refactor: ensure export functions continue to work with KeyObject inputs

Author: panva

src/key/export.ts

@@ -4,7 +4,7 @@ import keyToJWK from '../lib/key_to_jwk.js'
 import type * as types from '../types.d.ts'
 
 /**
- * Exports a public {@link !CryptoKey} to a PEM-encoded SPKI string format.
+ * Exports a public {@link !CryptoKey} or {@link !KeyObject} to a PEM-encoded SPKI string format.
  *
  * This function is exported (as a named export) from the main `'jose'` module entry point as well
  * as from its subpath export `'jose/key/export'`.
@@ -19,12 +19,12 @@ import type * as types from '../types.d.ts'
  *
  * @param key Key to export to a PEM-encoded SPKI string format.
  */
-export async function exportSPKI(key: types.CryptoKey): Promise<string> {
+export async function exportSPKI(key: types.CryptoKey | types.KeyObject): Promise<string> {
   return exportPublic(key)
 }
 
 /**
- * Exports a private {@link !CryptoKey} to a PEM-encoded PKCS8 string format.
+ * Exports a private {@link !CryptoKey} or {@link !KeyObject} to a PEM-encoded PKCS8 string format.
  *
  * This function is exported (as a named export) from the main `'jose'` module entry point as well
  * as from its subpath export `'jose/key/export'`.
@@ -39,12 +39,12 @@ export async function exportSPKI(key: types.CryptoKey): Promise<string> {
  *
  * @param key Key to export to a PEM-encoded PKCS8 string format.
  */
-export async function exportPKCS8(key: types.CryptoKey): Promise<string> {
+export async function exportPKCS8(key: types.CryptoKey | types.KeyObject): Promise<string> {
   return exportPrivate(key)
 }
 
 /**
- * Exports a {@link !CryptoKey} to a JWK.
+ * Exports a {@link !CryptoKey}, {@link !KeyObject}, or {@link !Uint8Array} to a JWK.
  *
  * This function is exported (as a named export) from the main `'jose'` module entry point as well
  * as from its subpath export `'jose/key/export'`.
@@ -61,6 +61,8 @@ export async function exportPKCS8(key: types.CryptoKey): Promise<string> {
  *
  * @param key Key to export as JWK.
  */
-export async function exportJWK(key: types.CryptoKey | Uint8Array): Promise<types.JWK> {
+export async function exportJWK(
+  key: types.CryptoKey | types.KeyObject | Uint8Array,
+): Promise<types.JWK> {
   return keyToJWK(key)
 }

src/lib/asn1.ts

@@ -2,7 +2,7 @@ import type * as types from '../types.d.ts'
 import invalidKeyInput from './invalid_key_input.js'
 import { encodeBase64, decodeBase64 } from './base64url.js'
 import { JOSENotSupported } from '../util/errors.js'
-import { isCryptoKey } from './is_key_like.js'
+import { isCryptoKey, isKeyObject } from './is_key_like.js'
 
 import type { PEMImportOptions } from '../key/import.js'
 
@@ -11,13 +11,30 @@ const formatPEM = (b64: string, descriptor: string) => {
   return `-----BEGIN ${descriptor}-----\n${newlined}\n-----END ${descriptor}-----`
 }
 
+interface ExportOptions {
+  format: 'pem'
+  type: 'spki' | 'pkcs8'
+}
+
+interface ExtractableKeyObject extends types.KeyObject {
+  export(arg: ExportOptions): string
+}
+
 const genericExport = async (
   keyType: 'private' | 'public',
   keyFormat: 'spki' | 'pkcs8',
   key: unknown,
 ) => {
+  if (isKeyObject(key)) {
+    if (key.type !== keyType) {
+      throw new TypeError(`key is not a ${keyType} key`)
+    }
+
+    return (key as ExtractableKeyObject).export({ format: 'pem', type: keyFormat })
+  }
+
   if (!isCryptoKey(key)) {
-    throw new TypeError(invalidKeyInput(key, 'CryptoKey'))
+    throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject'))
   }
 
   if (!key.extractable) {

src/lib/key_to_jwk.ts

@@ -1,17 +1,33 @@
 import type * as types from '../types.d.ts'
 import invalidKeyInput from './invalid_key_input.js'
 import { encode as base64url } from './base64url.js'
-import { isCryptoKey } from './is_key_like.js'
+import { isCryptoKey, isKeyObject } from './is_key_like.js'
 
-export default async (key: unknown): Promise<types.JWK> => {
+interface ExportOptions {
+  format: 'jwk'
+}
+
+interface ExtractableKeyObject extends types.KeyObject {
+  export(arg: ExportOptions): types.JWK
+  export(): Uint8Array
+}
+
+export default async function keyToJWK(key: unknown): Promise<types.JWK> {
+  if (isKeyObject(key)) {
+    if (key.type === 'secret') {
+      key = (key as ExtractableKeyObject).export()
+    } else {
+      return (key as ExtractableKeyObject).export({ format: 'jwk' })
+    }
+  }
   if (key instanceof Uint8Array) {
     return {
       kty: 'oct',
       k: base64url(key),
     }
   }
   if (!isCryptoKey(key)) {
-    throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'Uint8Array'))
+    throw new TypeError(invalidKeyInput(key, 'CryptoKey', 'KeyObject', 'Uint8Array'))
   }
   if (!key.extractable) {
     throw new TypeError('non-extractable CryptoKey cannot be exported as a JWK')

tap/jwk.ts

@@ -6,7 +6,7 @@ import type * as jose from '../src/index.js'
 export default (
   QUnit: QUnit,
   lib: typeof jose,
-  _keys: Pick<typeof jose, 'exportJWK' | 'generateKeyPair' | 'generateSecret' | 'importJWK'>,
+  keys: Pick<typeof jose, 'exportJWK' | 'generateKeyPair' | 'generateSecret' | 'importJWK'>,
 ) => {
   const { module, test } = QUnit
   module('jwk.ts')
@@ -95,6 +95,16 @@ export default (
         )
       }
 
+      if (env.isNode && lib.importJWK !== keys.importJWK) {
+        const nCrypto = globalThis.process.getBuiltinModule('node:crypto')
+        t.deepEqual(
+          await lib.exportJWK(
+            nCrypto[jwk.d ? 'createPrivateKey' : 'createPublicKey']({ format: 'jwk', key: jwk }),
+          ),
+          exported,
+        )
+      }
+
       t.ok(1)
     }
 

tap/pem.ts

@@ -10,7 +10,7 @@ function normalize(pem: string) {
 export default (
   QUnit: QUnit,
   lib: typeof jose,
-  _keys: Pick<typeof jose, 'exportJWK' | 'generateKeyPair' | 'generateSecret' | 'importJWK'>,
+  keys: Pick<typeof jose, 'exportJWK' | 'importJWK'>,
 ) => {
   const { module, test } = QUnit
   module('pem.ts')
@@ -148,6 +148,14 @@ export default (
 
       if (!x509) {
         t.strictEqual(normalize(await exportFn(k)), normalize(pem))
+        if (env.isNode && lib.importJWK !== keys.importJWK) {
+          const nCrypto = globalThis.process.getBuiltinModule('node:crypto')
+          if (pem.startsWith('-----BEGIN PRIVATE KEY-----')) {
+            t.strictEqual(normalize(await exportFn(nCrypto.createPrivateKey(pem))), normalize(pem))
+          } else {
+            t.strictEqual(normalize(await exportFn(nCrypto.createPublicKey(pem))), normalize(pem))
+          }
+        }
       } else {
         await exportFn(k)
       }