Google Git
Sign in
chromium / external / w3c / web-platform-tests.git / HEAD / . / push-api / resources / vapid.js
blob: ab8984199c573dabf733464f817934c5b0ad41b9 [file] [log] [blame]
function toBase64Url(array) {
return btoa([...array].map(c => String.fromCharCode(c)).join('')).replaceAll("+", "-").replaceAll("/", "_").replaceAll("=", "")
}
class VAPID {
#publicKey;
#privateKey;
constructor(publicKey, privateKey) {
this.#publicKey = publicKey;
this.#privateKey = privateKey;
}
get publicKey() {
return this.#publicKey;
}
async #jws(audience) {
// https://datatracker.ietf.org/doc/html/rfc7515#section-3.1
// BASE64URL(UTF8(JWS Protected Header)) || '.' ||
// BASE64URL(JWS Payload) || '.' ||
// BASE64URL(JWS Signature)
// https://datatracker.ietf.org/doc/html/rfc8292#section-2
// ECDSA on the NIST P-256 curve [FIPS186], which is identified as "ES256" [RFC7518].
const rawHeader = { typ: "JWT", alg: "ES256" };
const header = toBase64Url(new TextEncoder().encode(JSON.stringify(rawHeader)));
// https://datatracker.ietf.org/doc/html/rfc8292#section-2
const rawPayload = {
// An "aud" (Audience) claim in the token MUST include the Unicode
// serialization of the origin (Section 6.1 of [RFC6454]) of the push
// resource URL.
aud: audience,
// An "exp" (Expiry) claim MUST be included with the time after which
// the token expires.
exp: parseInt(new Date().getTime() / 1000) + 24 * 60 * 60, // seconds, 24hr
// The "sub" claim SHOULD include a contact URI for the application server as either a
// "mailto:" (email) [RFC6068] or an "https:" [RFC2818] URI.
sub: "mailto:webpush@example.com",
};
const payload = toBase64Url(new TextEncoder().encode(JSON.stringify(rawPayload)));
const input = `${header}.${payload}`;
// https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
// ES256 | ECDSA using P-256 and SHA-256
const rawSignature = await crypto.subtle.sign({
name: "ECDSA",
namedCurve: "P-256",
hash: { name: "SHA-256" },
}, this.#privateKey, new TextEncoder().encode(input));
const signature = toBase64Url(new Uint8Array(rawSignature));
return `${input}.${signature}`;
}
async generateAuthHeader(audience) {
// https://datatracker.ietf.org/doc/html/rfc8292#section-3.1
// The "t" parameter of the "vapid" authentication scheme carries a JWT
// as described in Section 2.
const t = await this.#jws(audience);
// https://datatracker.ietf.org/doc/html/rfc8292#section-3.2
// The "k" parameter includes an ECDSA public key [FIPS186] in
// uncompressed form [X9.62] that is encoded using base64url encoding
// [RFC7515].
const k = toBase64Url(this.#publicKey)
return `vapid t=${t},k=${k}`;
}
};
export async function createVapid() {
// https://datatracker.ietf.org/doc/html/rfc8292#section-2
// The signature MUST use ECDSA on the NIST P-256 curve [FIPS186]
const keys = await crypto.subtle.generateKey({ name: "ECDSA", namedCurve: "P-256" }, true, ["sign"]);
const publicKey = new Uint8Array(await crypto.subtle.exportKey("raw", keys.publicKey));
const privateKey = keys.privateKey;
return new VAPID(publicKey, privateKey);
};