@enbox/agent 0.0.1

package/src/prototyping/crypto/primitives/hkdf.ts

@@ -0,0 +1,121 @@
+// ! TODO : Make sure I remove `@noble/ciphers` from the Agent package.json once this is moved to the `@enbox/crypto` package.
+import { getWebcryptoSubtle } from '@noble/ciphers/webcrypto';
+
+import { Convert } from '@enbox/common';
+import { DeriveKeyBytesParams } from '../types/params-direct.js';
+
+/**
+ * The object that should be passed into `Hkdf.deriveKey()`, when using the HKDF algorithm.
+ */
+export type HkdfParams = {
+  /**
+   * A string representing the digest algorithm to use. This may be one of:
+   * - 'SHA-256'
+   * - 'SHA-384'
+   * - 'SHA-512'
+   */
+  hash: 'SHA-256' | 'SHA-384' | 'SHA-512';
+
+  /**
+   * The salt value to use in the derivation process.
+   *
+   * Ideally, the salt is a random or pseudo-random value with the same length as the output of the
+   * digest function. Unlike the input key material passed into deriveKey(), salt does not need to
+   * be kept secret.
+   *
+   * Note: The {@link https://datatracker.ietf.org/doc/html/rfc5869 | HKDF specification} states
+   *       that adding salt "adds significantly to the strength of HKDF".
+   */
+  salt: string | Uint8Array;
+
+  /**
+   * Optional application-specific information to use in the HKDF.
+   *
+   * If given, this value is used to bind the derived key to application-specific contextual
+   * information. This makes it possible to derive different keys for different contexts while using
+   * the same input key material.
+   *
+   * If not provided, the `info` value is set to an empty array.
+   *
+   * Note: It is important that the `info` value be independent and unrelated to the input key
+   * material.
+   */
+  info?: string | Uint8Array,
+};
+
+/**
+ * The `Hkdf` class provides an interface for HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
+ * as defined in RFC 5869.
+ *
+ * Note: The `baseKeyBytes` that will be the input key material for HKDF should be a high-entropy secret
+ * value, such as a cryptographic key. It should be kept confidential and not be derived from a
+ * low-entropy value, such as a password.
+ *
+ * @example
+ * ```ts
+ * const info = new Uint8Array([...]);
+ * const derivedKeyBytes = await Hkdf.deriveKeyBytes({
+ *   baseKeyBytes: new Uint8Array([...]), // Input keying material
+ *   hash: 'SHA-256', // The hash function to use ('SHA-256', 'SHA-384', 'SHA-512')
+ *   salt: new Uint8Array([...]), // The salt value
+ *   info: new Uint8Array([...]), // Optional application-specific information
+ *   length: 256 // The length of the derived key in bits
+ * });
+ * ```
+ */
+export class Hkdf {
+  /**
+   * Derives a key using the HMAC-based Extract-and-Expand Key Derivation Function (HKDF).
+   *
+   * This method generates a derived key using a hash function from input keying material given as
+   * `baseKeyBytes`. The length of the derived key can be specified. Optionally, it can also use a salt
+   * and info for the derivation process.
+   *
+   * HKDF is useful in various cryptographic applications and protocols, especially when
+   * there's a need to derive multiple keys from a single source of key material.
+   *
+   * Note: The `baseKeyBytes` that will be the input key material for HKDF should be a high-entropy
+   * secret value, such as a cryptographic key. It should be kept confidential and not be derived
+   * from a low-entropy value, such as a password.
+   *
+   * @example
+   * ```ts
+   * const info = new Uint8Array([...]);
+   * const derivedKeyBytes = await Hkdf.deriveKeyBytes({
+   *   baseKeyBytes: new Uint8Array([...]), // Input keying material
+   *   hash: 'SHA-256', // The hash function to use ('SHA-256', 'SHA-384', 'SHA-512')
+   *   salt: new Uint8Array([...]), // The salt value
+   *   info: new Uint8Array([...]), // Optional application-specific information
+   *   length: 256 // The length of the derived key in bits
+   * });
+   * ```
+   *
+   * @param params - The parameters for key derivation.
+   * @returns A Promise that resolves to the derived key as a byte array.
+   */
+  public static async deriveKeyBytes({ baseKeyBytes, length, hash, salt, info = new Uint8Array() }:
+    DeriveKeyBytesParams & HkdfParams
+  ): Promise<Uint8Array> {
+    // Get the Web Crypto API interface.
+    const webCrypto = getWebcryptoSubtle() as SubtleCrypto;
+
+    // Import the baseKeyBytes into the Web Crypto API to use for the key derivation operation.
+    const webCryptoKey = await webCrypto.importKey('raw', baseKeyBytes, { name: 'HKDF' }, false, ['deriveBits']);
+
+    // Convert the salt and info to Uint8Array if they are provided as strings.
+    salt = typeof salt === 'string' ? Convert.string(salt).toUint8Array() : salt;
+    info = typeof info === 'string' ? Convert.string(info).toUint8Array() : info;
+
+    // Derive the bytes using the Web Crypto API.
+    const derivedKeyBuffer = await crypto.subtle.deriveBits(
+      { name: 'HKDF', hash, salt, info },
+      webCryptoKey,
+      length
+    );
+
+    // Convert from ArrayBuffer to Uint8Array.
+    const derivedKeyBytes = new Uint8Array(derivedKeyBuffer);
+
+    return derivedKeyBytes;
+  }
+}

package/src/prototyping/crypto/primitives/pbkdf2.ts

@@ -0,0 +1,116 @@
+// ! TODO : Make sure I remove `@noble/ciphers` from the Agent package.json once this is moved to the `@enbox/crypto` package.
+import { getWebcryptoSubtle } from '@noble/ciphers/webcrypto';
+
+import type { DeriveKeyBytesParams } from '../types/params-direct.js';
+
+/**
+ * The object that should be passed into `Pbkdf2.deriveKeyBytes()`, when using the PBKDF2 algorithm.
+ */
+export interface Pbkdf2Params {
+  /**
+   * A string representing the digest algorithm to use. This may be one of:
+   * - 'SHA-256'
+   * - 'SHA-384'
+   * - 'SHA-512'
+   */
+  hash: 'SHA-256' | 'SHA-384' | 'SHA-512';
+
+  /**
+   * The salt value to use in the derivation process, as a Uint8Array. This should be a random or
+   * pseudo-random value of at least 16 bytes. Unlike the `password`, `salt` does not need to be
+   * kept secret.
+   */
+  salt: Uint8Array;
+
+  /**
+   * A `Number` representing the number of iterations the hash function will be executed in
+   * `deriveKey()`. This impacts the computational cost of the `deriveKey()` operation, making it
+   * more resistant to dictionary attacks. The higher the number, the more secure, but also slower,
+   * the operation. Choose a value that balances security needs and performance for your
+   * application.
+   */
+  iterations: number;
+}
+
+/**
+ * The `Pbkdf2` class provides a secure way to derive cryptographic keys from a password
+ * using the PBKDF2 (Password-Based Key Derivation Function 2) algorithm.
+ *
+ * The PBKDF2 algorithm is widely used for generating keys from passwords, as it applies
+ * a pseudorandom function to the input password along with a salt value and iterates the
+ * process multiple times to increase the key's resistance to brute-force attacks.
+ *
+ * Notes:
+ * - The `baseKeyBytes` that will be the input key material for PBKDF2 is expected to be a low-entropy
+ *   value, such as a password or passphrase. It should be kept confidential.
+ * - In 2023, {@link https://web.archive.org/web/20230123232056/https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 | OWASP recommended}
+ *   a minimum of 600,000 iterations for PBKDF2-HMAC-SHA256 and 210,000 for PBKDF2-HMAC-SHA512.
+ *
+ * @example
+ * ```ts
+ * // Key Derivation
+ * const derivedKeyBytes = await Pbkdf2.deriveKeyBytes({
+ *   baseKeyBytes: new TextEncoder().encode('password'), // The password as a Uint8Array
+ *   hash: 'SHA-256', // The hash function to use ('SHA-256', 'SHA-384', 'SHA-512')
+ *   salt: new Uint8Array([...]), // The salt value
+ *   iterations: 600_000, // The number of iterations
+ *   length: 256 // The length of the derived key in bits
+ * });
+ * ```
+ *
+ * @remarks
+ * This class relies on the availability of the Web Crypto API.
+ */
+export class Pbkdf2 {
+  /**
+   * Derives a cryptographic key from a password using the PBKDF2 algorithm.
+   *
+   * @remarks
+   * This method applies the PBKDF2 algorithm to the provided password along with
+   * a salt value and iterates the process a specified number of times. It uses
+   * a cryptographic hash function to enhance security and produce a key of the
+   * desired length. The method is capable of utilizing either the Web Crypto API
+   * or the Node.js Crypto module, depending on the environment's support.
+   *
+   * @example
+   * ```ts
+   * const derivedKeyBytes = await Pbkdf2.deriveKeyBytes({
+   *   baseKeyBytes: new TextEncoder().encode('password'), // The password as a Uint8Array
+   *   hash: 'SHA-256', // The hash function to use ('SHA-256', 'SHA-384', 'SHA-512')
+   *   salt: new Uint8Array([...]), // The salt value
+   *   iterations: 600_000, // The number of iterations
+   *   length: 256 // The length of the derived key in bits
+   * });
+   * ```
+   *
+   * @param params - The parameters for key derivation.
+   * @returns A Promise that resolves to the derived key as a byte array.
+   */
+  public static async deriveKeyBytes({ baseKeyBytes, hash, salt, iterations, length }:
+    DeriveKeyBytesParams & Pbkdf2Params
+  ): Promise<Uint8Array> {
+    // Get the Web Crypto API interface.
+    const webCrypto = getWebcryptoSubtle() as SubtleCrypto;
+
+    // Import the password as a raw key for use with the Web Crypto API.
+    const webCryptoKey = await webCrypto.importKey(
+      'raw',              // key format is raw bytes
+      baseKeyBytes,       // key data to import
+      { name: 'PBKDF2' }, // algorithm identifier
+      false,              // key is not extractable
+      ['deriveBits']      // key usages
+    );
+
+    // Derive the bytes using the Web Crypto API.
+    const derivedKeyBuffer = await webCrypto.deriveBits(
+      { name: 'PBKDF2', hash, salt, iterations },
+      webCryptoKey,
+      length
+    );
+
+    // Convert from ArrayBuffer to Uint8Array.
+    const derivedKeyBytes = new Uint8Array(derivedKeyBuffer);
+
+    return derivedKeyBytes;
+  }
+}

package/src/prototyping/crypto/types/cipher.ts

@@ -0,0 +1,17 @@
+export type InferCipherAlgorithm<T> = T extends {
+  /**
+   * The `encrypt` method signature from which the algorithm type is inferred.
+   * This is an internal implementation detail and not part of the public API.
+   */
+  encrypt(params: infer P): any;
+}
+? P extends {
+    /**
+     * The `algorithm` property within the parameters of `encrypt`.
+     * This internal element is used to infer the algorithm type.
+     */
+    algorithm: infer A
+  }
+  ? A
+  : never
+: never;

package/src/prototyping/crypto/types/crypto-api.ts

@@ -0,0 +1,78 @@
+import type {
+  Jwk,
+  CryptoApi as OldCryptoApi,
+  KeyWrapper,
+  SignParams,
+  DigestParams,
+  VerifyParams,
+  GenerateKeyParams,
+  GetPublicKeyParams,
+  Cipher,
+} from '@enbox/crypto';
+
+import type { KeyConverter } from './key-converter.js';
+import type { AsymmetricKeyConverter } from './key-converter.js';
+import type { KeyBytesDeriver, KeyDeriver } from './key-deriver.js';
+import type { BytesToPrivateKeyParams, BytesToPublicKeyParams, CipherParams, DeriveKeyBytesParams, DeriveKeyParams, PrivateKeyToBytesParams, PublicKeyToBytesParams, UnwrapKeyParams, WrapKeyParams } from './params-direct.js';
+
+/**
+ * The `DsaApi` interface integrates key generation, hashing, and signing functionalities,
+ * designed for use with a Key Management System (KMS). It extends `AsymmetricKeyGenerator` for
+ * generating asymmetric keys, `Hasher` for hash digest computations, and `Signer` for signing and
+ * verifying operations.
+ *
+ * Concrete implementations of this interface are intended to be used with a KMS, which is
+ * responsible for generating and storing cryptographic keys. The KMS is also responsible for
+ * performing cryptographic operations using the keys it manages. The KMS is typically a cloud
+ * service, but it can also be a hardware device or software application.
+ *
+ * Guidelines for implementing this interface:
+ * - Must use JSON Web Keys ({@link Jwk | JWK}) as the key format.
+ * - Must IANA registered JSON Object Signing and Encryption
+ *   {@ link https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms | (JOSE)}
+ *   names for algorithm, curves, etc. whenever possible.
+ * - All I/O that interacts with private or secret keys must be done via reference using a
+ *   {@link KeyIdentifier | `KeyIdentifier`}. Implementations can use any string as the key
+ *   identifier (e.g. JWK thumbprint, UUID generated by hosted KMS, etc.).
+ * - Must support key generation, hashing, signing, and verifying operations.
+ * - May be extended to support other cryptographic operations.
+ * - Implementations of the `DsaApi` interface can be passed as an argument to the public API
+ *   methods of Web5 libraries that involve key material (e.g., DID creation, VC signing, arbitrary
+ *   data signing/verification, etc.).
+ */
+export interface DsaApi<
+  GenerateKeyInput = GenerateKeyParams,
+  GenerateKeyOutput = Jwk,
+  GetPublicKeyInput = GetPublicKeyParams,
+  DigestInput = DigestParams,
+  SignInput = SignParams,
+  VerifyInput = VerifyParams
+> extends OldCryptoApi<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput, DigestInput, SignInput, VerifyInput> {}
+
+export interface CryptoApi<
+  GenerateKeyInput = GenerateKeyParams,
+  GenerateKeyOutput = Jwk,
+  GetPublicKeyInput = GetPublicKeyParams,
+  DigestInput = DigestParams,
+  SignInput = SignParams,
+  VerifyInput = VerifyParams,
+  EncryptInput = CipherParams,
+  DecryptInput = CipherParams,
+  BytesToPublicKeyInput = BytesToPublicKeyParams,
+  PublicKeyToBytesInput = PublicKeyToBytesParams,
+  BytesToPrivateKeyInput = BytesToPrivateKeyParams,
+  PrivateKeyToBytesInput = PrivateKeyToBytesParams,
+  DeriveKeyInput = DeriveKeyParams,
+  DeriveKeyOutput = Jwk,
+  DeriveKeyBytesInput = DeriveKeyBytesParams,
+  DeriveKeyBytesOutput = Uint8Array,
+  WrapKeyInput = WrapKeyParams,
+  UnwrapKeyInput = UnwrapKeyParams
+> extends
+  DsaApi<GenerateKeyInput, GenerateKeyOutput, GetPublicKeyInput, DigestInput, SignInput, VerifyInput>,
+  Cipher<EncryptInput, DecryptInput>,
+  AsymmetricKeyConverter<BytesToPublicKeyInput, PublicKeyToBytesInput>,
+  KeyConverter<BytesToPrivateKeyInput, PrivateKeyToBytesInput>,
+  KeyDeriver<DeriveKeyInput, DeriveKeyOutput>,
+  KeyBytesDeriver<DeriveKeyBytesInput, DeriveKeyBytesOutput>,
+  KeyWrapper<WrapKeyInput, UnwrapKeyInput> {}

package/src/prototyping/crypto/types/key-converter.ts

@@ -0,0 +1,53 @@
+import type { Jwk } from '@enbox/crypto';
+
+/**
+ * `KeyConverter` interface for converting private keys between byte array and JWK formats.
+ */
+export interface KeyConverter<BytesToPrivateKeyInput, PrivateKeyToBytesInput> {
+
+  /**
+   * Converts a private key from a byte array to JWK format.
+   *
+   * @param params - The parameters for the private key conversion.
+   * @param params.privateKeyBytes - The raw private key as a Uint8Array.
+   *
+   * @returns A Promise that resolves to the private key in JWK format.
+   */
+  bytesToPrivateKey(params: BytesToPrivateKeyInput): Promise<Jwk>;
+
+  /**
+   * Converts a private key from JWK format to a byte array.
+   *
+   * @param params - The parameters for the private key conversion.
+   * @param params.privateKey - The private key in JWK format.
+   *
+   * @returns A Promise that resolves to the private key as a Uint8Array.
+   */
+  privateKeyToBytes(params: PrivateKeyToBytesInput): Promise<Uint8Array>;
+}
+
+/**
+ * `AsymmetricKeyConverter` interface extends {@link KeyConverter |`KeyConverter`}, adding support
+ * for public key conversions.
+ */
+export interface AsymmetricKeyConverter<BytesToPublicKeyInput, PublicKeyToBytesInput> {
+  /**
+   * Converts a public key from a byte array to JWK format.
+   *
+   * @param params - The parameters for the public key conversion.
+   * @param params.publicKeyBytes - The raw public key as a Uint8Array.
+   *
+   * @returns A Promise that resolves to the public key in JWK format.
+   */
+  bytesToPublicKey(params: BytesToPublicKeyInput): Promise<Jwk>;
+
+  /**
+   * Converts a public key from JWK format to a byte array.
+   *
+   * @param params - The parameters for the public key conversion.
+   * @param params.publicKey - The public key in JWK format.
+   *
+   * @returns A Promise that resolves to the public key as a Uint8Array.
+   */
+  publicKeyToBytes(params: PublicKeyToBytesInput): Promise<Uint8Array>;
+}

package/src/prototyping/crypto/types/key-deriver.ts

@@ -0,0 +1,56 @@
+/**
+ * The `KeyDeriver` interface provide a method for key derivation.
+ *
+ * The `deriveKey()` method derives a {@link Jwk | JWK} from input data using the specified key
+ * derivation algorithm. This interface is designed to support various key derivation
+ * algorithms, accommodating different input and output types.
+ */
+export interface KeyDeriver<
+  DeriveKeyInput,
+  DeriveKeyOutput,
+> {
+  /**
+   * Derives a cryptographic key in JWK format based on the provided input parameters.
+   *
+   * @remarks
+   * The `deriveKey()` method of the {@link KeyDeriver | `KeyDeriver`} interface is utilized to
+   * generate cryptographic keys for operations like encryption, decryption, or signing. The method
+   * takes in parameters tailored to the key derivation algorithm being used and returns a promise
+   * that resolves to the derived key.
+   *
+   * @param params - The parameters for the key derivation process, specific to the chosen
+   *                 algorithm.
+   *
+   * @returns A Promise resolving to the derived key in the specified output format.
+   */
+  deriveKey(params: DeriveKeyInput): Promise<DeriveKeyOutput>;
+}
+
+/**
+ * The `KeyBytesDeriver` interface provide a method for deriving a byte array using a key derivation
+ * algorithm.
+ *
+ * The `deriveKeyBytes()` method to derives cryptographic bits from input data using the specified
+ * key derivation algorithm. This interface is designed to support various key derivation
+ * algorithms, accommodating different input and output types.
+ */
+export interface KeyBytesDeriver<
+  DeriveKeyBytesInput,
+  DeriveKeyBytesOutput
+> {
+  /**
+   * Generates a specified number of cryptographic bits from given input parameters.
+   *
+   * @remarks
+   * The `deriveKeyBytes()` method of the {@link KeyBytesDeriver | `KeyBytesDeriver`} interface is
+   * used to create cryptographic material such as initialization vectors or keys from various
+   * sources. The method takes in parameters specific to the chosen key derivation algorithm and
+   * outputs a promise that resolves to a `Uint8Array` containing the derived bits.
+   *
+   * @param params - The parameters for the key derivation process, specific to the chosen
+   *                 algorithm.
+   *
+   * @returns A Promise resolving to the derived bits in the specified format.
+   */
+  deriveKeyBytes(params: DeriveKeyBytesInput): Promise<DeriveKeyBytesOutput>;
+}

package/src/prototyping/crypto/types/key-io.ts

@@ -0,0 +1,51 @@
+import type { Jwk } from '@enbox/crypto';
+
+/**
+ * The `KeyExporter` interface provides a method for exporting cryptographic keys.
+ */
+export interface KeyExporter<ExportKeyInput, ExportKeyOutput = Jwk> {
+  /**
+   * Exports a cryptographic key to an external JWK object.
+   *
+   * @remarks
+   * The `exportKey()` method of the {@link KeyImporterExporter | `KeyImporterExporter`} interface
+   * returns a cryptographic key in JWK format, facilitating interoperability and backup.
+   *
+   * @param params - The parameters for the key export operation.
+   *
+   * @returns A Promise resolving to the exported key in JWK format.
+   */
+  exportKey(params: ExportKeyInput): Promise<ExportKeyOutput>;
+}
+
+/**
+ * The `KeyImporter` interface provides a method for importing cryptographic keys.
+ */
+export interface KeyImporter<ImportKeyInput, ImportKeyOutput = void> {
+  /**
+   * Imports an external key in JWK format.
+   *
+   * @remarks
+   * The `importKey()` method of the {@link KeyImporterExporter | `KeyImporterExporter`} interface
+   * takes as input an external key in JWK format and typically returns a key identifier reference
+   * for the imported key.
+   *
+   * @param params - The parameters for the key import operation.
+   *
+   * @returns A Promise resolving to the key identifier of the imported key.
+   */
+  importKey(params: ImportKeyInput): Promise<ImportKeyOutput>;
+}
+
+export interface KeyDeleter<DeleteKeyInput> {
+  /**
+   * Deletes a cryptographic key.
+   *
+   * @remarks
+   * The `deleteKey()` method of the {@link KeyDeleter | `KeyDeleter`} interface deletes a cryptographic
+   * key from the key store.
+   *
+   * @param params - The parameters for the key deletion operation.
+   */
+  deleteKey(params: DeleteKeyInput): Promise<void>;
+}

package/src/prototyping/crypto/types/key-manager.ts

@@ -0,0 +1,83 @@
+import type {
+  KeyIdentifier,
+  KmsSignParams,
+  KmsDigestParams,
+  KmsVerifyParams,
+  KmsGetKeyUriParams,
+  KmsGenerateKeyParams,
+  KmsGetPublicKeyParams,
+} from '@enbox/crypto';
+
+import type { DsaApi } from './crypto-api.js';
+import type { KmsCipherParams } from './params-kms.js';
+// import type { Web5PlatformAgent } from '../../../types/agent.js';
+
+export interface KeyManagerParams {
+  CipherInput?: unknown;
+  GenerateKeyInput?: unknown;
+  GenerateKeyOutput?: unknown;
+  GetPublicKeyInput?: unknown;
+  SignInput?: unknown;
+  VerifyInput?: unknown;
+}
+
+export interface DefaultKeyManagerParams {
+  CipherInput: KmsCipherParams;
+  GenerateKeyInput: KmsGenerateKeyParams;
+  GenerateKeyOutput: KeyIdentifier;
+  GetPublicKeyInput: KmsGetPublicKeyParams;
+  SignInput: KmsSignParams;
+  VerifyInput: KmsVerifyParams;
+}
+
+/**
+ * The `KeyManager` interface integrates key generation and signing capabilities.
+ *
+ * Concrete implementations of this interface are intended to be used as a Key Management System
+ * (KMS), which is responsible for generating and storing cryptographic keys. The KMS is also
+ * responsible for performing cryptographic operations using the keys it manages. The KMS can be
+ * a local software based KMS, a cloud service, or a hardware device.
+ *
+ * Guidelines for implementing this interface:
+ * - Must use JSON Web Keys ({@link Jwk | JWK}) as the key format.
+ * - Must IANA registered JSON Object Signing and Encryption
+ *   {@ link https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms | (JOSE)}
+ *   names for algorithm, curves, etc. whenever possible.
+ * - All I/O that interacts with private or secret keys must be done via reference using a
+ *   {@link KeyIdentifier | `KeyIdentifier`}. Implementations can use any string as the key
+ *   identifier (e.g. JWK thumbprint, UUID generated by hosted KMS, etc.).
+ * - Must support key generation an signing operations.
+ * - May be extended to support other cryptographic operations.
+ * - Implementations of the `CryptoApi` interface can be passed as an argument to the public API
+ *   methods of Web5 libraries that involve key material (e.g., DID creation, VC signing, arbitrary
+ *   data signing/verification, etc.).
+ *
+ * @example
+ * ```ts
+ * // Example of using the KeyManager interface with default types
+ * class DefaultKeyManager implements KeyManager {} // Uses default types
+ *
+ * // Example of using the KeyManager interface with custom types
+ * class CustomKeyManager implements KeyManager<{
+ *   GenerateKeyInput: CustomGenerateKeyParams, // Custom type
+ *   KmsGetPublicKeyParams: CustomGetPublicKeyParams, // Custom type
+ *   KmsSignParams: CustomSignParams, // Custom type
+ *   // Omitting KmsVerifyParams to use the default
+ * }> {
+ *   // Implementation here
+ * }
+ * ```
+ *
+ * @typeParam T - The type of the key manager parameters.
+ */
+export interface KeyManager<T extends KeyManagerParams = DefaultKeyManagerParams>
+  extends DsaApi<T['GenerateKeyInput'], T['GenerateKeyOutput'], T['GetPublicKeyInput'], KmsDigestParams, T['SignInput'], T['VerifyInput']> {
+
+  /**
+   *
+   * @param params - The parameters for getting the key URI.
+   * @param params.key - The key to get the URI for.
+   * @returns The key URI.
+   */
+  getKeyUri(params: KmsGetKeyUriParams): Promise<KeyIdentifier>;
+}

package/src/prototyping/crypto/types/key-wrapper.ts

@@ -0,0 +1,17 @@
+export type InferKeyUnwrapAlgorithm<T> = T extends {
+  /**
+   * The `unwrapKey` method signature from which the algorithm type is inferred.
+   * This is an internal implementation detail and not part of the public API.
+   */
+  unwrapKey(params: infer P): any;
+}
+? P extends {
+    /**
+     * The `wrappedKeyAlgorithm` property within the parameters of `unwrapKey`.
+     * This internal element is used to infer the algorithm type.
+     */
+    wrappedKeyAlgorithm: infer A
+  }
+  ? A
+  : never
+: never;