : false, 'RSA1_5', 'ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW',
         'ECDH-ES+A256KW', 'A128GCMKW', 'A192GCMKW', 'A256GCMKW', 'A128KW', 'A192KW', 'A256KW',
         'PBES2-HS256+A128KW', 'PBES2-HS384+A192KW', 'PBES2-HS512+A256KW',
-      ].forEach((value) => {
+      ].filter(Boolean).forEach((value) => {
         allows(this.title, value, undefined, configuration);
         if (value === 'ECDH-ES') {
           rejects(this.title, value, 'A192CBC-HS384 is not possible with ECDH-ES', {