From d349ba96d763b5ca605cffb9a3d9f016dc402a37 Mon Sep 17 00:00:00 2001
From: Filip Skokan
Date: Mon, 11 Mar 2019 22:15:34 +0100
Subject: [PATCH] feat: keystore .all and .get operation option
---
 docs/README.md | 4 ++++
 lib/index.d.ts | 3 ++-
 lib/jwe/decrypt.js | 4 ++--
 lib/jwk/key/ec.js | 5 ++---
 lib/jwk/key/oct.js | 1 +
 lib/jwk/key/rsa.js | 5 ++---
 lib/jwks/keystore.js | 4 ++--
 lib/jws/verify.js | 2 +-
 8 files changed, 16 insertions(+), 12 deletions(-)
diff --git a/docs/README.md b/docs/README.md
index 424c36e4e3..fae9612ad1 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -485,6 +485,8 @@ specified by the parameters are first.
 - `alg`: `` Key supported algorithm to filter for.
 - `use`: `` Key use to filter for.
 - `kid`: `` Key ID to filter for.
+ - `operation`: `` Further specify the operation a given alg must be valid for. Must be one
+ of 'encrypt', 'decrypt', 'sign', 'verify', 'wrapKey', 'unwrapKey'
 - Returns: `` Array of key instances or an empty array when none are matching the parameters.
 ---
@@ -499,6 +501,8 @@ parameters is returned.
 - `alg`: `` Key supported algorithm to filter for.
 - `use`: `` Key use to filter for.
 - `kid`: `` Key ID to filter for.
+ - `operation`: `` Further specify the operation a given alg must be valid for. Must be one
+ of 'encrypt', 'decrypt', 'sign', 'verify', 'wrapKey', 'unwrapKey'
 - Returns: `` | `` | `` | ``
 ---
diff --git a/lib/index.d.ts b/lib/index.d.ts
index 1fb43f85d0..a1377576f3 100644
--- a/lib/index.d.ts
+++ b/lib/index.d.ts
@@ -10,9 +10,9 @@ interface KeyParameters {
 }
 type curve = 'P-256' | 'P-384' | 'P-521'
 type keyType = 'RSA' | 'EC' | 'oct'
+type keyOperation = 'encrypt' | 'decrypt' | 'sign' | 'verify' | 'wrapKey' | 'unwrapKey'
 export namespace JWK {
- type keyOperation = 'encrypt' | 'decrypt' | 'sign' | 'verify' | 'wrapKey' | 'unwrapKey'
 class Key {
 kty: keyType
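Review bot: The removed `type keyOperation` inside `export namespace JWK` in lib/index.d.ts was part of the package's public typings (members of an ambient namespace are implicitly exported, so consumers could write `JWK.keyOperation`), while the replacement top-level `type keyOperation` carries no `export`, so any consumer annotation using the old name stops compiling. If the intent is only to share the alias with the `JWKS` namespace, either add `export` to the new top-level alias or rename it (e.g. `KeyOperation`) and re-add `type keyOperation = KeyOperation` under `JWK` so the old path keeps working. Whether any downstream code referenced `JWK.keyOperation` cannot be seen from the patch.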
@@ -104,6 +104,7 @@ export namespace JWK {
 export namespace JWKS {
 interface KeyQuery extends KeyParameters {
 kty: keyType
+ operation: keyOperation
 }
 class KeyStore {
diff --git a/lib/jwe/decrypt.js b/lib/jwe/decrypt.js
index a902c7d7df..b465257b7b 100644
--- a/lib/jwe/decrypt.js
+++ b/lib/jwe/decrypt.js
@@ -94,9 +94,9 @@ const jweDecrypt = (skipValidateHeaders, serialization, jwe, key, { crit = [], c
 const keystore = key
 let keys
 if (opts.alg === 'dir') {
- keys = keystore.all({ ...opts, alg: opts.enc })
+ keys = keystore.all({ kid: opts.kid, alg: opts.enc, operation: 'decrypt' })
 } else {
- keys = keystore.all(opts)
+ keys = keystore.all({ kid: opts.kid, alg: opts.alg, operation: 'unwrapKey' })
 }
 switch (keys.length) {
 case 0:
diff --git a/lib/jwk/key/ec.js b/lib/jwk/key/ec.js
index 56e29a8fa6..02a8d43e4b 100644
--- a/lib/jwk/key/ec.js
+++ b/lib/jwk/key/ec.js
@@ -83,11 +83,10 @@ class ECKey extends Key {
 return new Set(WRAP_ALGS)
 case undefined:
+ // just the ops needed to return all algs regardless of its use
 return new Set([
- ...this.algorithms('sign'),
 ...this.algorithms('verify'),
- ...this.algorithms('wrapKey'),
- ...this.algorithms('unwrapKey')
+ ...this.algorithms('wrapKey')
 ])
 default:
 throw new TypeError('invalid key operation')
diff --git a/lib/jwk/key/oct.js b/lib/jwk/key/oct.js
index e41d2dfcfa..23f4e56b5b 100644
--- a/lib/jwk/key/oct.js
+++ b/lib/jwk/key/oct.js
@@ -128,6 +128,7 @@ class OctKey extends Key {
 return algs
 case undefined:
 return new Set([
+ // just the ops needed to return all algs regardless of its use - symmetric keys
 ...this.algorithms('encrypt'),
 ...this.algorithms('sign'),
 ...this.algorithms('wrapKey')
diff --git a/lib/jwk/key/rsa.js b/lib/jwk/key/rsa.js
index 20a57fc3f6..1a50a565a3 100644
--- a/lib/jwk/key/rsa.js
+++ b/lib/jwk/key/rsa.js
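Review bot: `operation: keyOperation` is declared as a required member of `JWKS.KeyQuery`, but the JavaScript side treats it as optional — `all ({ alg, kid, use, kty, operation } = {})` in the keystore.js hunk destructures it with no default and only consults it inside the `alg !== undefined` guard — so TypeScript callers would be forced to supply an operation on every `all`/`get` query. The declaration should read `operation?: keyOperation`. A one-line doc comment above it, `/** Key operation the requested alg must be valid for; only consulted together with alg */`, would keep the .d.ts in step with the README text added in this commit.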
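Review bot: The two `keystore.all({ ... })` calls in the decrypt.js hunk now forward only `kid` and `alg`/`enc` from the JWE header instead of spreading the whole header object into the query, but nothing records why the query is deliberately narrow, so a later edit could reintroduce `...opts` without noticing. Add a comment above `if (opts.alg === 'dir') {` such as `// only kid and alg are taken from the not-yet-authenticated header as lookup hints; the key operation is fixed by this code path, never by the header`. The same note applies to the single `keystore.all({ kid: combinedHeader.kid, alg: combinedHeader.alg, operation: 'verify' })` call in the verify.js hunk of the next chunk. As a point of style, both branches build the same object shape and could collapse to `const [alg, operation] = opts.alg === 'dir' ? [opts.enc, 'decrypt'] : [opts.alg, 'unwrapKey']` followed by `keys = keystore.all({ kid: opts.kid, alg, operation })`. jweDecrypt begins before this hunk.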
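Review bot: The new `case undefined:` branch in ec.js returns the union of only `this.algorithms('verify')` and `this.algorithms('wrapKey')`, which is complete only if the 'sign' set is always a subset of the 'verify' set and 'unwrapKey' a subset of 'wrapKey'; the added comment `// just the ops needed to return all algs regardless of its use` states the intent but not that invariant, and nothing in the hunk checks it. Spell it out, e.g. `// 'verify' covers every 'sign' alg and 'wrapKey' every 'unwrapKey' alg (the public half supports at least what the private half does), so these two sets list all algs` — presumably true for the EC and RSA branches of algorithms(), which start outside the hunk, but worth confirming there. The rsa.js hunk at the top of the next chunk has the identical change and comment. The oct.js hunk places its comment inside the `new Set([` literal rather than before `return`; putting it on the line before `return new Set([` would match ec.js and rsa.js.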
@@ -90,11 +90,10 @@ class RSAKey extends Key {
 return new Set(WRAP_ALGS)
 case undefined:
+ // just the ops needed to return all algs regardless of its use
 return new Set([
- ...this.algorithms('sign'),
 ...this.algorithms('verify'),
- ...this.algorithms('wrapKey'),
- ...this.algorithms('unwrapKey')
+ ...this.algorithms('wrapKey')
 ])
 default:
 throw new TypeError('invalid key operation')
diff --git a/lib/jwks/keystore.js b/lib/jwks/keystore.js
index 2578939b40..70c185e3bc 100644
--- a/lib/jwks/keystore.js
+++ b/lib/jwks/keystore.js
@@ -45,12 +45,12 @@ class KeyStore {
 return new KeyStore(...keys)
 }
- all ({ alg, kid, use, kty } = {}) {
+ all ({ alg, kid, use, kty, operation } = {}) {
 return [...this[KEYS]]
 .filter((key) => {
 let candidate = true
- if (alg !== undefined && !key.algorithms().has(alg)) {
+ if (alg !== undefined && !key.algorithms(operation).has(alg)) {
 candidate = false
 }
diff --git a/lib/jws/verify.js b/lib/jws/verify.js
index e041969b24..9ab11bef10 100644
--- a/lib/jws/verify.js
+++ b/lib/jws/verify.js
@@ -79,7 +79,7 @@ const jwsVerify = (skipDisjointCheck, serialization, jws, key, { crit = [], comp
 if (key instanceof KeyStore) {
 const keystore = key
- const keys = keystore.all(combinedHeader)
+ const keys = keystore.all({ kid: combinedHeader.kid, alg: combinedHeader.alg, operation: 'verify' })
 switch (keys.length) {
 case 0:
 throw new errors.JWKSNoMatchingKey()
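Review bot: `all` in the keystore.js hunk forwards `operation` to `key.algorithms(operation)` unvalidated and only inside the `alg !== undefined &&` guard, so a query that sets `operation` without `alg` silently ignores it, and a misspelled operation surfaces as the `TypeError('invalid key operation')` thrown by the key classes' `default:` branch (visible in the ec.js/rsa.js hunks) from inside the filter callback rather than at the call site. Either check it up front, e.g. `if (operation !== undefined && !OPERATIONS.has(operation)) throw new TypeError('invalid key operation')` with `OPERATIONS` a new module-level `Set` of the six names listed in the README hunk, or at least document the coupling in a comment above the method: `// operation narrows the alg check only; it is ignored when alg is undefined and must be one of the operations key.algorithms() accepts`. `get`, which the commit subject says gains the same option, is not in this chunk, so whether it passes `operation` through to `all` cannot be seen here. The method body continues past the hunk.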