feat: allow JWK.asKey inputs for sign/verify/encrypt/decrypt operations

docs/README.md

@@ -53,8 +53,11 @@ If you or your business use `jose`, please consider becoming a [sponsor][support
 - [JWK.isKey(object)](#jwkiskeyobject)
 <!-- TOC JWK END -->
 
-All `jose` operations require `<JWK.Key>` or `<JWKS.KeyStore>` as arguments. Here's
-how to get a `<JWK.Key>` instances generated or instantiated from existing key material.
+All sign and encrypt operations require `<JWK.Key>` or `JWK.asKey()` compatible input.  
+All verify and decrypt operations require `<JWK.Key>`, `<JWKS.KeyStore>`, or `JWK.asKey()` compatible input.  
+
+Whenever you're re-using the same key input for an operation it is recommended that you instantiate
+the  `<JWK.Key>` instance. Here's how to get a `<JWK.Key>` instances generated or instantiated from existing key material.
 
 
 ```js
@@ -756,7 +759,9 @@ that will be used to sign with is either provided as part of the 'options.algori
 'options.header.alg' or inferred from the provided `<JWK.Key>` instance.
 
 - `payload`: `<Object>` JWT Claims Set
-- `key`: `<JWK.Key>` The key to sign with.
+- `key`: `<JWK.Key>` The key to sign with. Any `JWK.asKey()` compatible input also works.
+  `<JWK.Key>` instances are recommended for performance purposes when re-using the same key for
+  every operation.
 - `options`: `<Object>`
   - `algorithm`: `<string>` The algorithm to use
   - `audience`: `<string>` &vert; `string[]` JWT Audience, "aud" claim value, if provided it will replace
@@ -817,7 +822,9 @@ Verifies the claims and signature of a JSON Web Token.
 - `token`: `<String>` JSON Web Token to verify
 - `keyOrStore`: `<JWK.Key>` &vert; `<JWKS.KeyStore>` The key or store to verify with. When
   `<JWKS.KeyStore>` instance is provided a selection of possible candidate keys will be done and the
-  operation will succeed if just one key matches.
+  operation will succeed if just one key matches. Any `JWK.asKey()` compatible input also works.
+  `<JWK.Key>` instances are recommended for performance purposes when re-using the same key for
+  every operation.
 - `options`: `<Object>`
   - `algorithms`: `string[]` Array of expected signing algorithms. JWT signed with an algorithm not
     found in this option will be rejected. **Default:** accepts all algorithms available on the
@@ -1002,7 +1009,9 @@ Creates a new Sign object for the provided payload, intended for one or more rec
 Adds a recipient to the JWS, the Algorithm that will be used to sign with is either provided as part
 of the Protected or Unprotected Header or inferred from the provided `<JWK.Key>` instance.
 
-- `key`: `<JWK.Key>` The key to sign with.
+- `key`: `<JWK.Key>` The key to sign with. Any `JWK.asKey()` compatible input also works.
+  `<JWK.Key>` instances are recommended for performance purposes when re-using the same key for
+  every operation.
 - `protected`: `<Object>` Protected Header for this recipient
 - `header`: `<Object>` Unprotected Header for this recipient
 
@@ -1029,7 +1038,9 @@ provided `<JWK.Key>` instance.
 
 - `payload`: `<Object>` &vert; `<string>` &vert; `<Buffer>` The payload that will be signed. When `<Object>`
   it will be automatically serialized to JSON before signing
-- `key`: `<JWK.Key>` The key to sign with.
+- `key`: `<JWK.Key>` The key to sign with. Any `JWK.asKey()` compatible input also works.
+  `<JWK.Key>` instances are recommended for performance purposes when re-using the same key for
+  every operation.
 - `protected`: `<Object>` Protected Header
 - Returns: `<string>`
 
@@ -1062,7 +1073,9 @@ inferred from the provided `<JWK.Key>` instance.
 
 - `payload`: `<Object>` &vert; `<string>` &vert; `<Buffer>` The payload that will be signed. When `<Object>`
   it will be automatically serialized to JSON before signing
-- `key`: `<JWK.Key>` The key to sign with.
+- `key`: `<JWK.Key>` The key to sign with. Any `JWK.asKey()` compatible input also works.
+  `<JWK.Key>` instances are recommended for performance purposes when re-using the same key for
+  every operation.
 - `protected`: `<Object>` Protected Header
 - `header`: `<Object>` Unprotected Header
 - Returns: `<Object>`
@@ -1099,7 +1112,8 @@ Verifies the provided JWS in either serialization with a given `<JWK.Key>` or `<
 - `keyOrStore`: `<JWK.Key>` &vert; `<JWKS.KeyStore>` The key or store to verify with. When
   `<JWKS.KeyStore>` instance is provided a selection of possible candidate keys will be done and the
   operation will succeed if just one key or signature (in case of General JWS JSON Serialization
-  Syntax) matches.
+  Syntax) matches. Any `JWK.asKey()` compatible input also works. `<JWK.Key>` instances are
+  recommended for performance purposes when re-using the same key for every operation.
 - `options`: `<Object>`
   - `algorithms`: `string[]` Array of Algorithms to accept, when the signature does not use an
     algorithm from this list the verification will fail. **Default:** 'undefined' - accepts all
@@ -1232,7 +1246,9 @@ Adds a recipient to the JWE, the Algorithm that will be used to wrap or derive t
 Encryption Key (CEK) is either provided as part of the combined JWE Header for the recipient or
 inferred from the provided `<JWK.Key>` instance.
 
-- `key`: `<JWK.Key>` The key to use for Key Management or Direct Encryption
+- `key`: `<JWK.Key>` The key to use for Key Management or Direct Encryption. Any `JWK.asKey()`
+  compatible input also works. `<JWK.Key>` instances are recommended for performance purposes when
+  re-using the same key for every operation.
 - `header`: `<Object>` JWE Per-Recipient Unprotected Header
 
 ---
@@ -1258,7 +1274,9 @@ will be used to wrap or derive the Content Encryption Key (CEK) is either provid
 Protected Header or inferred from the provided `<JWK.Key>` instance.
 
 - `cleartext`: `<string>` &vert; `<Buffer>` The cleartext that will be encrypted.
-- `key`: `<JWK.Key>` The key to use for Key Management or Direct Encryption
+- `key`: `<JWK.Key>` The key to use for Key Management or Direct Encryption. Any `JWK.asKey()`
+  compatible input also works. `<JWK.Key>` instances are recommended for performance purposes when
+  re-using the same key for every operation.
 - `protected`: `<Object>` JWE Protected Header
 - Returns: `<string>`
 
@@ -1271,7 +1289,9 @@ that will be used to wrap or derive the Content Encryption Key (CEK) is either p
 the combined JWE Header or inferred from the provided `<JWK.Key>` instance.
 
 - `cleartext`: `<string>` &vert; `<Buffer>` The cleartext that will be encrypted.
-- `key`: `<JWK.Key>` The key to use for Key Management or Direct Encryption
+- `key`: `<JWK.Key>` The key to use for Key Management or Direct Encryption. Any `JWK.asKey()`
+  compatible input also works. `<JWK.Key>` instances are recommended for performance purposes when
+  re-using the same key for every operation.
 - `protected`: `<Object>` JWE Protected Header
 - `unprotected`: `<Object>` JWE Shared Unprotected Header
 - `aad`: `<string>` &vert; `<Buffer>` JWE Additional Authenticated Data
@@ -1287,7 +1307,8 @@ Verifies the provided JWE in either serialization with a given `<JWK.Key>` or `<
 - `keyOrStore`: `<JWK.Key>` &vert; `<JWKS.KeyStore>` The key or store to decrypt with. When
   `<JWKS.KeyStore>` instance is provided a selection of possible candidate keys will be done and the
   operation will succeed if just one key or signature (in case of General JWE JSON Serialization
-  Syntax) matches.
+  Syntax) matches. Any `JWK.asKey()` compatible input also works. `<JWK.Key>` instances are
+  recommended for performance purposes when re-using the same key for every operation.
 - `options`: `<Object>`
   - `algorithms`: `string[]` Array of Algorithms to accept, when the JWE does not use an
     Key Management algorithm from this list the decryption will fail. **Default:** 'undefined' -

lib/help/get_key.js

@@ -0,0 +1,35 @@
+const errors = require('../errors')
+const Key = require('../jwk/key/base')
+const importKey = require('../jwk/import')
+const { KeyStore } = require('../jwks/keystore')
+
+module.exports = (input, keyStoreAllowed = false) => {
+  if (input instanceof KeyStore) {
+    if (!keyStoreAllowed) {
+      throw new TypeError('key argument for this operation must not be a JWKS.KeyStore instance')
+    }
+
+    return input
+  }
+
+  if (input instanceof Key) {
+    return input
+  }
+
+  try {
+    return importKey(input)
+  } catch (err) {
+    if (err instanceof errors.JOSEError && !(err instanceof errors.JWKImportFailed)) {
+      throw err
+    }
+
+    let msg
+    if (keyStoreAllowed) {
+      msg = 'key must be an instance of a key instantiated by JWK.asKey, a valid JWK.asKey input, or a JWKS.KeyStore instance'
+    } else {
+      msg = 'key must be an instance of a key instantiated by JWK.asKey, or a valid JWK.asKey input'
+    }
+
+    throw new TypeError(msg)
+  }
+}

lib/jwe/decrypt.js

@@ -1,8 +1,8 @@
 const { inflateRawSync } = require('zlib')
 
 const base64url = require('../help/base64url')
+const getKey = require('../help/get_key')
 const { KeyStore } = require('../jwks')
-const Key = require('../jwk/key/base')
 const errors = require('../errors')
 const { check, decrypt, keyManagementDecrypt } = require('../jwa')
 const JWK = require('../jwk')
@@ -41,9 +41,7 @@ const combineHeader = (prot = {}, unprotected = {}, header = {}) => {
  * @public
  */
 const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], complete = false, algorithms } = {}) => {
-  if (!(key instanceof Key) && !(key instanceof KeyStore)) {
-    throw new TypeError('key must be an instance of a key instantiated by JWK.asKey or a JWKS.KeyStore')
-  }
+  key = getKey(key, true)
 
   if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some(s => typeof s !== 'string' || !s))) {
     throw new TypeError('"algorithms" option must be an array of non-empty strings')

lib/jwe/encrypt.js

@@ -3,10 +3,10 @@ const { deflateRawSync } = require('zlib')
 const { KEYOBJECT } = require('../help/consts')
 const generateIV = require('../help/generate_iv')
 const base64url = require('../help/base64url')
+const getKey = require('../help/get_key')
 const isObject = require('../help/is_object')
 const { createSecretKey } = require('../help/key_object')
 const deepClone = require('../help/deep_clone')
-const Key = require('../jwk/key/base')
 const importKey = require('../jwk/import')
 const { JWEInvalid } = require('../errors')
 const { check, keyManagementEncrypt, encrypt } = require('../jwa')
@@ -57,9 +57,7 @@ class Encrypt {
    * @public
    */
   recipient (key, header) {
-    if (!(key instanceof Key)) {
-      throw new TypeError('key must be an instance of a key instantiated by JWK.asKey')
-    }
+    key = getKey(key)
 
     if (header !== undefined && !isObject(header)) {
       throw new TypeError('header argument must be a plain object when provided')

lib/jwk/import.js

@@ -49,7 +49,7 @@ const asKey = (key, parameters, { calculateMissingRSAPrimes = false } = {}) => {
         secret = key
         break
     }
-  } else if (typeof key === 'object' && 'kty' in key && key.kty === 'oct') { // symmetric key <Object>
+  } else if (typeof key === 'object' && key && 'kty' in key && key.kty === 'oct') { // symmetric key <Object>
     try {
       secret = createSecretKey(base64url.decodeToBuffer(key.k))
     } catch (err) {
@@ -62,7 +62,7 @@ const asKey = (key, parameters, { calculateMissingRSAPrimes = false } = {}) => {
       }
     }
     parameters = mergedParameters(parameters, key)
-  } else if (typeof key === 'object' && 'kty' in key) { // assume JWK formatted asymmetric key <Object>
+  } else if (typeof key === 'object' && key && 'kty' in key) { // assume JWK formatted asymmetric key <Object>
     ({ calculateMissingRSAPrimes = false } = parameters || { calculateMissingRSAPrimes })
     let pem
 
@@ -81,7 +81,7 @@ const asKey = (key, parameters, { calculateMissingRSAPrimes = false } = {}) => {
     }
 
     parameters = mergedParameters({}, key)
-  } else { // <Object> | <string> | <Buffer> passed to crypto.createPrivateKey or crypto.createPublicKey or <Buffer> passed to crypto.createSecretKey
+  } else if (key && (typeof key === 'object' || typeof key === 'string')) { // <Object> | <string> | <Buffer> passed to crypto.createPrivateKey or crypto.createPublicKey or <Buffer> passed to crypto.createSecretKey
     try {
       privateKey = createPrivateKey(key)
     } catch (err) {}
@@ -119,7 +119,7 @@ const asKey = (key, parameters, { calculateMissingRSAPrimes = false } = {}) => {
     return new OctKey(keyObject, parameters)
   }
 
-  throw new errors.JWKImportFailed('import failed')
+  throw new errors.JWKImportFailed('key import failed')
 }
 
 module.exports = asKey

lib/jws/sign.js

@@ -2,9 +2,9 @@ const base64url = require('../help/base64url')
 const isDisjoint = require('../help/is_disjoint')
 const isObject = require('../help/is_object')
 const deepClone = require('../help/deep_clone')
-const Key = require('../jwk/key/base')
 const { JWSInvalid } = require('../errors')
 const { check, sign } = require('../jwa')
+const getKey = require('../help/get_key')
 
 const serializers = require('./serializers')
 
@@ -39,9 +39,7 @@ class Sign {
    * @public
    */
   recipient (key, protectedHeader, unprotectedHeader) {
-    if (!(key instanceof Key)) {
-      throw new TypeError('key must be an instance of a key instantiated by JWK.asKey')
-    }
+    key = getKey(key)
 
     if (protectedHeader !== undefined && !isObject(protectedHeader)) {
       throw new TypeError('protectedHeader argument must be a plain object when provided')

lib/jws/verify.js

@@ -1,8 +1,8 @@
 const base64url = require('../help/base64url')
 const isDisjoint = require('../help/is_disjoint')
 let validateCrit = require('../help/validate_crit')
+const getKey = require('../help/get_key')
 const { KeyStore } = require('../jwks')
-const Key = require('../jwk/key/base')
 const errors = require('../errors')
 const { check, verify } = require('../jwa')
 
@@ -15,9 +15,7 @@ const SINGLE_RECIPIENT = new Set(['compact', 'flattened'])
  * @public
  */
 const jwsVerify = (skipDisjointCheck, serialization, jws, key, { crit = [], complete = false, algorithms, parse = true, encoding = 'utf8' } = {}) => {
-  if (!(key instanceof Key) && !(key instanceof KeyStore)) {
-    throw new TypeError('key must be an instance of a key instantiated by JWK.asKey or a JWKS.KeyStore')
-  }
+  key = getKey(key, true)
 
   if (algorithms !== undefined && (!Array.isArray(algorithms) || algorithms.some(s => typeof s !== 'string' || !s))) {
     throw new TypeError('"algorithms" option must be an array of non-empty strings')

lib/jwt/sign.js

@@ -1,6 +1,7 @@
 const isObject = require('../help/is_object')
 const secs = require('../help/secs')
 const epoch = require('../help/epoch')
+const getKey = require('../help/get_key')
 const JWS = require('../jws')
 
 const isString = require('./shared_validations').isString.bind(undefined, TypeError)
@@ -74,6 +75,8 @@ module.exports = (payload, key, options = {}) => {
     nbf: notBefore ? unix + secs(notBefore) : payload.nbf
   }
 
+  key = getKey(key)
+
   return JWS.sign(payload, key, {
     ...header,
     alg: algorithm || header.alg,

lib/jwt/verify.js

@@ -1,6 +1,7 @@
 const isObject = require('../help/is_object')
 const epoch = require('../help/epoch')
 const secs = require('../help/secs')
+const getKey = require('../help/get_key')
 const JWS = require('../jws')
 const { KeyStore } = require('../jwks')
 const { JWTClaimInvalid } = require('../errors')
@@ -217,6 +218,8 @@ module.exports = (token, key, options = {}) => {
     throw new JWTClaimInvalid('azp mismatch')
   }
 
+  key = getKey(key, true)
+
   if (complete && key instanceof KeyStore) {
     ({ key } = JWS.verify(token, key, { crit, algorithms, complete: true }))
   } else {

test/help/get_key.test.js

@@ -0,0 +1,78 @@
+const test = require('ava')
+
+const { createSecretKey, generateKeyPairSync } = require('crypto')
+
+const { keyObjectSupported } = require('../../lib/help/runtime_support')
+const errors = require('../../lib/errors')
+const getKey = require('../../lib/help/get_key')
+const { JWKS, JWK } = require('../..')
+
+test('key must not be a KeyStore instance unless keyStoreAllowed is true', t => {
+  const ks = new JWKS.KeyStore()
+  t.throws(() => {
+    getKey(ks)
+  }, { instanceOf: TypeError, message: 'key argument for this operation must not be a JWKS.KeyStore instance' })
+  t.is(getKey(ks, true), ks)
+})
+
+test('Key instances are passed through', async t => {
+  const k = await JWK.generate('oct')
+  t.is(getKey(k, true), k)
+})
+
+test('JWK is instantiated', async t => {
+  const jwk = (await JWK.generate('RSA')).toJWK()
+  const key = getKey(jwk)
+  t.truthy(key)
+  t.true(JWK.isKey(key))
+})
+
+if (keyObjectSupported) {
+  test('KeyObject is instantiated', async t => {
+    const key = getKey(createSecretKey(Buffer.from('foo')))
+    t.truthy(key)
+    t.true(JWK.isKey(key))
+  })
+}
+
+test('Buffer is instantiated', async t => {
+  const key = getKey(Buffer.from('foo'))
+  t.truthy(key)
+  t.true(JWK.isKey(key))
+  t.is(key.kty, 'oct')
+})
+
+test('oct tring is instantiated', async t => {
+  const key = getKey(Buffer.from('foo'))
+  t.truthy(key)
+  t.true(JWK.isKey(key))
+  t.is(key.kty, 'oct')
+})
+
+test('PEM key is instantiated', async t => {
+  const pem = (await JWK.generate('RSA')).toPEM()
+  const key = getKey(pem)
+  t.truthy(key)
+  t.true(JWK.isKey(key))
+  t.is(key.kty, 'RSA')
+})
+
+test('invalid inputs throw TypeError', t => {
+  ;[{}, new Object(), false, null, Infinity, 0, 1].forEach((val) => { // eslint-disable-line no-new-object
+    t.throws(() => {
+      getKey(val)
+    }, { instanceOf: TypeError, message: 'key must be an instance of a key instantiated by JWK.asKey, or a valid JWK.asKey input' })
+    t.throws(() => {
+      getKey(val, true)
+    }, { instanceOf: TypeError, message: 'key must be an instance of a key instantiated by JWK.asKey, a valid JWK.asKey input, or a JWKS.KeyStore instance' })
+  })
+
+  if (keyObjectSupported && !('electron' in process.versions)) {
+    const { privateKey, publicKey } = generateKeyPairSync('dsa', { modulusLength: 1024 })
+    ;[privateKey, publicKey].forEach((val) => {
+      t.throws(() => {
+        getKey(val)
+      }, { instanceOf: errors.JOSENotSupported, code: 'ERR_JOSE_NOT_SUPPORTED', message: 'only RSA, EC and OKP asymmetric keys are supported' })
+    })
+  }
+})