3 changed files with 11 additions and 81 deletions
--- a/keypairs.js
+++ b/keypairs.js
@ -154,9 +154,9 @@ Keypairs.signJwt = function (opts) {
    var header = opts.header || {};
    var claims = JSON.parse(JSON.stringify(opts.claims || {}));
    header.typ = 'JWT';
-
+    if (!header.kid) {
-    if (!header.kid) { header.kid = thumb; }
+      header.kid = thumb;
-    if (!header.alg && opts.alg) { header.alg = opts.alg; }
+    }
    if (!claims.iat && (false === claims.iat || false === opts.iat)) {
      claims.iat = undefined;
    } else if (!claims.iat) {
@ -197,7 +197,7 @@ Keypairs.signJws = function (opts) {
      if (!opts.jwk) {
        throw new Error("opts.jwk must exist and must declare 'typ'");
      }
-      return ('RSA' === opts.jwk.kty) ? "RS256" : "ES256";
+      return ('RSA' === opts.jwk.typ) ? "RS256" : "ES256";
    }
    function sign(pem) {
@ -229,21 +229,13 @@ Keypairs.signJws = function (opts) {
      }
      // node specifies RSA-SHAxxx even whet it's actually ecdsa (it's all encoded x509 shasums anyway)
-      var nodeAlg = "SHA" + (((protect||header).alg||'').replace(/^[^\d]+/, '')||'256');
+      var nodeAlg = "RSA-SHA" + (((protect||header).alg||'').replace(/^[^\d]+/, '')||'256');
      var protected64 = Enc.strToUrlBase64(protectedHeader);
      var payload64 = Enc.bufToUrlBase64(payload);
-      var binsig = require('crypto')
+      var sig = require('crypto')
        .createSign(nodeAlg)
        .update(protect ? (protected64 + "." + payload64) : payload64)
-        .sign(pem)
+        .sign(pem, 'base64')
      ;
      if ('EC' === opts.jwk.kty) {
        // ECDSA JWT signatures differ from "normal" ECDSA signatures
        // https://tools.ietf.org/html/rfc7518#section-3.4
        binsig = ecdsaAsn1SigToJoseSig(binsig);
      }
      var sig = binsig.toString('base64')
        .replace(/\+/g, '-')
        .replace(/\//g, '_')
        .replace(/=/g, '')
@ -257,41 +249,6 @@ Keypairs.signJws = function (opts) {
      };
    }
    function ecdsaAsn1SigToJoseSig(binsig) {
      // should have asn1 sequence header of 0x30
      if (0x30 !== binsig[0]) { throw new Error("Impossible EC SHA head marker"); }
      var index = 2; // first ecdsa "R" header byte
      var len = binsig[1];
      var lenlen = 0;
      // Seek length of length if length is greater than 127 (i.e. two 512-bit / 64-byte R and S values)
      if (0x80 & len) {
        lenlen = len - 0x80; // should be exactly 1
        len = binsig[2]; // should be <= 130 (two 64-bit SHA-512s, plus padding)
        index += lenlen;
      }
      // should be of BigInt type
      if (0x02 !== binsig[index]) { throw new Error("Impossible EC SHA R marker"); }
      index += 1;
      var rlen = binsig[index];
      var bits = 32;
      if (rlen > 49) {
        bits = 64;
      } else if (rlen > 33) {
        bits = 48;
      }
      var r = binsig.slice(index + 1, index + 1 + rlen).toString('hex');
      var slen = binsig[index + 1 + rlen + 1]; // skip header and read length
      var s = binsig.slice(index + 1 + rlen + 1 + 1).toString('hex');
      if (2 *slen !== s.length) { throw new Error("Impossible EC SHA S length"); }
      // There may be one byte of padding on either
      while (r.length < 2*bits) { r = '00' + r; }
      while (s.length < 2*bits) { s = '00' + s; }
      if (2*(bits+1) === r.length) { r = r.slice(2); }
      if (2*(bits+1) === s.length) { s = s.slice(2); }
      return Buffer.concat([Buffer.from(r, 'hex'), Buffer.from(s, 'hex')]);
    }
    if (opts.pem && opts.jwk) {
      return sign(opts.pem);
    } else {
@ -342,25 +299,3 @@ Enc.bufToUrlBase64 = function (buf) {
  return Buffer.from(buf).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
 };
 // For 'rsa-compat' module only
 // PLEASE do not use these sync methods, they are deprecated
 Keypairs._importSync = function (opts) {
  try {
    return Eckles.importSync(opts);
  } catch(e) {
    try {
      return Rasha.importSync(opts);
    } catch(e) {
      console.error("options.pem does not appear to be a valid RSA or ECDSA public or private key");
    }
  }
 };
 // PLEASE do not use these, they are deprecated
 Keypairs._exportSync = function (opts) {
  if ('RSA' === opts.jwk.kty) {
    return Rasha.exportSync(opts);
  } else {
    return Eckles.exportSync(opts);
  }
 };
--- a/package.json
+++ b/package.json
@ -1,7 +1,7 @@
 {
  "name": "keypairs",
-  "version": "1.2.14",
+  "version": "1.2.8",
-  "description": "Lightweight RSA/ECDSA keypair generation and JWK <-> PEM using node's native RSA and ECDSA support",
+  "description": "Lightweight RSA/ECDSA keypair generation and JWK <-> PEM",
  "main": "keypairs.js",
  "files": [
    "bin/keypairs.js"
@ -21,11 +21,7 @@
    "RSA",
    "ECDSA",
    "PEM",
-    "JWK",
+    "JWK"
    "keypair",
    "crypto",
    "sign",
    "verify"
  ],
  "author": "AJ ONeal <coolaj86@gmail.com> (https://coolaj86.com/)",
  "license": "MPL-2.0",
--- a/test.js
+++ b/test.js
@ -1,7 +1,6 @@
 var Keypairs = require('./');
 /* global Promise*/
 console.info("This SHOULD result in an error message:");
 Keypairs.parseOrGenerate({ key: '' }).then(function (pair) {
  // should NOT have any warning output
  if (!pair.private || !pair.public) {
@ -91,7 +90,7 @@ Keypairs.parseOrGenerate({ key: '' }).then(function (pair) {
      if ('NOERR' === e.code) { throw e; }
      return true;
    })
-  , Keypairs.signJwt({ jwk: pair.private, alg: 'ES512', iss: 'https://example.com/', exp: '1h' }).then(function (jwt) {
+  , Keypairs.signJwt({ jwk: pair.private, iss: 'https://example.com/', exp: '1h' }).then(function (jwt) {
      var parts = jwt.split('.');
      var now = Math.round(Date.now()/1000);
      var token = {