fix: jwk thumprint using crypto.subtle

Signed-off-by: Timo Glastra <timo@animo.id>

Author: TimoGlastra

packages/client/lib/AuthorizationCodeClient.ts

@@ -114,7 +114,7 @@ export const createAuthorizationRequestUrl = async ({
   const client_id = clientId ?? authorizationRequest.clientId;
 
   // Authorization server metadata takes precedence
-  const authorizationMetadata = endpointMetadata.authorizationServerMetadata ?? endpointMetadata.credentialIssuerMetadata
+  const authorizationMetadata = endpointMetadata.authorizationServerMetadata ?? endpointMetadata.credentialIssuerMetadata;
 
   let { authorizationDetails } = authorizationRequest;
   const parMode = authorizationMetadata?.require_pushed_authorization_requests
@@ -182,7 +182,6 @@ export const createAuthorizationRequestUrl = async ({
   }
   const parEndpoint = authorizationMetadata?.pushed_authorization_request_endpoint;
 
-
   let queryObj: Record<string, any> | PushedAuthorizationResponse = {
     response_type: ResponseType.AUTH_CODE,
     ...(!pkce.disabled && {

packages/common/lib/dpop/DPoP.ts

@@ -1,8 +1,9 @@
 import { jwtDecode } from 'jwt-decode';
-import SHA from 'sha.js';
 import * as u8a from 'uint8arrays';
 import { v4 as uuidv4 } from 'uuid';
 
+import { defaultHasher } from '../hasher';
+
 import {
   calculateJwkThumbprint,
   CreateJwtCallback,
@@ -68,7 +69,7 @@ export async function createDPoP(options: CreateDPoPOpts): Promise<string> {
     throw new Error('expected access token without scheme');
   }
 
-  const ath = jwtPayloadProps.accessToken ? u8a.toString(SHA('sha256').update(jwtPayloadProps.accessToken).digest(), 'base64url') : undefined;
+  const ath = jwtPayloadProps.accessToken ? u8a.toString(defaultHasher(jwtPayloadProps.accessToken, 'sha256'), 'base64url') : undefined;
   return createJwtCallback(
     { method: 'jwk', type: 'dpop', alg: jwtIssuer.alg, jwk: jwtIssuer.jwk, dPoPSigningAlgValuesSupported },
     {
@@ -195,7 +196,7 @@ export async function verifyDPoP(
     }
 
     const accessToken = authorizationHeader.replace('DPoP ', '');
-    const expectedAth = u8a.toString(SHA('sha256').update(accessToken).digest(), 'base64url');
+    const expectedAth = u8a.toString(defaultHasher(accessToken, 'sha256'), 'base64url');
     if (dPoPPayload.ath !== expectedAth) {
       throw new Error('invalid_dpop_proof. Invalid ath claim');
     }

packages/common/lib/hasher.ts

@@ -0,0 +1,17 @@
+import { Hasher } from '@sphereon/ssi-types';
+import sha from 'sha.js';
+
+const supportedAlgorithms = ['sha256', 'sha384', 'sha512'] as const;
+type SupportedAlgorithms = (typeof supportedAlgorithms)[number];
+
+export const defaultHasher: Hasher = (data, algorithm) => {
+  if (!supportedAlgorithms.includes(algorithm as SupportedAlgorithms)) {
+    throw new Error(`Unsupported hashing algorithm ${algorithm}`);
+  }
+
+  return new Uint8Array(
+    sha(algorithm as SupportedAlgorithms)
+      .update(data)
+      .digest(),
+  );
+};

packages/common/lib/index.ts

@@ -7,3 +7,4 @@ export * from './jwt';
 export * from './dpop';
 
 export { v4 as uuidv4 } from 'uuid';
+export { defaultHasher } from './hasher';

packages/common/lib/jwt/JwkThumbprint.ts

@@ -1,5 +1,6 @@
 import * as u8a from 'uint8arrays';
 
+import { defaultHasher } from '../hasher';
 import { DigestAlgorithm } from '../types';
 
 import { JWK } from '.';
@@ -10,11 +11,6 @@ const check = (value: unknown, description: string) => {
   }
 };
 
-const digest = async (algorithm: DigestAlgorithm, data: Uint8Array) => {
-  const subtleDigest = `SHA-${algorithm.slice(-3)}`;
-  return new Uint8Array(await crypto.subtle.digest(subtleDigest, data));
-};
-
 export async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestAlgorithm): Promise<string> {
   if (!jwk || typeof jwk !== 'object') {
     throw new TypeError('JWK must be an object');
@@ -48,8 +44,7 @@ export async function calculateJwkThumbprint(jwk: JWK, digestAlgorithm?: DigestA
     default:
       throw Error('"kty" (Key Type) Parameter missing or unsupported');
   }
-  const data = u8a.fromString(JSON.stringify(components), 'utf-8');
-  return u8a.toString(await digest(algorithm, data), 'base64url');
+  return u8a.toString(defaultHasher(algorithm, JSON.stringify(components)), 'base64url');
 }
 
 export async function getDigestAlgorithmFromJwkThumbprintUri(uri: string): Promise<DigestAlgorithm> {

packages/oid4vci-common/lib/functions/RandomUtils.ts

@@ -1,4 +1,4 @@
-import SHA from 'sha.js';
+import { defaultHasher } from '@sphereon/oid4vc-common';
 import * as u8a from 'uint8arrays';
 import { SupportedEncodings } from 'uint8arrays/to-string';
 
@@ -26,7 +26,7 @@ export const createCodeChallenge = (codeVerifier: string, codeChallengeMethod?:
   if (codeChallengeMethod === CodeChallengeMethod.plain) {
     return codeVerifier;
   } else if (!codeChallengeMethod || codeChallengeMethod === CodeChallengeMethod.S256) {
-    return u8a.toString(SHA('sha256').update(codeVerifier).digest(), 'base64url');
+    return u8a.toString(defaultHasher(codeVerifier, 'sha256'), 'base64url');
   } else {
     // Just a precaution if a new method would be introduced
     throw Error(`code challenge method ${codeChallengeMethod} not implemented`);

packages/oid4vci-common/package.json

@@ -14,13 +14,11 @@
     "@sphereon/ssi-types": "0.28.0",
     "cross-fetch": "^3.1.8",
     "jwt-decode": "^4.0.0",
-    "sha.js": "^2.4.11",
     "uint8arrays": "3.1.1",
     "uuid": "^9.0.0"
   },
   "devDependencies": {
     "@types/jest": "^29.5.12",
-    "@types/sha.js": "^2.4.4",
     "@types/uuid": "^9.0.1",
     "typescript": "5.4.5"
   },

packages/siop-oid4vp/lib/helpers/State.ts

@@ -1,5 +1,4 @@
-import { uuidv4 } from '@sphereon/oid4vc-common'
-import SHA from 'sha.js'
+import { defaultHasher, uuidv4 } from '@sphereon/oid4vc-common'
 
 import { base64urlEncodeBuffer } from './Encodings'
 
@@ -8,7 +7,7 @@ export function getNonce(state: string, nonce?: string) {
 }
 
 export function toNonce(input: string): string {
-  const buff = SHA('sha256').update(input).digest()
+  const buff = defaultHasher(input, 'sha256')
   return base64urlEncodeBuffer(buff)
 }
 

packages/siop-oid4vp/lib/op/Opts.ts

@@ -1,3 +1,5 @@
+import { defaultHasher } from '@sphereon/oid4vc-common'
+
 import { VerifyAuthorizationRequestOpts } from '../authorization-request'
 import { AuthorizationResponseOpts } from '../authorization-response'
 import { LanguageTagUtils } from '../helpers'
@@ -63,7 +65,7 @@ export const createVerifyRequestOptsFromBuilderOrExistingOpts = (opts: {
   return opts.builder
     ? {
         verifyJwtCallback: opts.builder.verifyJwtCallback,
-        hasher: opts.builder.hasher,
+        hasher: opts.builder.hasher ?? defaultHasher,
         verification: {},
         supportedVersions: opts.builder.supportedVersions,
         correlationId: undefined,

packages/siop-oid4vp/lib/rp/Opts.ts

@@ -1,3 +1,5 @@
+import { defaultHasher } from '@sphereon/oid4vc-common'
+
 import { CreateAuthorizationRequestOpts, PropertyTarget, PropertyTargets, RequestPropertyWithTargets } from '../authorization-request'
 import { VerifyAuthorizationResponseOpts } from '../authorization-response'
 // import { CreateAuthorizationRequestOptsSchema } from '../schemas';
@@ -49,7 +51,7 @@ export const createRequestOptsFromBuilderOrExistingOpts = (opts: { builder?: RPB
 export const createVerifyResponseOptsFromBuilderOrExistingOpts = (opts: { builder?: RPBuilder; verifyOpts?: VerifyAuthorizationResponseOpts }) => {
   return opts.builder
     ? {
-        hasher: opts.builder.hasher,
+        hasher: opts.builder.hasher ?? defaultHasher,
         verifyJwtCallback: opts.builder.verifyJwtCallback,
         verification: {
           presentationVerificationCallback: opts.builder.presentationVerificationCallback,