@fgv/ts-extras 5.1.0-17 → 5.1.0-19

package/lib/packlets/crypto-utils/keystore/keyStore.js

@@ -99,8 +99,9 @@ function getCurrentTimestamp() {
  * @public
  */
 class KeyStore {
-    constructor(cryptoProvider, iterations, keystoreFile, isNew = true) {
+    constructor(cryptoProvider, iterations, keystoreFile, isNew, privateKeyStorage) {
         this._cryptoProvider = cryptoProvider;
+        this._privateKeyStorage = privateKeyStorage;
         this._iterations = iterations;
         this._keystoreFile = keystoreFile;
         this._state = 'locked';
@@ -123,7 +124,7 @@ class KeyStore {
         if (iterations < 1) {
             return (0, ts_utils_1.fail)('Iterations must be at least 1');
         }
-        return (0, ts_utils_1.succeed)(new KeyStore(params.cryptoProvider, iterations, undefined, true));
+        return (0, ts_utils_1.succeed)(new KeyStore(params.cryptoProvider, iterations, undefined, true, params.privateKeyStorage));
     }
     /**
      * Opens an existing encrypted key store.
@@ -139,7 +140,7 @@ class KeyStore {
             return (0, ts_utils_1.fail)(`Invalid key store file: ${fileResult.message}`);
         }
         const iterations = fileResult.value.keyDerivation.iterations;
-        return (0, ts_utils_1.succeed)(new KeyStore(params.cryptoProvider, iterations, fileResult.value, false));
+        return (0, ts_utils_1.succeed)(new KeyStore(params.cryptoProvider, iterations, fileResult.value, false, params.privateKeyStorage));
     }
     // ============================================================================
     // Lifecycle Methods
@@ -253,7 +254,9 @@ class KeyStore {
         // Clear secrets from memory (overwrite for security)
         if (this._secrets) {
             for (const entry of this._secrets.values()) {
-                entry.key.fill(0);
+                if (entry.type !== 'asymmetric-keypair') {
+                    entry.key.fill(0);
+                }
             }
             this._secrets.clear();
             this._secrets = undefined;
@@ -315,7 +318,9 @@ class KeyStore {
         return (0, ts_utils_1.succeed)(Array.from(this._secrets.keys()));
     }
     /**
-     * Gets a secret by name.
+     * Gets a secret by name. Returns the {@link CryptoUtils.KeyStore.IKeyStoreEntry | discriminated union}
+     * — callers must check `entry.type` before accessing `key`/`id` since asymmetric
+     * entries carry no raw key material.
      * @param name - Name of the secret
      * @returns Success with secret entry, Failure if not found or locked
      * @public
@@ -330,6 +335,27 @@ class KeyStore {
         }
         return (0, ts_utils_1.succeed)(entry);
     }
+    /**
+     * Returns the public-key JWK for an asymmetric-keypair entry.
+     * Available without {@link CryptoUtils.KeyStore.IPrivateKeyStorage} since the
+     * public key lives in the vault metadata directly.
+     * @param name - Name of the entry
+     * @returns Success with the JWK, Failure if not found, locked, or wrong type
+     * @public
+     */
+    getPublicKeyJwk(name) {
+        if (!this._secrets) {
+            return (0, ts_utils_1.fail)('Key store is locked');
+        }
+        const entry = this._secrets.get(name);
+        if (!entry) {
+            return (0, ts_utils_1.fail)(`Secret '${name}' not found`);
+        }
+        if (entry.type !== 'asymmetric-keypair') {
+            return (0, ts_utils_1.fail)(`Secret '${name}' is not an asymmetric keypair (type: ${entry.type})`);
+        }
+        return (0, ts_utils_1.succeed)(entry.publicKeyJwk);
+    }
     /**
      * Checks if a secret exists.
      * @param name - Name of the secret
@@ -356,7 +382,6 @@ class KeyStore {
         if (!name || name.length === 0) {
             return (0, ts_utils_1.fail)('Secret name cannot be empty');
         }
-        const replaced = this._secrets.has(name);
         // Generate a new random key
         const keyResult = await this._cryptoProvider.generateKey();
         /* c8 ignore next 3 - crypto provider errors tested but coverage intermittently missed */
@@ -370,9 +395,11 @@ class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const existing = this._secrets.get(name);
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
-        return (0, ts_utils_1.succeed)({ entry, replaced });
+        return (0, ts_utils_1.succeed)({ entry, replaced: existing !== undefined, warning });
     }
     /**
      * Imports raw 32-byte key material into the vault.
@@ -388,7 +415,7 @@ class KeyStore {
      * @returns Success with entry, Failure if locked, key invalid, or exists and !replace
      * @public
      */
-    importSecret(name, key, options) {
+    async importSecret(name, key, options) {
         var _a;
         if (!this._secrets) {
             return (0, ts_utils_1.fail)('Key store is locked');
@@ -399,8 +426,8 @@ class KeyStore {
         if (key.length !== Constants.AES_256_KEY_SIZE) {
             return (0, ts_utils_1.fail)(`Key must be ${Constants.AES_256_KEY_SIZE} bytes, got ${key.length}`);
         }
-        const exists = this._secrets.has(name);
-        if (exists && !(options === null || options === void 0 ? void 0 : options.replace)) {
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
             return (0, ts_utils_1.fail)(`Secret '${name}' already exists - use replace=true to overwrite`);
         }
         const entry = {
@@ -410,9 +437,10 @@ class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
-        return (0, ts_utils_1.succeed)({ entry, replaced: exists });
+        return (0, ts_utils_1.succeed)({ entry, replaced: existing !== undefined, warning });
     }
     /**
      * Adds a secret derived from a password using PBKDF2.
@@ -439,8 +467,8 @@ class KeyStore {
         if (!password || password.length === 0) {
             return (0, ts_utils_1.fail)('Password cannot be empty');
         }
-        const exists = this._secrets.has(name);
-        if (exists && !(options === null || options === void 0 ? void 0 : options.replace)) {
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
             return (0, ts_utils_1.fail)(`Secret '${name}' already exists - use replace=true to overwrite`);
         }
         const iterations = (_a = options === null || options === void 0 ? void 0 : options.iterations) !== null && _a !== void 0 ? _a : model_1.DEFAULT_SECRET_ITERATIONS;
@@ -463,11 +491,13 @@ class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
         return (0, ts_utils_1.succeed)({
             entry,
-            replaced: exists,
+            replaced: existing !== undefined,
+            warning,
             keyDerivation: {
                 kdf: 'pbkdf2',
                 salt: this._cryptoProvider.toBase64(saltResult.value),
@@ -476,12 +506,16 @@ class KeyStore {
         });
     }
     /**
-     * Removes a secret by name.
+     * Removes a secret by name. Vault-first: the in-memory vault entry is dropped
+     * before any storage cleanup runs. For asymmetric-keypair entries, best-effort
+     * calls {@link CryptoUtils.KeyStore.IPrivateKeyStorage}.delete on the entry's
+     * `id`; a failure is reported via `warning` on the result but does not roll
+     * back the vault removal.
      * @param name - Name of the secret to remove
-     * @returns Success with removed entry, Failure if not found or locked
+     * @returns Success with removed entry (and optional warning), Failure if not found or locked
      * @public
      */
-    removeSecret(name) {
+    async removeSecret(name) {
         if (!this._secrets) {
             return (0, ts_utils_1.fail)('Key store is locked');
         }
@@ -489,11 +523,12 @@ class KeyStore {
         if (!entry) {
             return (0, ts_utils_1.fail)(`Secret '${name}' not found`);
         }
-        // Clear the key before removing (security)
-        entry.key.fill(0);
+        // Vault-first: drop the in-memory entry before touching storage so a
+        // storage failure cannot block removal.
         this._secrets.delete(name);
         this._dirty = true;
-        return (0, ts_utils_1.succeed)(entry);
+        const warning = await this._releaseEntryResources(entry);
+        return (0, ts_utils_1.succeed)({ entry, warning });
     }
     /**
      * Imports an API key string into the vault.
@@ -504,7 +539,7 @@ class KeyStore {
      * @returns Success with entry, Failure if locked, empty, or exists and !replace
      * @public
      */
-    importApiKey(name, apiKey, options) {
+    async importApiKey(name, apiKey, options) {
         if (!this._secrets) {
             return (0, ts_utils_1.fail)('Key store is locked');
         }
@@ -514,8 +549,8 @@ class KeyStore {
         if (!apiKey || apiKey.length === 0) {
             return (0, ts_utils_1.fail)('API key cannot be empty');
         }
-        const exists = this._secrets.has(name);
-        if (exists && !(options === null || options === void 0 ? void 0 : options.replace)) {
+        const existing = this._secrets.get(name);
+        if (existing && !(options === null || options === void 0 ? void 0 : options.replace)) {
             return (0, ts_utils_1.fail)(`Secret '${name}' already exists - use replace=true to overwrite`);
         }
         const encoder = new TextEncoder();
@@ -526,9 +561,10 @@ class KeyStore {
             description: options === null || options === void 0 ? void 0 : options.description,
             createdAt: getCurrentTimestamp()
         };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
         this._secrets.set(name, entry);
         this._dirty = true;
-        return (0, ts_utils_1.succeed)({ entry, replaced: exists });
+        return (0, ts_utils_1.succeed)({ entry, replaced: existing !== undefined, warning });
     }
     /**
      * Retrieves an API key string by name.
@@ -551,6 +587,118 @@ class KeyStore {
         const decoder = new TextDecoder();
         return (0, ts_utils_1.succeed)(decoder.decode(entry.key));
     }
+    // ============================================================================
+    // Asymmetric Keypair Management
+    // ============================================================================
+    /**
+     * Adds a new asymmetric keypair to the vault. Storage-first: the private key
+     * is stored under a freshly-minted `id` before the public-key vault entry is
+     * committed. If the storage call fails, no vault entry is written and the
+     * operation returns Failure.
+     *
+     * When `replace: true` displaces an existing entry (asymmetric or symmetric),
+     * a fresh `id` is minted; the displaced entry's resources are released
+     * best-effort. Failure of the storage delete is reported via `warning` on the
+     * result but does not roll back the replacement.
+     *
+     * Requires a {@link CryptoUtils.KeyStore.IPrivateKeyStorage} backend
+     * supplied at construction.
+     *
+     * @param name - Unique name for the entry
+     * @param options - Algorithm, optional description, replace flag
+     * @returns Success with the new entry, Failure if locked, no provider, or storage write failed
+     * @public
+     */
+    async addKeyPair(name, options) {
+        if (!this._secrets) {
+            return (0, ts_utils_1.fail)('Key store is locked');
+        }
+        if (!name || name.length === 0) {
+            return (0, ts_utils_1.fail)('Entry name cannot be empty');
+        }
+        if (!this._privateKeyStorage) {
+            return (0, ts_utils_1.fail)('No private key storage configured');
+        }
+        const existing = this._secrets.get(name);
+        if (existing && !options.replace) {
+            return (0, ts_utils_1.fail)(`Secret '${name}' already exists - use replace=true to overwrite`);
+        }
+        // Generate the keypair before touching storage. extractable=true on backends
+        // that round-trip via JWK; extractable=false on backends that hold CryptoKey
+        // refs directly.
+        const extractable = !this._privateKeyStorage.supportsNonExtractable;
+        const keyPairResult = await this._cryptoProvider.generateKeyPair(options.algorithm, extractable);
+        /* c8 ignore next 3 - crypto provider errors covered in nodeCryptoProvider tests; cannot be triggered here without mocking */
+        if (keyPairResult.isFailure()) {
+            return (0, ts_utils_1.fail)(`Failed to generate keypair for '${name}': ${keyPairResult.message}`);
+        }
+        const { publicKey, privateKey } = keyPairResult.value;
+        const jwkResult = await this._cryptoProvider.exportPublicKeyJwk(publicKey);
+        /* c8 ignore next 3 - export of an extractable freshly-generated public key is hard to fail */
+        if (jwkResult.isFailure()) {
+            return (0, ts_utils_1.fail)(`Failed to export public key for '${name}': ${jwkResult.message}`);
+        }
+        const idResult = this._generateId();
+        /* c8 ignore next 3 - random-bytes failure is hard to trigger with a healthy provider */
+        if (idResult.isFailure()) {
+            return (0, ts_utils_1.fail)(`Failed to mint storage id for '${name}': ${idResult.message}`);
+        }
+        const id = idResult.value;
+        // Storage-first: write the private key before committing the vault entry.
+        const storeResult = await this._privateKeyStorage.store(id, privateKey);
+        if (storeResult.isFailure()) {
+            return (0, ts_utils_1.fail)(`Failed to persist private key for '${name}': ${storeResult.message}`);
+        }
+        const entry = {
+            name,
+            type: 'asymmetric-keypair',
+            id,
+            algorithm: options.algorithm,
+            publicKeyJwk: jwkResult.value,
+            description: options.description,
+            createdAt: getCurrentTimestamp()
+        };
+        const warning = existing ? await this._releaseEntryResources(existing) : undefined;
+        this._secrets.set(name, entry);
+        this._dirty = true;
+        return (0, ts_utils_1.succeed)({ entry, replaced: existing !== undefined, warning });
+    }
+    /**
+     * Retrieves the keypair for an asymmetric-keypair entry. The private key is
+     * loaded from {@link CryptoUtils.KeyStore.IPrivateKeyStorage} on every call —
+     * the keystore never caches private `CryptoKey` references between calls.
+     * The public key is re-imported from the vault's JWK so callers always
+     * receive a `CryptoKey` rather than the JWK form.
+     * @param name - Name of the entry
+     * @returns Success with `{ publicKey, privateKey }`, Failure if not found,
+     * locked, wrong type, no provider, or storage load failed.
+     * @public
+     */
+    async getKeyPair(name) {
+        if (!this._secrets) {
+            return (0, ts_utils_1.fail)('Key store is locked');
+        }
+        const entry = this._secrets.get(name);
+        if (!entry) {
+            return (0, ts_utils_1.fail)(`Secret '${name}' not found`);
+        }
+        if (entry.type !== 'asymmetric-keypair') {
+            return (0, ts_utils_1.fail)(`Secret '${name}' is not an asymmetric keypair (type: ${entry.type})`);
+        }
+        if (!this._privateKeyStorage) {
+            return (0, ts_utils_1.fail)('No private key storage configured');
+        }
+        const privateResult = await this._privateKeyStorage.load(entry.id);
+        if (privateResult.isFailure()) {
+            return (0, ts_utils_1.fail)(`Failed to load private key for '${name}': ${privateResult.message}`);
+        }
+        const publicResult = await this._cryptoProvider.importPublicKeyJwk(entry.publicKeyJwk, entry.algorithm);
+        /* c8 ignore next 3 - vault JWKs that previously exported cleanly are extremely unlikely to fail re-import */
+        if (publicResult.isFailure()) {
+            return (0, ts_utils_1.fail)(`Failed to re-import public key for '${name}': ${publicResult.message}`);
+        }
+        return (0, ts_utils_1.succeed)({ publicKey: publicResult.value, privateKey: privateResult.value });
+    }
     /**
      * Lists secret names filtered by type.
      * @param type - The secret type to filter by
@@ -590,7 +738,8 @@ class KeyStore {
         if (oldName !== newName && this._secrets.has(newName)) {
             return (0, ts_utils_1.fail)(`Secret '${newName}' already exists`);
         }
-        // Create new entry with new name (preserve type)
+        // Create new entry with new name. For asymmetric entries the spread
+        // preserves `id` so the storage handle survives the rename.
         const newEntry = Object.assign(Object.assign({}, entry), { name: newName });
         this._secrets.delete(oldName);
         this._secrets.set(newName, newEntry);
@@ -710,6 +859,9 @@ class KeyStore {
         if (secretResult.isFailure()) {
             return (0, ts_utils_1.fail)(`encryptByName: ${secretResult.message}`);
         }
+        if (secretResult.value.type === 'asymmetric-keypair') {
+            return (0, ts_utils_1.fail)(`encryptByName: secret '${secretName}' is an asymmetric keypair, not symmetric key material`);
+        }
         return (0, encryptedFile_1.createEncryptedFile)({
             content,
             secretName,
@@ -737,6 +889,9 @@ class KeyStore {
             if (!entry) {
                 return (0, ts_utils_1.fail)(`Secret '${secretName}' not found in key store`);
             }
+            if (entry.type === 'asymmetric-keypair') {
+                return (0, ts_utils_1.fail)(`Secret '${secretName}' is an asymmetric keypair, not symmetric key material`);
+            }
             return (0, ts_utils_1.succeed)(entry.key);
         };
         return (0, ts_utils_1.succeed)(provider);
@@ -770,13 +925,26 @@ class KeyStore {
         // Build vault contents
         const secretEntries = {};
         for (const [name, entry] of secrets) {
-            secretEntries[name] = {
-                name: entry.name,
-                type: entry.type,
-                key: this._cryptoProvider.toBase64(entry.key),
-                description: entry.description,
-                createdAt: entry.createdAt
-            };
+            if (entry.type === 'asymmetric-keypair') {
+                secretEntries[name] = {
+                    name: entry.name,
+                    type: entry.type,
+                    id: entry.id,
+                    algorithm: entry.algorithm,
+                    publicKeyJwk: entry.publicKeyJwk,
+                    description: entry.description,
+                    createdAt: entry.createdAt
+                };
+            }
+            else {
+                secretEntries[name] = {
+                    name: entry.name,
+                    type: entry.type,
+                    key: this._cryptoProvider.toBase64(entry.key),
+                    description: entry.description,
+                    createdAt: entry.createdAt
+                };
+            }
         }
         const vaultContents = {
             version: model_1.KEYSTORE_FORMAT,
@@ -816,7 +984,6 @@ class KeyStore {
      * Shared by `unlock()` and `unlockWithKey()`.
      */
     async _decryptVault(derivedKey) {
-        var _a;
         const keystoreFile = this._keystoreFile;
         if (keystoreFile === undefined) {
             return (0, ts_utils_1.fail)('No key store file loaded');
@@ -856,20 +1023,33 @@ class KeyStore {
         }
         const secrets = new Map();
         for (const [name, jsonEntry] of Object.entries(vaultResult.value.secrets)) {
-            const keyBytesResult = this._cryptoProvider.fromBase64(jsonEntry.key);
-            /* c8 ignore next 3 - error path tested but coverage intermittently missed */
-            if (keyBytesResult.isFailure()) {
-                return (0, ts_utils_1.fail)(`Invalid key for secret '${name}': ${keyBytesResult.message}`);
+            if (jsonEntry.type === 'asymmetric-keypair') {
+                const entry = {
+                    name,
+                    type: jsonEntry.type,
+                    id: jsonEntry.id,
+                    algorithm: jsonEntry.algorithm,
+                    publicKeyJwk: jsonEntry.publicKeyJwk,
+                    description: jsonEntry.description,
+                    createdAt: jsonEntry.createdAt
+                };
+                secrets.set(name, entry);
+            }
+            else {
+                const keyBytesResult = this._cryptoProvider.fromBase64(jsonEntry.key);
+                /* c8 ignore next 3 - error path tested but coverage intermittently missed */
+                if (keyBytesResult.isFailure()) {
+                    return (0, ts_utils_1.fail)(`Invalid key for secret '${name}': ${keyBytesResult.message}`);
+                }
+                const entry = {
+                    name,
+                    type: jsonEntry.type,
+                    key: keyBytesResult.value,
+                    description: jsonEntry.description,
+                    createdAt: jsonEntry.createdAt
+                };
+                secrets.set(name, entry);
             }
-            const entry = {
-                name,
-                /* c8 ignore next 1 - backwards compatibility: old vaults may lack type field */
-                type: (_a = jsonEntry.type) !== null && _a !== void 0 ? _a : 'encryption-key',
-                key: keyBytesResult.value,
-                description: jsonEntry.description,
-                createdAt: jsonEntry.createdAt
-            };
-            secrets.set(name, entry);
         }
         // All validation passed — commit state atomically
         this._salt = saltResult.value;
@@ -878,6 +1058,51 @@ class KeyStore {
         this._dirty = false;
         return (0, ts_utils_1.succeed)(this);
     }
+    // ============================================================================
+    // Private: Helpers for asymmetric flows
+    // ============================================================================
+    /**
+     * Releases the resources held by an entry being displaced from the vault.
+     * Symmetric entries get their key buffer zeroed in place. Asymmetric entries
+     * have their private-key blob best-effort deleted from
+     * {@link CryptoUtils.KeyStore.IPrivateKeyStorage}; if the storage call fails,
+     * a warning string is returned but the displacement still proceeds — the
+     * orphaned blob is left for consumer-side GC. Without a configured provider,
+     * asymmetric cleanup is silently skipped.
+     * @returns A warning string if storage cleanup failed, otherwise undefined.
+     */
+    async _releaseEntryResources(entry) {
+        if (entry.type === 'asymmetric-keypair') {
+            if (!this._privateKeyStorage) {
+                return undefined;
+            }
+            const deleteResult = await this._privateKeyStorage.delete(entry.id);
+            if (deleteResult.isFailure()) {
+                return `Failed to delete prior storage blob for '${entry.name}' (id ${entry.id}): ${deleteResult.message}`;
+            }
+            return undefined;
+        }
+        entry.key.fill(0);
+        return undefined;
+    }
+    /**
+     * Mints a fresh UUID v4 storage handle using the crypto provider's
+     * {@link CryptoUtils.ICryptoProvider.generateRandomBytes | generateRandomBytes}.
+     * Random-bytes failures propagate as Failure.
+     */
+    _generateId() {
+        return this._cryptoProvider.generateRandomBytes(16).onSuccess((bytes) => {
+            // Per RFC 4122 §4.4: set version (4) and variant (10xx) bits.
+            // eslint-disable-next-line no-bitwise
+            bytes[6] = (bytes[6] & 0x0f) | 0x40;
+            // eslint-disable-next-line no-bitwise
+            bytes[8] = (bytes[8] & 0x3f) | 0x80;
+            const hex = Array.from(bytes)
+                .map((b) => b.toString(16).padStart(2, '0'))
+                .join('');
+            return (0, ts_utils_1.succeed)(`${hex.slice(0, 8)}-${hex.slice(8, 12)}-${hex.slice(12, 16)}-${hex.slice(16, 20)}-${hex.slice(20, 32)}`);
+        });
+    }
 }
 exports.KeyStore = KeyStore;
 //# sourceMappingURL=keyStore.js.map