@haneullabs/signers 0.1.0

package/README.md

@@ -0,0 +1,200 @@
+# Haneul KMS Signers
+
+The Haneul KMS Signers package provides a set of tools for securely signing transactions using Key
+Management Services (KMS) like AWS KMS and GCP KMS.
+
+## Table of Contents
+
+- [Haneul KMS Signers](#haneul-kms-signers)
+  - [Table of Contents](#table-of-contents)
+  - [AWS KMS Signer](#aws-kms-signer)
+    - [Usage](#usage)
+    - [API](#api)
+      - [fromKeyId](#fromkeyid)
+        - [Parameters](#parameters)
+        - [Examples](#examples)
+  - [GCP KMS Signer](#gcp-kms-signer)
+    - [Usage](#usage-1)
+      - [fromOptions](#fromoptions)
+        - [Parameters](#parameters-1)
+        - [Examples](#examples-1)
+  - [Ledger Signer](#ledger-signer)
+    - [Usage](#usage-2)
+      - [fromDerivationPath](#fromderivationpath)
+        - [Parameters](#parameters-2)
+        - [Examples](#examples-2)
+
+## AWS KMS Signer
+
+The AWS KMS Signer allows you to leverage AWS's Key Management Service to sign Haneul transactions.
+
+### Usage
+
+```typescript
+import { AwsKmsSigner } from '@haneullabs/signers/aws';
+
+const prepareSigner = async () => {
+	const { AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION, AWS_KMS_KEY_ID } = process.env;
+
+	return AwsKmsSigner.fromKeyId(AWS_KMS_KEY_ID, {
+		region: AWS_REGION,
+		accessKeyId: AWS_ACCESS_KEY_ID,
+		secretAccessKey: AWS_SECRET_ACCESS_KEY,
+	});
+};
+```
+
+### API
+
+#### fromKeyId
+
+Create an AWS KMS signer from AWS Key ID and AWS credentials. This method initializes the signer
+with the necessary AWS credentials and region information, allowing it to interact with AWS KMS to
+perform cryptographic operations.
+
+##### Parameters
+
+- `keyId`
+  **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+  The AWS KMS key ID.
+- `options`
+  **[object](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Object)** An
+  object containing AWS credentials and region.
+  - `region`
+    **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+    The AWS region.
+  - `accessKeyId`
+    **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+    The AWS access key ID.
+  - `secretAccessKey`
+    **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+    The AWS secret access key.
+
+##### Examples
+
+```typescript
+const signer = await AwsKmsSigner.fromKeyId('your-kms-key-id', {
+	region: 'us-west-2',
+	accessKeyId: 'your-access-key-id',
+	secretAccessKey: 'your-secret-access-key',
+});
+```
+
+Returns
+**[Promise](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Promise)<[AwsKmsSigner](https://github.com/GeunhwaJeong/haneul-ts-sdks/blob/main/packages/signers/src/aws/aws-kms-signer.ts)>**
+An instance of AwsKmsSigner.
+
+**Notice**: AWS Signer requires Node >=20 due to dependency on `crypto`
+
+## GCP KMS Signer
+
+The GCP KMS Signer allows you to leverage Google Cloud's Key Management Service to sign Haneul
+transactions.
+
+### Usage
+
+#### fromOptions
+
+Create a GCP KMS signer from the provided options. This method initializes the signer with the
+necessary GCP credentials and configuration, allowing it to interact with GCP KMS to perform
+cryptographic operations.
+
+##### Parameters
+
+- `options`
+  **[object](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Object)** An
+  object containing GCP credentials and configuration.
+  - `projectId`
+    **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+    The GCP project ID.
+  - `location`
+    **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+    The GCP location.
+  - `keyRing`
+    **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+    The GCP key ring.
+  - `cryptoKey`
+    **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+    The GCP crypto key.
+  - `cryptoKeyVersion`
+    **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+    The GCP crypto key version.
+
+##### Examples
+
+```typescript
+const signer = await GcpKmsSigner.fromOptions({
+	projectId: 'your-google-project-id',
+	location: 'your-google-location',
+	keyRing: 'your-google-keyring',
+	cryptoKey: 'your-google-key-name',
+	cryptoKeyVersion: 'your-google-key-name-version',
+});
+
+// Retrieve the public key and get the Haneul address
+const publicKey = signer.getPublicKey();
+console.log(publicKey.toHaneulAddress());
+
+// Define a test message
+const testMessage = 'Hello, GCP KMS Signer!';
+const messageBytes = new TextEncoder().encode(testMessage);
+
+// Sign the test message
+const { signature } = await signer.signPersonalMessage(messageBytes);
+
+// Verify the signature against the public key
+const isValid = await publicKey.verifyPersonalMessage(messageBytes, signature);
+console.log(isValid); // Should print true if the signature is valid
+```
+
+## Ledger Signer
+
+The Ledger Signer allows you to leverage a Ledger hardware wallet to sign Haneul transactions.
+
+### Usage
+
+#### fromDerivationPath
+
+Creates a Ledger signer from the provided options. This method initializes the signer with the
+necessary configuration, allowing it to interact with a Ledger hardare wallet to perform
+cryptographic operations.
+
+##### Parameters
+
+- `options`
+  **[object](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/Object)** An
+  object containing GCP credentials and configuration.
+  - `projectId`
+    **[string](https://developer.mozilla.org/docs/Web/JavaScript/Reference/Global_Objects/String)**
+    The GCP project ID.
+
+##### Examples
+
+```typescript
+import Transport from '@ledgerhq/hw-transport-node-hid';
+import HaneulLedgerClient from '@haneullabs/ledgerjs-hw-app-haneul';
+import { LedgerSigner } from '@haneullabs/signers/ledger';
+import { getFullnodeUrl, HaneulClient } from '@haneullabs/haneul/client';
+import { Transaction } from '@haneullabs/haneul/transactions';
+
+const transport = await Transport.open(undefined);
+const ledgerClient = new HaneulLedgerClient(transport);
+const haneulClient = new HaneulClient({ url: getFullnodeUrl('testnet') });
+
+const signer = await LedgerSigner.fromDerivationPath(
+	"m/44'/784'/0'/0'/0'",
+	ledgerClient,
+	haneulClient,
+);
+
+// Log the Haneul address:
+console.log(signer.toHaneulAddress());
+
+// Define a test transaction:
+const testTransaction = new Transaction();
+const transactionBytes = await testTransaction.build();
+
+// Sign a test transaction:
+const { signature } = await signer.signTransaction(transactionBytes);
+console.log(signature);
+```

package/aws/package.json

@@ -0,0 +1,6 @@
+{
+	"private": true,
+	"import": "../dist/esm/aws/index.js",
+	"main": "../dist/cjs/aws/index.js",
+	"sideEffects": false
+}

package/dist/cjs/aws/aws-client.d.ts

@@ -0,0 +1,43 @@
+import { Secp256k1PublicKey } from '@haneullabs/haneul/keypairs/secp256k1';
+import { Secp256r1PublicKey } from '@haneullabs/haneul/keypairs/secp256r1';
+import { AwsClient } from './aws4fetch.js';
+interface KmsCommands {
+    Sign: {
+        request: {
+            KeyId: string;
+            Message: string;
+            MessageType: 'RAW' | 'DIGEST';
+            SigningAlgorithm: 'ECDSA_SHA_256';
+        };
+        response: {
+            KeyId: string;
+            KeyOrigin: string;
+            Signature: string;
+            SigningAlgorithm: string;
+        };
+    };
+    GetPublicKey: {
+        request: {
+            KeyId: string;
+        };
+        response: {
+            CustomerMasterKeySpec: string;
+            KeyId: string;
+            KeyOrigin: string;
+            KeySpec: string;
+            KeyUsage: string;
+            PublicKey: string;
+            SigningAlgorithms: string[];
+        };
+    };
+}
+export interface AwsClientOptions extends Partial<ConstructorParameters<typeof AwsClient>[0]> {
+}
+export declare class AwsKmsClient extends AwsClient {
+    constructor(options?: AwsClientOptions);
+    getPublicKey(keyId: string): Promise<Secp256r1PublicKey | Secp256k1PublicKey>;
+    runCommand<T extends keyof KmsCommands>(command: T, body: KmsCommands[T]['request'], { region, }?: {
+        region?: string;
+    }): Promise<KmsCommands[T]['response']>;
+}
+export {};

package/dist/cjs/aws/aws-client.js

@@ -0,0 +1,79 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var aws_client_exports = {};
+__export(aws_client_exports, {
+  AwsKmsClient: () => AwsKmsClient
+});
+module.exports = __toCommonJS(aws_client_exports);
+var import_secp256k1 = require("@haneullabs/haneul/keypairs/secp256k1");
+var import_secp256r1 = require("@haneullabs/haneul/keypairs/secp256r1");
+var import_utils = require("@haneullabs/haneul/utils");
+var import_utils2 = require("../utils/utils.js");
+var import_aws4fetch = require("./aws4fetch.js");
+class AwsKmsClient extends import_aws4fetch.AwsClient {
+  constructor(options = {}) {
+    if (!options.accessKeyId || !options.secretAccessKey) {
+      throw new Error("AWS Access Key ID and Secret Access Key are required");
+    }
+    if (!options.region) {
+      throw new Error("Region is required");
+    }
+    super({
+      region: options.region,
+      accessKeyId: options.accessKeyId,
+      secretAccessKey: options.secretAccessKey,
+      service: "kms",
+      ...options
+    });
+  }
+  async getPublicKey(keyId) {
+    const publicKeyResponse = await this.runCommand("GetPublicKey", { KeyId: keyId });
+    if (!publicKeyResponse.PublicKey) {
+      throw new Error("Public Key not found for the supplied `keyId`");
+    }
+    const compressedKey = (0, import_utils2.publicKeyFromDER)((0, import_utils.fromBase64)(publicKeyResponse.PublicKey));
+    switch (publicKeyResponse.KeySpec) {
+      case "ECC_NIST_P256":
+        return new import_secp256r1.Secp256r1PublicKey(compressedKey);
+      case "ECC_SECG_P256K1":
+        return new import_secp256k1.Secp256k1PublicKey(compressedKey);
+      default:
+        throw new Error("Unsupported key spec: " + publicKeyResponse.KeySpec);
+    }
+  }
+  async runCommand(command, body, {
+    region = this.region
+  } = {}) {
+    if (!region) {
+      throw new Error("Region is required");
+    }
+    const res = await this.fetch(`https://kms.${region}.amazonaws.com/`, {
+      headers: {
+        "Content-Type": "application/x-amz-json-1.1",
+        "X-Amz-Target": `TrentService.${command}`
+      },
+      body: JSON.stringify(body)
+    });
+    if (!res.ok) {
+      throw new Error(await res.text());
+    }
+    return res.json();
+  }
+}
+//# sourceMappingURL=aws-client.js.map

package/dist/cjs/aws/aws-client.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/aws/aws-client.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Secp256k1PublicKey } from '@haneullabs/haneul/keypairs/secp256k1';\nimport { Secp256r1PublicKey } from '@haneullabs/haneul/keypairs/secp256r1';\nimport { fromBase64 } from '@haneullabs/haneul/utils';\n\nimport { publicKeyFromDER } from '../utils/utils.js';\nimport { AwsClient } from './aws4fetch.js';\n\ninterface KmsCommands {\n\tSign: {\n\t\trequest: {\n\t\t\tKeyId: string;\n\t\t\tMessage: string;\n\t\t\tMessageType: 'RAW' | 'DIGEST';\n\t\t\tSigningAlgorithm: 'ECDSA_SHA_256';\n\t\t};\n\t\tresponse: {\n\t\t\tKeyId: string;\n\t\t\tKeyOrigin: string;\n\t\t\tSignature: string;\n\t\t\tSigningAlgorithm: string;\n\t\t};\n\t};\n\tGetPublicKey: {\n\t\trequest: { KeyId: string };\n\t\tresponse: {\n\t\t\tCustomerMasterKeySpec: string;\n\t\t\tKeyId: string;\n\t\t\tKeyOrigin: string;\n\t\t\tKeySpec: string;\n\t\t\tKeyUsage: string;\n\t\t\tPublicKey: string;\n\t\t\tSigningAlgorithms: string[];\n\t\t};\n\t};\n}\n\nexport interface AwsClientOptions extends Partial<ConstructorParameters<typeof AwsClient>[0]> {}\n\nexport class AwsKmsClient extends AwsClient {\n\tconstructor(options: AwsClientOptions = {}) {\n\t\tif (!options.accessKeyId || !options.secretAccessKey) {\n\t\t\tthrow new Error('AWS Access Key ID and Secret Access Key are required');\n\t\t}\n\n\t\tif (!options.region) {\n\t\t\tthrow new Error('Region is required');\n\t\t}\n\n\t\tsuper({\n\t\t\tregion: options.region,\n\t\t\taccessKeyId: options.accessKeyId,\n\t\t\tsecretAccessKey: options.secretAccessKey,\n\t\t\tservice: 'kms',\n\t\t\t...options,\n\t\t});\n\t}\n\n\tasync getPublicKey(keyId: string) {\n\t\tconst publicKeyResponse = await this.runCommand('GetPublicKey', { KeyId: keyId });\n\n\t\tif (!publicKeyResponse.PublicKey) {\n\t\t\tthrow new Error('Public Key not found for the supplied `keyId`');\n\t\t}\n\n\t\tconst compressedKey = publicKeyFromDER(fromBase64(publicKeyResponse.PublicKey));\n\n\t\tswitch (publicKeyResponse.KeySpec) {\n\t\t\tcase 'ECC_NIST_P256':\n\t\t\t\treturn new Secp256r1PublicKey(compressedKey);\n\t\t\tcase 'ECC_SECG_P256K1':\n\t\t\t\treturn new Secp256k1PublicKey(compressedKey);\n\t\t\tdefault:\n\t\t\t\tthrow new Error('Unsupported key spec: ' + publicKeyResponse.KeySpec);\n\t\t}\n\t}\n\n\tasync runCommand<T extends keyof KmsCommands>(\n\t\tcommand: T,\n\t\tbody: KmsCommands[T]['request'],\n\t\t{\n\t\t\tregion = this.region!,\n\t\t}: {\n\t\t\tregion?: string;\n\t\t} = {},\n\t): Promise<KmsCommands[T]['response']> {\n\t\tif (!region) {\n\t\t\tthrow new Error('Region is required');\n\t\t}\n\n\t\tconst res = await this.fetch(`https://kms.${region}.amazonaws.com/`, {\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/x-amz-json-1.1',\n\t\t\t\t'X-Amz-Target': `TrentService.${command}`,\n\t\t\t},\n\t\t\tbody: JSON.stringify(body),\n\t\t});\n\n\t\tif (!res.ok) {\n\t\t\tthrow new Error(await res.text());\n\t\t}\n\n\t\treturn res.json();\n\t}\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,uBAAmC;AACnC,uBAAmC;AACnC,mBAA2B;AAE3B,IAAAA,gBAAiC;AACjC,uBAA0B;AAiCnB,MAAM,qBAAqB,2BAAU;AAAA,EAC3C,YAAY,UAA4B,CAAC,GAAG;AAC3C,QAAI,CAAC,QAAQ,eAAe,CAAC,QAAQ,iBAAiB;AACrD,YAAM,IAAI,MAAM,sDAAsD;AAAA,IACvE;AAEA,QAAI,CAAC,QAAQ,QAAQ;AACpB,YAAM,IAAI,MAAM,oBAAoB;AAAA,IACrC;AAEA,UAAM;AAAA,MACL,QAAQ,QAAQ;AAAA,MAChB,aAAa,QAAQ;AAAA,MACrB,iBAAiB,QAAQ;AAAA,MACzB,SAAS;AAAA,MACT,GAAG;AAAA,IACJ,CAAC;AAAA,EACF;AAAA,EAEA,MAAM,aAAa,OAAe;AACjC,UAAM,oBAAoB,MAAM,KAAK,WAAW,gBAAgB,EAAE,OAAO,MAAM,CAAC;AAEhF,QAAI,CAAC,kBAAkB,WAAW;AACjC,YAAM,IAAI,MAAM,+CAA+C;AAAA,IAChE;AAEA,UAAM,oBAAgB,oCAAiB,yBAAW,kBAAkB,SAAS,CAAC;AAE9E,YAAQ,kBAAkB,SAAS;AAAA,MAClC,KAAK;AACJ,eAAO,IAAI,oCAAmB,aAAa;AAAA,MAC5C,KAAK;AACJ,eAAO,IAAI,oCAAmB,aAAa;AAAA,MAC5C;AACC,cAAM,IAAI,MAAM,2BAA2B,kBAAkB,OAAO;AAAA,IACtE;AAAA,EACD;AAAA,EAEA,MAAM,WACL,SACA,MACA;AAAA,IACC,SAAS,KAAK;AAAA,EACf,IAEI,CAAC,GACiC;AACtC,QAAI,CAAC,QAAQ;AACZ,YAAM,IAAI,MAAM,oBAAoB;AAAA,IACrC;AAEA,UAAM,MAAM,MAAM,KAAK,MAAM,eAAe,MAAM,mBAAmB;AAAA,MACpE,SAAS;AAAA,QACR,gBAAgB;AAAA,QAChB,gBAAgB,gBAAgB,OAAO;AAAA,MACxC;AAAA,MACA,MAAM,KAAK,UAAU,IAAI;AAAA,IAC1B,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACZ,YAAM,IAAI,MAAM,MAAM,IAAI,KAAK,CAAC;AAAA,IACjC;AAEA,WAAO,IAAI,KAAK;AAAA,EACjB;AACD;",
+  "names": ["import_utils"]
+}

package/dist/cjs/aws/aws-kms-signer.d.ts

@@ -0,0 +1,61 @@
+import type { PublicKey } from '@haneullabs/haneul/cryptography';
+import { Signer } from '@haneullabs/haneul/cryptography';
+import type { AwsClientOptions } from './aws-client.js';
+import { AwsKmsClient } from './aws-client.js';
+/**
+ * Configuration options for initializing the AwsKmsSigner.
+ */
+export interface AwsKmsSignerOptions {
+    /** AWS KMS Key ID used for signing */
+    kmsKeyId: string;
+    /** Options for setting up the AWS KMS client */
+    client: AwsKmsClient;
+    /** Public key */
+    publicKey: PublicKey;
+}
+/**
+ * Aws KMS Signer integrates AWS Key Management Service (KMS) with the Haneul blockchain
+ * to provide signing capabilities using AWS-managed cryptographic keys.
+ */
+export declare class AwsKmsSigner extends Signer {
+    #private;
+    /**
+     * Creates an instance of AwsKmsSigner. It's expected to call the static `fromKeyId` method to create an instance.
+     * For example:
+     * ```
+     * const signer = await AwsKmsSigner.fromKeyId(keyId, options);
+     * ```
+     * @throws Will throw an error if required AWS credentials or region are not provided.
+     */
+    constructor({ kmsKeyId, client, publicKey }: AwsKmsSignerOptions);
+    /**
+     * Retrieves the key scheme used by this signer.
+     * @returns AWS supports only Secp256k1 and Secp256r1 schemes.
+     */
+    getKeyScheme(): "Secp256k1" | "Secp256r1" | "ED25519" | "MultiSig" | "ZkLogin" | "Passkey";
+    /**
+     * Retrieves the public key associated with this signer.
+     * @returns The Secp256k1PublicKey instance.
+     * @throws Will throw an error if the public key has not been initialized.
+     */
+    getPublicKey(): PublicKey;
+    /**
+     * Signs the given data using AWS KMS.
+     * @param bytes - The data to be signed as a Uint8Array.
+     * @returns A promise that resolves to the signature as a Uint8Array.
+     * @throws Will throw an error if the public key is not initialized or if signing fails.
+     */
+    sign(bytes: Uint8Array): Promise<Uint8Array<ArrayBuffer>>;
+    /**
+     * Synchronous signing is not supported by AWS KMS.
+     * @throws Always throws an error indicating synchronous signing is unsupported.
+     * @deprecated use `sign` instead
+     */
+    signData(): never;
+    /**
+     * Prepares the signer by fetching and setting the public key from AWS KMS.
+     * It is recommended to initialize an `AwsKmsSigner` instance using this function.
+     * @returns A promise that resolves once a `AwsKmsSigner` instance is prepared (public key is set).
+     */
+    static fromKeyId(keyId: string, options: AwsClientOptions): Promise<AwsKmsSigner>;
+}

package/dist/cjs/aws/aws-kms-signer.js

@@ -0,0 +1,114 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+var aws_kms_signer_exports = {};
+__export(aws_kms_signer_exports, {
+  AwsKmsSigner: () => AwsKmsSigner
+});
+module.exports = __toCommonJS(aws_kms_signer_exports);
+var import_cryptography = require("@haneullabs/haneul/cryptography");
+var import_utils = require("@haneullabs/haneul/utils");
+var import_utils2 = require("../utils/utils.js");
+var import_aws_client = require("./aws-client.js");
+var _publicKey, _client, _kmsKeyId;
+const _AwsKmsSigner = class _AwsKmsSigner extends import_cryptography.Signer {
+  /**
+   * Creates an instance of AwsKmsSigner. It's expected to call the static `fromKeyId` method to create an instance.
+   * For example:
+   * ```
+   * const signer = await AwsKmsSigner.fromKeyId(keyId, options);
+   * ```
+   * @throws Will throw an error if required AWS credentials or region are not provided.
+   */
+  constructor({ kmsKeyId, client, publicKey }) {
+    super();
+    __privateAdd(this, _publicKey);
+    /** AWS KMS client instance */
+    __privateAdd(this, _client);
+    /** AWS KMS Key ID used for signing */
+    __privateAdd(this, _kmsKeyId);
+    if (!kmsKeyId) throw new Error("KMS Key ID is required");
+    __privateSet(this, _client, client);
+    __privateSet(this, _kmsKeyId, kmsKeyId);
+    __privateSet(this, _publicKey, publicKey);
+  }
+  /**
+   * Retrieves the key scheme used by this signer.
+   * @returns AWS supports only Secp256k1 and Secp256r1 schemes.
+   */
+  getKeyScheme() {
+    return import_cryptography.SIGNATURE_FLAG_TO_SCHEME[__privateGet(this, _publicKey).flag()];
+  }
+  /**
+   * Retrieves the public key associated with this signer.
+   * @returns The Secp256k1PublicKey instance.
+   * @throws Will throw an error if the public key has not been initialized.
+   */
+  getPublicKey() {
+    return __privateGet(this, _publicKey);
+  }
+  /**
+   * Signs the given data using AWS KMS.
+   * @param bytes - The data to be signed as a Uint8Array.
+   * @returns A promise that resolves to the signature as a Uint8Array.
+   * @throws Will throw an error if the public key is not initialized or if signing fails.
+   */
+  async sign(bytes) {
+    const signResponse = await __privateGet(this, _client).runCommand("Sign", {
+      KeyId: __privateGet(this, _kmsKeyId),
+      Message: (0, import_utils.toBase64)(bytes),
+      MessageType: "RAW",
+      SigningAlgorithm: "ECDSA_SHA_256"
+    });
+    return (0, import_utils2.getConcatenatedSignature)((0, import_utils.fromBase64)(signResponse.Signature), this.getKeyScheme());
+  }
+  /**
+   * Synchronous signing is not supported by AWS KMS.
+   * @throws Always throws an error indicating synchronous signing is unsupported.
+   * @deprecated use `sign` instead
+   */
+  signData() {
+    throw new Error("KMS Signer does not support sync signing");
+  }
+  /**
+   * Prepares the signer by fetching and setting the public key from AWS KMS.
+   * It is recommended to initialize an `AwsKmsSigner` instance using this function.
+   * @returns A promise that resolves once a `AwsKmsSigner` instance is prepared (public key is set).
+   */
+  static async fromKeyId(keyId, options) {
+    const client = new import_aws_client.AwsKmsClient(options);
+    const pubKey = await client.getPublicKey(keyId);
+    return new _AwsKmsSigner({
+      kmsKeyId: keyId,
+      client,
+      publicKey: pubKey
+    });
+  }
+};
+_publicKey = new WeakMap();
+_client = new WeakMap();
+_kmsKeyId = new WeakMap();
+let AwsKmsSigner = _AwsKmsSigner;
+//# sourceMappingURL=aws-kms-signer.js.map

package/dist/cjs/aws/aws-kms-signer.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/aws/aws-kms-signer.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport type { PublicKey, SignatureFlag } from '@haneullabs/haneul/cryptography';\nimport { SIGNATURE_FLAG_TO_SCHEME, Signer } from '@haneullabs/haneul/cryptography';\nimport { fromBase64, toBase64 } from '@haneullabs/haneul/utils';\n\nimport { getConcatenatedSignature } from '../utils/utils.js';\nimport type { AwsClientOptions } from './aws-client.js';\nimport { AwsKmsClient } from './aws-client.js';\n\n/**\n * Configuration options for initializing the AwsKmsSigner.\n */\nexport interface AwsKmsSignerOptions {\n\t/** AWS KMS Key ID used for signing */\n\tkmsKeyId: string;\n\t/** Options for setting up the AWS KMS client */\n\tclient: AwsKmsClient;\n\t/** Public key */\n\tpublicKey: PublicKey;\n}\n\n/**\n * Aws KMS Signer integrates AWS Key Management Service (KMS) with the Haneul blockchain\n * to provide signing capabilities using AWS-managed cryptographic keys.\n */\nexport class AwsKmsSigner extends Signer {\n\t#publicKey: PublicKey;\n\t/** AWS KMS client instance */\n\t#client: AwsKmsClient;\n\t/** AWS KMS Key ID used for signing */\n\t#kmsKeyId: string;\n\n\t/**\n\t * Creates an instance of AwsKmsSigner. It's expected to call the static `fromKeyId` method to create an instance.\n\t * For example:\n\t * ```\n\t * const signer = await AwsKmsSigner.fromKeyId(keyId, options);\n\t * ```\n\t * @throws Will throw an error if required AWS credentials or region are not provided.\n\t */\n\tconstructor({ kmsKeyId, client, publicKey }: AwsKmsSignerOptions) {\n\t\tsuper();\n\t\tif (!kmsKeyId) throw new Error('KMS Key ID is required');\n\n\t\tthis.#client = client;\n\t\tthis.#kmsKeyId = kmsKeyId;\n\t\tthis.#publicKey = publicKey;\n\t}\n\n\t/**\n\t * Retrieves the key scheme used by this signer.\n\t * @returns AWS supports only Secp256k1 and Secp256r1 schemes.\n\t */\n\tgetKeyScheme() {\n\t\treturn SIGNATURE_FLAG_TO_SCHEME[this.#publicKey.flag() as SignatureFlag];\n\t}\n\n\t/**\n\t * Retrieves the public key associated with this signer.\n\t * @returns The Secp256k1PublicKey instance.\n\t * @throws Will throw an error if the public key has not been initialized.\n\t */\n\tgetPublicKey() {\n\t\treturn this.#publicKey;\n\t}\n\n\t/**\n\t * Signs the given data using AWS KMS.\n\t * @param bytes - The data to be signed as a Uint8Array.\n\t * @returns A promise that resolves to the signature as a Uint8Array.\n\t * @throws Will throw an error if the public key is not initialized or if signing fails.\n\t */\n\tasync sign(bytes: Uint8Array): Promise<Uint8Array<ArrayBuffer>> {\n\t\tconst signResponse = await this.#client.runCommand('Sign', {\n\t\t\tKeyId: this.#kmsKeyId,\n\t\t\tMessage: toBase64(bytes),\n\t\t\tMessageType: 'RAW',\n\t\t\tSigningAlgorithm: 'ECDSA_SHA_256',\n\t\t});\n\n\t\t// Concatenate the signature components into a compact form\n\t\treturn getConcatenatedSignature(fromBase64(signResponse.Signature), this.getKeyScheme());\n\t}\n\n\t/**\n\t * Synchronous signing is not supported by AWS KMS.\n\t * @throws Always throws an error indicating synchronous signing is unsupported.\n\t * @deprecated use `sign` instead\n\t */\n\tsignData(): never {\n\t\tthrow new Error('KMS Signer does not support sync signing');\n\t}\n\n\t/**\n\t * Prepares the signer by fetching and setting the public key from AWS KMS.\n\t * It is recommended to initialize an `AwsKmsSigner` instance using this function.\n\t * @returns A promise that resolves once a `AwsKmsSigner` instance is prepared (public key is set).\n\t */\n\tstatic async fromKeyId(keyId: string, options: AwsClientOptions) {\n\t\tconst client = new AwsKmsClient(options);\n\n\t\tconst pubKey = await client.getPublicKey(keyId);\n\n\t\treturn new AwsKmsSigner({\n\t\t\tkmsKeyId: keyId,\n\t\t\tclient,\n\t\t\tpublicKey: pubKey,\n\t\t});\n\t}\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,0BAAiD;AACjD,mBAAqC;AAErC,IAAAA,gBAAyC;AAEzC,wBAA6B;AAR7B;AA0BO,MAAM,gBAAN,MAAM,sBAAqB,2BAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAexC,YAAY,EAAE,UAAU,QAAQ,UAAU,GAAwB;AACjE,UAAM;AAfP;AAEA;AAAA;AAEA;AAAA;AAYC,QAAI,CAAC,SAAU,OAAM,IAAI,MAAM,wBAAwB;AAEvD,uBAAK,SAAU;AACf,uBAAK,WAAY;AACjB,uBAAK,YAAa;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAe;AACd,WAAO,6CAAyB,mBAAK,YAAW,KAAK,CAAkB;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,eAAe;AACd,WAAO,mBAAK;AAAA,EACb;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,KAAK,OAAqD;AAC/D,UAAM,eAAe,MAAM,mBAAK,SAAQ,WAAW,QAAQ;AAAA,MAC1D,OAAO,mBAAK;AAAA,MACZ,aAAS,uBAAS,KAAK;AAAA,MACvB,aAAa;AAAA,MACb,kBAAkB;AAAA,IACnB,CAAC;AAGD,eAAO,4CAAyB,yBAAW,aAAa,SAAS,GAAG,KAAK,aAAa,CAAC;AAAA,EACxF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAkB;AACjB,UAAM,IAAI,MAAM,0CAA0C;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,UAAU,OAAe,SAA2B;AAChE,UAAM,SAAS,IAAI,+BAAa,OAAO;AAEvC,UAAM,SAAS,MAAM,OAAO,aAAa,KAAK;AAE9C,WAAO,IAAI,cAAa;AAAA,MACvB,UAAU;AAAA,MACV;AAAA,MACA,WAAW;AAAA,IACZ,CAAC;AAAA,EACF;AACD;AAnFC;AAEA;AAEA;AALM,IAAM,eAAN;",
+  "names": ["import_utils"]
+}

package/dist/cjs/aws/aws4fetch.d.ts

@@ -0,0 +1,125 @@
+type AwsRequestInit = RequestInit & {
+    aws?: {
+        accessKeyId?: string;
+        secretAccessKey?: string;
+        sessionToken?: string;
+        service?: string;
+        region?: string;
+        cache?: Map<string, ArrayBuffer>;
+        datetime?: string;
+        signQuery?: boolean;
+        appendSessionToken?: boolean;
+        allHeaders?: boolean;
+        singleEncode?: boolean;
+    };
+};
+export declare class AwsClient {
+    accessKeyId: string;
+    secretAccessKey: string;
+    sessionToken: string | undefined;
+    service: string | undefined;
+    region: string | undefined;
+    cache: Map<any, any>;
+    retries: number;
+    initRetryMs: number;
+    /**
+     * @param {} options
+     */
+    constructor({ accessKeyId, secretAccessKey, sessionToken, service, region, cache, retries, initRetryMs, }: {
+        accessKeyId: string;
+        secretAccessKey: string;
+        sessionToken?: string;
+        service?: string;
+        region?: string;
+        cache?: Map<string, ArrayBuffer>;
+        retries?: number;
+        initRetryMs?: number;
+    });
+    sign(input: Request | {
+        toString: () => string;
+    }, init: AwsRequestInit): Promise<Request>;
+    /**
+     * @param {Request | { toString: () => string }} input
+     * @param {?AwsRequestInit} [init]
+     * @returns {Promise<Response>}
+     */
+    fetch(input: Request | {
+        toString: () => string;
+    }, init: AwsRequestInit): Promise<Response>;
+}
+export declare class AwsV4Signer {
+    method: any;
+    url: URL;
+    headers: Headers;
+    body: any;
+    accessKeyId: any;
+    secretAccessKey: any;
+    sessionToken: any;
+    service: any;
+    region: any;
+    cache: any;
+    datetime: any;
+    signQuery: any;
+    appendSessionToken: any;
+    signableHeaders: any[];
+    signedHeaders: any;
+    canonicalHeaders: any;
+    credentialString: string;
+    encodedPath: string;
+    encodedSearch: string;
+    /**
+     * @param {} options
+     */
+    constructor({ method, url, headers, body, accessKeyId, secretAccessKey, sessionToken, service, region, cache, datetime, signQuery, appendSessionToken, allHeaders, singleEncode, }: {
+        method?: string;
+        url: string;
+        headers?: HeadersInit;
+        body?: BodyInit | null;
+        accessKeyId: string;
+        secretAccessKey: string;
+        sessionToken?: string;
+        service?: string;
+        region?: string;
+        cache?: Map<string, ArrayBuffer>;
+        datetime?: string;
+        signQuery?: boolean;
+        appendSessionToken?: boolean;
+        allHeaders?: boolean;
+        singleEncode?: boolean;
+    });
+    /**
+     * @returns {Promise<{
+     *   method: string
+     *   url: URL
+     *   headers: Headers
+     *   body?: BodyInit | null
+     * }>}
+     */
+    sign(): Promise<{
+        method: any;
+        url: URL;
+        headers: Headers;
+        body: any;
+    }>;
+    /**
+     * @returns {Promise<string>}
+     */
+    authHeader(): Promise<string>;
+    /**
+     * @returns {Promise<string>}
+     */
+    signature(): Promise<string>;
+    /**
+     * @returns {Promise<string>}
+     */
+    stringToSign(): Promise<string>;
+    /**
+     * @returns {Promise<string>}
+     */
+    canonicalString(): Promise<string>;
+    /**
+     * @returns {Promise<string>}
+     */
+    hexBodyHash(): Promise<string>;
+}
+export {};