feat: Add JWK Sign Support for NodeCrypto

Author: d-goog

src/crypto/node/crypto.ts

@@ -49,11 +49,27 @@ export class NodeCrypto implements Crypto {
     }
   }
 
-  async sign(privateKey: string, data: string | Buffer): Promise<string> {
+  async sign(
+    privateKey: string | JwkCertificate | crypto.JsonWebKey,
+    data: string | Buffer
+  ): Promise<string> {
     const signer = crypto.createSign('RSA-SHA256');
     signer.update(data);
     signer.end();
-    return signer.sign(privateKey, 'base64');
+
+    if (typeof privateKey === 'string') {
+      // must be PEM
+      return signer.sign(privateKey, 'base64');
+    } else {
+      // must be JWK
+      return signer.sign(
+        {
+          key: privateKey as unknown as crypto.KeyObject,
+          format: 'jwk',
+        },
+        'base64'
+      );
+    }
   }
 
   decodeBase64StringUtf8(base64: string): string {

test/test.crypto.ts

@@ -21,11 +21,12 @@ import {
   fromArrayBufferToHex,
 } from '../src/crypto/crypto';
 import {NodeCrypto} from '../src/crypto/node/crypto';
-import {createPublicKey} from 'crypto';
+import {createPrivateKey, createPublicKey} from 'crypto';
 
 const publicKey = fs.readFileSync('./test/fixtures/public.pem', 'utf-8');
 const privateKey = fs.readFileSync('./test/fixtures/private.pem', 'utf-8');
 const jwtPublicKeyJWT = createPublicKey(publicKey).export({format: 'jwk'});
+const jwtPrivateKeyJWT = createPrivateKey(privateKey).export({format: 'jwk'});
 
 /**
  * Converts a Node.js Buffer to an ArrayBuffer.
@@ -100,7 +101,24 @@ describe('crypto', () => {
     assert(verified);
   });
 
-  it('should sign a message', async () => {
+  it('should sign a message (JWT)', async () => {
+    const message = 'This message is signed';
+    const expectedSignatureBase64 = [
+      'ufyKBV+Ar7Yq8CSmSIN9m38ch4xnWBz8CP4qHh6V+',
+      'm4cCbeXdR1MEmWVhNJjZQFv3KL3tDAnl0Q4bTcSR/',
+      'mmhXaRjdxyJ6xAUp0KcbVq6xsDIbnnYHSgYr3zVoS',
+      'dRRefWSWTknN1S69fNmKEfUeBIJA93xitr3pbqtLC',
+      'bP28XNU=',
+    ].join('');
+
+    const signatureBase64 = await crypto.sign(
+      jwtPrivateKeyJWT as unknown as JwkCertificate,
+      message
+    );
+    assert.strictEqual(signatureBase64, expectedSignatureBase64);
+  });
+
+  it('should sign a message (PEM)', async () => {
     const message = 'This message is signed';
     const expectedSignatureBase64 = [
       'ufyKBV+Ar7Yq8CSmSIN9m38ch4xnWBz8CP4qHh6V+',