refactor!: drop support for Ed448 and X448

Author: panva

src/jwks/local.ts

@@ -101,7 +101,12 @@ class LocalJWKSet {
         candidate = jwk.key_ops.includes('verify')
       }
 
-      // filter out non-applicable curves / sub types
+      // filter out non-applicable OKP Sub Types
+      if (candidate && alg === 'EdDSA') {
+        candidate = jwk.crv === 'Ed25519'
+      }
+
+      // filter out non-applicable EC curves
       if (candidate) {
         switch (alg) {
           case 'ES256':

src/lib/crypto_key.ts

@@ -65,9 +65,7 @@ export function checkSigCryptoKey(key: CryptoKey, alg: string, usage: KeyUsage)
       break
     }
     case 'EdDSA': {
-      if (key.algorithm.name !== 'Ed25519' && key.algorithm.name !== 'Ed448') {
-        throw unusable('Ed25519 or Ed448')
-      }
+      if (!isAlgorithm(key.algorithm, 'Ed25519')) throw unusable('Ed25519')
       break
     }
     case 'Ed25519': {
@@ -114,10 +112,9 @@ export function checkEncCryptoKey(key: CryptoKey, alg: string, usage?: KeyUsage)
       switch (key.algorithm.name) {
         case 'ECDH':
         case 'X25519':
-        case 'X448':
           break
         default:
-          throw unusable('ECDH, X25519, or X448')
+          throw unusable('ECDH or X25519')
       }
       break
     }

src/runtime/asn1.ts

@@ -60,12 +60,8 @@ const getNamedCurve = (keyData: Uint8Array): string => {
       return 'P-521'
     case findOid(keyData, [0x2b, 0x65, 0x6e]):
       return 'X25519'
-    case findOid(keyData, [0x2b, 0x65, 0x6f]):
-      return 'X448'
     case findOid(keyData, [0x2b, 0x65, 0x70]):
       return 'Ed25519'
-    case findOid(keyData, [0x2b, 0x65, 0x71]):
-      return 'Ed448'
     default:
       throw new JOSENotSupported('Invalid or unsupported EC Key Curve or OKP Key Sub Type')
   }

src/runtime/ecdhes.ts

@@ -23,8 +23,6 @@ export async function deriveKey(
   let length: number
   if (publicKey.algorithm.name === 'X25519') {
     length = 256
-  } else if (publicKey.algorithm.name === 'X448') {
-    length = 448
   } else {
     length =
       Math.ceil(parseInt((publicKey.algorithm as EcKeyAlgorithm).namedCurve.slice(-3), 10) / 8) << 3
@@ -51,7 +49,6 @@ export async function generateEpk(key: CryptoKey) {
 export function ecdhAllowed(key: CryptoKey) {
   return (
     ['P-256', 'P-384', 'P-521'].includes((key.algorithm as EcKeyAlgorithm).namedCurve) ||
-    key.algorithm.name === 'X25519' ||
-    key.algorithm.name === 'X448'
+    key.algorithm.name === 'X25519'
   )
 }

src/runtime/generate.ts

@@ -115,15 +115,7 @@ export async function generateKeyPair(alg: string, options?: GenerateKeyPairOpti
       break
     case 'EdDSA': {
       keyUsages = ['sign', 'verify']
-      const crv = options?.crv ?? 'Ed25519'
-      switch (crv) {
-        case 'Ed25519':
-        case 'Ed448':
-          algorithm = { name: crv }
-          break
-        default:
-          throw new JOSENotSupported('Invalid or unsupported crv option provided')
-      }
+      algorithm = { name: 'Ed25519' }
       break
     }
     case 'ECDH-ES':
@@ -140,12 +132,11 @@ export async function generateKeyPair(alg: string, options?: GenerateKeyPairOpti
           break
         }
         case 'X25519':
-        case 'X448':
           algorithm = { name: crv }
           break
         default:
           throw new JOSENotSupported(
-            'Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, X25519, and X448',
+            'Invalid or unsupported crv option provided, supported values are P-256, P-384, P-521, and X25519',
           )
       }
       break

src/runtime/normalize_key.ts

@@ -48,7 +48,7 @@ const handleKeyObject = (key: ConvertableKeyObject, alg: string) => {
   }
 
   let cryptoKey: CryptoKey | undefined
-  if (key.asymmetricKeyType === 'x25519' || key.asymmetricKeyType === 'x448') {
+  if (key.asymmetricKeyType === 'x25519') {
     switch (alg) {
       case 'ECDH-ES':
       case 'ECDH-ES+A128KW':
@@ -67,7 +67,7 @@ const handleKeyObject = (key: ConvertableKeyObject, alg: string) => {
     )
   }
 
-  if (key.asymmetricKeyType === 'ed25519' || key.asymmetricKeyType === 'ed448') {
+  if (key.asymmetricKeyType === 'ed25519') {
     if (alg !== 'EdDSA') {
       throw new TypeError('TODO')
     }

tap/ecdh.ts

@@ -29,7 +29,6 @@ export default (
         (env.isBlink && env.isBrowserVersionAtLeast(133)),
       { crv: 'X25519' },
     ],
-    ['ECDH-ES', env.isNode || env.isEdgeRuntime, { crv: 'X448' }],
   ]
 
   function title(vector: Vector) {

tap/fixtures.ts

@@ -27,38 +27,6 @@ export const KEYS = {
       'Krphj6cA4Ls9aMYAHf5w+OW9D/t3a9p6mYm78AKIdBsPEtT1AQ==\n' +
       '-----END CERTIFICATE-----\n',
   },
-  Ed448: {
-    jwk: {
-      crv: 'Ed448',
-      d: '35yNO4M8bgte2BEjaCxrx9epQhzZ4VqF5GhjDaBHGPHHCznFXtmQuOps4XvrNpnVUtiawY4j3FCq',
-      kty: 'OKP',
-      x: 'pNAfXkImnUHY52ePCZoU4TKCnrq8baLpCiboNxlmN2AbG2xqmLW5F1DA3lsf-S6GWVIfXPysVd0A',
-    },
-    pkcs8:
-      '-----BEGIN PRIVATE KEY-----\n' +
-      'MEcCAQAwBQYDK2VxBDsEOd+cjTuDPG4LXtgRI2gsa8fXqUIc2eFaheRoYw2gRxjx\n' +
-      'xws5xV7ZkLjqbOF76zaZ1VLYmsGOI9xQqg==\n' +
-      '-----END PRIVATE KEY-----\n',
-    spki:
-      '-----BEGIN PUBLIC KEY-----\n' +
-      'MEMwBQYDK2VxAzoApNAfXkImnUHY52ePCZoU4TKCnrq8baLpCiboNxlmN2AbG2xq\n' +
-      'mLW5F1DA3lsf+S6GWVIfXPysVd0A\n' +
-      '-----END PUBLIC KEY-----\n',
-    x509:
-      '-----BEGIN CERTIFICATE-----\n' +
-      'MIIB7DCCAWygAwIBAgIUL85nVDm2evUiy7tWzGv6OxRjclswBQYDK2VxMEUxCzAJ\n' +
-      'BgNVBAYTAkNaMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5l\n' +
-      'dCBXaWRnaXRzIFB0eSBMdGQwIBcNMjIxMDExMTIyMTQwWhgPMjEyMjA5MTcxMjIx\n' +
-      'NDBaMEUxCzAJBgNVBAYTAkNaMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK\n' +
-      'DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwQzAFBgMrZXEDOgCk0B9eQiadQdjn\n' +
-      'Z48JmhThMoKeurxtoukKJug3GWY3YBsbbGqYtbkXUMDeWx/5LoZZUh9c/KxV3QCj\n' +
-      'UzBRMB0GA1UdDgQWBBSA9Hb5PA/vVojQWg4Per+myWHvCzAfBgNVHSMEGDAWgBSA\n' +
-      '9Hb5PA/vVojQWg4Per+myWHvCzAPBgNVHRMBAf8EBTADAQH/MAUGAytlcQNzAN9G\n' +
-      '9bFcVViH8c/zexozB/QCtueCu2kLNCLM9auSlFoHEy8u7+Gxyg1O+3bc43YxBObB\n' +
-      '+wwH7G+8gKKOkFL/43b7o2HNOlZUDHcWAP25cGY6lDFUvQDc0FGO0ge+h4tt075x\n' +
-      'e52JbhpyuHQlrWYQqHQSAA==\n' +
-      '-----END CERTIFICATE-----\n',
-  },
   P256: {
     jwk: {
       crv: 'P-256',
@@ -243,23 +211,4 @@ export const KEYS = {
       '-----END PUBLIC KEY-----\n',
     x509: undefined,
   },
-  X448: {
-    jwk: {
-      crv: 'X448',
-      d: 'tMpYXWcUg7vGrUcZ1cUMVodjB6rWSOaBKgmaigThaInGRTCmaWPDYrE93wwPmyxOhVYRsmIRFv0',
-      kty: 'OKP',
-      x: 'jk-IiddcEYNq6CwHnqsQleaB86W2tUITnIMwkurT5BUdw2YpJxQt9rgnEZQW0KnQE-ORhEl0kaA',
-    },
-    pkcs8:
-      '-----BEGIN PRIVATE KEY-----\n' +
-      'MEYCAQAwBQYDK2VvBDoEOLTKWF1nFIO7xq1HGdXFDFaHYweq1kjmgSoJmooE4WiJ\n' +
-      'xkUwpmljw2KxPd8MD5ssToVWEbJiERb9\n' +
-      '-----END PRIVATE KEY-----\n',
-    spki:
-      '-----BEGIN PUBLIC KEY-----\n' +
-      'MEIwBQYDK2VvAzkAjk+IiddcEYNq6CwHnqsQleaB86W2tUITnIMwkurT5BUdw2Yp\n' +
-      'JxQt9rgnEZQW0KnQE+ORhEl0kaA=\n' +
-      '-----END PUBLIC KEY-----\n',
-    x509: undefined,
-  },
 }

tap/jwk.ts

@@ -28,10 +28,7 @@ export default (
         (env.isGecko && env.isBrowserVersionAtLeast(130)) ||
         (env.isBlink && env.isBrowserVersionAtLeast(133)),
     ],
-    ['ECDH-ES', KEYS.X448.jwk, env.isDeno ? [true, false] : env.isNode || env.isEdgeRuntime],
     ['EdDSA', KEYS.Ed25519.jwk, !env.isBlink],
-    ['Ed25519', KEYS.Ed25519.jwk, !env.isBlink],
-    ['EdDSA', KEYS.Ed448.jwk, env.isNode || env.isEdgeRuntime],
     ['ES256', KEYS.P256.jwk, true],
     ['ES384', KEYS.P384.jwk, true],
     ['ES512', KEYS.P521.jwk, env.isDeno ? [true, false] : true],

tap/jws.ts

@@ -14,8 +14,6 @@ export default (
   type Vector = [string, boolean] | [string, boolean, jose.GenerateKeyPairOptions]
   const algorithms: Vector[] = [
     ['EdDSA', !env.isBlink],
-    ['Ed25519', !env.isBlink],
-    ['EdDSA', env.isNode || env.isEdgeRuntime, { crv: 'Ed448' }],
     ['ES256', true],
     ['ES384', true],
     ['ES512', !env.isDeno],

tap/keyobject-stub.ts

@@ -88,8 +88,6 @@ const stub: Pick<
           case undefined:
           case 'Ed25519':
             return generate('ed25519')
-          case 'Ed448':
-            return generate('ed448')
           default:
             throw new Error('unreachable')
         }
@@ -106,8 +104,6 @@ const stub: Pick<
             return generate('ec', { namedCurve: crv })
           case 'X25519':
             return generate('x25519')
-          case 'X448':
-            return generate('x448')
           default:
             Error('unreachable')
         }

tap/pem.ts

@@ -87,17 +87,9 @@ export default (
         (env.isGecko && env.isBrowserVersionAtLeast(130)) ||
         (env.isBlink && env.isBrowserVersionAtLeast(133)),
     ],
-    [['ECDH-ES', 'X448'], KEYS.X448.pkcs8, env.isNode || env.isEdgeRuntime],
-    [['ECDH-ES', 'X448'], KEYS.X448.spki, env.isNode || env.isEdgeRuntime || env.isDeno],
     [['EdDSA', 'Ed25519'], KEYS.Ed25519.pkcs8, !env.isBlink],
     [['EdDSA', 'Ed25519'], KEYS.Ed25519.spki, !env.isBlink],
     [['EdDSA', 'Ed25519'], KEYS.Ed25519.x509, !env.isBlink],
-    [['EdDSA', 'Ed448'], KEYS.Ed448.pkcs8, env.isNode || env.isEdgeRuntime],
-    [['EdDSA', 'Ed448'], KEYS.Ed448.spki, env.isNode || env.isEdgeRuntime],
-    [['EdDSA', 'Ed448'], KEYS.Ed448.x509, env.isNode || env.isEdgeRuntime],
-    ['Ed25519', KEYS.Ed25519.pkcs8, !env.isBlink],
-    ['Ed25519', KEYS.Ed25519.spki, !env.isBlink],
-    ['Ed25519', KEYS.Ed25519.x509, !env.isBlink],
   ]
 
   function title(alg: string, crv: string | undefined, pem: string, works: boolean) {