Algorithm Lucidity

paragonie-security · paragonie-security · commit 1c48636f5b02 · 2021-08-06T02:52:59.000-04:00
See #35
diff --git a/lib/key/private.js b/lib/key/private.js
@@ -28,6 +28,7 @@ function PrivateKey(protocol) {
   protocol = protocol || new V2();
 
   self._protocol = protocol;
+  self._purpose = 'public';
 }
 
 
@@ -216,6 +217,20 @@ function protocol() {
   return this._protocol;
 }
 
+/***
+ * purpose
+ *
+ * return the underlying purpose object
+ *
+ * @function
+ * @api public
+ *
+ * @returns {string}
+ */
+PrivateKey.prototype.purpose = purpose;
+function purpose() {
+  return this._purpose;
+}
 
 /***
  * encode
diff --git a/lib/key/public.js b/lib/key/public.js
@@ -22,6 +22,7 @@ function PublicKey(protocol) {
   protocol = protocol || new V2();
 
   self._protocol = protocol;
+  self._purpose = 'public';
 }
 
 
@@ -148,6 +149,21 @@ function protocol() {
   return this._protocol;
 }
 
+/***
+ * purpose
+ *
+ * return the underlying purpose object
+ *
+ * @function
+ * @api public
+ *
+ * @returns {string}
+ */
+PublicKey.prototype.purpose = purpose;
+function purpose() {
+  return this._purpose;
+}
+
 
 /***
  * encode
diff --git a/lib/key/symmetric.js b/lib/key/symmetric.js
@@ -25,6 +25,7 @@ function SymmetricKey(protocol) {
   self.INFO_AUTHENTICATION = 'paseto-auth-key-for-aead';
 
   self._protocol = protocol || new V2();
+  self._purpose = 'local';
 }
 
 
@@ -162,6 +163,21 @@ function protocol() {
   return this._protocol;
 }
 
+/***
+ * purpose
+ *
+ * return the underlying purpose object
+ *
+ * @function
+ * @api public
+ *
+ * @returns {string}
+ */
+SymmetricKey.prototype.purpose = purpose;
+function purpose() {
+  return this._purpose;
+}
+
 
 /***
  * encode
diff --git a/lib/protocol/V1.js b/lib/protocol/V1.js
@@ -137,6 +137,9 @@ function __encrypt(data, key, footer, nonce, cb) {
   const self = this;
   const done = utils.ret(cb);
 
+  if (key.purpose() !== 'local') {
+    return done(new InvalidVersionError('The given key is not intended for local PASETO tokens.'));
+  }
   if (!(key.protocol() instanceof V1)) {
     return done(new InvalidVersionError('The given key is not intended for this version of PASETO.'));
   }
@@ -189,6 +192,9 @@ function decrypt(token, key, footer, cb) {
   const self = this;
   const done = utils.ret(cb);
 
+  if (key.purpose() !== 'local') {
+    return done(new InvalidVersionError('The given key is not intended for local PASETO tokens.'));
+  }
   if (!(key.protocol() instanceof V1)) {
     return done(new InvalidVersionError('The given key is not intended for this version of PASETO.'));
   }
@@ -226,6 +232,9 @@ function sign(data, key, footer, cb) {
   const self = this;
   const done = utils.ret(cb);
 
+  if (key.purpose() !== 'public') {
+    return done(new InvalidVersionError('The given key is not intended for local PASETO tokens.'));
+  }
   if (!(key.protocol() instanceof V1)) {
     return done(new InvalidVersionError('The given key is not intended for this version of PASETO.'));
   }
@@ -278,6 +287,9 @@ function verify(token, key, footer, cb) {
   const self = this;
   const done = utils.ret(cb);
 
+  if (key.purpose() !== 'public') {
+    return done(new InvalidVersionError('The given key is not intended for local PASETO tokens.'));
+  }
   if (!(key.protocol() instanceof V1)) {
     return done(new InvalidVersionError('The given key is not intended for this version of PASETO.'));
   }
diff --git a/lib/protocol/V2.js b/lib/protocol/V2.js
@@ -129,6 +129,9 @@ function __encrypt(data, key, footer, nonce, cb) {
   const self = this;
   const done = utils.ret(cb);
 
+  if (key.purpose() !== 'local') {
+    return done(new InvalidVersionError('The given key is not intended for local PASETO tokens.'));
+  }
   if (!(key.protocol() instanceof V2)) {
     return done(new InvalidVersionError('The given key is not intended for this version of PASETO.'));
   }
@@ -190,6 +193,9 @@ function decrypt(token, key, footer, cb) {
   const self = this;
   const done = utils.ret(cb);
 
+  if (key.purpose() !== 'local') {
+    return done(new InvalidVersionError('The given key is not intended for local PASETO tokens.'));
+  }
   if (!(key.protocol() instanceof V2)) {
     return done(new InvalidVersionError('The given key is not intended for this version of PASETO.'));
   }
@@ -231,6 +237,9 @@ function sign(data, key, footer, cb) {
   const self = this;
   const done = utils.ret(cb);
 
+  if (key.purpose() !== 'public') {
+    return done(new InvalidVersionError('The given key is not intended for local PASETO tokens.'));
+  }
   if (!(key.protocol() instanceof V2)) {
     return done(new InvalidVersionError('The given key is not intended for this version of PASETO.'));
   }
@@ -283,6 +292,9 @@ function verify(token, key, footer, cb) {
   const self = this;
   const done = utils.ret(cb);
 
+  if (key.purpose() !== 'public') {
+    return done(new InvalidVersionError('The given key is not intended for local PASETO tokens.'));
+  }
   if (!(key.protocol() instanceof V2)) {
     return done(new InvalidVersionError('The given key is not intended for this version of PASETO.'));
   }
