npm - @clef-sh/core - Versions diffs - 0.1.7-beta.48 → 0.1.8 - Mend

@clef-sh/core 0.1.7-beta.48 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (17) hide show

package/dist/artifact/packer.d.ts.map +1 -1
package/dist/artifact/signer.d.ts +66 -0
package/dist/artifact/signer.d.ts.map +1 -0
package/dist/artifact/types.d.ts +10 -0
package/dist/artifact/types.d.ts.map +1 -1
package/dist/index.d.mts +2 -1
package/dist/index.d.ts +2 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js +119 -10
package/dist/index.js.map +4 -4
package/dist/index.mjs +108 -5
package/dist/index.mjs.map +4 -4
package/dist/kms/types.d.ts +2 -0
package/dist/kms/types.d.ts.map +1 -1
package/dist/types/index.d.ts +2 -0
package/dist/types/index.d.ts.map +1 -1
package/package.json +1 -1

package/dist/index.mjs CHANGED Viewed

@@ -4457,7 +4457,87 @@ async function resolveIdentitySecrets(identityName, environment, manifest, repoR
 // src/artifact/packer.ts
 import * as fs16 from "fs";
 import * as path18 from "path";
+import * as crypto3 from "crypto";
+// src/artifact/signer.ts
 import * as crypto2 from "crypto";
+function buildSigningPayload(artifact) {
+  const fields = [
+    "clef-sig-v1",
+    String(artifact.version),
+    artifact.identity,
+    artifact.environment,
+    artifact.revision,
+    artifact.packedAt,
+    artifact.ciphertextHash,
+    [...artifact.keys].sort().join(","),
+    artifact.expiresAt ?? "",
+    artifact.envelope?.provider ?? "",
+    artifact.envelope?.keyId ?? "",
+    artifact.envelope?.wrappedKey ?? "",
+    artifact.envelope?.algorithm ?? ""
+  ];
+  return Buffer.from(fields.join("\n"), "utf-8");
+}
+function generateSigningKeyPair() {
+  const pair = crypto2.generateKeyPairSync("ed25519");
+  return {
+    publicKey: pair.publicKey.export({ type: "spki", format: "der" }).toString(
+      "base64"
+    ),
+    privateKey: pair.privateKey.export({ type: "pkcs8", format: "der" }).toString(
+      "base64"
+    )
+  };
+}
+function signEd25519(payload, privateKeyBase64) {
+  const keyObj = crypto2.createPrivateKey({
+    key: Buffer.from(privateKeyBase64, "base64"),
+    format: "der",
+    type: "pkcs8"
+  });
+  const signature = crypto2.sign(null, payload, keyObj);
+  return signature.toString("base64");
+}
+async function signKms(payload, kms, signingKeyId) {
+  if (!kms.sign) {
+    throw new Error(
+      "KMS provider does not support signing. Ensure the provider implements the sign() method."
+    );
+  }
+  const digest = crypto2.createHash("sha256").update(payload).digest();
+  const signature = await kms.sign(signingKeyId, digest);
+  return signature.toString("base64");
+}
+function verifySignature(payload, signatureBase64, publicKeyBase64) {
+  const keyObj = crypto2.createPublicKey({
+    key: Buffer.from(publicKeyBase64, "base64"),
+    format: "der",
+    type: "spki"
+  });
+  const signature = Buffer.from(signatureBase64, "base64");
+  const keyType = keyObj.asymmetricKeyType;
+  if (keyType === "ed25519") {
+    return crypto2.verify(null, payload, keyObj, signature);
+  }
+  if (keyType === "ec") {
+    return crypto2.verify("sha256", payload, keyObj, signature);
+  }
+  throw new Error(`Unsupported key type for signature verification: ${keyType}`);
+}
+function detectAlgorithm(publicKeyBase64) {
+  const keyObj = crypto2.createPublicKey({
+    key: Buffer.from(publicKeyBase64, "base64"),
+    format: "der",
+    type: "spki"
+  });
+  const keyType = keyObj.asymmetricKeyType;
+  if (keyType === "ed25519") return "Ed25519";
+  if (keyType === "ec") return "ECDSA_SHA256";
+  throw new Error(`Unsupported key type: ${keyType}`);
+}
+// src/artifact/packer.ts
 var ArtifactPacker = class {
   constructor(encryption, matrixManager, kms) {
     this.encryption = encryption;
@@ -4469,6 +4549,11 @@ var ArtifactPacker = class {
    * values to the service identity's recipient, and write a JSON envelope.
    */
   async pack(config, manifest, repoRoot) {
+    if (config.signingKey && config.signingKmsKeyId) {
+      throw new Error(
+        "Cannot specify both signingKey (Ed25519) and signingKmsKeyId (KMS). Choose one."
+      );
+    }
     const resolved = await resolveIdentitySecrets(
       config.identity,
       config.environment,
@@ -4500,8 +4585,8 @@ var ArtifactPacker = class {
       }
       const kmsConfig = resolved.envConfig.kms;
       const wrapped = await this.kms.wrap(kmsConfig.keyId, Buffer.from(ephemeralPrivateKey));
-      const revision = `${Date.now()}-${crypto2.randomBytes(4).toString("hex")}`;
-      const ciphertextHash = crypto2.createHash("sha256").update(ciphertext).digest("hex");
+      const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
+      const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
       artifact = {
         version: 1,
         identity: config.identity,
@@ -4528,8 +4613,8 @@ var ArtifactPacker = class {
       } catch {
         throw new Error("Failed to age-encrypt artifact. Check recipient key.");
       }
-      const revision = `${Date.now()}-${crypto2.randomBytes(4).toString("hex")}`;
-      const ciphertextHash = crypto2.createHash("sha256").update(ciphertext).digest("hex");
+      const revision = `${Date.now()}-${crypto3.randomBytes(4).toString("hex")}`;
+      const ciphertextHash = crypto3.createHash("sha256").update(ciphertext).digest("hex");
       artifact = {
         version: 1,
         identity: config.identity,
@@ -4548,6 +4633,18 @@ var ArtifactPacker = class {
     if (config.ttl && config.ttl > 0) {
       artifact.expiresAt = new Date(Date.now() + config.ttl * 1e3).toISOString();
     }
+    if (config.signingKey) {
+      const payload = buildSigningPayload(artifact);
+      artifact.signature = signEd25519(payload, config.signingKey);
+      artifact.signatureAlgorithm = "Ed25519";
+    } else if (config.signingKmsKeyId) {
+      if (!this.kms) {
+        throw new Error("KMS provider required for KMS signing but none was provided.");
+      }
+      const payload = buildSigningPayload(artifact);
+      artifact.signature = await signKms(payload, this.kms, config.signingKmsKeyId);
+      artifact.signatureAlgorithm = "ECDSA_SHA256";
+    }
     const json = JSON.stringify(artifact, null, 2);
     const tmpOutput = `${config.outputPath}.tmp.${process.pid}`;
     fs16.writeFileSync(tmpOutput, json, "utf-8");
@@ -4599,15 +4696,18 @@ export {
   SopsMissingError,
   SopsVersionError,
   assertSops,
+  buildSigningPayload,
   checkAll,
   checkDependency,
   collectCIContext,
   deriveAgePublicKey,
+  detectAlgorithm,
   detectFormat,
   findRequest,
   formatAgeKeyFile,
   generateAgeIdentity,
   generateRandomValue,
+  generateSigningKeyPair,
   getPendingKeys,
   isHighEntropy,
   isKmsEnvelope,
@@ -4639,7 +4739,10 @@ export {
   shannonEntropy,
   shouldIgnoreFile,
   shouldIgnoreMatch,
+  signEd25519,
+  signKms,
   upsertRequest,
-  validateAgePublicKey
+  validateAgePublicKey,
+  verifySignature
 };
 //# sourceMappingURL=index.mjs.map