Public scan · 2026-05-01

panva/jose

JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes

github → TypeScript ★ 7,553 commit f06b9ff scanner v0.1.0

browser
bun
cloudflare-workers
deno
jose
jsonwebtoken
jwa
jwe
jwk
jwks
jws
jwt
node

Files scanned

143

Shor-vulnerable

RSA / ECC / Ed* / X25519

Grover-weakened

AES-128 / SHA-1 / MD5

Total occurrences

Breakdown by primitive

RSA 13
ECDSA/ECDH 11
ECC 6
SHA-1 (broken, replace with SHA-256) 3

Findings

download CycloneDX 1.6 CBOM →

src/key/generate_key_pair.ts open ↗

L95 Shor RSA web-crypto-rsa
```
name: 'RSA-PSS',
```
L106 Shor RSA web-crypto-rsa
```
name: 'RSASSA-PKCS1-v1_5',
```
L118 Shor RSA web-crypto-rsa
```
name: 'RSA-OAEP',
```

L126 Shor ECDSA/ECDH web-crypto-ec

algorithm = { name: 'ECDSA', namedCurve: 'P-256' }

L126 Shor ECC node-namedcurve

algorithm = { name: 'ECDSA', namedCurve: 'P-256' }

L130 Shor ECDSA/ECDH web-crypto-ec

algorithm = { name: 'ECDSA', namedCurve: 'P-384' }

L130 Shor ECC node-namedcurve

algorithm = { name: 'ECDSA', namedCurve: 'P-384' }

L134 Shor ECDSA/ECDH web-crypto-ec

algorithm = { name: 'ECDSA', namedCurve: 'P-521' }

L134 Shor ECC node-namedcurve

algorithm = { name: 'ECDSA', namedCurve: 'P-521' }

L160 Shor ECDSA/ECDH web-crypto-ec

algorithm = { name: 'ECDH', namedCurve: crv }

src/lib/asn1.ts open ↗

L218 Shor RSA web-crypto-rsa

algorithm = { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` }

L224 Shor RSA web-crypto-rsa

algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` }

L232 Shor RSA web-crypto-rsa
```
name: 'RSA-OAEP',
```

L241 Shor ECDSA/ECDH web-crypto-ec

algorithm = { name: 'ECDSA', namedCurve: curveMap[alg] }

L251 Shor ECDSA/ECDH web-crypto-ec

algorithm = namedCurve === 'X25519' ? { name: 'X25519' } : { name: 'ECDH', namedCurve }

src/lib/jwk_to_key.ts open ↗

L32 Shor RSA web-crypto-rsa

algorithm = { name: 'RSA-PSS', hash: `SHA-${jwk.alg.slice(-3)}` }

L38 Shor RSA web-crypto-rsa

algorithm = { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${jwk.alg.slice(-3)}` }

L46 Shor RSA web-crypto-rsa
```
name: 'RSA-OAEP',
```
L62 Shor ECDSA/ECDH web-crypto-ec
```
name: 'ECDSA',
```

L71 Shor ECDSA/ECDH web-crypto-ec

algorithm = { name: 'ECDH', namedCurve: jwk.crv! }

src/lib/normalize_key.ts open ↗

L133 Shor RSA web-crypto-rsa
```
name: 'RSA-OAEP',
```
L167 Shor ECDSA/ECDH web-crypto-ec
```
name: 'ECDSA',
```
L178 Shor ECDSA/ECDH web-crypto-ec
```
name: 'ECDH',
```
L108 Grover SHA-1 (broken, replace with SHA-256) sha1
```
hash = 'SHA-1'
```

src/lib/signing.ts open ↗

L25 Shor RSA web-crypto-rsa

return { hash, name: 'RSA-PSS', saltLength: parseInt(alg.slice(-3), 10) >> 3 }

L29 Shor RSA web-crypto-rsa

return { hash, name: 'RSASSA-PKCS1-v1_5' }

L33 Shor ECDSA/ECDH web-crypto-ec

return { hash, name: 'ECDSA', namedCurve: (algorithm as EcKeyAlgorithm).namedCurve }

tap/keyobject-stub.ts open ↗

L85 Shor ECC node-namedcurve

return generate('ec', { namedCurve: 'P-256' })

L87 Shor ECC node-namedcurve

return generate('ec', { namedCurve: 'P-384' })

L89 Shor ECC node-namedcurve

return generate('ec', { namedCurve: 'P-521' })

test/jwe/zip.test.ts open ↗

L136 Shor RSA node-rsa-keypair

const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 })

src/types.d.ts open ↗

L19 Grover SHA-1 (broken, replace with SHA-256) sha1

/** JWK "x5t" (X.509 Certificate SHA-1 Thumbprint) Parameter */

L260 Grover SHA-1 (broken, replace with SHA-256) sha1

/** "x5t" (X.509 Certificate SHA-1 Thumbprint) Header Parameter */