feat(KeyObject) (#5940)

* oops

* createSecretKey but weird error

* use the right prototype, do not add a function called export lol

* HMAC JWT export + base64 fix

* Fix Equals, Fix Get KeySize, add complete export RSA

* fix RSA export

* add EC exports

* X25519 and ED25519 export + fixes

* fix default exports

* better asymmetricKeyType

* fix private exports

* fix symmetricKeySize

* createPublicKey validations + refactor

* jwt + der fixes

* oopsies

* add PEM into createPublicKey

* cleanup

* WIP

* bunch of fixes

* public from private + private OKP

* encrypted keys fixes

* oops

* fix clear tls error, add some support to jwk and other formats on publicEncrypt/publicDecrypt

* more fixes and tests working

* more fixes more tests

* more clear hmac errors

* more tests and fixes

* add generateKeyPair

* more tests passing, some skips

* fix EC key from private

* fix OKP JWK

* nodejs ignores ext and key_ops on KeyObject.exports

* add EC sign verify test

* some fixes

* add crypto.generateKeyPairSync(type, options)

* more fixes and more tests

* fix hmac tests

* jsonwebtoken tests

* oops

* oops2

* generated files

* revert package.json

* vm tests

* todos instead of failues

* toBunString -> toString

* undo simdutf

* improvements

* unlikely

* cleanup

* cleanup 2

* oops

* move _generateKeyPairSync checks to native

1 files changed, 159 insertions, 0 deletions

diff --git a/test/js/third_party/jsonwebtoken/async_sign.test.js b/test/js/third_party/jsonwebtoken/async_sign.test.js
new file mode 100644
index 000000000..6efb838d0
--- /dev/null
+++ b/test/js/third_party/jsonwebtoken/async_sign.test.js
@@ -0,0 +1,159 @@
+import jwt from "jsonwebtoken";
+import { expect, describe, it } from "bun:test";
+import jws from "jws";
+import { generateKeyPairSync } from "crypto";
+var PS_SUPPORTED = true;
+
+describe("signing a token asynchronously", function () {
+  describe("when signing a token", function () {
+    var secret = "shhhhhh";
+
+    it("should return the same result as singing synchronously", function (done) {
+      jwt.sign({ foo: "bar" }, secret, { algorithm: "HS256" }, function (err, asyncToken) {
+        if (err) return done(err);
+        var syncToken = jwt.sign({ foo: "bar" }, secret, { algorithm: "HS256" });
+        expect(typeof asyncToken).toBe("string");
+        expect(asyncToken.split(".")).toHaveLength(3);
+        expect(asyncToken).toEqual(syncToken);
+        done();
+      });
+    });
+
+    it("should work with empty options", function (done) {
+      jwt.sign({ abc: 1 }, "secret", {}, function (err) {
+        expect(err).toBeNull();
+        done();
+      });
+    });
+
+    it("should work without options object at all", function (done) {
+      jwt.sign({ abc: 1 }, "secret", function (err) {
+        expect(err).toBeNull();
+        done();
+      });
+    });
+
+    it("should work with none algorithm where secret is set", function (done) {
+      jwt.sign({ foo: "bar" }, "secret", { algorithm: "none" }, function (err, token) {
+        expect(typeof token).toBe("string");
+        expect(token.split(".")).toHaveLength(3);
+        done();
+      });
+    });
+
+    //Known bug: https://github.com/brianloveswords/node-jws/issues/62
+    //If you need this use case, you need to go for the non-callback-ish code style.
+    it.skip("should work with none algorithm where secret is falsy", function (done) {
+      jwt.sign({ foo: "bar" }, undefined, { algorithm: "none" }, function (err, token) {
+        expect(typeof token).toBe("string");
+        expect(token.split(".")).toHaveLength(3);
+        done();
+      });
+    });
+
+    it("should return error when secret is not a cert for RS256", function (done) {
+      //this throw an error because the secret is not a cert and RS256 requires a cert.
+      jwt.sign({ foo: "bar" }, secret, { algorithm: "RS256" }, function (err) {
+        expect(err).toBeTruthy();
+        done();
+      });
+    });
+
+    it("should not work for RS algorithms when modulus length is less than 2048 when allowInsecureKeySizes is false or not set", function (done) {
+      const { privateKey } = generateKeyPairSync("rsa", { modulusLength: 1024 });
+
+      jwt.sign({ foo: "bar" }, privateKey, { algorithm: "RS256" }, function (err) {
+        expect(err).toBeTruthy();
+        done();
+      });
+    });
+
+    it("should work for RS algorithms when modulus length is less than 2048 when allowInsecureKeySizes is true", function (done) {
+      const { privateKey } = generateKeyPairSync("rsa", { modulusLength: 1024 });
+
+      jwt.sign({ foo: "bar" }, privateKey, { algorithm: "RS256", allowInsecureKeySizes: true }, done);
+    });
+
+    if (PS_SUPPORTED) {
+      it("should return error when secret is not a cert for PS256", function (done) {
+        //this throw an error because the secret is not a cert and PS256 requires a cert.
+        jwt.sign({ foo: "bar" }, secret, { algorithm: "PS256" }, function (err) {
+          expect(err).toBeTruthy();
+          done();
+        });
+      });
+    }
+
+    it("should return error on wrong arguments", function (done) {
+      //this throw an error because the secret is not a cert and RS256 requires a cert.
+      jwt.sign({ foo: "bar" }, secret, { notBefore: {} }, function (err) {
+        expect(err).toBeTruthy();
+        done();
+      });
+    });
+
+    it("should return error on wrong arguments (2)", function (done) {
+      jwt.sign("string", "secret", { noTimestamp: true }, function (err) {
+        expect(err).toBeTruthy();
+        expect(err).toBeInstanceOf(Error);
+        done();
+      });
+    });
+
+    it("should not stringify the payload", function (done) {
+      jwt.sign("string", "secret", {}, function (err, token) {
+        if (err) {
+          return done(err);
+        }
+        expect(jws.decode(token).payload).toEqual("string");
+        done();
+      });
+    });
+
+    describe("when mutatePayload is not set", function () {
+      it("should not apply claims to the original payload object (mutatePayload defaults to false)", function (done) {
+        var originalPayload = { foo: "bar" };
+        jwt.sign(originalPayload, "secret", { notBefore: 60, expiresIn: 600 }, function (err) {
+          if (err) {
+            return done(err);
+          }
+          expect(originalPayload).not.toHaveProperty("nbf");
+          expect(originalPayload).not.toHaveProperty("exp");
+          done();
+        });
+      });
+    });
+
+    describe("when mutatePayload is set to true", function () {
+      it("should apply claims directly to the original payload object", function (done) {
+        var originalPayload = { foo: "bar" };
+        jwt.sign(originalPayload, "secret", { notBefore: 60, expiresIn: 600, mutatePayload: true }, function (err) {
+          if (err) {
+            return done(err);
+          }
+          expect(originalPayload).toHaveProperty("nbf");
+          expect(originalPayload).toHaveProperty("exp");
+          done();
+        });
+      });
+    });
+
+    describe("secret must have a value", function () {
+      [undefined, "", 0].forEach(function (secret) {
+        it(
+          "should return an error if the secret is falsy and algorithm is not set to none: " +
+            (typeof secret === "string" ? "(empty string)" : secret),
+          function (done) {
+            // This is needed since jws will not answer for falsy secrets
+            jwt.sign("string", secret, {}, function (err, token) {
+              expect(err).toBeTruthy();
+              expect(err.message).toEqual("secretOrPrivateKey must have a value");
+              expect(token).toBeFalsy();
+              done();
+            });
+          },
+        );
+      });
+    });
+  });
+});