Replace dependency to `jwk-to-pem` with function from `node:crypto`

Grant uses [jwk-to-pem](https://github.com/Brightspace/node-jwk-to-pem) that has a dependency to [elliptic](https://github.com/indutny/elliptic) which itself has a vulnerability but seems to be abandoned.

`jwk_to_pem` can be replaced completely by two functions which are part of the Node.js `crypto` module: [createPublicKey](https://nodejs.org/docs/latest/api/crypto.html#cryptocreatepublickeykey) and [createPrivateKey](https://nodejs.org/docs/latest/api/crypto.html#cryptocreateprivatekeykey).

In the case of `grant` it's sufficient to replace

```js
var pem = require('jwk-to-pem');
return pem(jwk, { private: true });
```

in `oidc.js` (lines 29,30) with

```js
return crypto.createPrivateKey({
  key: jwk,
  format: "jwk"
}).export({
  type: "pkcs8",
  format: "pem"
});
```

and to remove the `jwk-to-pem` dependency from `package.json`. See also https://github.com/Brightspace/node-jwk-to-pem/issues/193.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Replace dependency to `jwk-to-pem` with function from `node:crypto` #330

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Replace dependency to jwk-to-pem with function from node:crypto #330

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions

Replace dependency to `jwk-to-pem` with function from `node:crypto` #330