@credo-ts/node 0.7.0-pr-2704-20260425132842 → 0.7.0

@@ -1 +1 @@
1
- {"version":3,"file":"NodeKeyManagementService.d.mts","names":[],"sources":["../../src/kms/NodeKeyManagementService.ts"],"mappings":";;;;cAmBa,wBAAA,YAAoC,GAAA,CAAI,oBAAA;EAAA;WACnC,OAAA;cAIG,OAAA,EAAS,wBAAA;EAIrB,oBAAA,CAAqB,aAAA,EAAe,YAAA,EAAc,SAAA,EAAW,GAAA,CAAI,YAAA;EAmFjE,WAAA,CAAY,aAAA,EAAe,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,qBAAA,GAAwB,GAAA,CAAI,oBAAA;EAI5E,YAAA,CAAa,YAAA,EAAc,YAAA,EAAc,KAAA,WAAgB,OAAA,CAAQ,GAAA,CAAI,YAAA;EAOrE,SAAA,aAAsB,GAAA,CAAI,aAAA,CAAA,CACrC,YAAA,EAAc,YAAA,EACd,OAAA,EAAS,GAAA,CAAI,mBAAA,CAAoB,GAAA,IAChC,OAAA,CAAQ,GAAA,CAAI,kBAAA,CAAmB,GAAA;EAyDrB,SAAA,CAAU,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,mBAAA,GAAsB,OAAA;EAIzE,SAAA,cAAuB,GAAA,CAAI,gBAAA,CAAA,CACtC,YAAA,EAAc,YAAA,EACd,OAAA,EAAS,GAAA,CAAI,mBAAA,CAAoB,IAAA,IAChC,OAAA,CAAQ,GAAA,CAAI,kBAAA,CAAmB,IAAA;EAuCrB,IAAA,CAAK,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,cAAA,GAAiB,OAAA,CAAQ,GAAA,CAAI,aAAA;EAwB3E,MAAA,CAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,gBAAA,GAAmB,OAAA,CAAQ,GAAA,CAAI,eAAA;EA2C/E,OAAA,CAAQ,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,iBAAA,GAAoB,OAAA,CAAQ,GAAA,CAAI,gBAAA;EA4DjF,OAAA,CAAQ,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,iBAAA,GAAoB,OAAA,CAAQ,GAAA,CAAI,gBAAA;EAAA,QA0DhF,cAAA;EAAA,QASA,kBAAA;AAAA"}
1
+ {"version":3,"file":"NodeKeyManagementService.d.mts","names":[],"sources":["../../src/kms/NodeKeyManagementService.ts"],"mappings":";;;;cAmBa,wBAAA,YAAoC,GAAA,CAAI,oBAAA;EAAA;WACnC,OAAA;cAIG,OAAA,EAAS,wBAAA;EAIrB,oBAAA,CAAqB,aAAA,EAAe,YAAA,EAAc,SAAA,EAAW,GAAA,CAAI,YAAA;EAmFjE,WAAA,CAAY,aAAA,EAAe,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,qBAAA,GAAwB,GAAA,CAAI,oBAAA;EAI5E,YAAA,CAAa,YAAA,EAAc,YAAA,EAAc,KAAA,WAAgB,OAAA,CAAQ,GAAA,CAAI,YAAA;EAOrE,SAAA,aAAsB,GAAA,CAAI,aAAA,CAAA,CACrC,YAAA,EAAc,YAAA,EACd,OAAA,EAAS,GAAA,CAAI,mBAAA,CAAoB,GAAA,IAChC,OAAA,CAAQ,GAAA,CAAI,kBAAA,CAAmB,GAAA;EAyDrB,SAAA,CAAU,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,mBAAA,GAAsB,OAAA;EAIzE,SAAA,cAAuB,GAAA,CAAI,gBAAA,CAAA,CACtC,YAAA,EAAc,YAAA,EACd,OAAA,EAAS,GAAA,CAAI,mBAAA,CAAoB,IAAA,IAChC,OAAA,CAAQ,GAAA,CAAI,kBAAA,CAAmB,IAAA;EAuCrB,IAAA,CAAK,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,cAAA,GAAiB,OAAA,CAAQ,GAAA,CAAI,aAAA;EAwB3E,MAAA,CAAO,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,gBAAA,GAAmB,OAAA,CAAQ,GAAA,CAAI,eAAA;EA2C/E,OAAA,CAAQ,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,iBAAA,GAAoB,OAAA,CAAQ,GAAA,CAAI,gBAAA;EA4DjF,OAAA,CAAQ,YAAA,EAAc,YAAA,EAAc,OAAA,EAAS,GAAA,CAAI,iBAAA,GAAoB,OAAA,CAAQ,GAAA,CAAI,gBAAA;EAAA,QAqDhF,cAAA;EAAA,QASA,kBAAA;AAAA"}
@@ -240,14 +240,13 @@ var NodeKeyManagementService = class {
240
240
  else if (key.privateJwk) decryptionKey = key.privateJwk;
241
241
  else if (key.keyAgreement) {
242
242
  Kms.assertSupportedKeyAgreementAlgorithm(key.keyAgreement, nodeSupportedKeyAgreementAlgorithms, this.backend);
243
- const publicJwkForAssert = key.keyAgreement.algorithm === "ECDH-1PU+A256KW" ? key.keyAgreement.ephemeralPublicJwk : key.keyAgreement.externalPublicJwk;
244
- Kms.assertAllowedKeyDerivationAlgForKey(publicJwkForAssert, key.keyAgreement.algorithm);
245
- Kms.assertKeyAllowsDerive(publicJwkForAssert);
243
+ Kms.assertAllowedKeyDerivationAlgForKey(key.keyAgreement.externalPublicJwk, key.keyAgreement.algorithm);
244
+ Kms.assertKeyAllowsDerive(key.keyAgreement.externalPublicJwk);
246
245
  const privateJwk = await this.getKeyAsserted(agentContext, key.keyAgreement.keyId);
247
246
  Kms.assertJwkAsymmetric(privateJwk, key.keyAgreement.keyId);
248
247
  Kms.assertAllowedKeyDerivationAlgForKey(privateJwk, key.keyAgreement.algorithm);
249
248
  Kms.assertKeyAllowsDerive(privateJwk);
250
- Kms.assertAsymmetricJwkKeyTypeMatches(privateJwk, publicJwkForAssert);
249
+ Kms.assertAsymmetricJwkKeyTypeMatches(privateJwk, key.keyAgreement.externalPublicJwk);
251
250
  const { contentEncryptionKey } = await deriveDecryptionKey({
252
251
  keyAgreement: key.keyAgreement,
253
252
  decryption,
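Review bot: The new-side lines 243, 244 and 249 validate only `key.keyAgreement.externalPublicJwk`, so for `ECDH-1PU+A256KW` the `ephemeralPublicJwk` that the removed lines ran through `Kms.assertAllowedKeyDerivationAlgForKey` and `Kms.assertKeyAllowsDerive` now reaches `deriveDecryptionKey` without either check. Matching encrypt's checks on the static external key is reasonable, but on the decrypt side the ephemeral key is presumably taken from the received message rather than generated locally, so it deserves an explicit check unless `deriveDecryptionKey` (outside this hunk) performs the same validation. The guard below keeps the new external-key assertions and re-adds the ephemeral-key assertions only for the 1PU case. The enclosing `decrypt` method starts and ends outside the hunk.
```javascript
Kms.assertAllowedKeyDerivationAlgForKey(key.keyAgreement.externalPublicJwk, key.keyAgreement.algorithm);
Kms.assertKeyAllowsDerive(key.keyAgreement.externalPublicJwk);
if (key.keyAgreement.algorithm === "ECDH-1PU+A256KW") {
  Kms.assertAllowedKeyDerivationAlgForKey(key.keyAgreement.ephemeralPublicJwk, key.keyAgreement.algorithm);
  Kms.assertKeyAllowsDerive(key.keyAgreement.ephemeralPublicJwk);
}
// … unchanged: private key lookup, key-type match, deriveDecryptionKey call …
```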
@@ -1 +1 @@
1
- {"version":3,"file":"NodeKeyManagementService.mjs","names":[],"sources":["../../src/kms/NodeKeyManagementService.ts"],"sourcesContent":["import { createPrivateKey, createSecretKey, randomBytes, randomUUID } from 'node:crypto'\nimport type { AgentContext } from '@credo-ts/core'\nimport { Kms, TypedArrayEncoder } from '@credo-ts/core'\nimport {\n assertNodeSupportedEcCrv,\n assertNodeSupportedOctAlgorithm,\n assertNodeSupportedOkpCrv,\n createEcKey,\n createOctKey,\n createOkpKey,\n createRsaKey,\n} from './crypto/createKey'\nimport { performDecrypt } from './crypto/decrypt'\nimport { deriveDecryptionKey, deriveEncryptionKey, nodeSupportedKeyAgreementAlgorithms } from './crypto/deriveKey'\nimport { nodeSupportedEncryptionAlgorithms, performEncrypt } from './crypto/encrypt'\nimport { nodeSupportedJwaAlgorithm, performSign } from './crypto/sign'\nimport { performVerify } from './crypto/verify'\nimport type { NodeKeyManagementStorage } from './NodeKeyManagementStorage'\n\nexport class NodeKeyManagementService implements Kms.KeyManagementService {\n public readonly backend = 'node'\n\n #storage: NodeKeyManagementStorage\n\n public constructor(storage: NodeKeyManagementStorage) {\n this.#storage = storage\n }\n\n public isOperationSupported(_agentContext: AgentContext, operation: Kms.KmsOperation): boolean {\n if (operation.operation === 'deleteKey') return true\n if (operation.operation === 'randomBytes') return true\n\n if (operation.operation === 'createKey') {\n // TODO: probably clean to split the assert methods so we don't need try/catch here\n try {\n if (operation.type.kty === 'RSA') {\n return true\n }\n\n if (operation.type.kty === 'EC') {\n assertNodeSupportedEcCrv(operation.type)\n return true\n }\n\n if (operation.type.kty === 'OKP') {\n assertNodeSupportedOkpCrv(operation.type)\n return true\n }\n\n if (operation.type.kty === 'oct') {\n assertNodeSupportedOctAlgorithm(operation.type)\n return true\n }\n } catch {\n return false\n }\n\n return false\n }\n\n 
if (operation.operation === 'importKey') {\n try {\n if (operation.privateJwk.kty === 'RSA' || operation.privateJwk.kty === 'oct') {\n return true\n }\n\n if (operation.privateJwk.kty === 'EC') {\n assertNodeSupportedEcCrv({ kty: operation.privateJwk.kty, crv: operation.privateJwk.crv })\n return true\n }\n\n if (operation.privateJwk.kty === 'OKP') {\n assertNodeSupportedOkpCrv({ kty: operation.privateJwk.kty, crv: operation.privateJwk.crv })\n return true\n }\n } catch {\n return false\n }\n }\n\n if (operation.operation === 'sign' || operation.operation === 'verify') {\n return nodeSupportedJwaAlgorithm.includes(operation.algorithm)\n }\n\n if (operation.operation === 'encrypt') {\n const isSupportedEncryptionAlgorithm = nodeSupportedEncryptionAlgorithms.includes(\n operation.encryption.algorithm as (typeof nodeSupportedEncryptionAlgorithms)[number]\n )\n if (!isSupportedEncryptionAlgorithm) return false\n if (!operation.keyAgreement) return true\n\n return nodeSupportedKeyAgreementAlgorithms.includes(\n operation.keyAgreement.algorithm as (typeof nodeSupportedKeyAgreementAlgorithms)[number]\n )\n }\n\n if (operation.operation === 'decrypt') {\n const isSupportedEncryptionAlgorithm = nodeSupportedEncryptionAlgorithms.includes(\n operation.decryption.algorithm as (typeof nodeSupportedEncryptionAlgorithms)[number]\n )\n if (!isSupportedEncryptionAlgorithm) return false\n if (!operation.keyAgreement) return true\n\n return nodeSupportedKeyAgreementAlgorithms.includes(\n operation.keyAgreement.algorithm as (typeof nodeSupportedKeyAgreementAlgorithms)[number]\n )\n }\n\n return false\n }\n\n public randomBytes(_agentContext: AgentContext, options: Kms.KmsRandomBytesOptions): Kms.KmsRandomBytesReturn {\n return randomBytes(options.length)\n }\n\n public async getPublicKey(agentContext: AgentContext, keyId: string): Promise<Kms.KmsJwkPublic | null> {\n const privateJwk = await this.#storage.get(agentContext, keyId)\n if (!privateJwk) return null\n\n return 
Kms.publicJwkFromPrivateJwk(privateJwk)\n }\n\n public async importKey<Jwk extends Kms.KmsJwkPrivate>(\n agentContext: AgentContext,\n options: Kms.KmsImportKeyOptions<Jwk>\n ): Promise<Kms.KmsImportKeyReturn<Jwk>> {\n const { kid } = options.privateJwk\n\n if (kid) await this.assertKeyNotExists(agentContext, kid)\n\n const privateJwk = {\n ...options.privateJwk,\n kid: kid ?? randomUUID(),\n }\n\n try {\n if (privateJwk.kty === 'oct') {\n // Just check if we can create a secret key instance\n createSecretKey(TypedArrayEncoder.fromBase64Url(privateJwk.k)).export({ format: 'jwk' })\n } else if (privateJwk.kty === 'EC') {\n assertNodeSupportedEcCrv({ kty: privateJwk.kty, crv: privateJwk.crv })\n // This validates the JWK\n createPrivateKey({\n format: 'jwk',\n key: privateJwk,\n })\n } else if (privateJwk.kty === 'OKP') {\n assertNodeSupportedOkpCrv({ kty: privateJwk.kty, crv: privateJwk.crv })\n // This validates the JWK\n createPrivateKey({\n format: 'jwk',\n key: privateJwk,\n })\n } else if (privateJwk.kty === 'RSA') {\n // This validates the JWK\n createPrivateKey({\n format: 'jwk',\n key: privateJwk,\n })\n } else {\n // All kty values supported for now, but can change in the future\n // @ts-expect-error\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`kty '${privateJwk.kty}'`, this.backend)\n }\n\n await this.#storage.set(agentContext, privateJwk.kid, privateJwk)\n const publicJwk = Kms.publicJwkFromPrivateJwk(privateJwk)\n\n return {\n keyId: privateJwk.kid,\n publicJwk: {\n ...publicJwk,\n kid: privateJwk.kid,\n },\n } as Kms.KmsImportKeyReturn<Jwk>\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error importing key', { cause: error })\n }\n }\n\n public async deleteKey(agentContext: AgentContext, options: Kms.KmsDeleteKeyOptions): Promise<boolean> {\n return await this.#storage.delete(agentContext, options.keyId)\n }\n\n public async createKey<Type extends Kms.KmsCreateKeyType>(\n 
agentContext: AgentContext,\n options: Kms.KmsCreateKeyOptions<Type>\n ): Promise<Kms.KmsCreateKeyReturn<Type>> {\n const { type, keyId } = options\n\n if (keyId) await this.assertKeyNotExists(agentContext, keyId)\n\n try {\n let jwks: { publicJwk: Kms.KmsJwkPublic; privateJwk: Kms.KmsJwkPrivate }\n if (type.kty === 'EC') {\n assertNodeSupportedEcCrv(type)\n jwks = await createEcKey(type)\n } else if (type.kty === 'OKP') {\n assertNodeSupportedOkpCrv(type)\n jwks = await createOkpKey(type)\n } else if (type.kty === 'RSA') {\n jwks = await createRsaKey(type)\n } else if (type.kty === 'oct') {\n assertNodeSupportedOctAlgorithm(type)\n jwks = await createOctKey(type)\n } else {\n // @ts-expect-error\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`kty '${type.kty}'`, this.backend)\n }\n\n jwks.privateJwk.kid = keyId ?? randomUUID()\n jwks.publicJwk.kid = jwks.privateJwk.kid\n\n await this.#storage.set(agentContext, jwks.privateJwk.kid, jwks.privateJwk)\n\n return {\n publicJwk: jwks.publicJwk as Kms.KmsCreateKeyReturn<Type>['publicJwk'],\n keyId: jwks.publicJwk.kid,\n }\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error creating key', { cause: error })\n }\n }\n\n public async sign(agentContext: AgentContext, options: Kms.KmsSignOptions): Promise<Kms.KmsSignReturn> {\n const { keyId, algorithm, data } = options\n\n // 1. Retrieve the key\n const key = await this.getKeyAsserted(agentContext, keyId)\n\n try {\n // 2. Validate alg and use for key\n Kms.assertAllowedSigningAlgForKey(key, algorithm)\n Kms.assertKeyAllowsSign(key)\n\n // 3. 
Perform the signing operation\n const signature = await performSign(key, algorithm, data)\n\n return {\n signature,\n }\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error signing with key', { cause: error })\n }\n }\n\n public async verify(agentContext: AgentContext, options: Kms.KmsVerifyOptions): Promise<Kms.KmsVerifyReturn> {\n const { algorithm, data, signature } = options\n\n try {\n let key: Exclude<Kms.KmsJwkPublic, Kms.KmsJwkPublicOct> | Kms.KmsJwkPrivate\n if (options.key.keyId) {\n key = await this.getKeyAsserted(agentContext, options.key.keyId)\n } else if (options.key.publicJwk?.kty === 'EC') {\n assertNodeSupportedEcCrv(options.key.publicJwk)\n key = options.key.publicJwk\n } else if (options.key.publicJwk?.kty === 'OKP') {\n assertNodeSupportedOkpCrv(options.key.publicJwk)\n key = options.key.publicJwk\n } else if (options.key.publicJwk?.kty === 'RSA') {\n key = options.key.publicJwk\n } else {\n // @ts-expect-error\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`kty ${options.key.kty}`, this.backend)\n }\n\n // 2. Validate alg and use for key\n Kms.assertAllowedSigningAlgForKey(key, algorithm)\n Kms.assertKeyAllowsVerify(key)\n\n // 3. 
Perform the verify operation\n const verified = await performVerify(key, algorithm, data, signature)\n if (verified) {\n return {\n verified: true,\n publicJwk: Kms.publicJwkFromPrivateJwk(key),\n }\n }\n\n return {\n verified: false,\n }\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error verifying with key', { cause: error })\n }\n }\n\n public async encrypt(agentContext: AgentContext, options: Kms.KmsEncryptOptions): Promise<Kms.KmsEncryptReturn> {\n const { data, encryption, key } = options\n\n Kms.assertSupportedEncryptionAlgorithm(encryption, nodeSupportedEncryptionAlgorithms, this.backend)\n\n let encryptionKey: Kms.KmsJwkPrivate\n let encryptedKey: Kms.KmsEncryptedKey | undefined\n\n if (key.keyId) {\n encryptionKey = await this.getKeyAsserted(agentContext, key.keyId)\n } else if (key.privateJwk) {\n encryptionKey = key.privateJwk\n } else if (key.keyAgreement) {\n Kms.assertAllowedKeyDerivationAlgForKey(key.keyAgreement.externalPublicJwk, key.keyAgreement.algorithm)\n Kms.assertKeyAllowsDerive(key.keyAgreement.externalPublicJwk)\n Kms.assertSupportedKeyAgreementAlgorithm(key.keyAgreement, nodeSupportedKeyAgreementAlgorithms, this.backend)\n\n const privateJwk = await this.getKeyAsserted(agentContext, key.keyAgreement.keyId)\n Kms.assertJwkAsymmetric(privateJwk, key.keyAgreement.keyId)\n Kms.assertAllowedKeyDerivationAlgForKey(privateJwk, key.keyAgreement.algorithm)\n Kms.assertKeyAllowsDerive(privateJwk)\n Kms.assertAsymmetricJwkKeyTypeMatches(privateJwk, key.keyAgreement.externalPublicJwk)\n\n const { contentEncryptionKey, encryptedContentEncryptionKey } = await deriveEncryptionKey({\n keyAgreement: key.keyAgreement,\n encryption,\n privateJwk,\n })\n\n encryptionKey = contentEncryptionKey\n encryptedKey = encryptedContentEncryptionKey\n } else {\n throw new Kms.KeyManagementError('Unexpected key parameter for encrypt')\n }\n\n if (encryptionKey.kty !== 'oct') {\n throw new 
Kms.KeyManagementAlgorithmNotSupportedError(\n `kty '${encryptionKey.kty} for content encryption'`,\n this.backend\n )\n }\n\n try {\n // 2. Validate alg and use for key\n Kms.assertAllowedEncryptionAlgForKey(encryptionKey, encryption.algorithm)\n Kms.assertKeyAllowsEncrypt(encryptionKey)\n\n // 3. Perform the encryption operation\n const encrypted = await performEncrypt(encryptionKey, options.encryption, data)\n return {\n ...encrypted,\n encryptedKey,\n }\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error encrypting', { cause: error })\n }\n }\n\n public async decrypt(agentContext: AgentContext, options: Kms.KmsDecryptOptions): Promise<Kms.KmsDecryptReturn> {\n const { decryption, encrypted, key } = options\n\n Kms.assertSupportedEncryptionAlgorithm(decryption, nodeSupportedEncryptionAlgorithms, this.backend)\n\n let decryptionKey: Kms.KmsJwkPrivate\n if (key.keyId) {\n decryptionKey = await this.getKeyAsserted(agentContext, key.keyId)\n } else if (key.privateJwk) {\n decryptionKey = key.privateJwk\n } else if (key.keyAgreement) {\n Kms.assertSupportedKeyAgreementAlgorithm(key.keyAgreement, nodeSupportedKeyAgreementAlgorithms, this.backend)\n\n const publicJwkForAssert =\n key.keyAgreement.algorithm === 'ECDH-1PU+A256KW'\n ? 
key.keyAgreement.ephemeralPublicJwk\n : key.keyAgreement.externalPublicJwk\n Kms.assertAllowedKeyDerivationAlgForKey(publicJwkForAssert, key.keyAgreement.algorithm)\n Kms.assertKeyAllowsDerive(publicJwkForAssert)\n\n const privateJwk = await this.getKeyAsserted(agentContext, key.keyAgreement.keyId)\n Kms.assertJwkAsymmetric(privateJwk, key.keyAgreement.keyId)\n Kms.assertAllowedKeyDerivationAlgForKey(privateJwk, key.keyAgreement.algorithm)\n Kms.assertKeyAllowsDerive(privateJwk)\n Kms.assertAsymmetricJwkKeyTypeMatches(privateJwk, publicJwkForAssert)\n\n const { contentEncryptionKey } = await deriveDecryptionKey({\n keyAgreement: key.keyAgreement,\n decryption,\n privateJwk,\n })\n\n decryptionKey = contentEncryptionKey\n } else {\n throw new Kms.KeyManagementError('Unexpected key parameter for decrypt')\n }\n\n if (decryptionKey.kty !== 'oct') {\n throw new Kms.KeyManagementAlgorithmNotSupportedError(\n `kty '${decryptionKey.kty}' for content encryption`,\n this.backend\n )\n }\n\n try {\n // 2. Validate alg and use for key\n Kms.assertAllowedEncryptionAlgForKey(decryptionKey, decryption.algorithm)\n Kms.assertKeyAllowsEncrypt(decryptionKey)\n\n // 3. 
Perform the decryption operation\n return await performDecrypt(decryptionKey, decryption, encrypted)\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error decrypting', { cause: error })\n }\n }\n\n private async getKeyAsserted(agentContext: AgentContext, keyId: string) {\n const storageKey = await this.#storage.get(agentContext, keyId)\n if (!storageKey) {\n throw new Kms.KeyManagementKeyNotFoundError(keyId, [this.backend])\n }\n\n return storageKey\n }\n\n private async assertKeyNotExists(agentContext: AgentContext, keyId: string) {\n const storageKey = await this.#storage.get(agentContext, keyId)\n\n if (storageKey) {\n throw new Kms.KeyManagementKeyExistsError(keyId, this.backend)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;AAmBA,IAAa,2BAAb,MAA0E;CAKxE,AAAO,YAAY,SAAmC;OAJtC,UAAU;;AAKxB,yCAAgB,QAAO;;CAGzB,AAAO,qBAAqB,eAA6B,WAAsC;AAC7F,MAAI,UAAU,cAAc,YAAa,QAAO;AAChD,MAAI,UAAU,cAAc,cAAe,QAAO;AAElD,MAAI,UAAU,cAAc,aAAa;AAEvC,OAAI;AACF,QAAI,UAAU,KAAK,QAAQ,MACzB,QAAO;AAGT,QAAI,UAAU,KAAK,QAAQ,MAAM;AAC/B,8BAAyB,UAAU,KAAK;AACxC,YAAO;;AAGT,QAAI,UAAU,KAAK,QAAQ,OAAO;AAChC,+BAA0B,UAAU,KAAK;AACzC,YAAO;;AAGT,QAAI,UAAU,KAAK,QAAQ,OAAO;AAChC,qCAAgC,UAAU,KAAK;AAC/C,YAAO;;WAEH;AACN,WAAO;;AAGT,UAAO;;AAGT,MAAI,UAAU,cAAc,YAC1B,KAAI;AACF,OAAI,UAAU,WAAW,QAAQ,SAAS,UAAU,WAAW,QAAQ,MACrE,QAAO;AAGT,OAAI,UAAU,WAAW,QAAQ,MAAM;AACrC,6BAAyB;KAAE,KAAK,UAAU,WAAW;KAAK,KAAK,UAAU,WAAW;KAAK,CAAC;AAC1F,WAAO;;AAGT,OAAI,UAAU,WAAW,QAAQ,OAAO;AACtC,8BAA0B;KAAE,KAAK,UAAU,WAAW;KAAK,KAAK,UAAU,WAAW;KAAK,CAAC;AAC3F,WAAO;;UAEH;AACN,UAAO;;AAIX,MAAI,UAAU,cAAc,UAAU,UAAU,cAAc,SAC5D,QAAO,0BAA0B,SAAS,UAAU,UAAU;AAGhE,MAAI,UAAU,cAAc,WAAW;AAIrC,OAAI,CAHmC,kCAAkC,SACvE,UAAU,WAAW,UACtB,CACoC,QAAO;AAC5C,OAAI,CAAC,UAAU,aAAc,QAAO;AAEpC,UAAO,oCAAoC,SACzC,UAAU,aAAa,UACxB;;AAGH,MAAI,UAAU,cAAc,WAAW;AAIrC,OAAI,CAHmC,kCAAkC,SACvE,UAAU,WAAW,UACtB,CACoC,QAAO;AAC5C,OAAI,CAAC,UAAU,aAAc,QAAO;AAEpC,UAAO,oCAAoC,SACzC,UAAU,aAAa,UACxB;;AAGH,SAAO;;CAGT,AAAO,YAAY,eAA6B,SAA8D;AAC5G,
SAAO,YAAY,QAAQ,OAAO;;CAGpC,MAAa,aAAa,cAA4B,OAAiD;EACrG,MAAM,aAAa,uCAAM,KAAa,CAAC,IAAI,cAAc,MAAM;AAC/D,MAAI,CAAC,WAAY,QAAO;AAExB,SAAO,IAAI,wBAAwB,WAAW;;CAGhD,MAAa,UACX,cACA,SACsC;EACtC,MAAM,EAAE,QAAQ,QAAQ;AAExB,MAAI,IAAK,OAAM,KAAK,mBAAmB,cAAc,IAAI;EAEzD,MAAM,aAAa;GACjB,GAAG,QAAQ;GACX,KAAK,OAAO,YAAY;GACzB;AAED,MAAI;AACF,OAAI,WAAW,QAAQ,MAErB,iBAAgB,kBAAkB,cAAc,WAAW,EAAE,CAAC,CAAC,OAAO,EAAE,QAAQ,OAAO,CAAC;YAC/E,WAAW,QAAQ,MAAM;AAClC,6BAAyB;KAAE,KAAK,WAAW;KAAK,KAAK,WAAW;KAAK,CAAC;AAEtE,qBAAiB;KACf,QAAQ;KACR,KAAK;KACN,CAAC;cACO,WAAW,QAAQ,OAAO;AACnC,8BAA0B;KAAE,KAAK,WAAW;KAAK,KAAK,WAAW;KAAK,CAAC;AAEvE,qBAAiB;KACf,QAAQ;KACR,KAAK;KACN,CAAC;cACO,WAAW,QAAQ,MAE5B,kBAAiB;IACf,QAAQ;IACR,KAAK;IACN,CAAC;OAIF,OAAM,IAAI,IAAI,wCAAwC,QAAQ,WAAW,IAAI,IAAI,KAAK,QAAQ;AAGhG,0CAAM,KAAa,CAAC,IAAI,cAAc,WAAW,KAAK,WAAW;GACjE,MAAM,YAAY,IAAI,wBAAwB,WAAW;AAEzD,UAAO;IACL,OAAO,WAAW;IAClB,WAAW;KACT,GAAG;KACH,KAAK,WAAW;KACjB;IACF;WACM,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,uBAAuB,EAAE,OAAO,OAAO,CAAC;;;CAI7E,MAAa,UAAU,cAA4B,SAAoD;AACrG,SAAO,uCAAM,KAAa,CAAC,OAAO,cAAc,QAAQ,MAAM;;CAGhE,MAAa,UACX,cACA,SACuC;EACvC,MAAM,EAAE,MAAM,UAAU;AAExB,MAAI,MAAO,OAAM,KAAK,mBAAmB,cAAc,MAAM;AAE7D,MAAI;GACF,IAAI;AACJ,OAAI,KAAK,QAAQ,MAAM;AACrB,6BAAyB,KAAK;AAC9B,WAAO,MAAM,YAAY,KAAK;cACrB,KAAK,QAAQ,OAAO;AAC7B,8BAA0B,KAAK;AAC/B,WAAO,MAAM,aAAa,KAAK;cACtB,KAAK,QAAQ,MACtB,QAAO,MAAM,aAAa,KAAK;YACtB,KAAK,QAAQ,OAAO;AAC7B,oCAAgC,KAAK;AACrC,WAAO,MAAM,aAAa,KAAK;SAG/B,OAAM,IAAI,IAAI,wCAAwC,QAAQ,KAAK,IAAI,IAAI,KAAK,QAAQ;AAG1F,QAAK,WAAW,MAAM,SAAS,YAAY;AAC3C,QAAK,UAAU,MAAM,KAAK,WAAW;AAErC,0CAAM,KAAa,CAAC,IAAI,cAAc,KAAK,WAAW,KAAK,KAAK,WAAW;AAE3E,UAAO;IACL,WAAW,KAAK;IAChB,OAAO,KAAK,UAAU;IACvB;WACM,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,sBAAsB,EAAE,OAAO,OAAO,CAAC;;;CAI5E,MAAa,KAAK,cAA4B,SAAyD;EACrG,MAAM,EAAE,OAAO,WAAW,SAAS;EAGnC,MAAM,MAAM,MAAM,KAAK,eAAe,cAAc,MAAM;AAE1D,MAAI;AAEF,OAAI,8BAA8B,KAAK,UAAU;AACjD,OAAI,oBAAoB,IAAI;AAK5B,UAAO,EACL,WAHgB,MAAM,YAAY,KAAK,WAAW,KAAK,EAIxD;WACM,OAAO;AACd
,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,0BAA0B,EAAE,OAAO,OAAO,CAAC;;;CAIhF,MAAa,OAAO,cAA4B,SAA6D;EAC3G,MAAM,EAAE,WAAW,MAAM,cAAc;AAEvC,MAAI;GACF,IAAI;AACJ,OAAI,QAAQ,IAAI,MACd,OAAM,MAAM,KAAK,eAAe,cAAc,QAAQ,IAAI,MAAM;YACvD,QAAQ,IAAI,WAAW,QAAQ,MAAM;AAC9C,6BAAyB,QAAQ,IAAI,UAAU;AAC/C,UAAM,QAAQ,IAAI;cACT,QAAQ,IAAI,WAAW,QAAQ,OAAO;AAC/C,8BAA0B,QAAQ,IAAI,UAAU;AAChD,UAAM,QAAQ,IAAI;cACT,QAAQ,IAAI,WAAW,QAAQ,MACxC,OAAM,QAAQ,IAAI;OAGlB,OAAM,IAAI,IAAI,wCAAwC,OAAO,QAAQ,IAAI,OAAO,KAAK,QAAQ;AAI/F,OAAI,8BAA8B,KAAK,UAAU;AACjD,OAAI,sBAAsB,IAAI;AAI9B,OADiB,MAAM,cAAc,KAAK,WAAW,MAAM,UAAU,CAEnE,QAAO;IACL,UAAU;IACV,WAAW,IAAI,wBAAwB,IAAI;IAC5C;AAGH,UAAO,EACL,UAAU,OACX;WACM,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,4BAA4B,EAAE,OAAO,OAAO,CAAC;;;CAIlF,MAAa,QAAQ,cAA4B,SAA+D;EAC9G,MAAM,EAAE,MAAM,YAAY,QAAQ;AAElC,MAAI,mCAAmC,YAAY,mCAAmC,KAAK,QAAQ;EAEnG,IAAI;EACJ,IAAI;AAEJ,MAAI,IAAI,MACN,iBAAgB,MAAM,KAAK,eAAe,cAAc,IAAI,MAAM;WACzD,IAAI,WACb,iBAAgB,IAAI;WACX,IAAI,cAAc;AAC3B,OAAI,oCAAoC,IAAI,aAAa,mBAAmB,IAAI,aAAa,UAAU;AACvG,OAAI,sBAAsB,IAAI,aAAa,kBAAkB;AAC7D,OAAI,qCAAqC,IAAI,cAAc,qCAAqC,KAAK,QAAQ;GAE7G,MAAM,aAAa,MAAM,KAAK,eAAe,cAAc,IAAI,aAAa,MAAM;AAClF,OAAI,oBAAoB,YAAY,IAAI,aAAa,MAAM;AAC3D,OAAI,oCAAoC,YAAY,IAAI,aAAa,UAAU;AAC/E,OAAI,sBAAsB,WAAW;AACrC,OAAI,kCAAkC,YAAY,IAAI,aAAa,kBAAkB;GAErF,MAAM,EAAE,sBAAsB,kCAAkC,MAAM,oBAAoB;IACxF,cAAc,IAAI;IAClB;IACA;IACD,CAAC;AAEF,mBAAgB;AAChB,kBAAe;QAEf,OAAM,IAAI,IAAI,mBAAmB,uCAAuC;AAG1E,MAAI,cAAc,QAAQ,MACxB,OAAM,IAAI,IAAI,wCACZ,QAAQ,cAAc,IAAI,2BAC1B,KAAK,QACN;AAGH,MAAI;AAEF,OAAI,iCAAiC,eAAe,WAAW,UAAU;AACzE,OAAI,uBAAuB,cAAc;AAIzC,UAAO;IACL,GAFgB,MAAM,eAAe,eAAe,QAAQ,YAAY,KAAK;IAG7E;IACD;WACM,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,oBAAoB,EAAE,OAAO,OAAO,CAAC;;;CAI1E,MAAa,QAAQ,cAA4B,SAA+D;EAC9G,MAAM,EAAE,YAAY,WAAW,QAAQ;AAEvC,MAAI,mCAAmC,YAAY,mCAAmC,KAAK,QAAQ;EAEnG,IAAI;AACJ,MAAI,IAAI,MACN,iBAAgB,MAAM,KAAK,eAAe,cAAc,IAAI,MAAM;WACzD,IAAI,WACb,iBAAgB,IAAI;WACX,IAAI,cAAc;AAC3B,OAAI,qCAAqC,IAAI,cAAc,qCAAqC,K
AAK,QAAQ;GAE7G,MAAM,qBACJ,IAAI,aAAa,cAAc,oBAC3B,IAAI,aAAa,qBACjB,IAAI,aAAa;AACvB,OAAI,oCAAoC,oBAAoB,IAAI,aAAa,UAAU;AACvF,OAAI,sBAAsB,mBAAmB;GAE7C,MAAM,aAAa,MAAM,KAAK,eAAe,cAAc,IAAI,aAAa,MAAM;AAClF,OAAI,oBAAoB,YAAY,IAAI,aAAa,MAAM;AAC3D,OAAI,oCAAoC,YAAY,IAAI,aAAa,UAAU;AAC/E,OAAI,sBAAsB,WAAW;AACrC,OAAI,kCAAkC,YAAY,mBAAmB;GAErE,MAAM,EAAE,yBAAyB,MAAM,oBAAoB;IACzD,cAAc,IAAI;IAClB;IACA;IACD,CAAC;AAEF,mBAAgB;QAEhB,OAAM,IAAI,IAAI,mBAAmB,uCAAuC;AAG1E,MAAI,cAAc,QAAQ,MACxB,OAAM,IAAI,IAAI,wCACZ,QAAQ,cAAc,IAAI,2BAC1B,KAAK,QACN;AAGH,MAAI;AAEF,OAAI,iCAAiC,eAAe,WAAW,UAAU;AACzE,OAAI,uBAAuB,cAAc;AAGzC,UAAO,MAAM,eAAe,eAAe,YAAY,UAAU;WAC1D,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,oBAAoB,EAAE,OAAO,OAAO,CAAC;;;CAI1E,MAAc,eAAe,cAA4B,OAAe;EACtE,MAAM,aAAa,uCAAM,KAAa,CAAC,IAAI,cAAc,MAAM;AAC/D,MAAI,CAAC,WACH,OAAM,IAAI,IAAI,8BAA8B,OAAO,CAAC,KAAK,QAAQ,CAAC;AAGpE,SAAO;;CAGT,MAAc,mBAAmB,cAA4B,OAAe;AAG1E,MAFmB,uCAAM,KAAa,CAAC,IAAI,cAAc,MAAM,CAG7D,OAAM,IAAI,IAAI,4BAA4B,OAAO,KAAK,QAAQ"}
1
+ {"version":3,"file":"NodeKeyManagementService.mjs","names":[],"sources":["../../src/kms/NodeKeyManagementService.ts"],"sourcesContent":["import { createPrivateKey, createSecretKey, randomBytes, randomUUID } from 'node:crypto'\nimport type { AgentContext } from '@credo-ts/core'\nimport { Kms, TypedArrayEncoder } from '@credo-ts/core'\nimport {\n assertNodeSupportedEcCrv,\n assertNodeSupportedOctAlgorithm,\n assertNodeSupportedOkpCrv,\n createEcKey,\n createOctKey,\n createOkpKey,\n createRsaKey,\n} from './crypto/createKey'\nimport { performDecrypt } from './crypto/decrypt'\nimport { deriveDecryptionKey, deriveEncryptionKey, nodeSupportedKeyAgreementAlgorithms } from './crypto/deriveKey'\nimport { nodeSupportedEncryptionAlgorithms, performEncrypt } from './crypto/encrypt'\nimport { nodeSupportedJwaAlgorithm, performSign } from './crypto/sign'\nimport { performVerify } from './crypto/verify'\nimport type { NodeKeyManagementStorage } from './NodeKeyManagementStorage'\n\nexport class NodeKeyManagementService implements Kms.KeyManagementService {\n public readonly backend = 'node'\n\n #storage: NodeKeyManagementStorage\n\n public constructor(storage: NodeKeyManagementStorage) {\n this.#storage = storage\n }\n\n public isOperationSupported(_agentContext: AgentContext, operation: Kms.KmsOperation): boolean {\n if (operation.operation === 'deleteKey') return true\n if (operation.operation === 'randomBytes') return true\n\n if (operation.operation === 'createKey') {\n // TODO: probably clean to split the assert methods so we don't need try/catch here\n try {\n if (operation.type.kty === 'RSA') {\n return true\n }\n\n if (operation.type.kty === 'EC') {\n assertNodeSupportedEcCrv(operation.type)\n return true\n }\n\n if (operation.type.kty === 'OKP') {\n assertNodeSupportedOkpCrv(operation.type)\n return true\n }\n\n if (operation.type.kty === 'oct') {\n assertNodeSupportedOctAlgorithm(operation.type)\n return true\n }\n } catch {\n return false\n }\n\n return false\n }\n\n 
if (operation.operation === 'importKey') {\n try {\n if (operation.privateJwk.kty === 'RSA' || operation.privateJwk.kty === 'oct') {\n return true\n }\n\n if (operation.privateJwk.kty === 'EC') {\n assertNodeSupportedEcCrv({ kty: operation.privateJwk.kty, crv: operation.privateJwk.crv })\n return true\n }\n\n if (operation.privateJwk.kty === 'OKP') {\n assertNodeSupportedOkpCrv({ kty: operation.privateJwk.kty, crv: operation.privateJwk.crv })\n return true\n }\n } catch {\n return false\n }\n }\n\n if (operation.operation === 'sign' || operation.operation === 'verify') {\n return nodeSupportedJwaAlgorithm.includes(operation.algorithm)\n }\n\n if (operation.operation === 'encrypt') {\n const isSupportedEncryptionAlgorithm = nodeSupportedEncryptionAlgorithms.includes(\n operation.encryption.algorithm as (typeof nodeSupportedEncryptionAlgorithms)[number]\n )\n if (!isSupportedEncryptionAlgorithm) return false\n if (!operation.keyAgreement) return true\n\n return nodeSupportedKeyAgreementAlgorithms.includes(\n operation.keyAgreement.algorithm as (typeof nodeSupportedKeyAgreementAlgorithms)[number]\n )\n }\n\n if (operation.operation === 'decrypt') {\n const isSupportedEncryptionAlgorithm = nodeSupportedEncryptionAlgorithms.includes(\n operation.decryption.algorithm as (typeof nodeSupportedEncryptionAlgorithms)[number]\n )\n if (!isSupportedEncryptionAlgorithm) return false\n if (!operation.keyAgreement) return true\n\n return nodeSupportedKeyAgreementAlgorithms.includes(\n operation.keyAgreement.algorithm as (typeof nodeSupportedKeyAgreementAlgorithms)[number]\n )\n }\n\n return false\n }\n\n public randomBytes(_agentContext: AgentContext, options: Kms.KmsRandomBytesOptions): Kms.KmsRandomBytesReturn {\n return randomBytes(options.length)\n }\n\n public async getPublicKey(agentContext: AgentContext, keyId: string): Promise<Kms.KmsJwkPublic | null> {\n const privateJwk = await this.#storage.get(agentContext, keyId)\n if (!privateJwk) return null\n\n return 
Kms.publicJwkFromPrivateJwk(privateJwk)\n }\n\n public async importKey<Jwk extends Kms.KmsJwkPrivate>(\n agentContext: AgentContext,\n options: Kms.KmsImportKeyOptions<Jwk>\n ): Promise<Kms.KmsImportKeyReturn<Jwk>> {\n const { kid } = options.privateJwk\n\n if (kid) await this.assertKeyNotExists(agentContext, kid)\n\n const privateJwk = {\n ...options.privateJwk,\n kid: kid ?? randomUUID(),\n }\n\n try {\n if (privateJwk.kty === 'oct') {\n // Just check if we can create a secret key instance\n createSecretKey(TypedArrayEncoder.fromBase64Url(privateJwk.k)).export({ format: 'jwk' })\n } else if (privateJwk.kty === 'EC') {\n assertNodeSupportedEcCrv({ kty: privateJwk.kty, crv: privateJwk.crv })\n // This validates the JWK\n createPrivateKey({\n format: 'jwk',\n key: privateJwk,\n })\n } else if (privateJwk.kty === 'OKP') {\n assertNodeSupportedOkpCrv({ kty: privateJwk.kty, crv: privateJwk.crv })\n // This validates the JWK\n createPrivateKey({\n format: 'jwk',\n key: privateJwk,\n })\n } else if (privateJwk.kty === 'RSA') {\n // This validates the JWK\n createPrivateKey({\n format: 'jwk',\n key: privateJwk,\n })\n } else {\n // All kty values supported for now, but can change in the future\n // @ts-expect-error\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`kty '${privateJwk.kty}'`, this.backend)\n }\n\n await this.#storage.set(agentContext, privateJwk.kid, privateJwk)\n const publicJwk = Kms.publicJwkFromPrivateJwk(privateJwk)\n\n return {\n keyId: privateJwk.kid,\n publicJwk: {\n ...publicJwk,\n kid: privateJwk.kid,\n },\n } as Kms.KmsImportKeyReturn<Jwk>\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error importing key', { cause: error })\n }\n }\n\n public async deleteKey(agentContext: AgentContext, options: Kms.KmsDeleteKeyOptions): Promise<boolean> {\n return await this.#storage.delete(agentContext, options.keyId)\n }\n\n public async createKey<Type extends Kms.KmsCreateKeyType>(\n 
agentContext: AgentContext,\n options: Kms.KmsCreateKeyOptions<Type>\n ): Promise<Kms.KmsCreateKeyReturn<Type>> {\n const { type, keyId } = options\n\n if (keyId) await this.assertKeyNotExists(agentContext, keyId)\n\n try {\n let jwks: { publicJwk: Kms.KmsJwkPublic; privateJwk: Kms.KmsJwkPrivate }\n if (type.kty === 'EC') {\n assertNodeSupportedEcCrv(type)\n jwks = await createEcKey(type)\n } else if (type.kty === 'OKP') {\n assertNodeSupportedOkpCrv(type)\n jwks = await createOkpKey(type)\n } else if (type.kty === 'RSA') {\n jwks = await createRsaKey(type)\n } else if (type.kty === 'oct') {\n assertNodeSupportedOctAlgorithm(type)\n jwks = await createOctKey(type)\n } else {\n // @ts-expect-error\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`kty '${type.kty}'`, this.backend)\n }\n\n jwks.privateJwk.kid = keyId ?? randomUUID()\n jwks.publicJwk.kid = jwks.privateJwk.kid\n\n await this.#storage.set(agentContext, jwks.privateJwk.kid, jwks.privateJwk)\n\n return {\n publicJwk: jwks.publicJwk as Kms.KmsCreateKeyReturn<Type>['publicJwk'],\n keyId: jwks.publicJwk.kid,\n }\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error creating key', { cause: error })\n }\n }\n\n public async sign(agentContext: AgentContext, options: Kms.KmsSignOptions): Promise<Kms.KmsSignReturn> {\n const { keyId, algorithm, data } = options\n\n // 1. Retrieve the key\n const key = await this.getKeyAsserted(agentContext, keyId)\n\n try {\n // 2. Validate alg and use for key\n Kms.assertAllowedSigningAlgForKey(key, algorithm)\n Kms.assertKeyAllowsSign(key)\n\n // 3. 
Perform the signing operation\n const signature = await performSign(key, algorithm, data)\n\n return {\n signature,\n }\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error signing with key', { cause: error })\n }\n }\n\n public async verify(agentContext: AgentContext, options: Kms.KmsVerifyOptions): Promise<Kms.KmsVerifyReturn> {\n const { algorithm, data, signature } = options\n\n try {\n let key: Exclude<Kms.KmsJwkPublic, Kms.KmsJwkPublicOct> | Kms.KmsJwkPrivate\n if (options.key.keyId) {\n key = await this.getKeyAsserted(agentContext, options.key.keyId)\n } else if (options.key.publicJwk?.kty === 'EC') {\n assertNodeSupportedEcCrv(options.key.publicJwk)\n key = options.key.publicJwk\n } else if (options.key.publicJwk?.kty === 'OKP') {\n assertNodeSupportedOkpCrv(options.key.publicJwk)\n key = options.key.publicJwk\n } else if (options.key.publicJwk?.kty === 'RSA') {\n key = options.key.publicJwk\n } else {\n // @ts-expect-error\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`kty ${options.key.kty}`, this.backend)\n }\n\n // 2. Validate alg and use for key\n Kms.assertAllowedSigningAlgForKey(key, algorithm)\n Kms.assertKeyAllowsVerify(key)\n\n // 3. 
Perform the verify operation\n const verified = await performVerify(key, algorithm, data, signature)\n if (verified) {\n return {\n verified: true,\n publicJwk: Kms.publicJwkFromPrivateJwk(key),\n }\n }\n\n return {\n verified: false,\n }\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error verifying with key', { cause: error })\n }\n }\n\n public async encrypt(agentContext: AgentContext, options: Kms.KmsEncryptOptions): Promise<Kms.KmsEncryptReturn> {\n const { data, encryption, key } = options\n\n Kms.assertSupportedEncryptionAlgorithm(encryption, nodeSupportedEncryptionAlgorithms, this.backend)\n\n let encryptionKey: Kms.KmsJwkPrivate\n let encryptedKey: Kms.KmsEncryptedKey | undefined\n\n if (key.keyId) {\n encryptionKey = await this.getKeyAsserted(agentContext, key.keyId)\n } else if (key.privateJwk) {\n encryptionKey = key.privateJwk\n } else if (key.keyAgreement) {\n Kms.assertAllowedKeyDerivationAlgForKey(key.keyAgreement.externalPublicJwk, key.keyAgreement.algorithm)\n Kms.assertKeyAllowsDerive(key.keyAgreement.externalPublicJwk)\n Kms.assertSupportedKeyAgreementAlgorithm(key.keyAgreement, nodeSupportedKeyAgreementAlgorithms, this.backend)\n\n const privateJwk = await this.getKeyAsserted(agentContext, key.keyAgreement.keyId)\n Kms.assertJwkAsymmetric(privateJwk, key.keyAgreement.keyId)\n Kms.assertAllowedKeyDerivationAlgForKey(privateJwk, key.keyAgreement.algorithm)\n Kms.assertKeyAllowsDerive(privateJwk)\n Kms.assertAsymmetricJwkKeyTypeMatches(privateJwk, key.keyAgreement.externalPublicJwk)\n\n const { contentEncryptionKey, encryptedContentEncryptionKey } = await deriveEncryptionKey({\n keyAgreement: key.keyAgreement,\n encryption,\n privateJwk,\n })\n\n encryptionKey = contentEncryptionKey\n encryptedKey = encryptedContentEncryptionKey\n } else {\n throw new Kms.KeyManagementError('Unexpected key parameter for encrypt')\n }\n\n if (encryptionKey.kty !== 'oct') {\n throw new 
Kms.KeyManagementAlgorithmNotSupportedError(\n `kty '${encryptionKey.kty} for content encryption'`,\n this.backend\n )\n }\n\n try {\n // 2. Validate alg and use for key\n Kms.assertAllowedEncryptionAlgForKey(encryptionKey, encryption.algorithm)\n Kms.assertKeyAllowsEncrypt(encryptionKey)\n\n // 3. Perform the encryption operation\n const encrypted = await performEncrypt(encryptionKey, options.encryption, data)\n return {\n ...encrypted,\n encryptedKey,\n }\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error encrypting', { cause: error })\n }\n }\n\n public async decrypt(agentContext: AgentContext, options: Kms.KmsDecryptOptions): Promise<Kms.KmsDecryptReturn> {\n const { decryption, encrypted, key } = options\n\n Kms.assertSupportedEncryptionAlgorithm(decryption, nodeSupportedEncryptionAlgorithms, this.backend)\n\n let decryptionKey: Kms.KmsJwkPrivate\n if (key.keyId) {\n decryptionKey = await this.getKeyAsserted(agentContext, key.keyId)\n } else if (key.privateJwk) {\n decryptionKey = key.privateJwk\n } else if (key.keyAgreement) {\n Kms.assertSupportedKeyAgreementAlgorithm(key.keyAgreement, nodeSupportedKeyAgreementAlgorithms, this.backend)\n Kms.assertAllowedKeyDerivationAlgForKey(key.keyAgreement.externalPublicJwk, key.keyAgreement.algorithm)\n Kms.assertKeyAllowsDerive(key.keyAgreement.externalPublicJwk)\n\n const privateJwk = await this.getKeyAsserted(agentContext, key.keyAgreement.keyId)\n Kms.assertJwkAsymmetric(privateJwk, key.keyAgreement.keyId)\n Kms.assertAllowedKeyDerivationAlgForKey(privateJwk, key.keyAgreement.algorithm)\n Kms.assertKeyAllowsDerive(privateJwk)\n Kms.assertAsymmetricJwkKeyTypeMatches(privateJwk, key.keyAgreement.externalPublicJwk)\n\n const { contentEncryptionKey } = await deriveDecryptionKey({\n keyAgreement: key.keyAgreement,\n decryption,\n privateJwk,\n })\n\n decryptionKey = contentEncryptionKey\n } else {\n throw new Kms.KeyManagementError('Unexpected key 
parameter for decrypt')\n }\n\n if (decryptionKey.kty !== 'oct') {\n throw new Kms.KeyManagementAlgorithmNotSupportedError(\n `kty '${decryptionKey.kty}' for content encryption`,\n this.backend\n )\n }\n\n try {\n // 2. Validate alg and use for key\n Kms.assertAllowedEncryptionAlgForKey(decryptionKey, decryption.algorithm)\n Kms.assertKeyAllowsEncrypt(decryptionKey)\n\n // 3. Perform the decryption operation\n return await performDecrypt(decryptionKey, decryption, encrypted)\n } catch (error) {\n if (error instanceof Kms.KeyManagementError) throw error\n\n throw new Kms.KeyManagementError('Error decrypting', { cause: error })\n }\n }\n\n private async getKeyAsserted(agentContext: AgentContext, keyId: string) {\n const storageKey = await this.#storage.get(agentContext, keyId)\n if (!storageKey) {\n throw new Kms.KeyManagementKeyNotFoundError(keyId, [this.backend])\n }\n\n return storageKey\n }\n\n private async assertKeyNotExists(agentContext: AgentContext, keyId: string) {\n const storageKey = await this.#storage.get(agentContext, keyId)\n\n if (storageKey) {\n throw new Kms.KeyManagementKeyExistsError(keyId, this.backend)\n }\n 
}\n}\n"],"mappings":";;;;;;;;;;;;;;AAmBA,IAAa,2BAAb,MAA0E;CAKxE,AAAO,YAAY,SAAmC;OAJtC,UAAU;;AAKxB,yCAAgB,QAAO;;CAGzB,AAAO,qBAAqB,eAA6B,WAAsC;AAC7F,MAAI,UAAU,cAAc,YAAa,QAAO;AAChD,MAAI,UAAU,cAAc,cAAe,QAAO;AAElD,MAAI,UAAU,cAAc,aAAa;AAEvC,OAAI;AACF,QAAI,UAAU,KAAK,QAAQ,MACzB,QAAO;AAGT,QAAI,UAAU,KAAK,QAAQ,MAAM;AAC/B,8BAAyB,UAAU,KAAK;AACxC,YAAO;;AAGT,QAAI,UAAU,KAAK,QAAQ,OAAO;AAChC,+BAA0B,UAAU,KAAK;AACzC,YAAO;;AAGT,QAAI,UAAU,KAAK,QAAQ,OAAO;AAChC,qCAAgC,UAAU,KAAK;AAC/C,YAAO;;WAEH;AACN,WAAO;;AAGT,UAAO;;AAGT,MAAI,UAAU,cAAc,YAC1B,KAAI;AACF,OAAI,UAAU,WAAW,QAAQ,SAAS,UAAU,WAAW,QAAQ,MACrE,QAAO;AAGT,OAAI,UAAU,WAAW,QAAQ,MAAM;AACrC,6BAAyB;KAAE,KAAK,UAAU,WAAW;KAAK,KAAK,UAAU,WAAW;KAAK,CAAC;AAC1F,WAAO;;AAGT,OAAI,UAAU,WAAW,QAAQ,OAAO;AACtC,8BAA0B;KAAE,KAAK,UAAU,WAAW;KAAK,KAAK,UAAU,WAAW;KAAK,CAAC;AAC3F,WAAO;;UAEH;AACN,UAAO;;AAIX,MAAI,UAAU,cAAc,UAAU,UAAU,cAAc,SAC5D,QAAO,0BAA0B,SAAS,UAAU,UAAU;AAGhE,MAAI,UAAU,cAAc,WAAW;AAIrC,OAAI,CAHmC,kCAAkC,SACvE,UAAU,WAAW,UACtB,CACoC,QAAO;AAC5C,OAAI,CAAC,UAAU,aAAc,QAAO;AAEpC,UAAO,oCAAoC,SACzC,UAAU,aAAa,UACxB;;AAGH,MAAI,UAAU,cAAc,WAAW;AAIrC,OAAI,CAHmC,kCAAkC,SACvE,UAAU,WAAW,UACtB,CACoC,QAAO;AAC5C,OAAI,CAAC,UAAU,aAAc,QAAO;AAEpC,UAAO,oCAAoC,SACzC,UAAU,aAAa,UACxB;;AAGH,SAAO;;CAGT,AAAO,YAAY,eAA6B,SAA8D;AAC5G,SAAO,YAAY,QAAQ,OAAO;;CAGpC,MAAa,aAAa,cAA4B,OAAiD;EACrG,MAAM,aAAa,uCAAM,KAAa,CAAC,IAAI,cAAc,MAAM;AAC/D,MAAI,CAAC,WAAY,QAAO;AAExB,SAAO,IAAI,wBAAwB,WAAW;;CAGhD,MAAa,UACX,cACA,SACsC;EACtC,MAAM,EAAE,QAAQ,QAAQ;AAExB,MAAI,IAAK,OAAM,KAAK,mBAAmB,cAAc,IAAI;EAEzD,MAAM,aAAa;GACjB,GAAG,QAAQ;GACX,KAAK,OAAO,YAAY;GACzB;AAED,MAAI;AACF,OAAI,WAAW,QAAQ,MAErB,iBAAgB,kBAAkB,cAAc,WAAW,EAAE,CAAC,CAAC,OAAO,EAAE,QAAQ,OAAO,CAAC;YAC/E,WAAW,QAAQ,MAAM;AAClC,6BAAyB;KAAE,KAAK,WAAW;KAAK,KAAK,WAAW;KAAK,CAAC;AAEtE,qBAAiB;KACf,QAAQ;KACR,KAAK;KACN,CAAC;cACO,WAAW,QAAQ,OAAO;AACnC,8BAA0B;KAAE,KAAK,WAAW;KAAK,KAAK,WAAW;KAAK,CAAC;AAEvE,qBAAiB;KACf,QAAQ;KACR,KAAK;KACN,CAAC;cACO,WAAW,QAAQ,MAE5B,kBAAiB;IACf,QAAQ;IACR,KAAK;IACN,CAAC;OAIF,OAAM,IAAI,IAAI,wCAAwC,QAAQ,WAAW,IAAI,IAAI,KAAK,QAAQ;AAGhG,0CAAM,KAA
a,CAAC,IAAI,cAAc,WAAW,KAAK,WAAW;GACjE,MAAM,YAAY,IAAI,wBAAwB,WAAW;AAEzD,UAAO;IACL,OAAO,WAAW;IAClB,WAAW;KACT,GAAG;KACH,KAAK,WAAW;KACjB;IACF;WACM,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,uBAAuB,EAAE,OAAO,OAAO,CAAC;;;CAI7E,MAAa,UAAU,cAA4B,SAAoD;AACrG,SAAO,uCAAM,KAAa,CAAC,OAAO,cAAc,QAAQ,MAAM;;CAGhE,MAAa,UACX,cACA,SACuC;EACvC,MAAM,EAAE,MAAM,UAAU;AAExB,MAAI,MAAO,OAAM,KAAK,mBAAmB,cAAc,MAAM;AAE7D,MAAI;GACF,IAAI;AACJ,OAAI,KAAK,QAAQ,MAAM;AACrB,6BAAyB,KAAK;AAC9B,WAAO,MAAM,YAAY,KAAK;cACrB,KAAK,QAAQ,OAAO;AAC7B,8BAA0B,KAAK;AAC/B,WAAO,MAAM,aAAa,KAAK;cACtB,KAAK,QAAQ,MACtB,QAAO,MAAM,aAAa,KAAK;YACtB,KAAK,QAAQ,OAAO;AAC7B,oCAAgC,KAAK;AACrC,WAAO,MAAM,aAAa,KAAK;SAG/B,OAAM,IAAI,IAAI,wCAAwC,QAAQ,KAAK,IAAI,IAAI,KAAK,QAAQ;AAG1F,QAAK,WAAW,MAAM,SAAS,YAAY;AAC3C,QAAK,UAAU,MAAM,KAAK,WAAW;AAErC,0CAAM,KAAa,CAAC,IAAI,cAAc,KAAK,WAAW,KAAK,KAAK,WAAW;AAE3E,UAAO;IACL,WAAW,KAAK;IAChB,OAAO,KAAK,UAAU;IACvB;WACM,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,sBAAsB,EAAE,OAAO,OAAO,CAAC;;;CAI5E,MAAa,KAAK,cAA4B,SAAyD;EACrG,MAAM,EAAE,OAAO,WAAW,SAAS;EAGnC,MAAM,MAAM,MAAM,KAAK,eAAe,cAAc,MAAM;AAE1D,MAAI;AAEF,OAAI,8BAA8B,KAAK,UAAU;AACjD,OAAI,oBAAoB,IAAI;AAK5B,UAAO,EACL,WAHgB,MAAM,YAAY,KAAK,WAAW,KAAK,EAIxD;WACM,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,0BAA0B,EAAE,OAAO,OAAO,CAAC;;;CAIhF,MAAa,OAAO,cAA4B,SAA6D;EAC3G,MAAM,EAAE,WAAW,MAAM,cAAc;AAEvC,MAAI;GACF,IAAI;AACJ,OAAI,QAAQ,IAAI,MACd,OAAM,MAAM,KAAK,eAAe,cAAc,QAAQ,IAAI,MAAM;YACvD,QAAQ,IAAI,WAAW,QAAQ,MAAM;AAC9C,6BAAyB,QAAQ,IAAI,UAAU;AAC/C,UAAM,QAAQ,IAAI;cACT,QAAQ,IAAI,WAAW,QAAQ,OAAO;AAC/C,8BAA0B,QAAQ,IAAI,UAAU;AAChD,UAAM,QAAQ,IAAI;cACT,QAAQ,IAAI,WAAW,QAAQ,MACxC,OAAM,QAAQ,IAAI;OAGlB,OAAM,IAAI,IAAI,wCAAwC,OAAO,QAAQ,IAAI,OAAO,KAAK,QAAQ;AAI/F,OAAI,8BAA8B,KAAK,UAAU;AACjD,OAAI,sBAAsB,IAAI;AAI9B,OADiB,MAAM,cAAc,KAAK,WAAW,MAAM,UAAU,CAEnE,QAAO;IACL,UAAU;IACV,WAAW,IAAI,wBAAwB,IAAI;IAC5C;AAGH,UAAO,EACL,UAAU,OACX;WACM,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,4BAA4B,EAAE,OAAO,OAAO,CAAC;;;
CAIlF,MAAa,QAAQ,cAA4B,SAA+D;EAC9G,MAAM,EAAE,MAAM,YAAY,QAAQ;AAElC,MAAI,mCAAmC,YAAY,mCAAmC,KAAK,QAAQ;EAEnG,IAAI;EACJ,IAAI;AAEJ,MAAI,IAAI,MACN,iBAAgB,MAAM,KAAK,eAAe,cAAc,IAAI,MAAM;WACzD,IAAI,WACb,iBAAgB,IAAI;WACX,IAAI,cAAc;AAC3B,OAAI,oCAAoC,IAAI,aAAa,mBAAmB,IAAI,aAAa,UAAU;AACvG,OAAI,sBAAsB,IAAI,aAAa,kBAAkB;AAC7D,OAAI,qCAAqC,IAAI,cAAc,qCAAqC,KAAK,QAAQ;GAE7G,MAAM,aAAa,MAAM,KAAK,eAAe,cAAc,IAAI,aAAa,MAAM;AAClF,OAAI,oBAAoB,YAAY,IAAI,aAAa,MAAM;AAC3D,OAAI,oCAAoC,YAAY,IAAI,aAAa,UAAU;AAC/E,OAAI,sBAAsB,WAAW;AACrC,OAAI,kCAAkC,YAAY,IAAI,aAAa,kBAAkB;GAErF,MAAM,EAAE,sBAAsB,kCAAkC,MAAM,oBAAoB;IACxF,cAAc,IAAI;IAClB;IACA;IACD,CAAC;AAEF,mBAAgB;AAChB,kBAAe;QAEf,OAAM,IAAI,IAAI,mBAAmB,uCAAuC;AAG1E,MAAI,cAAc,QAAQ,MACxB,OAAM,IAAI,IAAI,wCACZ,QAAQ,cAAc,IAAI,2BAC1B,KAAK,QACN;AAGH,MAAI;AAEF,OAAI,iCAAiC,eAAe,WAAW,UAAU;AACzE,OAAI,uBAAuB,cAAc;AAIzC,UAAO;IACL,GAFgB,MAAM,eAAe,eAAe,QAAQ,YAAY,KAAK;IAG7E;IACD;WACM,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,oBAAoB,EAAE,OAAO,OAAO,CAAC;;;CAI1E,MAAa,QAAQ,cAA4B,SAA+D;EAC9G,MAAM,EAAE,YAAY,WAAW,QAAQ;AAEvC,MAAI,mCAAmC,YAAY,mCAAmC,KAAK,QAAQ;EAEnG,IAAI;AACJ,MAAI,IAAI,MACN,iBAAgB,MAAM,KAAK,eAAe,cAAc,IAAI,MAAM;WACzD,IAAI,WACb,iBAAgB,IAAI;WACX,IAAI,cAAc;AAC3B,OAAI,qCAAqC,IAAI,cAAc,qCAAqC,KAAK,QAAQ;AAC7G,OAAI,oCAAoC,IAAI,aAAa,mBAAmB,IAAI,aAAa,UAAU;AACvG,OAAI,sBAAsB,IAAI,aAAa,kBAAkB;GAE7D,MAAM,aAAa,MAAM,KAAK,eAAe,cAAc,IAAI,aAAa,MAAM;AAClF,OAAI,oBAAoB,YAAY,IAAI,aAAa,MAAM;AAC3D,OAAI,oCAAoC,YAAY,IAAI,aAAa,UAAU;AAC/E,OAAI,sBAAsB,WAAW;AACrC,OAAI,kCAAkC,YAAY,IAAI,aAAa,kBAAkB;GAErF,MAAM,EAAE,yBAAyB,MAAM,oBAAoB;IACzD,cAAc,IAAI;IAClB;IACA;IACD,CAAC;AAEF,mBAAgB;QAEhB,OAAM,IAAI,IAAI,mBAAmB,uCAAuC;AAG1E,MAAI,cAAc,QAAQ,MACxB,OAAM,IAAI,IAAI,wCACZ,QAAQ,cAAc,IAAI,2BAC1B,KAAK,QACN;AAGH,MAAI;AAEF,OAAI,iCAAiC,eAAe,WAAW,UAAU;AACzE,OAAI,uBAAuB,cAAc;AAGzC,UAAO,MAAM,eAAe,eAAe,YAAY,UAAU;WAC1D,OAAO;AACd,OAAI,iBAAiB,IAAI,mBAAoB,OAAM;AAEnD,SAAM,IAAI,IAAI,mBAAmB,oBAAoB,EAAE,OAAO,OAAO,CAAC;;;CAI1E,MAAc,eAAe,cAA4B,OAAe;EACtE,MAAM,aAAa,uCAAM,KAAa,CAAC,IAAI,cAAc,MAAM;AAC/D,MA
AI,CAAC,WACH,OAAM,IAAI,IAAI,8BAA8B,OAAO,CAAC,KAAK,QAAQ,CAAC;AAGpE,SAAO;;CAGT,MAAc,mBAAmB,cAA4B,OAAe;AAG1E,MAFmB,uCAAM,KAAa,CAAC,IAAI,cAAc,MAAM,CAG7D,OAAM,IAAI,IAAI,4BAA4B,OAAO,KAAK,QAAQ"}
@@ -13,18 +13,13 @@ const nodeSupportedKeyAgreementAlgorithms = [
13
13
  "ECDH-ES",
14
14
  "ECDH-ES+A128KW",
15
15
  "ECDH-ES+A192KW",
16
- "ECDH-ES+A256KW",
17
- "ECDH-1PU+A256KW"
16
+ "ECDH-ES+A256KW"
18
17
  ];
19
18
  function assertNodeSupportedEcdhKeyDerivationCrv(jwk) {
20
19
  if (jwk.kty === "OKP" && jwk.crv !== "X25519" || jwk.kty === "EC" && !nodeSupportedEcdhKeyDerivationEcCrv.includes(jwk.crv)) throw new Kms.KeyManagementAlgorithmNotSupportedError(`key derivation with crv '${jwk.crv}' for kty '${jwk.kty}'`, "node");
21
20
  }
22
21
  async function deriveEncryptionKey(options) {
23
22
  const { keyAgreement, encryption, privateJwk } = options;
24
- if (keyAgreement.algorithm === "ECDH-1PU+A256KW") return deriveEncryptionKeyEcdh1Pu({
25
- keyAgreement,
26
- privateJwk
27
- });
28
23
  assertNodeSupportedEcdhKeyDerivationCrv(keyAgreement.externalPublicJwk);
29
24
  assertNodeSupportedEcdhKeyDerivationCrv(privateJwk);
30
25
  const derivedKeyBytes = await deriveKeyEcdhEs({
@@ -51,55 +46,8 @@ async function deriveEncryptionKey(options) {
51
46
  }
52
47
  };
53
48
  }
54
- async function deriveEncryptionKeyEcdh1Pu(options) {
55
- const { keyAgreement, privateJwk } = options;
56
- if (privateJwk.crv !== "X25519" || keyAgreement.externalPublicJwk.crv !== "X25519") throw new Kms.KeyManagementAlgorithmNotSupportedError("ECDH-1PU+A256KW requires X25519 keys", "node");
57
- const ecdh = createECDH("x25519");
58
- const ephemeralPrivate = getRandomValues(new Uint8Array(32));
59
- ecdh.setPrivateKey(Buffer.from(ephemeralPrivate));
60
- const recipientPub = Kms.PublicJwk.fromPublicJwk(keyAgreement.externalPublicJwk).publicKey;
61
- if (recipientPub.kty !== "OKP") throw new Kms.KeyManagementError("X25519 expected");
62
- const z1 = ecdh.computeSecret(recipientPub.publicKey);
63
- const senderEcdh = createECDH("x25519");
64
- senderEcdh.setPrivateKey(TypedArrayEncoder.fromBase64(privateJwk.d));
65
- const z2 = senderEcdh.computeSecret(recipientPub.publicKey);
66
- const Z = Buffer.concat([Buffer.from(z1), Buffer.from(z2)]);
67
- const algorithmId = Buffer.from("ECDH-1PU+A256KW");
68
- const kek = concatKDF(Z, 256, 256, Buffer.concat([
69
- numberTo4ByteUint8Array(algorithmId.length),
70
- algorithmId,
71
- numberTo4ByteUint8Array(0),
72
- numberTo4ByteUint8Array(0),
73
- numberTo4ByteUint8Array(256),
74
- Buffer.alloc(0)
75
- ]));
76
- const derivedKey = await subtle.importKey("raw", kek, "AES-KW", true, ["wrapKey"]);
77
- const cekBytes = Buffer.from(getRandomValues(new Uint8Array(32)));
78
- const cek = await subtle.importKey("raw", cekBytes, "AES-KW", true, ["wrapKey"]);
79
- const encryptedCek = await subtle.wrapKey("raw", cek, derivedKey, "AES-KW");
80
- const epkPub = ecdh.getPublicKey();
81
- const epkJwk = {
82
- kty: "OKP",
83
- crv: "X25519",
84
- x: TypedArrayEncoder.toBase64Url(epkPub)
85
- };
86
- return {
87
- encryptedContentEncryptionKey: {
88
- encrypted: Buffer.from(encryptedCek),
89
- ephemeralPublicKey: epkJwk
90
- },
91
- contentEncryptionKey: {
92
- kty: "oct",
93
- k: TypedArrayEncoder.toBase64Url(cekBytes)
94
- }
95
- };
96
- }
97
49
  async function deriveDecryptionKey(options) {
98
50
  const { keyAgreement, decryption, privateJwk } = options;
99
- if (keyAgreement.algorithm === "ECDH-1PU+A256KW") return deriveDecryptionKeyEcdh1Pu({
100
- keyAgreement,
101
- privateJwk
102
- });
103
51
  assertNodeSupportedEcdhKeyDerivationCrv(keyAgreement.externalPublicJwk);
104
52
  assertNodeSupportedEcdhKeyDerivationCrv(privateJwk);
105
53
  const derivedKeyBytes = await deriveKeyEcdhEs({
@@ -121,34 +69,6 @@ async function deriveDecryptionKey(options) {
121
69
  }, true, ["decrypt"]);
122
70
  return { contentEncryptionKey: await subtle.exportKey("jwk", contentEncryptionKey) };
123
71
  }
124
- async function deriveDecryptionKeyEcdh1Pu(options) {
125
- const { keyAgreement, privateJwk } = options;
126
- const { ephemeralPublicJwk, senderPublicJwk } = keyAgreement;
127
- if (privateJwk.crv !== "X25519") throw new Kms.KeyManagementAlgorithmNotSupportedError("ECDH-1PU+A256KW requires X25519", "node");
128
- const recipientEcdh = createECDH("x25519");
129
- recipientEcdh.setPrivateKey(TypedArrayEncoder.fromBase64(privateJwk.d));
130
- const epk = Kms.PublicJwk.fromPublicJwk(ephemeralPublicJwk).publicKey;
131
- const senderPub = Kms.PublicJwk.fromPublicJwk(senderPublicJwk).publicKey;
132
- if (epk.kty !== "OKP" || senderPub.kty !== "OKP") throw new Kms.KeyManagementError("X25519 keys expected");
133
- const z1 = recipientEcdh.computeSecret(epk.publicKey);
134
- const z2 = recipientEcdh.computeSecret(senderPub.publicKey);
135
- const Z = Buffer.concat([Buffer.from(z1), Buffer.from(z2)]);
136
- const algorithmId = Buffer.from("ECDH-1PU+A256KW");
137
- const kek = concatKDF(Z, 256, 256, Buffer.concat([
138
- numberTo4ByteUint8Array(algorithmId.length),
139
- algorithmId,
140
- numberTo4ByteUint8Array(0),
141
- numberTo4ByteUint8Array(0),
142
- numberTo4ByteUint8Array(256),
143
- Buffer.alloc(0)
144
- ]));
145
- const derivedKey = await subtle.importKey("raw", kek, "AES-KW", true, ["unwrapKey"]);
146
- const contentEncryptionKey = await subtle.unwrapKey("raw", keyAgreement.encryptedKey.encrypted, derivedKey, "AES-KW", {
147
- hash: "SHA-256",
148
- name: "HMAC"
149
- }, true, ["decrypt"]);
150
- return { contentEncryptionKey: await subtle.exportKey("jwk", contentEncryptionKey) };
151
- }
152
72
  /**
153
73
  * Derive a key using ECDH and Concat KDF
154
74
  */
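Review bot: With the ECDH-1PU branch removed, `deriveEncryptionKey` (first hunk) and `deriveDecryptionKey` (second hunk) no longer inspect `keyAgreement.algorithm` at all; they proceed straight to the ECDH-ES curve assertions and implicitly depend on the caller having run `Kms.assertSupportedKeyAgreementAlgorithm(key.keyAgreement, nodeSupportedKeyAgreementAlgorithms, this.backend)`, which the NodeKeyManagementService encrypt/decrypt paths shown earlier on this page do, but nothing in this file states it. I would record that precondition at the top of each function: `// Precondition: keyAgreement.algorithm is one of nodeSupportedKeyAgreementAlgorithms (ECDH-ES family only); NodeKeyManagementService asserts this before calling.` Since `nodeSupportedKeyAgreementAlgorithms` is an exported list and this release drops an entry from it, a short JSDoc remark on the array noting that ECDH-1PU+A256KW is no longer advertised would help consumers that select an algorithm by inspecting the list. Both function bodies continue past the end of their hunks.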
@@ -1 +1 @@
1
- {"version":3,"file":"deriveKey.mjs","names":[],"sources":["../../../src/kms/crypto/deriveKey.ts"],"sourcesContent":["import { Buffer } from 'node:buffer'\nimport { createECDH, createHash, getRandomValues, subtle } from 'node:crypto'\nimport { Kms, TypedArrayEncoder } from '@credo-ts/core'\nimport type { NodeKmsSupportedEcCrvs } from './createKey'\n\nconst nodeSupportedEcdhKeyDerivationEcCrv = [\n 'P-256',\n 'P-384',\n 'P-521',\n 'secp256k1',\n] as const satisfies NodeKmsSupportedEcCrvs[]\n\nexport const nodeSupportedKeyAgreementAlgorithms = [\n 'ECDH-ES',\n 'ECDH-ES+A128KW',\n 'ECDH-ES+A192KW',\n 'ECDH-ES+A256KW',\n 'ECDH-1PU+A256KW',\n] satisfies Kms.KnownJwaKeyAgreementAlgorithm[]\n\nfunction assertNodeSupportedEcdhKeyDerivationCrv<Jwk extends Kms.KmsJwkPrivateAsymmetric | Kms.KmsJwkPublicAsymmetric>(\n jwk: Jwk\n): asserts jwk is Jwk & { kty: 'OKP' | 'EC'; crv: (typeof nodeSupportedEcdhKeyDerivationEcCrv)[number] | 'X25519' } {\n if (\n (jwk.kty === 'OKP' && jwk.crv !== 'X25519') ||\n (jwk.kty === 'EC' && !(nodeSupportedEcdhKeyDerivationEcCrv as string[]).includes(jwk.crv))\n ) {\n throw new Kms.KeyManagementAlgorithmNotSupportedError(\n `key derivation with crv '${jwk.crv}' for kty '${jwk.kty}'`,\n 'node'\n )\n }\n}\n\ntype NodeSupportedKeyAgreementDecryptOptions = Kms.KmsKeyAgreementDecryptOptions & {\n algorithm: (typeof nodeSupportedKeyAgreementAlgorithms)[number]\n}\ntype NodeSupportedKeyAgreementEncryptOptions = Kms.KmsKeyAgreementEncryptOptions & {\n algorithm: (typeof nodeSupportedKeyAgreementAlgorithms)[number]\n}\n\nexport async function deriveEncryptionKey(options: {\n keyAgreement: NodeSupportedKeyAgreementEncryptOptions\n privateJwk: Kms.KmsJwkPrivateAsymmetric\n encryption: Kms.KmsEncryptDataEncryption\n}) {\n const { keyAgreement, encryption, privateJwk } = options\n\n if (keyAgreement.algorithm === 'ECDH-1PU+A256KW') {\n return deriveEncryptionKeyEcdh1Pu({\n keyAgreement,\n privateJwk: privateJwk as Kms.KmsJwkPrivateOkp,\n })\n }\n\n 
assertNodeSupportedEcdhKeyDerivationCrv(keyAgreement.externalPublicJwk)\n assertNodeSupportedEcdhKeyDerivationCrv(privateJwk)\n\n const keyLength =\n keyAgreement.algorithm === 'ECDH-ES'\n ? mapContentEncryptionAlgorithmToKeyLength(encryption.algorithm)\n : keyAgreement.algorithm === 'ECDH-ES+A128KW'\n ? 128\n : keyAgreement.algorithm === 'ECDH-ES+A192KW'\n ? 192\n : 256\n\n const derivedKeyBytes = await deriveKeyEcdhEs({\n keyLength,\n usageAlgorithm: keyAgreement.algorithm === 'ECDH-ES' ? encryption.algorithm : keyAgreement.algorithm,\n privateJwk,\n publicJwk: keyAgreement.externalPublicJwk,\n apu: keyAgreement.apu,\n apv: keyAgreement.apv,\n })\n\n if (keyAgreement.algorithm === 'ECDH-ES') {\n return {\n contentEncryptionKey: {\n kty: 'oct',\n k: derivedKeyBytes.toString('base64url'),\n } as const,\n }\n }\n\n const derivedKey = await subtle.importKey('raw', derivedKeyBytes, 'AES-KW', true, ['wrapKey'])\n const contentEncryptionKeyBytes = getRandomValues(\n new Uint8Array(mapContentEncryptionAlgorithmToKeyLength(encryption.algorithm) >> 3)\n )\n const contentEncryptionKey = await subtle.importKey('raw', contentEncryptionKeyBytes, 'AES-KW', true, ['wrapKey'])\n const encryptedContentEncryptionKey = await subtle.wrapKey('raw', contentEncryptionKey, derivedKey, 'AES-KW')\n\n return {\n encryptedContentEncryptionKey: {\n encrypted: new Uint8Array(encryptedContentEncryptionKey),\n } satisfies Kms.KmsEncryptedKey,\n contentEncryptionKey: {\n kty: 'oct',\n k: TypedArrayEncoder.toBase64Url(contentEncryptionKeyBytes),\n } as const,\n }\n}\n\nasync function deriveEncryptionKeyEcdh1Pu(options: {\n keyAgreement: Kms.KmsKeyAgreementEncryptOptions & { algorithm: 'ECDH-1PU+A256KW' }\n privateJwk: Kms.KmsJwkPrivateOkp\n}) {\n const { keyAgreement, privateJwk } = options\n if (privateJwk.crv !== 'X25519' || keyAgreement.externalPublicJwk.crv !== 'X25519') {\n throw new Kms.KeyManagementAlgorithmNotSupportedError('ECDH-1PU+A256KW requires X25519 keys', 'node')\n }\n\n const ecdh 
= createECDH('x25519')\n const ephemeralPrivate = getRandomValues(new Uint8Array(32))\n ecdh.setPrivateKey(Buffer.from(ephemeralPrivate))\n const recipientPub = Kms.PublicJwk.fromPublicJwk(keyAgreement.externalPublicJwk).publicKey\n if (recipientPub.kty !== 'OKP') throw new Kms.KeyManagementError('X25519 expected')\n const z1 = ecdh.computeSecret(recipientPub.publicKey)\n\n const senderEcdh = createECDH('x25519')\n senderEcdh.setPrivateKey(TypedArrayEncoder.fromBase64(privateJwk.d))\n const z2 = senderEcdh.computeSecret(recipientPub.publicKey)\n\n const Z = Buffer.concat([Buffer.from(z1), Buffer.from(z2)])\n const algorithmId = Buffer.from('ECDH-1PU+A256KW')\n const otherInfo = Buffer.concat([\n numberTo4ByteUint8Array(algorithmId.length),\n algorithmId,\n numberTo4ByteUint8Array(0),\n numberTo4ByteUint8Array(0),\n numberTo4ByteUint8Array(256),\n Buffer.alloc(0),\n ])\n const kek = concatKDF(Z, 256, 256, otherInfo)\n\n const derivedKey = await subtle.importKey('raw', kek, 'AES-KW', true, ['wrapKey'])\n const cekBytes = Buffer.from(getRandomValues(new Uint8Array(32)))\n const cek = await subtle.importKey('raw', cekBytes, 'AES-KW', true, ['wrapKey'])\n const encryptedCek = await subtle.wrapKey('raw', cek, derivedKey, 'AES-KW')\n\n const epkPub = ecdh.getPublicKey()\n const epkJwk = {\n kty: 'OKP' as const,\n crv: 'X25519' as const,\n x: TypedArrayEncoder.toBase64Url(epkPub),\n }\n\n return {\n encryptedContentEncryptionKey: {\n encrypted: Buffer.from(encryptedCek),\n ephemeralPublicKey: epkJwk,\n } satisfies Kms.KmsEncryptedKey,\n contentEncryptionKey: {\n kty: 'oct' as const,\n k: TypedArrayEncoder.toBase64Url(cekBytes),\n },\n }\n}\n\nexport async function deriveDecryptionKey(options: {\n keyAgreement: NodeSupportedKeyAgreementDecryptOptions\n privateJwk: Kms.KmsJwkPrivateAsymmetric\n decryption: Kms.KmsDecryptDataDecryption\n}) {\n const { keyAgreement, decryption, privateJwk } = options\n\n if (keyAgreement.algorithm === 'ECDH-1PU+A256KW') {\n return 
deriveDecryptionKeyEcdh1Pu({\n keyAgreement,\n privateJwk: privateJwk as Kms.KmsJwkPrivateOkp,\n })\n }\n\n assertNodeSupportedEcdhKeyDerivationCrv(keyAgreement.externalPublicJwk)\n assertNodeSupportedEcdhKeyDerivationCrv(privateJwk)\n\n const keyLength =\n keyAgreement.algorithm === 'ECDH-ES'\n ? mapContentEncryptionAlgorithmToKeyLength(decryption.algorithm)\n : keyAgreement.algorithm === 'ECDH-ES+A128KW'\n ? 128\n : keyAgreement.algorithm === 'ECDH-ES+A192KW'\n ? 192\n : 256\n\n const derivedKeyBytes = await deriveKeyEcdhEs({\n keyLength,\n usageAlgorithm: keyAgreement.algorithm === 'ECDH-ES' ? decryption.algorithm : keyAgreement.algorithm,\n privateJwk: privateJwk,\n publicJwk: keyAgreement.externalPublicJwk,\n apu: keyAgreement.apu,\n apv: keyAgreement.apv,\n })\n\n if (keyAgreement.algorithm === 'ECDH-ES') {\n return {\n // TODO: will be more efficient to return node key instance\n contentEncryptionKey: {\n kty: 'oct',\n k: derivedKeyBytes.toString('base64url'),\n } as const,\n }\n }\n\n // Key wrapping\n const derivedKey = await subtle.importKey('raw', derivedKeyBytes, 'AES-KW', true, ['wrapKey'])\n\n const contentEncryptionKey = await subtle.unwrapKey(\n 'raw',\n keyAgreement.encryptedKey.encrypted,\n derivedKey,\n 'AES-KW',\n { hash: 'SHA-256', name: 'HMAC' },\n true,\n ['decrypt']\n )\n\n return {\n contentEncryptionKey: (await subtle.exportKey('jwk', contentEncryptionKey)) as Kms.KmsJwkPrivate,\n }\n}\n\nasync function deriveDecryptionKeyEcdh1Pu(options: {\n keyAgreement: Kms.KmsKeyAgreementDecryptOptions & { algorithm: 'ECDH-1PU+A256KW' }\n privateJwk: Kms.KmsJwkPrivateOkp\n}) {\n const { keyAgreement, privateJwk } = options\n const { ephemeralPublicJwk, senderPublicJwk } = keyAgreement\n if (privateJwk.crv !== 'X25519') {\n throw new Kms.KeyManagementAlgorithmNotSupportedError('ECDH-1PU+A256KW requires X25519', 'node')\n }\n\n const recipientEcdh = createECDH('x25519')\n recipientEcdh.setPrivateKey(TypedArrayEncoder.fromBase64(privateJwk.d))\n const epk 
= Kms.PublicJwk.fromPublicJwk(ephemeralPublicJwk).publicKey\n const senderPub = Kms.PublicJwk.fromPublicJwk(senderPublicJwk).publicKey\n if (epk.kty !== 'OKP' || senderPub.kty !== 'OKP') {\n throw new Kms.KeyManagementError('X25519 keys expected')\n }\n\n const z1 = recipientEcdh.computeSecret(epk.publicKey)\n const z2 = recipientEcdh.computeSecret(senderPub.publicKey)\n const Z = Buffer.concat([Buffer.from(z1), Buffer.from(z2)])\n\n const algorithmId = Buffer.from('ECDH-1PU+A256KW')\n const otherInfo = Buffer.concat([\n numberTo4ByteUint8Array(algorithmId.length),\n algorithmId,\n numberTo4ByteUint8Array(0),\n numberTo4ByteUint8Array(0),\n numberTo4ByteUint8Array(256),\n Buffer.alloc(0),\n ])\n const kek = concatKDF(Z, 256, 256, otherInfo)\n const derivedKey = await subtle.importKey('raw', kek, 'AES-KW', true, ['unwrapKey'])\n\n const contentEncryptionKey = await subtle.unwrapKey(\n 'raw',\n keyAgreement.encryptedKey.encrypted,\n derivedKey,\n 'AES-KW',\n { hash: 'SHA-256', name: 'HMAC' },\n true,\n ['decrypt']\n )\n return {\n contentEncryptionKey: (await subtle.exportKey('jwk', contentEncryptionKey)) as Kms.KmsJwkPrivate,\n }\n}\n\n/**\n * Derive a key using ECDH and Concat KDF\n */\nasync function deriveKeyEcdhEs(options: {\n keyLength: number\n /**\n * This is only used for the AlgorithmID in KDF\n */\n usageAlgorithm: string\n apv?: Uint8Array\n apu?: Uint8Array\n privateJwk: Kms.KmsJwkPrivateEc | Kms.KmsJwkPrivateOkp\n publicJwk: Kms.KmsJwkPublicEc | Kms.KmsJwkPublicOkp\n}): Promise<Buffer> {\n // const privateKey = createPrivateKey({ format: 'jwk', key: options.privateJwk })\n // const publicKey = createPublicKey({ format: 'jwk', key: options.publicJwk })\n\n // Create ECDH instance based on curve\n const nodeEcdhCurveName = mapCrvToNodeEcdhCurveName(options.privateJwk.crv)\n const nodeConcatKdfHash = mapCrvToHashLength(options.publicJwk.crv)\n\n const ecdh = createECDH(nodeEcdhCurveName)\n\n // Set private key\n 
ecdh.setPrivateKey(TypedArrayEncoder.fromBase64Url(options.privateJwk.d))\n\n const publicKey = Kms.PublicJwk.fromPublicJwk(options.publicJwk).publicKey\n if (publicKey.kty === 'RSA') {\n throw new Kms.KeyManagementError('Key type RSA is not supported for ECDH-ES')\n }\n\n // Compute shared secret\n const sharedSecret = ecdh.computeSecret(publicKey.publicKey)\n\n // Prepare AlgorithmID for KDF (Datalen || Data)\n const algorithmData = TypedArrayEncoder.fromUtf8String(options.usageAlgorithm) // ASCII representation of alg\n const algorithmID = TypedArrayEncoder.concat([\n numberTo4ByteUint8Array(algorithmData.length), // Datalen: 32-bit big-endian counter\n algorithmData, // Data: ASCII representation of algorithm\n ])\n\n // Prepare PartyUInfo with proper length prefix\n const apu = options.apu || Buffer.alloc(0)\n const partyUInfo = Buffer.concat([\n numberTo4ByteUint8Array(apu.length), // Datalen: 32-bit big-endian counter\n apu, // Data: PartyUInfo value\n ])\n\n // Prepare PartyVInfo with proper length prefix\n const apv = options.apv || Buffer.alloc(0)\n const partyVInfo = Buffer.concat([\n numberTo4ByteUint8Array(apv.length), // Datalen: 32-bit big-endian counter\n apv, // Data: PartyVInfo value\n ])\n\n // Prepare otherInfo for KDF\n const otherInfo = Buffer.concat([\n algorithmID, // AlgorithmID: Datalen || Data\n partyUInfo, // PartyUInfo: Datalen || Data\n partyVInfo, // PartyVInfo: Datalen || Data\n numberTo4ByteUint8Array(options.keyLength), // SuppPubInfo: 32-bit big-endian rep of keydatalen\n Buffer.alloc(0), // SuppPrivInfo (empty octet sequence)\n ])\n\n // Derive final key using Concat KDF\n return concatKDF(sharedSecret, options.keyLength, nodeConcatKdfHash, otherInfo)\n}\n\nfunction numberTo4ByteUint8Array(number: number) {\n const buffer = new ArrayBuffer(4)\n const view = new DataView(buffer)\n view.setUint32(0, number)\n return new Uint8Array(buffer)\n}\n\n/**\n * Implements Concat KDF as per NIST SP 800-56A\n */\nfunction concatKDF(secret: 
Buffer, length: number, hashLength: ConcatKdfHashLength, otherInfo: Buffer): Buffer {\n const reps = Math.ceil((length >> 3) / (hashLength >> 3))\n const output = Buffer.alloc(reps * (hashLength >> 3))\n\n for (let i = 0; i < reps; i++) {\n const counter = Buffer.alloc(4 + secret.length + otherInfo.length)\n counter.writeUInt32BE(i + 1)\n counter.set(secret, 4)\n counter.set(otherInfo, 4 + secret.length)\n\n createHash(`sha${hashLength}`)\n .update(counter)\n .digest()\n .copy(output, (i * hashLength) >> 3)\n }\n\n return output.subarray(0, length >> 3)\n}\n\nfunction mapCrvToNodeEcdhCurveName(crv: Kms.KmsJwkPublicEc['crv'] | Kms.KmsJwkPublicOkp['crv']) {\n switch (crv) {\n case 'P-256':\n return 'prime256v1'\n case 'P-384':\n return 'secp384r1'\n case 'P-521':\n return 'secp521r1'\n case 'secp256k1':\n return 'secp256k1'\n case 'X25519':\n return 'x25519'\n default:\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`crv '${crv}' for ECDH-ES`, 'node')\n }\n}\n\ntype ConcatKdfHashLength = ReturnType<typeof mapCrvToHashLength>\nfunction mapCrvToHashLength(crv: Kms.KmsJwkPublicEc['crv'] | Kms.KmsJwkPublicOkp['crv']) {\n switch (crv) {\n case 'secp256k1':\n case 'X25519':\n case 'P-256':\n return 256\n case 'P-384':\n return 384\n case 'P-521':\n return 512\n default:\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`crv '${crv}' for ECDH-ES`, 'node')\n }\n}\n\n// TODO: might be worthwhile to add this to core?\n// TODO: we might want to have a separate definition per algorithm\n// defines things such as required key length.\nfunction mapContentEncryptionAlgorithmToKeyLength(\n encryptionAlgorithm: Kms.KnownJwaContentEncryptionAlgorithm | Kms.KnownJwaKeyEncryptionAlgorithm\n): number {\n switch (encryptionAlgorithm) {\n case 'A128CBC':\n case 'A128GCM':\n case 'A128KW':\n return 128\n case 'A192KW':\n return 192\n case 'A128CBC-HS256':\n case 'A256CBC':\n case 'A256GCM':\n case 'C20P':\n case 'XC20P':\n case 'A256KW':\n return 256\n\n case 
'A192CBC-HS384':\n case 'A192GCM':\n return 384\n case 'A256CBC-HS512':\n return 512\n case 'XSALSA20-POLY1305':\n return 256\n }\n}\n"],"mappings":";;;;;AAKA,MAAM,sCAAsC;CAC1C;CACA;CACA;CACA;CACD;AAED,MAAa,sCAAsC;CACjD;CACA;CACA;CACA;CACA;CACD;AAED,SAAS,wCACP,KACkH;AAClH,KACG,IAAI,QAAQ,SAAS,IAAI,QAAQ,YACjC,IAAI,QAAQ,QAAQ,CAAE,oCAAiD,SAAS,IAAI,IAAI,CAEzF,OAAM,IAAI,IAAI,wCACZ,4BAA4B,IAAI,IAAI,aAAa,IAAI,IAAI,IACzD,OACD;;AAWL,eAAsB,oBAAoB,SAIvC;CACD,MAAM,EAAE,cAAc,YAAY,eAAe;AAEjD,KAAI,aAAa,cAAc,kBAC7B,QAAO,2BAA2B;EAChC;EACY;EACb,CAAC;AAGJ,yCAAwC,aAAa,kBAAkB;AACvE,yCAAwC,WAAW;CAWnD,MAAM,kBAAkB,MAAM,gBAAgB;EAC5C,WATA,aAAa,cAAc,YACvB,yCAAyC,WAAW,UAAU,GAC9D,aAAa,cAAc,mBACzB,MACA,aAAa,cAAc,mBACzB,MACA;EAIR,gBAAgB,aAAa,cAAc,YAAY,WAAW,YAAY,aAAa;EAC3F;EACA,WAAW,aAAa;EACxB,KAAK,aAAa;EAClB,KAAK,aAAa;EACnB,CAAC;AAEF,KAAI,aAAa,cAAc,UAC7B,QAAO,EACL,sBAAsB;EACpB,KAAK;EACL,GAAG,gBAAgB,SAAS,YAAY;EACzC,EACF;CAGH,MAAM,aAAa,MAAM,OAAO,UAAU,OAAO,iBAAiB,UAAU,MAAM,CAAC,UAAU,CAAC;CAC9F,MAAM,4BAA4B,gBAChC,IAAI,WAAW,yCAAyC,WAAW,UAAU,IAAI,EAAE,CACpF;CACD,MAAM,uBAAuB,MAAM,OAAO,UAAU,OAAO,2BAA2B,UAAU,MAAM,CAAC,UAAU,CAAC;CAClH,MAAM,gCAAgC,MAAM,OAAO,QAAQ,OAAO,sBAAsB,YAAY,SAAS;AAE7G,QAAO;EACL,+BAA+B,EAC7B,WAAW,IAAI,WAAW,8BAA8B,EACzD;EACD,sBAAsB;GACpB,KAAK;GACL,GAAG,kBAAkB,YAAY,0BAA0B;GAC5D;EACF;;AAGH,eAAe,2BAA2B,SAGvC;CACD,MAAM,EAAE,cAAc,eAAe;AACrC,KAAI,WAAW,QAAQ,YAAY,aAAa,kBAAkB,QAAQ,SACxE,OAAM,IAAI,IAAI,wCAAwC,wCAAwC,OAAO;CAGvG,MAAM,OAAO,WAAW,SAAS;CACjC,MAAM,mBAAmB,gBAAgB,IAAI,WAAW,GAAG,CAAC;AAC5D,MAAK,cAAc,OAAO,KAAK,iBAAiB,CAAC;CACjD,MAAM,eAAe,IAAI,UAAU,cAAc,aAAa,kBAAkB,CAAC;AACjF,KAAI,aAAa,QAAQ,MAAO,OAAM,IAAI,IAAI,mBAAmB,kBAAkB;CACnF,MAAM,KAAK,KAAK,cAAc,aAAa,UAAU;CAErD,MAAM,aAAa,WAAW,SAAS;AACvC,YAAW,cAAc,kBAAkB,WAAW,WAAW,EAAE,CAAC;CACpE,MAAM,KAAK,WAAW,cAAc,aAAa,UAAU;CAE3D,MAAM,IAAI,OAAO,OAAO,CAAC,OAAO,KAAK,GAAG,EAAE,OAAO,KAAK,GAAG,CAAC,CAAC;CAC3D,MAAM,cAAc,OAAO,KAAK,kBAAkB;CASlD,MAAM,MAAM,UAAU,GAAG,KAAK,KARZ,OAAO,OAAO;EAC9B,wBAAwB,YAAY,OAAO;EAC3C;EACA,wBAAwB,EAAE;EAC1B,wBAAwB,EAAE;EAC1B,wBAAwB,IAA
I;EAC5B,OAAO,MAAM,EAAE;EAChB,CAAC,CAC2C;CAE7C,MAAM,aAAa,MAAM,OAAO,UAAU,OAAO,KAAK,UAAU,MAAM,CAAC,UAAU,CAAC;CAClF,MAAM,WAAW,OAAO,KAAK,gBAAgB,IAAI,WAAW,GAAG,CAAC,CAAC;CACjE,MAAM,MAAM,MAAM,OAAO,UAAU,OAAO,UAAU,UAAU,MAAM,CAAC,UAAU,CAAC;CAChF,MAAM,eAAe,MAAM,OAAO,QAAQ,OAAO,KAAK,YAAY,SAAS;CAE3E,MAAM,SAAS,KAAK,cAAc;CAClC,MAAM,SAAS;EACb,KAAK;EACL,KAAK;EACL,GAAG,kBAAkB,YAAY,OAAO;EACzC;AAED,QAAO;EACL,+BAA+B;GAC7B,WAAW,OAAO,KAAK,aAAa;GACpC,oBAAoB;GACrB;EACD,sBAAsB;GACpB,KAAK;GACL,GAAG,kBAAkB,YAAY,SAAS;GAC3C;EACF;;AAGH,eAAsB,oBAAoB,SAIvC;CACD,MAAM,EAAE,cAAc,YAAY,eAAe;AAEjD,KAAI,aAAa,cAAc,kBAC7B,QAAO,2BAA2B;EAChC;EACY;EACb,CAAC;AAGJ,yCAAwC,aAAa,kBAAkB;AACvE,yCAAwC,WAAW;CAWnD,MAAM,kBAAkB,MAAM,gBAAgB;EAC5C,WATA,aAAa,cAAc,YACvB,yCAAyC,WAAW,UAAU,GAC9D,aAAa,cAAc,mBACzB,MACA,aAAa,cAAc,mBACzB,MACA;EAIR,gBAAgB,aAAa,cAAc,YAAY,WAAW,YAAY,aAAa;EAC/E;EACZ,WAAW,aAAa;EACxB,KAAK,aAAa;EAClB,KAAK,aAAa;EACnB,CAAC;AAEF,KAAI,aAAa,cAAc,UAC7B,QAAO,EAEL,sBAAsB;EACpB,KAAK;EACL,GAAG,gBAAgB,SAAS,YAAY;EACzC,EACF;CAIH,MAAM,aAAa,MAAM,OAAO,UAAU,OAAO,iBAAiB,UAAU,MAAM,CAAC,UAAU,CAAC;CAE9F,MAAM,uBAAuB,MAAM,OAAO,UACxC,OACA,aAAa,aAAa,WAC1B,YACA,UACA;EAAE,MAAM;EAAW,MAAM;EAAQ,EACjC,MACA,CAAC,UAAU,CACZ;AAED,QAAO,EACL,sBAAuB,MAAM,OAAO,UAAU,OAAO,qBAAqB,EAC3E;;AAGH,eAAe,2BAA2B,SAGvC;CACD,MAAM,EAAE,cAAc,eAAe;CACrC,MAAM,EAAE,oBAAoB,oBAAoB;AAChD,KAAI,WAAW,QAAQ,SACrB,OAAM,IAAI,IAAI,wCAAwC,mCAAmC,OAAO;CAGlG,MAAM,gBAAgB,WAAW,SAAS;AAC1C,eAAc,cAAc,kBAAkB,WAAW,WAAW,EAAE,CAAC;CACvE,MAAM,MAAM,IAAI,UAAU,cAAc,mBAAmB,CAAC;CAC5D,MAAM,YAAY,IAAI,UAAU,cAAc,gBAAgB,CAAC;AAC/D,KAAI,IAAI,QAAQ,SAAS,UAAU,QAAQ,MACzC,OAAM,IAAI,IAAI,mBAAmB,uBAAuB;CAG1D,MAAM,KAAK,cAAc,cAAc,IAAI,UAAU;CACrD,MAAM,KAAK,cAAc,cAAc,UAAU,UAAU;CAC3D,MAAM,IAAI,OAAO,OAAO,CAAC,OAAO,KAAK,GAAG,EAAE,OAAO,KAAK,GAAG,CAAC,CAAC;CAE3D,MAAM,cAAc,OAAO,KAAK,kBAAkB;CASlD,MAAM,MAAM,UAAU,GAAG,KAAK,KARZ,OAAO,OAAO;EAC9B,wBAAwB,YAAY,OAAO;EAC3C;EACA,wBAAwB,EAAE;EAC1B,wBAAwB,EAAE;EAC1B,wBAAwB,IAAI;EAC5B,OAAO,MAAM,EAAE;EAChB,CAAC,CAC2C;CAC7C,MAAM,aAAa,MAAM,OAAO,UAAU,OAAO,KAAK,UAAU,MAAM,CAAC,YAAY,CA
AC;CAEpF,MAAM,uBAAuB,MAAM,OAAO,UACxC,OACA,aAAa,aAAa,WAC1B,YACA,UACA;EAAE,MAAM;EAAW,MAAM;EAAQ,EACjC,MACA,CAAC,UAAU,CACZ;AACD,QAAO,EACL,sBAAuB,MAAM,OAAO,UAAU,OAAO,qBAAqB,EAC3E;;;;;AAMH,eAAe,gBAAgB,SAUX;CAKlB,MAAM,oBAAoB,0BAA0B,QAAQ,WAAW,IAAI;CAC3E,MAAM,oBAAoB,mBAAmB,QAAQ,UAAU,IAAI;CAEnE,MAAM,OAAO,WAAW,kBAAkB;AAG1C,MAAK,cAAc,kBAAkB,cAAc,QAAQ,WAAW,EAAE,CAAC;CAEzE,MAAM,YAAY,IAAI,UAAU,cAAc,QAAQ,UAAU,CAAC;AACjE,KAAI,UAAU,QAAQ,MACpB,OAAM,IAAI,IAAI,mBAAmB,4CAA4C;CAI/E,MAAM,eAAe,KAAK,cAAc,UAAU,UAAU;CAG5D,MAAM,gBAAgB,kBAAkB,eAAe,QAAQ,eAAe;CAC9E,MAAM,cAAc,kBAAkB,OAAO,CAC3C,wBAAwB,cAAc,OAAO,EAC7C,cACD,CAAC;CAGF,MAAM,MAAM,QAAQ,OAAO,OAAO,MAAM,EAAE;CAC1C,MAAM,aAAa,OAAO,OAAO,CAC/B,wBAAwB,IAAI,OAAO,EACnC,IACD,CAAC;CAGF,MAAM,MAAM,QAAQ,OAAO,OAAO,MAAM,EAAE;CAC1C,MAAM,aAAa,OAAO,OAAO,CAC/B,wBAAwB,IAAI,OAAO,EACnC,IACD,CAAC;CAGF,MAAM,YAAY,OAAO,OAAO;EAC9B;EACA;EACA;EACA,wBAAwB,QAAQ,UAAU;EAC1C,OAAO,MAAM,EAAE;EAChB,CAAC;AAGF,QAAO,UAAU,cAAc,QAAQ,WAAW,mBAAmB,UAAU;;AAGjF,SAAS,wBAAwB,QAAgB;CAC/C,MAAM,yBAAS,IAAI,YAAY,EAAE;AAEjC,CADa,IAAI,SAAS,OAAO,CAC5B,UAAU,GAAG,OAAO;AACzB,QAAO,IAAI,WAAW,OAAO;;;;;AAM/B,SAAS,UAAU,QAAgB,QAAgB,YAAiC,WAA2B;CAC7G,MAAM,OAAO,KAAK,MAAM,UAAU,MAAM,cAAc,GAAG;CACzD,MAAM,SAAS,OAAO,MAAM,QAAQ,cAAc,GAAG;AAErD,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,KAAK;EAC7B,MAAM,UAAU,OAAO,MAAM,IAAI,OAAO,SAAS,UAAU,OAAO;AAClE,UAAQ,cAAc,IAAI,EAAE;AAC5B,UAAQ,IAAI,QAAQ,EAAE;AACtB,UAAQ,IAAI,WAAW,IAAI,OAAO,OAAO;AAEzC,aAAW,MAAM,aAAa,CAC3B,OAAO,QAAQ,CACf,QAAQ,CACR,KAAK,QAAS,IAAI,cAAe,EAAE;;AAGxC,QAAO,OAAO,SAAS,GAAG,UAAU,EAAE;;AAGxC,SAAS,0BAA0B,KAA6D;AAC9F,SAAQ,KAAR;EACE,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,YACH,QAAO;EACT,KAAK,SACH,QAAO;EACT,QACE,OAAM,IAAI,IAAI,wCAAwC,QAAQ,IAAI,gBAAgB,OAAO;;;AAK/F,SAAS,mBAAmB,KAA6D;AACvF,SAAQ,KAAR;EACE,KAAK;EACL,KAAK;EACL,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,QACE,OAAM,IAAI,IAAI,wCAAwC,QAAQ,IAAI,gBAAgB,OAAO;;;AAO/F,SAAS,yCACP,qBACQ;AACR,SAAQ,qBAAR;EACE,KAAK;EACL,KAAK;EACL,KAAK,SACH,QAAO;EACT,KAAK,SACH,QAAO;EACT,KAAK;EACL,KAAK;EACL,
KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK,SACH,QAAO;EAET,KAAK;EACL,KAAK,UACH,QAAO;EACT,KAAK,gBACH,QAAO;EACT,KAAK,oBACH,QAAO"}
1
+ {"version":3,"file":"deriveKey.mjs","names":[],"sources":["../../../src/kms/crypto/deriveKey.ts"],"sourcesContent":["import { Buffer } from 'node:buffer'\nimport { createECDH, createHash, getRandomValues, subtle } from 'node:crypto'\nimport { Kms, TypedArrayEncoder } from '@credo-ts/core'\nimport type { NodeKmsSupportedEcCrvs } from './createKey'\n\nconst nodeSupportedEcdhKeyDerivationEcCrv = [\n 'P-256',\n 'P-384',\n 'P-521',\n 'secp256k1',\n] as const satisfies NodeKmsSupportedEcCrvs[]\n\nexport const nodeSupportedKeyAgreementAlgorithms = [\n 'ECDH-ES',\n 'ECDH-ES+A128KW',\n 'ECDH-ES+A192KW',\n 'ECDH-ES+A256KW',\n] satisfies Kms.KnownJwaKeyAgreementAlgorithm[]\n\nfunction assertNodeSupportedEcdhKeyDerivationCrv<Jwk extends Kms.KmsJwkPrivateAsymmetric | Kms.KmsJwkPublicAsymmetric>(\n jwk: Jwk\n): asserts jwk is Jwk & { kty: 'OKP' | 'EC'; crv: (typeof nodeSupportedEcdhKeyDerivationEcCrv)[number] | 'X25519' } {\n if (\n (jwk.kty === 'OKP' && jwk.crv !== 'X25519') ||\n (jwk.kty === 'EC' && !(nodeSupportedEcdhKeyDerivationEcCrv as string[]).includes(jwk.crv))\n ) {\n throw new Kms.KeyManagementAlgorithmNotSupportedError(\n `key derivation with crv '${jwk.crv}' for kty '${jwk.kty}'`,\n 'node'\n )\n }\n}\n\ntype NodeSupportedKeyAgreementDecryptOptions = Kms.KmsKeyAgreementDecryptOptions & {\n algorithm: (typeof nodeSupportedKeyAgreementAlgorithms)[number]\n}\ntype NodeSupportedKeyAgreementEncryptOptions = Kms.KmsKeyAgreementEncryptOptions & {\n algorithm: (typeof nodeSupportedKeyAgreementAlgorithms)[number]\n}\n\nexport async function deriveEncryptionKey(options: {\n keyAgreement: NodeSupportedKeyAgreementEncryptOptions\n privateJwk: Kms.KmsJwkPrivateAsymmetric\n encryption: Kms.KmsEncryptDataEncryption\n}) {\n const { keyAgreement, encryption, privateJwk } = options\n\n assertNodeSupportedEcdhKeyDerivationCrv(keyAgreement.externalPublicJwk)\n assertNodeSupportedEcdhKeyDerivationCrv(privateJwk)\n\n const keyLength =\n keyAgreement.algorithm === 'ECDH-ES'\n ? 
mapContentEncryptionAlgorithmToKeyLength(encryption.algorithm)\n : keyAgreement.algorithm === 'ECDH-ES+A128KW'\n ? 128\n : keyAgreement.algorithm === 'ECDH-ES+A192KW'\n ? 192\n : 256\n\n const derivedKeyBytes = await deriveKeyEcdhEs({\n keyLength,\n usageAlgorithm: keyAgreement.algorithm === 'ECDH-ES' ? encryption.algorithm : keyAgreement.algorithm,\n privateJwk,\n publicJwk: keyAgreement.externalPublicJwk,\n apu: keyAgreement.apu,\n apv: keyAgreement.apv,\n })\n\n if (keyAgreement.algorithm === 'ECDH-ES') {\n return {\n // TODO: will be more efficient to return node key instance\n contentEncryptionKey: {\n kty: 'oct',\n k: derivedKeyBytes.toString('base64url'),\n } as const,\n }\n }\n\n // Key wrapping\n const derivedKey = await subtle.importKey('raw', derivedKeyBytes, 'AES-KW', true, ['wrapKey'])\n const contentEncryptionKeyBytes = getRandomValues(\n new Uint8Array(mapContentEncryptionAlgorithmToKeyLength(encryption.algorithm) >> 3)\n )\n const contentEncryptionKey = await subtle.importKey('raw', contentEncryptionKeyBytes, 'AES-KW', true, ['wrapKey'])\n const encryptedContentEncryptionKey = await subtle.wrapKey('raw', contentEncryptionKey, derivedKey, 'AES-KW')\n\n return {\n encryptedContentEncryptionKey: {\n encrypted: new Uint8Array(encryptedContentEncryptionKey),\n } satisfies Kms.KmsEncryptedKey,\n contentEncryptionKey: {\n kty: 'oct',\n k: TypedArrayEncoder.toBase64Url(contentEncryptionKeyBytes),\n } as const,\n }\n}\n\nexport async function deriveDecryptionKey(options: {\n keyAgreement: NodeSupportedKeyAgreementDecryptOptions\n privateJwk: Kms.KmsJwkPrivateAsymmetric\n decryption: Kms.KmsDecryptDataDecryption\n}) {\n const { keyAgreement, decryption, privateJwk } = options\n\n assertNodeSupportedEcdhKeyDerivationCrv(keyAgreement.externalPublicJwk)\n assertNodeSupportedEcdhKeyDerivationCrv(privateJwk)\n\n const keyLength =\n keyAgreement.algorithm === 'ECDH-ES'\n ? 
mapContentEncryptionAlgorithmToKeyLength(decryption.algorithm)\n : keyAgreement.algorithm === 'ECDH-ES+A128KW'\n ? 128\n : keyAgreement.algorithm === 'ECDH-ES+A192KW'\n ? 192\n : 256\n\n const derivedKeyBytes = await deriveKeyEcdhEs({\n keyLength,\n usageAlgorithm: keyAgreement.algorithm === 'ECDH-ES' ? decryption.algorithm : keyAgreement.algorithm,\n privateJwk: privateJwk,\n publicJwk: keyAgreement.externalPublicJwk,\n apu: keyAgreement.apu,\n apv: keyAgreement.apv,\n })\n\n if (keyAgreement.algorithm === 'ECDH-ES') {\n return {\n // TODO: will be more efficient to return node key instance\n contentEncryptionKey: {\n kty: 'oct',\n k: derivedKeyBytes.toString('base64url'),\n } as const,\n }\n }\n\n // Key wrapping\n const derivedKey = await subtle.importKey('raw', derivedKeyBytes, 'AES-KW', true, ['wrapKey'])\n\n const contentEncryptionKey = await subtle.unwrapKey(\n 'raw',\n keyAgreement.encryptedKey.encrypted,\n derivedKey,\n 'AES-KW',\n // algorithm used is irrelevant\n { hash: 'SHA-256', name: 'HMAC' },\n true,\n ['decrypt']\n )\n\n return {\n contentEncryptionKey: (await subtle.exportKey('jwk', contentEncryptionKey)) as Kms.KmsJwkPrivate,\n }\n}\n\n/**\n * Derive a key using ECDH and Concat KDF\n */\nasync function deriveKeyEcdhEs(options: {\n keyLength: number\n /**\n * This is only used for the AlgorithmID in KDF\n */\n usageAlgorithm: string\n apv?: Uint8Array\n apu?: Uint8Array\n privateJwk: Kms.KmsJwkPrivateEc | Kms.KmsJwkPrivateOkp\n publicJwk: Kms.KmsJwkPublicEc | Kms.KmsJwkPublicOkp\n}): Promise<Buffer> {\n // const privateKey = createPrivateKey({ format: 'jwk', key: options.privateJwk })\n // const publicKey = createPublicKey({ format: 'jwk', key: options.publicJwk })\n\n // Create ECDH instance based on curve\n const nodeEcdhCurveName = mapCrvToNodeEcdhCurveName(options.privateJwk.crv)\n const nodeConcatKdfHash = mapCrvToHashLength(options.publicJwk.crv)\n\n const ecdh = createECDH(nodeEcdhCurveName)\n\n // Set private key\n 
ecdh.setPrivateKey(TypedArrayEncoder.fromBase64Url(options.privateJwk.d))\n\n const publicKey = Kms.PublicJwk.fromPublicJwk(options.publicJwk).publicKey\n if (publicKey.kty === 'RSA') {\n throw new Kms.KeyManagementError('Key type RSA is not supported for ECDH-ES')\n }\n\n // Compute shared secret\n const sharedSecret = ecdh.computeSecret(publicKey.publicKey)\n\n // Prepare AlgorithmID for KDF (Datalen || Data)\n const algorithmData = TypedArrayEncoder.fromUtf8String(options.usageAlgorithm) // ASCII representation of alg\n const algorithmID = TypedArrayEncoder.concat([\n numberTo4ByteUint8Array(algorithmData.length), // Datalen: 32-bit big-endian counter\n algorithmData, // Data: ASCII representation of algorithm\n ])\n\n // Prepare PartyUInfo with proper length prefix\n const apu = options.apu || Buffer.alloc(0)\n const partyUInfo = Buffer.concat([\n numberTo4ByteUint8Array(apu.length), // Datalen: 32-bit big-endian counter\n apu, // Data: PartyUInfo value\n ])\n\n // Prepare PartyVInfo with proper length prefix\n const apv = options.apv || Buffer.alloc(0)\n const partyVInfo = Buffer.concat([\n numberTo4ByteUint8Array(apv.length), // Datalen: 32-bit big-endian counter\n apv, // Data: PartyVInfo value\n ])\n\n // Prepare otherInfo for KDF\n const otherInfo = Buffer.concat([\n algorithmID, // AlgorithmID: Datalen || Data\n partyUInfo, // PartyUInfo: Datalen || Data\n partyVInfo, // PartyVInfo: Datalen || Data\n numberTo4ByteUint8Array(options.keyLength), // SuppPubInfo: 32-bit big-endian rep of keydatalen\n Buffer.alloc(0), // SuppPrivInfo (empty octet sequence)\n ])\n\n // Derive final key using Concat KDF\n return concatKDF(sharedSecret, options.keyLength, nodeConcatKdfHash, otherInfo)\n}\n\nfunction numberTo4ByteUint8Array(number: number) {\n const buffer = new ArrayBuffer(4)\n const view = new DataView(buffer)\n view.setUint32(0, number)\n return new Uint8Array(buffer)\n}\n\n/**\n * Implements Concat KDF as per NIST SP 800-56A\n */\nfunction concatKDF(secret: 
Buffer, length: number, hashLength: ConcatKdfHashLength, otherInfo: Buffer): Buffer {\n const reps = Math.ceil((length >> 3) / (hashLength >> 3))\n const output = Buffer.alloc(reps * (hashLength >> 3))\n\n for (let i = 0; i < reps; i++) {\n const counter = Buffer.alloc(4 + secret.length + otherInfo.length)\n counter.writeUInt32BE(i + 1)\n counter.set(secret, 4)\n counter.set(otherInfo, 4 + secret.length)\n\n createHash(`sha${hashLength}`)\n .update(counter)\n .digest()\n .copy(output, (i * hashLength) >> 3)\n }\n\n return output.subarray(0, length >> 3)\n}\n\nfunction mapCrvToNodeEcdhCurveName(crv: Kms.KmsJwkPublicEc['crv'] | Kms.KmsJwkPublicOkp['crv']) {\n switch (crv) {\n case 'P-256':\n return 'prime256v1'\n case 'P-384':\n return 'secp384r1'\n case 'P-521':\n return 'secp521r1'\n case 'secp256k1':\n return 'secp256k1'\n case 'X25519':\n return 'x25519'\n default:\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`crv '${crv}' for ECDH-ES`, 'node')\n }\n}\n\ntype ConcatKdfHashLength = ReturnType<typeof mapCrvToHashLength>\nfunction mapCrvToHashLength(crv: Kms.KmsJwkPublicEc['crv'] | Kms.KmsJwkPublicOkp['crv']) {\n switch (crv) {\n case 'secp256k1':\n case 'X25519':\n case 'P-256':\n return 256\n case 'P-384':\n return 384\n case 'P-521':\n return 512\n default:\n throw new Kms.KeyManagementAlgorithmNotSupportedError(`crv '${crv}' for ECDH-ES`, 'node')\n }\n}\n\n// TODO: might be worthwhile to add this to core?\n// TODO: we might want to have a separate definition per algorithm\n// defines things such as required key length.\nfunction mapContentEncryptionAlgorithmToKeyLength(\n encryptionAlgorithm: Kms.KnownJwaContentEncryptionAlgorithm | Kms.KnownJwaKeyEncryptionAlgorithm\n): number {\n switch (encryptionAlgorithm) {\n case 'A128CBC':\n case 'A128GCM':\n case 'A128KW':\n return 128\n case 'A192KW':\n return 192\n case 'A128CBC-HS256':\n case 'A256CBC':\n case 'A256GCM':\n case 'C20P':\n case 'XC20P':\n case 'A256KW':\n return 256\n\n case 
'A192CBC-HS384':\n case 'A192GCM':\n return 384\n case 'A256CBC-HS512':\n return 512\n case 'XSALSA20-POLY1305':\n return 256\n }\n}\n"],"mappings":";;;;;AAKA,MAAM,sCAAsC;CAC1C;CACA;CACA;CACA;CACD;AAED,MAAa,sCAAsC;CACjD;CACA;CACA;CACA;CACD;AAED,SAAS,wCACP,KACkH;AAClH,KACG,IAAI,QAAQ,SAAS,IAAI,QAAQ,YACjC,IAAI,QAAQ,QAAQ,CAAE,oCAAiD,SAAS,IAAI,IAAI,CAEzF,OAAM,IAAI,IAAI,wCACZ,4BAA4B,IAAI,IAAI,aAAa,IAAI,IAAI,IACzD,OACD;;AAWL,eAAsB,oBAAoB,SAIvC;CACD,MAAM,EAAE,cAAc,YAAY,eAAe;AAEjD,yCAAwC,aAAa,kBAAkB;AACvE,yCAAwC,WAAW;CAWnD,MAAM,kBAAkB,MAAM,gBAAgB;EAC5C,WATA,aAAa,cAAc,YACvB,yCAAyC,WAAW,UAAU,GAC9D,aAAa,cAAc,mBACzB,MACA,aAAa,cAAc,mBACzB,MACA;EAIR,gBAAgB,aAAa,cAAc,YAAY,WAAW,YAAY,aAAa;EAC3F;EACA,WAAW,aAAa;EACxB,KAAK,aAAa;EAClB,KAAK,aAAa;EACnB,CAAC;AAEF,KAAI,aAAa,cAAc,UAC7B,QAAO,EAEL,sBAAsB;EACpB,KAAK;EACL,GAAG,gBAAgB,SAAS,YAAY;EACzC,EACF;CAIH,MAAM,aAAa,MAAM,OAAO,UAAU,OAAO,iBAAiB,UAAU,MAAM,CAAC,UAAU,CAAC;CAC9F,MAAM,4BAA4B,gBAChC,IAAI,WAAW,yCAAyC,WAAW,UAAU,IAAI,EAAE,CACpF;CACD,MAAM,uBAAuB,MAAM,OAAO,UAAU,OAAO,2BAA2B,UAAU,MAAM,CAAC,UAAU,CAAC;CAClH,MAAM,gCAAgC,MAAM,OAAO,QAAQ,OAAO,sBAAsB,YAAY,SAAS;AAE7G,QAAO;EACL,+BAA+B,EAC7B,WAAW,IAAI,WAAW,8BAA8B,EACzD;EACD,sBAAsB;GACpB,KAAK;GACL,GAAG,kBAAkB,YAAY,0BAA0B;GAC5D;EACF;;AAGH,eAAsB,oBAAoB,SAIvC;CACD,MAAM,EAAE,cAAc,YAAY,eAAe;AAEjD,yCAAwC,aAAa,kBAAkB;AACvE,yCAAwC,WAAW;CAWnD,MAAM,kBAAkB,MAAM,gBAAgB;EAC5C,WATA,aAAa,cAAc,YACvB,yCAAyC,WAAW,UAAU,GAC9D,aAAa,cAAc,mBACzB,MACA,aAAa,cAAc,mBACzB,MACA;EAIR,gBAAgB,aAAa,cAAc,YAAY,WAAW,YAAY,aAAa;EAC/E;EACZ,WAAW,aAAa;EACxB,KAAK,aAAa;EAClB,KAAK,aAAa;EACnB,CAAC;AAEF,KAAI,aAAa,cAAc,UAC7B,QAAO,EAEL,sBAAsB;EACpB,KAAK;EACL,GAAG,gBAAgB,SAAS,YAAY;EACzC,EACF;CAIH,MAAM,aAAa,MAAM,OAAO,UAAU,OAAO,iBAAiB,UAAU,MAAM,CAAC,UAAU,CAAC;CAE9F,MAAM,uBAAuB,MAAM,OAAO,UACxC,OACA,aAAa,aAAa,WAC1B,YACA,UAEA;EAAE,MAAM;EAAW,MAAM;EAAQ,EACjC,MACA,CAAC,UAAU,CACZ;AAED,QAAO,EACL,sBAAuB,MAAM,OAAO,UAAU,OAAO,qBAAqB,EAC3E;;;;;AAMH,eAAe,gBAAgB,SAUX;CAKlB,MAAM,oBAAoB,0BAA0B,QAAQ,WAAW,IAAI;CAC3E,MAAM,oBAAoB,mBAAmB,QAAQ,UAAU,IAAI;CAEnE,MAAM,OAAO,WAAW,
kBAAkB;AAG1C,MAAK,cAAc,kBAAkB,cAAc,QAAQ,WAAW,EAAE,CAAC;CAEzE,MAAM,YAAY,IAAI,UAAU,cAAc,QAAQ,UAAU,CAAC;AACjE,KAAI,UAAU,QAAQ,MACpB,OAAM,IAAI,IAAI,mBAAmB,4CAA4C;CAI/E,MAAM,eAAe,KAAK,cAAc,UAAU,UAAU;CAG5D,MAAM,gBAAgB,kBAAkB,eAAe,QAAQ,eAAe;CAC9E,MAAM,cAAc,kBAAkB,OAAO,CAC3C,wBAAwB,cAAc,OAAO,EAC7C,cACD,CAAC;CAGF,MAAM,MAAM,QAAQ,OAAO,OAAO,MAAM,EAAE;CAC1C,MAAM,aAAa,OAAO,OAAO,CAC/B,wBAAwB,IAAI,OAAO,EACnC,IACD,CAAC;CAGF,MAAM,MAAM,QAAQ,OAAO,OAAO,MAAM,EAAE;CAC1C,MAAM,aAAa,OAAO,OAAO,CAC/B,wBAAwB,IAAI,OAAO,EACnC,IACD,CAAC;CAGF,MAAM,YAAY,OAAO,OAAO;EAC9B;EACA;EACA;EACA,wBAAwB,QAAQ,UAAU;EAC1C,OAAO,MAAM,EAAE;EAChB,CAAC;AAGF,QAAO,UAAU,cAAc,QAAQ,WAAW,mBAAmB,UAAU;;AAGjF,SAAS,wBAAwB,QAAgB;CAC/C,MAAM,yBAAS,IAAI,YAAY,EAAE;AAEjC,CADa,IAAI,SAAS,OAAO,CAC5B,UAAU,GAAG,OAAO;AACzB,QAAO,IAAI,WAAW,OAAO;;;;;AAM/B,SAAS,UAAU,QAAgB,QAAgB,YAAiC,WAA2B;CAC7G,MAAM,OAAO,KAAK,MAAM,UAAU,MAAM,cAAc,GAAG;CACzD,MAAM,SAAS,OAAO,MAAM,QAAQ,cAAc,GAAG;AAErD,MAAK,IAAI,IAAI,GAAG,IAAI,MAAM,KAAK;EAC7B,MAAM,UAAU,OAAO,MAAM,IAAI,OAAO,SAAS,UAAU,OAAO;AAClE,UAAQ,cAAc,IAAI,EAAE;AAC5B,UAAQ,IAAI,QAAQ,EAAE;AACtB,UAAQ,IAAI,WAAW,IAAI,OAAO,OAAO;AAEzC,aAAW,MAAM,aAAa,CAC3B,OAAO,QAAQ,CACf,QAAQ,CACR,KAAK,QAAS,IAAI,cAAe,EAAE;;AAGxC,QAAO,OAAO,SAAS,GAAG,UAAU,EAAE;;AAGxC,SAAS,0BAA0B,KAA6D;AAC9F,SAAQ,KAAR;EACE,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,YACH,QAAO;EACT,KAAK,SACH,QAAO;EACT,QACE,OAAM,IAAI,IAAI,wCAAwC,QAAQ,IAAI,gBAAgB,OAAO;;;AAK/F,SAAS,mBAAmB,KAA6D;AACvF,SAAQ,KAAR;EACE,KAAK;EACL,KAAK;EACL,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,KAAK,QACH,QAAO;EACT,QACE,OAAM,IAAI,IAAI,wCAAwC,QAAQ,IAAI,gBAAgB,OAAO;;;AAO/F,SAAS,yCACP,qBACQ;AACR,SAAQ,qBAAR;EACE,KAAK;EACL,KAAK;EACL,KAAK,SACH,QAAO;EACT,KAAK,SACH,QAAO;EACT,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK;EACL,KAAK,SACH,QAAO;EAET,KAAK;EACL,KAAK,UACH,QAAO;EACT,KAAK,gBACH,QAAO;EACT,KAAK,oBACH,QAAO"}
package/package.json CHANGED
@@ -4,7 +4,7 @@
4
4
  ".": "./build/index.mjs",
5
5
  "./package.json": "./package.json"
6
6
  },
7
- "version": "0.7.0-pr-2704-20260425132842",
7
+ "version": "0.7.0",
8
8
  "files": [
9
9
  "build"
10
10
  ],
@@ -26,8 +26,8 @@
26
26
  "express": "^5.2.1",
27
27
  "rxjs": "^7.8.2",
28
28
  "ws": "^8.19.0",
29
- "@credo-ts/core": "0.7.0-pr-2704-20260425132842",
30
- "@credo-ts/didcomm": "0.7.0-pr-2704-20260425132842"
29
+ "@credo-ts/core": "0.7.0",
30
+ "@credo-ts/didcomm": "0.7.0"
31
31
  },
32
32
  "devDependencies": {
33
33
  "@types/node": "^20.19.31",