@credo-ts/askar 0.6.1-pr-2091-20241119140918 → 0.6.1

package/build/error/AskarStoreImportPathExistsError.d.mts

@@ -0,0 +1,13 @@
+import { AskarStoreError } from "./AskarStoreError.mjs";
+
+//#region src/error/AskarStoreImportPathExistsError.d.ts
+declare class AskarStoreImportPathExistsError extends AskarStoreError {
+  constructor(message: string, {
+    cause
+  }?: {
+    cause?: Error;
+  });
+}
+//#endregion
+export { AskarStoreImportPathExistsError };
+//# sourceMappingURL=AskarStoreImportPathExistsError.d.mts.map

package/build/error/AskarStoreImportPathExistsError.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AskarStoreImportPathExistsError.d.mts","names":[],"sources":["../../src/error/AskarStoreImportPathExistsError.ts"],"sourcesContent":[],"mappings":";;;cAEa,+BAAA,SAAwC,eAAA;;;EACb,CAAA;IAD3B,KAAA,CAAA,EAC8C,KAD9C;EAC2B,CAAA"}

package/build/error/AskarStoreImportPathExistsError.mjs

@@ -0,0 +1,12 @@
+import { AskarStoreError } from "./AskarStoreError.mjs";
+
+//#region src/error/AskarStoreImportPathExistsError.ts
+var AskarStoreImportPathExistsError = class extends AskarStoreError {
+	constructor(message, { cause } = {}) {
+		super(message, { cause });
+	}
+};
+
+//#endregion
+export { AskarStoreImportPathExistsError };
+//# sourceMappingURL=AskarStoreImportPathExistsError.mjs.map

package/build/error/AskarStoreImportPathExistsError.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"AskarStoreImportPathExistsError.mjs","names":[],"sources":["../../src/error/AskarStoreImportPathExistsError.ts"],"sourcesContent":["import { AskarStoreError } from './AskarStoreError'\n\nexport class AskarStoreImportPathExistsError extends AskarStoreError {\n  public constructor(message: string, { cause }: { cause?: Error } = {}) {\n    super(message, { cause })\n  }\n}\n"],"mappings":";;;AAEA,IAAa,kCAAb,cAAqD,gBAAgB;CACnE,AAAO,YAAY,SAAiB,EAAE,UAA6B,EAAE,EAAE;AACrE,QAAM,SAAS,EAAE,OAAO,CAAC"}

package/build/error/AskarStoreInvalidKeyError.d.mts

@@ -0,0 +1,13 @@
+import { AskarStoreError } from "./AskarStoreError.mjs";
+
+//#region src/error/AskarStoreInvalidKeyError.d.ts
+declare class AskarStoreInvalidKeyError extends AskarStoreError {
+  constructor(message: string, {
+    cause
+  }?: {
+    cause?: Error;
+  });
+}
+//#endregion
+export { AskarStoreInvalidKeyError };
+//# sourceMappingURL=AskarStoreInvalidKeyError.d.mts.map

package/build/error/AskarStoreInvalidKeyError.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AskarStoreInvalidKeyError.d.mts","names":[],"sources":["../../src/error/AskarStoreInvalidKeyError.ts"],"sourcesContent":[],"mappings":";;;cAEa,yBAAA,SAAkC,eAAA;;;EACP,CAAA;IAD3B,KAAA,CAAA,EAC8C,KAD9C;EAC2B,CAAA"}

package/build/error/AskarStoreInvalidKeyError.mjs

@@ -0,0 +1,12 @@
+import { AskarStoreError } from "./AskarStoreError.mjs";
+
+//#region src/error/AskarStoreInvalidKeyError.ts
+var AskarStoreInvalidKeyError = class extends AskarStoreError {
+	constructor(message, { cause } = {}) {
+		super(message, { cause });
+	}
+};
+
+//#endregion
+export { AskarStoreInvalidKeyError };
+//# sourceMappingURL=AskarStoreInvalidKeyError.mjs.map

package/build/error/AskarStoreInvalidKeyError.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"AskarStoreInvalidKeyError.mjs","names":[],"sources":["../../src/error/AskarStoreInvalidKeyError.ts"],"sourcesContent":["import { AskarStoreError } from './AskarStoreError'\n\nexport class AskarStoreInvalidKeyError extends AskarStoreError {\n  public constructor(message: string, { cause }: { cause?: Error } = {}) {\n    super(message, { cause })\n  }\n}\n"],"mappings":";;;AAEA,IAAa,4BAAb,cAA+C,gBAAgB;CAC7D,AAAO,YAAY,SAAiB,EAAE,UAA6B,EAAE,EAAE;AACrE,QAAM,SAAS,EAAE,OAAO,CAAC"}

package/build/error/AskarStoreNotFoundError.d.mts

@@ -0,0 +1,13 @@
+import { AskarStoreError } from "./AskarStoreError.mjs";
+
+//#region src/error/AskarStoreNotFoundError.d.ts
+declare class AskarStoreNotFoundError extends AskarStoreError {
+  constructor(message: string, {
+    cause
+  }?: {
+    cause?: Error;
+  });
+}
+//#endregion
+export { AskarStoreNotFoundError };
+//# sourceMappingURL=AskarStoreNotFoundError.d.mts.map

package/build/error/AskarStoreNotFoundError.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AskarStoreNotFoundError.d.mts","names":[],"sources":["../../src/error/AskarStoreNotFoundError.ts"],"sourcesContent":[],"mappings":";;;cAEa,uBAAA,SAAgC,eAAA;;;EACL,CAAA;IAD3B,KAAA,CAAA,EAC8C,KAD9C;EAC2B,CAAA"}

package/build/error/AskarStoreNotFoundError.mjs

@@ -0,0 +1,12 @@
+import { AskarStoreError } from "./AskarStoreError.mjs";
+
+//#region src/error/AskarStoreNotFoundError.ts
+var AskarStoreNotFoundError = class extends AskarStoreError {
+	constructor(message, { cause } = {}) {
+		super(message, { cause });
+	}
+};
+
+//#endregion
+export { AskarStoreNotFoundError };
+//# sourceMappingURL=AskarStoreNotFoundError.mjs.map

package/build/error/AskarStoreNotFoundError.mjs.map

@@ -0,0 +1 @@
+{"version":3,"file":"AskarStoreNotFoundError.mjs","names":[],"sources":["../../src/error/AskarStoreNotFoundError.ts"],"sourcesContent":["import { AskarStoreError } from './AskarStoreError'\n\nexport class AskarStoreNotFoundError extends AskarStoreError {\n  public constructor(message: string, { cause }: { cause?: Error } = {}) {\n    super(message, { cause })\n  }\n}\n"],"mappings":";;;AAEA,IAAa,0BAAb,cAA6C,gBAAgB;CAC3D,AAAO,YAAY,SAAiB,EAAE,UAA6B,EAAE,EAAE;AACrE,QAAM,SAAS,EAAE,OAAO,CAAC"}

package/build/error/index.d.mts

@@ -0,0 +1,8 @@
+import "./AskarError.mjs";
+import { AskarStoreError } from "./AskarStoreError.mjs";
+import { AskarStoreDuplicateError } from "./AskarStoreDuplicateError.mjs";
+import { AskarStoreExportPathExistsError } from "./AskarStoreExportPathExistsError.mjs";
+import { AskarStoreExportUnsupportedError } from "./AskarStoreExportUnsupportedError.mjs";
+import { AskarStoreImportPathExistsError } from "./AskarStoreImportPathExistsError.mjs";
+import { AskarStoreInvalidKeyError } from "./AskarStoreInvalidKeyError.mjs";
+import { AskarStoreNotFoundError } from "./AskarStoreNotFoundError.mjs";

package/build/error/index.mjs

@@ -0,0 +1,8 @@
+import { AskarError } from "./AskarError.mjs";
+import { AskarStoreError } from "./AskarStoreError.mjs";
+import { AskarStoreDuplicateError } from "./AskarStoreDuplicateError.mjs";
+import { AskarStoreExportPathExistsError } from "./AskarStoreExportPathExistsError.mjs";
+import { AskarStoreExportUnsupportedError } from "./AskarStoreExportUnsupportedError.mjs";
+import { AskarStoreImportPathExistsError } from "./AskarStoreImportPathExistsError.mjs";
+import { AskarStoreInvalidKeyError } from "./AskarStoreInvalidKeyError.mjs";
+import { AskarStoreNotFoundError } from "./AskarStoreNotFoundError.mjs";

package/build/index.d.mts

@@ -0,0 +1,19 @@
+import { AskarPostgresConfig, AskarPostgresCredentials, AskarPostgresStorageConfig, AskarSqliteConfig, AskarSqliteStorageConfig } from "./AskarStorageConfig.mjs";
+import { AskarModuleConfig, AskarModuleConfigOptions, AskarModuleConfigStoreOptions, AskarMultiWalletDatabaseScheme } from "./AskarModuleConfig.mjs";
+import { AskarStoreManager } from "./AskarStoreManager.mjs";
+import { AskarModule } from "./AskarModule.mjs";
+import { AskarStoreError } from "./error/AskarStoreError.mjs";
+import { AskarStoreDuplicateError } from "./error/AskarStoreDuplicateError.mjs";
+import { AskarStoreExportPathExistsError } from "./error/AskarStoreExportPathExistsError.mjs";
+import { AskarStoreExportUnsupportedError } from "./error/AskarStoreExportUnsupportedError.mjs";
+import { AskarStoreImportPathExistsError } from "./error/AskarStoreImportPathExistsError.mjs";
+import { AskarStoreInvalidKeyError } from "./error/AskarStoreInvalidKeyError.mjs";
+import { AskarStoreNotFoundError } from "./error/AskarStoreNotFoundError.mjs";
+import "./error/index.mjs";
+import { AskarKeyManagementService } from "./kms/AskarKeyManagementService.mjs";
+import { AskarStorageService } from "./storage/AskarStorageService.mjs";
+import "./storage/index.mjs";
+import { recordToInstance } from "./storage/utils.mjs";
+import { transformPrivateKeyToPrivateJwk, transformSeedToPrivateJwk } from "./utils/transformPrivateKey.mjs";
+import "./utils/index.mjs";
+export { AskarKeyManagementService, AskarModule, AskarModuleConfig, type AskarModuleConfigOptions, type AskarModuleConfigStoreOptions, AskarMultiWalletDatabaseScheme, type AskarPostgresConfig, type AskarPostgresCredentials, type AskarPostgresStorageConfig, type AskarSqliteConfig, type AskarSqliteStorageConfig, AskarStorageService, AskarStoreDuplicateError, AskarStoreError, AskarStoreExportPathExistsError, AskarStoreExportUnsupportedError, AskarStoreImportPathExistsError, AskarStoreInvalidKeyError, AskarStoreManager, AskarStoreNotFoundError, recordToInstance, transformPrivateKeyToPrivateJwk, transformSeedToPrivateJwk };

package/build/index.mjs

@@ -0,0 +1,19 @@
+import { AskarModuleConfig, AskarMultiWalletDatabaseScheme } from "./AskarModuleConfig.mjs";
+import { AskarStoreError } from "./error/AskarStoreError.mjs";
+import { AskarStoreDuplicateError } from "./error/AskarStoreDuplicateError.mjs";
+import { AskarStoreExportPathExistsError } from "./error/AskarStoreExportPathExistsError.mjs";
+import { AskarStoreExportUnsupportedError } from "./error/AskarStoreExportUnsupportedError.mjs";
+import { AskarStoreImportPathExistsError } from "./error/AskarStoreImportPathExistsError.mjs";
+import { AskarStoreInvalidKeyError } from "./error/AskarStoreInvalidKeyError.mjs";
+import { AskarStoreNotFoundError } from "./error/AskarStoreNotFoundError.mjs";
+import "./error/index.mjs";
+import { recordToInstance } from "./storage/utils.mjs";
+import { transformPrivateKeyToPrivateJwk, transformSeedToPrivateJwk } from "./utils/transformPrivateKey.mjs";
+import "./utils/index.mjs";
+import { AskarStoreManager } from "./AskarStoreManager.mjs";
+import { AskarKeyManagementService } from "./kms/AskarKeyManagementService.mjs";
+import { AskarStorageService } from "./storage/AskarStorageService.mjs";
+import "./storage/index.mjs";
+import { AskarModule } from "./AskarModule.mjs";
+
+export { AskarKeyManagementService, AskarModule, AskarModuleConfig, AskarMultiWalletDatabaseScheme, AskarStorageService, AskarStoreDuplicateError, AskarStoreError, AskarStoreExportPathExistsError, AskarStoreExportUnsupportedError, AskarStoreImportPathExistsError, AskarStoreInvalidKeyError, AskarStoreManager, AskarStoreNotFoundError, recordToInstance, transformPrivateKeyToPrivateJwk, transformSeedToPrivateJwk };

package/build/kms/AskarKeyManagementService.d.mts

@@ -0,0 +1,30 @@
+import { AgentContext, Kms } from "@credo-ts/core";
+
+//#region src/kms/AskarKeyManagementService.d.ts
+declare class AskarKeyManagementService implements Kms.KeyManagementService {
+  static readonly backend = "askar";
+  readonly backend = "askar";
+  private static algToSigType;
+  private withSession;
+  isOperationSupported(_agentContext: AgentContext, operation: Kms.KmsOperation): boolean;
+  randomBytes(_agentContext: AgentContext, options: Kms.KmsRandomBytesOptions): Kms.KmsRandomBytesReturn;
+  getPublicKey(agentContext: AgentContext, keyId: string): Promise<Kms.KmsJwkPublic | null>;
+  importKey<Jwk extends Kms.KmsJwkPrivate>(agentContext: AgentContext, options: Kms.KmsImportKeyOptions<Jwk>): Promise<Kms.KmsImportKeyReturn<Jwk>>;
+  deleteKey(agentContext: AgentContext, options: Kms.KmsDeleteKeyOptions): Promise<boolean>;
+  createKey<Type extends Kms.KmsCreateKeyType>(agentContext: AgentContext, options: Kms.KmsCreateKeyOptions<Type>): Promise<Kms.KmsCreateKeyReturn<Type>>;
+  sign(agentContext: AgentContext, options: Kms.KmsSignOptions): Promise<Kms.KmsSignReturn>;
+  verify(agentContext: AgentContext, options: Kms.KmsVerifyOptions): Promise<Kms.KmsVerifyReturn>;
+  encrypt(agentContext: AgentContext, options: Kms.KmsEncryptOptions): Promise<Kms.KmsEncryptReturn>;
+  decrypt(agentContext: AgentContext, options: Kms.KmsDecryptOptions): Promise<Kms.KmsDecryptReturn>;
+  private assertedSigTypeForAlg;
+  private assertAskarAlgForJwkCrv;
+  private keyFromJwk;
+  private keyFromSecretBytesAndEncryptionAlgorithm;
+  private publicJwkFromKey;
+  private privateJwkFromKey;
+  private fetchAskarKey;
+  private getKeyAsserted;
+}
+//#endregion
+export { AskarKeyManagementService };
+//# sourceMappingURL=AskarKeyManagementService.d.mts.map

package/build/kms/AskarKeyManagementService.d.mts.map

@@ -0,0 +1 @@
+{"version":3,"file":"AskarKeyManagementService.d.mts","names":[],"sources":["../../src/kms/AskarKeyManagementService.ts"],"sourcesContent":[],"mappings":";;;cAwBa,yBAAA,YAAqC,GAAA,CAAI;;EAAzC,SAAA,OAAA,GAAA,OAAA;EAgBgC,eAAA,YAAA;EAAyB,QAAI,WAAA;EA6DtC,oBAAA,CAAA,aAAA,EA7DS,YA6DT,EAAA,SAAA,EA7DkC,GAAA,CAAI,YA6DtC,CAAA,EAAA,OAAA;EAAuB,WAAI,CAAA,aAAA,EAA3B,YAA2B,EAAA,OAAA,EAAJ,GAAA,CAAI,qBAAA,CAAA,EAAwB,GAAA,CAAI,oBAA5B;EAAwB,YAAI,CAAA,YAAA,EAIjD,YAJiD,EAAA,KAAA,EAAA,MAAA,CAAA,EAInB,OAJmB,CAIX,GAAA,CAAI,YAJO,GAAA,IAAA,CAAA;EAIjD,SAAA,CAAA,YAOL,GAAA,CAAI,aAPC,CAAA,CAAA,YAAA,EAQxB,YARwB,EAAA,OAAA,EAS7B,GAAA,CAAI,mBATyB,CASL,GATK,CAAA,CAAA,EAUrC,OAVqC,CAU7B,GAAA,CAAI,kBAVyB,CAUN,GAVM,CAAA,CAAA;EAAsC,SAAI,CAAA,YAAA,EAgE7C,YAhE6C,EAAA,OAAA,EAgEtB,GAAA,CAAI,mBAhEkB,CAAA,EAgEI,OAhEJ,CAAA,OAAA,CAAA;EAAZ,SAAA,CAAA,aA8ElC,GAAA,CAAI,gBA9E8B,CAAA,CAAA,YAAA,EA+EtD,YA/EsD,EAAA,OAAA,EAgF3D,GAAA,CAAI,mBAhFuD,CAgFnC,IAhFmC,CAAA,CAAA,EAiFnE,OAjFmE,CAiF3D,GAAA,CAAI,kBAjFuD,CAiFpC,IAjFoC,CAAA,CAAA;EAOnC,IAAI,CAAA,YAAA,EA+IP,YA/IO,EAAA,OAAA,EA+IgB,GAAA,CAAI,cA/IpB,CAAA,EA+IqC,OA/IrC,CA+I6C,GAAA,CAAI,aA/IjD,CAAA;EACvB,MAAA,CAAA,YAAA,EAoLkB,YApLlB,EAAA,OAAA,EAoLyC,GAAA,CAAI,gBApL7C,CAAA,EAoLgE,OApLhE,CAoLwE,GAAA,CAAI,eApL5E,CAAA;EACmB,OAAA,CAAA,YAAA,EAwPA,YAxPA,EAAA,OAAA,EAwPuB,GAAA,CAAI,iBAxP3B,CAAA,EAwP+C,OAxP/C,CAwPuD,GAAA,CAAI,gBAxP3D,CAAA;EAAxB,OAAI,CAAA,YAAA,EA6YoB,YA7YpB,EAAA,OAAA,EA6Y2C,GAAA,CAAI,iBA7Y/C,CAAA,EA6YmE,OA7YnE,CA6Y2E,GAAA,CAAI,gBA7Y/E,CAAA;EACmB,QAAA,qBAAA;EAAvB,QAAI,uBAAA;EAAZ,QAAA,UAAA;EAsDkC,QAAA,wCAAA;EAAuB,QAAI,gBAAA;EAAsB,QAAA,iBAAA;EAclD,QAAI,aAAA;EACxB,QAAA,cAAA"}

package/build/kms/AskarKeyManagementService.mjs

@@ -0,0 +1,415 @@
+import { AskarErrorCode, isAskarError } from "../utils/askarError.mjs";
+import { jwkCrvToAskarAlg, jwkEncToAskarAlg } from "../utils/askarKeyTypes.mjs";
+import "../utils/index.mjs";
+import { AskarStoreManager } from "../AskarStoreManager.mjs";
+import { aeadDecrypt } from "./crypto/decrypt.mjs";
+import { askarSupportedKeyAgreementAlgorithms, deriveDecryptionKey, deriveEncryptionKey } from "./crypto/deriveKey.mjs";
+import { aeadEncrypt } from "./crypto/encrypt.mjs";
+import { randomBytes } from "./crypto/randomBytes.mjs";
+import { JsonEncoder, Kms, TypedArrayEncoder, utils } from "@credo-ts/core";
+import { CryptoBox, Jwk, Key, KeyAlgorithm, KeyEntryList, SignatureAlgorithm, askar } from "@openwallet-foundation/askar-shared";
+
+//#region src/kms/AskarKeyManagementService.ts
+const askarSupportedEncryptionAlgorithms = [...Object.keys(jwkEncToAskarAlg), "XSALSA20-POLY1305"];
+var AskarKeyManagementService = class AskarKeyManagementService {
+	constructor() {
+		this.backend = AskarKeyManagementService.backend;
+	}
+	withSession(agentContext, callback) {
+		return agentContext.dependencyManager.resolve(AskarStoreManager).withSession(agentContext, callback);
+	}
+	isOperationSupported(_agentContext, operation) {
+		if (operation.operation === "deleteKey") return true;
+		if (operation.operation === "randomBytes") return true;
+		if (operation.operation === "importKey") {
+			if (operation.privateJwk.kty === "EC" || operation.privateJwk.kty === "OKP") return jwkCrvToAskarAlg[operation.privateJwk.crv] !== void 0;
+			return false;
+		}
+		if (operation.operation === "createKey") {
+			if (operation.type.kty === "EC" || operation.type.kty === "OKP") return jwkCrvToAskarAlg[operation.type.crv] !== void 0;
+			if (operation.type.kty === "oct") {
+				if (operation.type.algorithm === "C20P") return true;
+				if (operation.type.algorithm === "aes") return [128, 256].includes(operation.type.length);
+			}
+			return false;
+		}
+		if (operation.operation === "sign" || operation.operation === "verify") return AskarKeyManagementService.algToSigType[operation.algorithm] !== void 0;
+		if (operation.operation === "encrypt") {
+			if (!askarSupportedEncryptionAlgorithms.includes(operation.encryption.algorithm)) return false;
+			if (!operation.keyAgreement) return true;
+			return askarSupportedKeyAgreementAlgorithms.includes(operation.keyAgreement.algorithm);
+		}
+		if (operation.operation === "decrypt") {
+			if (!askarSupportedEncryptionAlgorithms.includes(operation.decryption.algorithm)) return false;
+			if (!operation.keyAgreement) return true;
+			return askarSupportedKeyAgreementAlgorithms.includes(operation.keyAgreement.algorithm);
+		}
+		return false;
+	}
+	randomBytes(_agentContext, options) {
+		return randomBytes(options.length);
+	}
+	async getPublicKey(agentContext, keyId) {
+		const key = await this.fetchAskarKey(agentContext, keyId);
+		if (!key) return null;
+		return this.publicJwkFromKey(key.key, { kid: keyId });
+	}
+	async importKey(agentContext, options) {
+		const { kid } = options.privateJwk;
+		const privateJwk = {
+			...options.privateJwk,
+			kid: kid ?? utils.uuid()
+		};
+		let key;
+		try {
+			if (privateJwk.kty === "oct") throw new Kms.KeyManagementAlgorithmNotSupportedError(`importing keys with kty '${privateJwk.kty}'`, this.backend);
+			if (privateJwk.kty === "EC" || privateJwk.kty === "OKP") {
+				this.assertAskarAlgForJwkCrv(privateJwk.kty, privateJwk.crv);
+				key = Key.fromJwk({ jwk: Jwk.fromJson(privateJwk) });
+			}
+			const _key = key;
+			if (!_key) throw new Kms.KeyManagementAlgorithmNotSupportedError(`kty '${privateJwk.kty}'`, this.backend);
+			await this.withSession(agentContext, (session) => session.insertKey({
+				name: privateJwk.kid,
+				key: _key
+			}));
+			const publicJwk = Kms.publicJwkFromPrivateJwk(privateJwk);
+			return {
+				keyId: privateJwk.kid,
+				publicJwk: {
+					...publicJwk,
+					kid: privateJwk.kid
+				}
+			};
+		} catch (error) {
+			if (error instanceof Kms.KeyManagementError) throw error;
+			if (isAskarError(error, AskarErrorCode.Duplicate)) throw new Kms.KeyManagementKeyExistsError(privateJwk.kid, this.backend);
+			throw new Kms.KeyManagementError("Error importing key", { cause: error });
+		} finally {
+			key?.handle.free();
+		}
+	}
+	async deleteKey(agentContext, options) {
+		try {
+			await this.withSession(agentContext, (session) => session.removeKey({ name: options.keyId }));
+			return true;
+		} catch (error) {
+			if (isAskarError(error, AskarErrorCode.NotFound)) return false;
+			throw new Kms.KeyManagementError(`Error deleting key with id '${options.keyId}'`, { cause: error });
+		}
+	}
+	async createKey(agentContext, options) {
+		const { type, keyId } = options;
+		const kid = keyId ?? utils.uuid();
+		let askarKey;
+		try {
+			if (type.kty === "EC" || type.kty === "OKP") {
+				const keyAlg = this.assertAskarAlgForJwkCrv(type.kty, type.crv);
+				askarKey = Key.generate(keyAlg);
+			} else if (type.kty === "oct") if (type.algorithm === "aes") {
+				const lengthToKeyAlg = {
+					128: KeyAlgorithm.AesA128Gcm,
+					256: KeyAlgorithm.AesA256Gcm,
+					512: KeyAlgorithm.AesA256CbcHs512
+				};
+				const keyAlg = lengthToKeyAlg[type.length];
+				if (!keyAlg) throw new Kms.KeyManagementAlgorithmNotSupportedError(`length '${type.length}' for kty '${type.kty}' with algorithm '${type.algorithm}'. Supported length values are ${Object.keys(lengthToKeyAlg).join(", ")}`, this.backend);
+				askarKey = Key.generate(keyAlg);
+			} else if (type.algorithm === "C20P") askarKey = Key.generate(KeyAlgorithm.Chacha20C20P);
+			else throw new Kms.KeyManagementAlgorithmNotSupportedError(`algorithm '${type.algorithm}' for kty '${type.kty}'`, this.backend);
+			const _key = askarKey;
+			if (!_key) throw new Kms.KeyManagementAlgorithmNotSupportedError(`kty '${type.kty}'`, this.backend);
+			const publicJwk = this.publicJwkFromKey(_key, { kid });
+			await this.withSession(agentContext, (session) => session.insertKey({
+				name: kid,
+				key: _key
+			}));
+			return {
+				publicJwk,
+				keyId: kid
+			};
+		} catch (error) {
+			if (error instanceof Kms.KeyManagementError) throw error;
+			if (isAskarError(error, AskarErrorCode.Duplicate)) throw new Kms.KeyManagementKeyExistsError(kid, this.backend);
+			throw new Kms.KeyManagementError("Error creating key", { cause: error });
+		} finally {
+			askarKey?.handle.free();
+		}
+	}
+	async sign(agentContext, options) {
+		const { keyId, algorithm, data } = options;
+		const key = await this.getKeyAsserted(agentContext, keyId);
+		try {
+			const sigType = this.assertedSigTypeForAlg(algorithm);
+			if (!key.key) throw new Kms.KeyManagementAlgorithmNotSupportedError(`algorithm ${algorithm}`, this.backend);
+			const publicJwk = this.publicJwkFromKey(key.key, { kid: keyId });
+			const privateJwk = this.privateJwkFromKey(key.key, { kid: keyId });
+			Kms.assertAllowedSigningAlgForKey(privateJwk, algorithm);
+			Kms.assertKeyAllowsSign(publicJwk);
+			const signature = key.key.signMessage({
+				message: new Uint8Array(data),
+				sigType
+			});
+			return { signature: new Uint8Array(signature) };
+		} catch (error) {
+			if (error instanceof Kms.KeyManagementError) throw error;
+			throw new Kms.KeyManagementError("Error signing with key", { cause: error });
+		} finally {
+			key.key?.handle.free();
+		}
+	}
+	async verify(agentContext, options) {
+		const { algorithm, data, signature, key: keyInput } = options;
+		const sigType = this.assertedSigTypeForAlg(algorithm);
+		let askarKey;
+		try {
+			if (keyInput.keyId) askarKey = (await this.getKeyAsserted(agentContext, keyInput.keyId)).key;
+			else if (keyInput.publicJwk?.kty === "EC" || keyInput.publicJwk?.kty === "OKP") {
+				this.assertAskarAlgForJwkCrv(keyInput.publicJwk.kty, keyInput.publicJwk.crv);
+				askarKey = Key.fromJwk({ jwk: Jwk.fromJson(keyInput.publicJwk) });
+			} else throw new Kms.KeyManagementAlgorithmNotSupportedError(`kty ${keyInput.publicJwk?.kty}`, this.backend);
+			if (!askarKey) throw new Kms.KeyManagementAlgorithmNotSupportedError(`algorithm ${algorithm}`, this.backend);
+			const keyId = keyInput.keyId ?? keyInput.publicJwk?.kid;
+			const publicJwk = this.publicJwkFromKey(askarKey, { kid: keyId });
+			if (publicJwk.kty === "oct") {
+				const privateJwk = this.privateJwkFromKey(askarKey, { kid: keyId });
+				Kms.assertAllowedSigningAlgForKey(privateJwk, algorithm);
+				Kms.assertKeyAllowsVerify(publicJwk);
+			} else {
+				Kms.assertAllowedSigningAlgForKey(publicJwk, algorithm);
+				Kms.assertKeyAllowsVerify(publicJwk);
+			}
+			if (askarKey.verifySignature({
+				message: new Uint8Array(data),
+				signature: new Uint8Array(signature),
+				sigType
+			})) return {
+				verified: true,
+				publicJwk: keyInput.keyId ? this.publicJwkFromKey(askarKey, { kid: keyId }) : keyInput.publicJwk
+			};
+			return { verified: false };
+		} catch (error) {
+			if (error instanceof Kms.KeyManagementError) throw error;
+			throw new Kms.KeyManagementError("Error verifying with key", { cause: error });
+		} finally {
+			if (askarKey) askarKey.handle.free();
+		}
+	}
+	async encrypt(agentContext, options) {
+		const { data, encryption, key } = options;
+		Kms.assertSupportedEncryptionAlgorithm(encryption, askarSupportedEncryptionAlgorithms, this.backend);
+		const keysToFree = [];
+		try {
+			let encryptionKey;
+			let encryptedKey;
+			if (key.keyId) {
+				encryptionKey = (await this.getKeyAsserted(agentContext, key.keyId)).key;
+				keysToFree.push(encryptionKey);
+			} else if (key.privateJwk) {
+				if (encryption.algorithm === "XSALSA20-POLY1305") throw new Kms.KeyManagementAlgorithmNotSupportedError(`encryption algorithm '${encryption.algorithm}' is only supported in combination with key agreement algorithm '${Kms.KnownJwaKeyAgreementAlgorithms.ECDH_HSALSA20}'`, this.backend);
+				encryptionKey = this.keyFromSecretBytesAndEncryptionAlgorithm(TypedArrayEncoder.fromBase64(key.privateJwk.k), encryption.algorithm);
+				keysToFree.push(encryptionKey);
+			} else if (key.keyAgreement) {
+				Kms.assertAllowedKeyDerivationAlgForKey(key.keyAgreement.externalPublicJwk, key.keyAgreement.algorithm);
+				Kms.assertKeyAllowsDerive(key.keyAgreement.externalPublicJwk);
+				Kms.assertSupportedKeyAgreementAlgorithm(key.keyAgreement, askarSupportedKeyAgreementAlgorithms, this.backend);
+				let privateKey = key.keyAgreement.keyId ? (await this.getKeyAsserted(agentContext, key.keyAgreement.keyId)).key : void 0;
+				if (privateKey) keysToFree.push(privateKey);
+				const privateJwk$1 = privateKey ? this.privateJwkFromKey(privateKey) : void 0;
+				if (privateJwk$1) {
+					Kms.assertJwkAsymmetric(privateJwk$1, key.keyAgreement.keyId);
+					Kms.assertAllowedKeyDerivationAlgForKey(privateJwk$1, key.keyAgreement.algorithm);
+					Kms.assertKeyAllowsDerive(privateJwk$1);
+					if (key.keyAgreement.algorithm !== "ECDH-HSALSA20") Kms.assertAsymmetricJwkKeyTypeMatches(privateJwk$1, key.keyAgreement.externalPublicJwk);
+				}
+				const recipientKey = this.keyFromJwk(key.keyAgreement.externalPublicJwk);
+				keysToFree.push(recipientKey);
+				if (key.keyAgreement.algorithm === "ECDH-HSALSA20" || encryption.algorithm === "XSALSA20-POLY1305") {
+					if (encryption.algorithm !== "XSALSA20-POLY1305" || key.keyAgreement.algorithm !== "ECDH-HSALSA20") throw new Kms.KeyManagementAlgorithmNotSupportedError(`key agreement algorithm '${key.keyAgreement.algorithm}' with encryption algorithm '${encryption.algorithm}'`, this.backend);
+					if (!privateKey) return { encrypted: new Uint8Array(CryptoBox.seal({
+						recipientKey,
+						message: new Uint8Array(data)
+					})) };
+					if (privateKey.algorithm === KeyAlgorithm.Ed25519) {
+						privateKey = privateKey.convertkey({ algorithm: KeyAlgorithm.X25519 });
+						keysToFree.push(privateKey);
+					}
+					const nonce = new Uint8Array(CryptoBox.randomNonce());
+					return {
+						encrypted: new Uint8Array(CryptoBox.cryptoBox({
+							recipientKey,
+							senderKey: privateKey,
+							message: new Uint8Array(data),
+							nonce
+						})),
+						iv: nonce
+					};
+				}
+				if (!privateKey) throw new Kms.KeyManagementError("sender key is required for ECDH-ES key derivation.");
+				const { contentEncryptionKey, encryptedContentEncryptionKey } = deriveEncryptionKey({
+					encryption,
+					keyAgreement: key.keyAgreement,
+					recipientKey,
+					senderKey: privateKey
+				});
+				encryptionKey = contentEncryptionKey;
+				keysToFree.push(contentEncryptionKey);
+				encryptedKey = encryptedContentEncryptionKey;
+			} else throw new Kms.KeyManagementError("Unexpected key parameter for encrypt");
+			if (encryption.algorithm === "XSALSA20-POLY1305") throw new Kms.KeyManagementAlgorithmNotSupportedError(`encryption algorithm '${encryption.algorithm}' can only be used with key agreement algorithm ECDH-HSALSA20`, this.backend);
+			const privateJwk = this.privateJwkFromKey(encryptionKey);
+			Kms.assertKeyAllowsDerive(privateJwk);
+			Kms.assertAllowedEncryptionAlgForKey(privateJwk, encryption.algorithm);
+			Kms.assertKeyAllowsEncrypt(privateJwk);
+			return {
+				...aeadEncrypt({
+					key: encryptionKey,
+					data,
+					encryption
+				}),
+				encryptedKey
+			};
+		} catch (error) {
+			if (error instanceof Kms.KeyManagementError) throw error;
+			throw new Kms.KeyManagementError("Error encrypting with key", { cause: error });
+		} finally {
+			for (const key$1 of keysToFree) key$1.handle.free();
+		}
+	}
+	async decrypt(agentContext, options) {
+		const { encrypted, decryption, key } = options;
+		Kms.assertSupportedEncryptionAlgorithm(decryption, askarSupportedEncryptionAlgorithms, this.backend);
+		const keysToFree = [];
+		try {
+			let decryptionKey;
+			if (key.keyId) {
+				decryptionKey = (await this.getKeyAsserted(agentContext, key.keyId)).key;
+				keysToFree.push(decryptionKey);
+			} else if (key.privateJwk) {
+				if (decryption.algorithm === "XSALSA20-POLY1305") throw new Kms.KeyManagementAlgorithmNotSupportedError(`decryption algorithm '${decryption.algorithm}' is only supported in combination with key agreement algorithm '${Kms.KnownJwaKeyAgreementAlgorithms.ECDH_HSALSA20}'`, this.backend);
+				decryptionKey = this.keyFromSecretBytesAndEncryptionAlgorithm(TypedArrayEncoder.fromBase64(key.privateJwk.k), decryption.algorithm);
+				keysToFree.push(decryptionKey);
+			} else if (key.keyAgreement) {
+				if (key.keyAgreement.externalPublicJwk) {
+					Kms.assertAllowedKeyDerivationAlgForKey(key.keyAgreement.externalPublicJwk, key.keyAgreement.algorithm);
+					Kms.assertKeyAllowsDerive(key.keyAgreement.externalPublicJwk);
+				}
+				Kms.assertSupportedKeyAgreementAlgorithm(key.keyAgreement, askarSupportedKeyAgreementAlgorithms, this.backend);
+				let privateKey = (await this.getKeyAsserted(agentContext, key.keyAgreement.keyId)).key;
+				keysToFree.push(privateKey);
+				const privateJwk$1 = this.privateJwkFromKey(privateKey);
+				Kms.assertJwkAsymmetric(privateJwk$1, key.keyAgreement.keyId);
+				Kms.assertAllowedKeyDerivationAlgForKey(privateJwk$1, key.keyAgreement.algorithm);
+				Kms.assertKeyAllowsDerive(privateJwk$1);
+				if (key.keyAgreement.externalPublicJwk && key.keyAgreement.algorithm !== "ECDH-HSALSA20") Kms.assertAsymmetricJwkKeyTypeMatches(privateJwk$1, key.keyAgreement.externalPublicJwk);
+				const senderKey = key.keyAgreement.externalPublicJwk ? this.keyFromJwk(key.keyAgreement.externalPublicJwk) : void 0;
+				if (senderKey) keysToFree.push(senderKey);
+				if (key.keyAgreement.algorithm === "ECDH-HSALSA20" || decryption.algorithm === "XSALSA20-POLY1305") {
+					if (decryption.algorithm !== "XSALSA20-POLY1305" || key.keyAgreement.algorithm !== "ECDH-HSALSA20") throw new Kms.KeyManagementAlgorithmNotSupportedError(`key agreement algorithm '${key.keyAgreement.algorithm}' with encryption algorithm '${decryption.algorithm}'`, this.backend);
+					if (privateKey.algorithm === KeyAlgorithm.Ed25519) {
+						privateKey = privateKey.convertkey({ algorithm: KeyAlgorithm.X25519 });
+						keysToFree.push(privateKey);
+					}
+					if (!senderKey) return { data: new Uint8Array(CryptoBox.sealOpen({
+						recipientKey: privateKey,
+						ciphertext: new Uint8Array(encrypted)
+					})) };
+					if (!decryption.iv) throw new Kms.KeyManagementError(`Missing required 'iv' for key agreement algorithm ${key.keyAgreement.algorithm} and encryption algorithm ${decryption.algorithm} with sender key defined.`);
+					return { data: new Uint8Array(CryptoBox.open({
+						recipientKey: privateKey,
+						senderKey,
+						message: new Uint8Array(encrypted),
+						nonce: new Uint8Array(decryption.iv)
+					})) };
+				}
+				if (!senderKey) throw new Kms.KeyManagementError("sender key is required for ECDH-ES key derivation.");
+				const { contentEncryptionKey } = deriveDecryptionKey({
+					decryption,
+					keyAgreement: key.keyAgreement,
+					recipientKey: privateKey,
+					senderKey
+				});
+				decryptionKey = contentEncryptionKey;
+				keysToFree.push(contentEncryptionKey);
+			} else throw new Kms.KeyManagementError("Unexpected key parameter for decrypt");
+			if (decryption.algorithm === "XSALSA20-POLY1305") throw new Kms.KeyManagementAlgorithmNotSupportedError(`encryption algorithm '${decryption.algorithm}' can only be used with key agreement algorithm ECDH-HSALSA20`, this.backend);
+			const privateJwk = this.privateJwkFromKey(decryptionKey);
+			Kms.assertKeyAllowsDerive(privateJwk);
+			Kms.assertAllowedEncryptionAlgForKey(privateJwk, decryption.algorithm);
+			Kms.assertKeyAllowsEncrypt(privateJwk);
+			return { data: aeadDecrypt({
+				key: decryptionKey,
+				encrypted,
+				decryption
+			}) };
+		} catch (error) {
+			if (error instanceof Kms.KeyManagementError) throw error;
+			throw new Kms.KeyManagementError("Error decrypting with key", { cause: error });
+		} finally {
+			for (const key$1 of keysToFree) key$1.handle.free();
+		}
+	}
+	assertedSigTypeForAlg(algorithm) {
+		const sigType = AskarKeyManagementService.algToSigType[algorithm];
+		if (!sigType) throw new Kms.KeyManagementAlgorithmNotSupportedError(`signing and verification with algorithm '${algorithm}'`, this.backend);
+		return sigType;
+	}
+	assertAskarAlgForJwkCrv(kty, crv) {
+		const keyAlg = jwkCrvToAskarAlg[crv];
+		if (!keyAlg) throw new Kms.KeyManagementAlgorithmNotSupportedError(`crv '${crv}' for kty '${kty}'`, this.backend);
+		return keyAlg;
+	}
+	keyFromJwk(jwk) {
+		return new Key(askar.keyFromJwk({ jwk: new Uint8Array(JsonEncoder.toBuffer(jwk)) }));
+	}
+	keyFromSecretBytesAndEncryptionAlgorithm(secretBytes, algorithm) {
+		const askarEncryptionAlgorithm = jwkEncToAskarAlg[algorithm];
+		if (!askarEncryptionAlgorithm) throw new Kms.KeyManagementAlgorithmNotSupportedError(`JWA encryption algorithm '${algorithm}'`, "askar");
+		return Key.fromSecretBytes({
+			algorithm: askarEncryptionAlgorithm,
+			secretKey: new Uint8Array(secretBytes)
+		});
+	}
+	publicJwkFromKey(key, partialJwkPublic) {
+		return Kms.publicJwkFromPrivateJwk(this.privateJwkFromKey(key, partialJwkPublic));
+	}
+	privateJwkFromKey(key, partialJwkPrivate) {
+		const { alg, ...jwkSecret } = JsonEncoder.fromBuffer(askar.keyGetJwkSecret({ localKeyHandle: key.handle }));
+		return {
+			...partialJwkPrivate,
+			...jwkSecret
+		};
+	}
+	async fetchAskarKey(agentContext, keyId) {
+		return await this.withSession(agentContext, async (session) => {
+			if (!session.handle) throw Error("Cannot fetch a key with a closed session");
+			const handle = await askar.sessionFetchKey({
+				forUpdate: false,
+				name: keyId,
+				sessionHandle: session.handle
+			});
+			if (!handle) return null;
+			const keyEntryList = new KeyEntryList({ handle });
+			const keyEntryObject = keyEntryList.getEntryByIndex(0).toJson();
+			keyEntryList.handle.free();
+			return keyEntryObject;
+		});
+	}
+	async getKeyAsserted(agentContext, keyId) {
+		const storageKey = await this.fetchAskarKey(agentContext, keyId);
+		if (!storageKey) throw new Kms.KeyManagementKeyNotFoundError(keyId, [this.backend]);
+		return storageKey;
+	}
+};
+AskarKeyManagementService.backend = "askar";
+AskarKeyManagementService.algToSigType = {
+	EdDSA: SignatureAlgorithm.EdDSA,
+	Ed25519: SignatureAlgorithm.EdDSA,
+	ES256K: SignatureAlgorithm.ES256K,
+	ES256: SignatureAlgorithm.ES256,
+	ES384: SignatureAlgorithm.ES384
+};
+
+//#endregion
+export { AskarKeyManagementService };
+//# sourceMappingURL=AskarKeyManagementService.mjs.map