@haneullabs/signers 0.1.0

package/dist/cjs/ledger/objects.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/ledger/objects.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport type { Transaction } from '@haneullabs/haneul/transactions';\nimport type { HaneulClient } from '@haneullabs/haneul/client';\nimport { HaneulMoveObject } from './bcs.js';\n\nexport const getInputObjects = async (transaction: Transaction, client: HaneulClient) => {\n\tconst data = transaction.getData();\n\n\tconst gasObjectIds = data.gasData.payment?.map((object) => object.objectId) ?? [];\n\tconst inputObjectIds = data.inputs\n\t\t.map((input) => {\n\t\t\treturn input.$kind === 'Object' && input.Object.$kind === 'ImmOrOwnedObject'\n\t\t\t\t? input.Object.ImmOrOwnedObject.objectId\n\t\t\t\t: null;\n\t\t})\n\t\t.filter((objectId): objectId is string => !!objectId);\n\n\tconst objects = await client.multiGetObjects({\n\t\tids: [...gasObjectIds, ...inputObjectIds],\n\t\toptions: {\n\t\t\tshowBcs: true,\n\t\t\tshowPreviousTransaction: true,\n\t\t\tshowStorageRebate: true,\n\t\t\tshowOwner: true,\n\t\t},\n\t});\n\n\t// NOTE: We should probably get rid of this manual serialization logic in favor of using the\n\t// already serialized object bytes from the GraphQL API once there is more mainstream support\n\t// for it + we can enforce the transport type on the Haneul client.\n\tconst bcsObjects = objects\n\t\t.map((object) => {\n\t\t\tif (object.error || !object.data || object.data.bcs?.dataType !== 'moveObject') {\n\t\t\t\treturn null;\n\t\t\t}\n\n\t\t\treturn HaneulMoveObject.serialize({\n\t\t\t\tdata: {\n\t\t\t\t\tMoveObject: {\n\t\t\t\t\t\ttype: object.data.bcs.type,\n\t\t\t\t\t\thasPublicTransfer: object.data.bcs.hasPublicTransfer,\n\t\t\t\t\t\tversion: object.data.bcs.version,\n\t\t\t\t\t\tcontents: object.data.bcs.bcsBytes,\n\t\t\t\t\t},\n\t\t\t\t},\n\t\t\t\towner: object.data.owner!,\n\t\t\t\tpreviousTransaction: object.data.previousTransaction!,\n\t\t\t\tstorageRebate: object.data.storageRebate!,\n\t\t\t}).toBytes();\n\t\t})\n\t\t.filter((bcsBytes): bcsBytes is Uint8Array<ArrayBuffer> => !!bcsBytes);\n\n\treturn { bcsObjects };\n};\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAKA,iBAAiC;AAE1B,MAAM,kBAAkB,OAAO,aAA0B,WAAyB;AACxF,QAAM,OAAO,YAAY,QAAQ;AAEjC,QAAM,eAAe,KAAK,QAAQ,SAAS,IAAI,CAAC,WAAW,OAAO,QAAQ,KAAK,CAAC;AAChF,QAAM,iBAAiB,KAAK,OAC1B,IAAI,CAAC,UAAU;AACf,WAAO,MAAM,UAAU,YAAY,MAAM,OAAO,UAAU,qBACvD,MAAM,OAAO,iBAAiB,WAC9B;AAAA,EACJ,CAAC,EACA,OAAO,CAAC,aAAiC,CAAC,CAAC,QAAQ;AAErD,QAAM,UAAU,MAAM,OAAO,gBAAgB;AAAA,IAC5C,KAAK,CAAC,GAAG,cAAc,GAAG,cAAc;AAAA,IACxC,SAAS;AAAA,MACR,SAAS;AAAA,MACT,yBAAyB;AAAA,MACzB,mBAAmB;AAAA,MACnB,WAAW;AAAA,IACZ;AAAA,EACD,CAAC;AAKD,QAAM,aAAa,QACjB,IAAI,CAAC,WAAW;AAChB,QAAI,OAAO,SAAS,CAAC,OAAO,QAAQ,OAAO,KAAK,KAAK,aAAa,cAAc;AAC/E,aAAO;AAAA,IACR;AAEA,WAAO,4BAAiB,UAAU;AAAA,MACjC,MAAM;AAAA,QACL,YAAY;AAAA,UACX,MAAM,OAAO,KAAK,IAAI;AAAA,UACtB,mBAAmB,OAAO,KAAK,IAAI;AAAA,UACnC,SAAS,OAAO,KAAK,IAAI;AAAA,UACzB,UAAU,OAAO,KAAK,IAAI;AAAA,QAC3B;AAAA,MACD;AAAA,MACA,OAAO,OAAO,KAAK;AAAA,MACnB,qBAAqB,OAAO,KAAK;AAAA,MACjC,eAAe,OAAO,KAAK;AAAA,IAC5B,CAAC,EAAE,QAAQ;AAAA,EACZ,CAAC,EACA,OAAO,CAAC,aAAkD,CAAC,CAAC,QAAQ;AAEtE,SAAO,EAAE,WAAW;AACrB;",
+  "names": []
+}

package/dist/cjs/package.json

@@ -0,0 +1,5 @@
+{
+  "private": true,
+  "type": "commonjs",
+  "sideEffects": false
+}

package/dist/cjs/utils/utils.d.ts

@@ -0,0 +1,18 @@
+/** The total number of bits in the DER bit string for the uncompressed public key. */
+export declare const DER_BIT_STRING_LENGTH = 520;
+/** The total number of bytes corresponding to the DER bit string length. */
+export declare const DER_BYTES_LENGTH: number;
+export declare function publicKeyFromDER(derBytes: Uint8Array): Uint8Array<ArrayBufferLike>;
+export declare function getConcatenatedSignature(signature: Uint8Array, keyScheme: string): Uint8Array<ArrayBuffer>;
+/**
+ * Compresses an uncompressed public key into its compressed form.
+ *
+ * The uncompressed key must follow the DER bit string format as specified in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#section-2.2)
+ * and [SEC 1: Elliptic Curve Cryptography](https://www.secg.org/sec1-v2.pdf).
+ *
+ * @param uncompressedKey - A `Uint8ClampedArray` representing the uncompressed public key bits.
+ * @returns A `Uint8Array` containing the compressed public key.
+ *
+ * @throws {Error} If the uncompressed key has an unexpected length or does not start with the expected prefix.
+ */
+export declare function compressPublicKeyClamped(uncompressedKey: Uint8ClampedArray): Uint8Array;

package/dist/cjs/utils/utils.js

@@ -0,0 +1,85 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var utils_exports = {};
+__export(utils_exports, {
+  DER_BIT_STRING_LENGTH: () => DER_BIT_STRING_LENGTH,
+  DER_BYTES_LENGTH: () => DER_BYTES_LENGTH,
+  compressPublicKeyClamped: () => compressPublicKeyClamped,
+  getConcatenatedSignature: () => getConcatenatedSignature,
+  publicKeyFromDER: () => publicKeyFromDER
+});
+module.exports = __toCommonJS(utils_exports);
+var import_p256 = require("@noble/curves/p256");
+var import_secp256k1 = require("@noble/curves/secp256k1");
+var import_asn1_ts = require("asn1-ts");
+const DER_BIT_STRING_LENGTH = 520;
+const DER_BYTES_LENGTH = DER_BIT_STRING_LENGTH / 8;
+function bitsToBytes(bitsArray) {
+  const bytes = new Uint8Array(DER_BYTES_LENGTH);
+  for (let i = 0; i < DER_BIT_STRING_LENGTH; i++) {
+    if (bitsArray[i] === 1) {
+      bytes[Math.floor(i / 8)] |= 1 << 7 - i % 8;
+    }
+  }
+  return bytes;
+}
+function publicKeyFromDER(derBytes) {
+  const encodedData = derBytes;
+  const derElement = new import_asn1_ts.DERElement();
+  derElement.fromBytes(encodedData);
+  if (!(derElement.tagClass === import_asn1_ts.ASN1TagClass.universal && derElement.construction === import_asn1_ts.ASN1Construction.constructed)) {
+    throw new Error("Unexpected ASN.1 structure");
+  }
+  const components = derElement.components;
+  const publicKeyElement = components[1];
+  if (!publicKeyElement) {
+    throw new Error("Public Key not found in the DER structure");
+  }
+  return compressPublicKeyClamped(publicKeyElement.bitString);
+}
+function getConcatenatedSignature(signature, keyScheme) {
+  if (!signature || signature.length === 0) {
+    throw new Error("Invalid signature");
+  }
+  const derElement = new import_asn1_ts.DERElement();
+  derElement.fromBytes(signature);
+  const [r, s] = derElement.toJSON();
+  switch (keyScheme) {
+    case "Secp256k1":
+      return new import_secp256k1.secp256k1.Signature(BigInt(r), BigInt(s)).normalizeS().toCompactRawBytes();
+    case "Secp256r1":
+      return new import_p256.secp256r1.Signature(BigInt(r), BigInt(s)).normalizeS().toCompactRawBytes();
+    default:
+      throw new Error("Unsupported key scheme");
+  }
+}
+function compressPublicKeyClamped(uncompressedKey) {
+  if (uncompressedKey.length !== DER_BIT_STRING_LENGTH) {
+    throw new Error("Unexpected length for an uncompressed public key");
+  }
+  const uncompressedBytes = bitsToBytes(uncompressedKey);
+  if (uncompressedBytes[0] !== 4) {
+    throw new Error("Public key does not start with 0x04");
+  }
+  const xCoord = uncompressedBytes.slice(1, 33);
+  const yCoordLastByte = uncompressedBytes[64];
+  const parityByte = yCoordLastByte % 2 === 0 ? 2 : 3;
+  return new Uint8Array([parityByte, ...xCoord]);
+}
+//# sourceMappingURL=utils.js.map

package/dist/cjs/utils/utils.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/utils/utils.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { secp256r1 } from '@noble/curves/p256';\nimport { secp256k1 } from '@noble/curves/secp256k1';\nimport { ASN1Construction, ASN1TagClass, DERElement } from 'asn1-ts';\n\n/** The total number of bits in the DER bit string for the uncompressed public key. */\nexport const DER_BIT_STRING_LENGTH = 520;\n\n/** The total number of bytes corresponding to the DER bit string length. */\nexport const DER_BYTES_LENGTH = DER_BIT_STRING_LENGTH / 8;\n\n// Reference Specifications:\n// https://datatracker.ietf.org/doc/html/rfc5480#section-2.2\n// https://www.secg.org/sec1-v2.pdf\n\n/**\n * Converts an array of bits into a byte array.\n *\n * @param bitsArray - A `Uint8ClampedArray` representing the bits to convert.\n * @returns A `Uint8Array` containing the corresponding bytes.\n *\n * @throws {Error} If the input array does not have the expected length.\n */\nfunction bitsToBytes(bitsArray: Uint8ClampedArray): Uint8Array {\n\tconst bytes = new Uint8Array(DER_BYTES_LENGTH);\n\tfor (let i = 0; i < DER_BIT_STRING_LENGTH; i++) {\n\t\tif (bitsArray[i] === 1) {\n\t\t\tbytes[Math.floor(i / 8)] |= 1 << (7 - (i % 8));\n\t\t}\n\t}\n\treturn bytes;\n}\n\nexport function publicKeyFromDER(derBytes: Uint8Array) {\n\tconst encodedData: Uint8Array = derBytes;\n\tconst derElement = new DERElement();\n\tderElement.fromBytes(encodedData);\n\n\t// Validate the ASN.1 structure of the public key\n\tif (\n\t\t!(\n\t\t\tderElement.tagClass === ASN1TagClass.universal &&\n\t\t\tderElement.construction === ASN1Construction.constructed\n\t\t)\n\t) {\n\t\tthrow new Error('Unexpected ASN.1 structure');\n\t}\n\n\tconst components = derElement.components;\n\tconst publicKeyElement = components[1];\n\n\tif (!publicKeyElement) {\n\t\tthrow new Error('Public Key not found in the DER structure');\n\t}\n\n\treturn compressPublicKeyClamped(publicKeyElement.bitString);\n}\n\nexport function getConcatenatedSignature(signature: Uint8Array, keyScheme: string) {\n\tif (!signature || signature.length === 0) {\n\t\tthrow new Error('Invalid signature');\n\t}\n\n\t// Initialize a DERElement to parse the DER-encoded signature\n\tconst derElement = new DERElement();\n\tderElement.fromBytes(signature);\n\n\tconst [r, s] = derElement.toJSON() as [string, string];\n\n\tswitch (keyScheme) {\n\t\tcase 'Secp256k1':\n\t\t\treturn new secp256k1.Signature(BigInt(r), BigInt(s))\n\t\t\t\t.normalizeS()\n\t\t\t\t.toCompactRawBytes() as Uint8Array<ArrayBuffer>;\n\t\tcase 'Secp256r1':\n\t\t\treturn new secp256r1.Signature(BigInt(r), BigInt(s))\n\t\t\t\t.normalizeS()\n\t\t\t\t.toCompactRawBytes() as Uint8Array<ArrayBuffer>;\n\t\tdefault:\n\t\t\tthrow new Error('Unsupported key scheme');\n\t}\n}\n\n/**\n * Compresses an uncompressed public key into its compressed form.\n *\n * The uncompressed key must follow the DER bit string format as specified in [RFC 5480](https://datatracker.ietf.org/doc/html/rfc5480#section-2.2)\n * and [SEC 1: Elliptic Curve Cryptography](https://www.secg.org/sec1-v2.pdf).\n *\n * @param uncompressedKey - A `Uint8ClampedArray` representing the uncompressed public key bits.\n * @returns A `Uint8Array` containing the compressed public key.\n *\n * @throws {Error} If the uncompressed key has an unexpected length or does not start with the expected prefix.\n */\nexport function compressPublicKeyClamped(uncompressedKey: Uint8ClampedArray): Uint8Array {\n\tif (uncompressedKey.length !== DER_BIT_STRING_LENGTH) {\n\t\tthrow new Error('Unexpected length for an uncompressed public key');\n\t}\n\n\t// Convert bits to bytes\n\tconst uncompressedBytes = bitsToBytes(uncompressedKey);\n\n\t// Ensure the public key starts with the standard uncompressed prefix 0x04\n\tif (uncompressedBytes[0] !== 0x04) {\n\t\tthrow new Error('Public key does not start with 0x04');\n\t}\n\n\t// Extract X-Coordinate (skip the first byte, which is the prefix 0x04)\n\tconst xCoord = uncompressedBytes.slice(1, 33);\n\n\t// Determine parity byte for Y coordinate based on the last byte\n\tconst yCoordLastByte = uncompressedBytes[64];\n\tconst parityByte = yCoordLastByte % 2 === 0 ? 0x02 : 0x03;\n\n\t// Return the compressed public key consisting of the parity byte and X-coordinate\n\treturn new Uint8Array([parityByte, ...xCoord]);\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAGA,kBAA0B;AAC1B,uBAA0B;AAC1B,qBAA2D;AAGpD,MAAM,wBAAwB;AAG9B,MAAM,mBAAmB,wBAAwB;AAcxD,SAAS,YAAY,WAA0C;AAC9D,QAAM,QAAQ,IAAI,WAAW,gBAAgB;AAC7C,WAAS,IAAI,GAAG,IAAI,uBAAuB,KAAK;AAC/C,QAAI,UAAU,CAAC,MAAM,GAAG;AACvB,YAAM,KAAK,MAAM,IAAI,CAAC,CAAC,KAAK,KAAM,IAAK,IAAI;AAAA,IAC5C;AAAA,EACD;AACA,SAAO;AACR;AAEO,SAAS,iBAAiB,UAAsB;AACtD,QAAM,cAA0B;AAChC,QAAM,aAAa,IAAI,0BAAW;AAClC,aAAW,UAAU,WAAW;AAGhC,MACC,EACC,WAAW,aAAa,4BAAa,aACrC,WAAW,iBAAiB,gCAAiB,cAE7C;AACD,UAAM,IAAI,MAAM,4BAA4B;AAAA,EAC7C;AAEA,QAAM,aAAa,WAAW;AAC9B,QAAM,mBAAmB,WAAW,CAAC;AAErC,MAAI,CAAC,kBAAkB;AACtB,UAAM,IAAI,MAAM,2CAA2C;AAAA,EAC5D;AAEA,SAAO,yBAAyB,iBAAiB,SAAS;AAC3D;AAEO,SAAS,yBAAyB,WAAuB,WAAmB;AAClF,MAAI,CAAC,aAAa,UAAU,WAAW,GAAG;AACzC,UAAM,IAAI,MAAM,mBAAmB;AAAA,EACpC;AAGA,QAAM,aAAa,IAAI,0BAAW;AAClC,aAAW,UAAU,SAAS;AAE9B,QAAM,CAAC,GAAG,CAAC,IAAI,WAAW,OAAO;AAEjC,UAAQ,WAAW;AAAA,IAClB,KAAK;AACJ,aAAO,IAAI,2BAAU,UAAU,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,EACjD,WAAW,EACX,kBAAkB;AAAA,IACrB,KAAK;AACJ,aAAO,IAAI,sBAAU,UAAU,OAAO,CAAC,GAAG,OAAO,CAAC,CAAC,EACjD,WAAW,EACX,kBAAkB;AAAA,IACrB;AACC,YAAM,IAAI,MAAM,wBAAwB;AAAA,EAC1C;AACD;AAaO,SAAS,yBAAyB,iBAAgD;AACxF,MAAI,gBAAgB,WAAW,uBAAuB;AACrD,UAAM,IAAI,MAAM,kDAAkD;AAAA,EACnE;AAGA,QAAM,oBAAoB,YAAY,eAAe;AAGrD,MAAI,kBAAkB,CAAC,MAAM,GAAM;AAClC,UAAM,IAAI,MAAM,qCAAqC;AAAA,EACtD;AAGA,QAAM,SAAS,kBAAkB,MAAM,GAAG,EAAE;AAG5C,QAAM,iBAAiB,kBAAkB,EAAE;AAC3C,QAAM,aAAa,iBAAiB,MAAM,IAAI,IAAO;AAGrD,SAAO,IAAI,WAAW,CAAC,YAAY,GAAG,MAAM,CAAC;AAC9C;",
+  "names": []
+}

package/dist/cjs/webcrypto/index.d.ts

@@ -0,0 +1,26 @@
+import type { SignatureScheme } from '@haneullabs/haneul/cryptography';
+import { Signer } from '@haneullabs/haneul/cryptography';
+import { Secp256r1PublicKey } from '@haneullabs/haneul/keypairs/secp256r1';
+export interface ExportedWebCryptoKeypair {
+    privateKey: CryptoKey;
+    publicKey: Uint8Array<ArrayBuffer>;
+}
+export declare class WebCryptoSigner extends Signer {
+    #private;
+    privateKey: CryptoKey;
+    static generate({ extractable }?: {
+        extractable?: boolean;
+    }): Promise<WebCryptoSigner>;
+    /**
+     * Imports a keypair using the value returned by `export()`.
+     */
+    static import(data: ExportedWebCryptoKeypair): WebCryptoSigner;
+    getKeyScheme(): SignatureScheme;
+    constructor(privateKey: CryptoKey, publicKey: Uint8Array);
+    /**
+     * Exports the keypair so that it can be stored in IndexedDB.
+     */
+    export(): ExportedWebCryptoKeypair;
+    getPublicKey(): Secp256r1PublicKey;
+    sign(bytes: Uint8Array): Promise<Uint8Array<ArrayBuffer>>;
+}

package/dist/cjs/webcrypto/index.js

@@ -0,0 +1,112 @@
+"use strict";
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+var webcrypto_exports = {};
+__export(webcrypto_exports, {
+  WebCryptoSigner: () => WebCryptoSigner
+});
+module.exports = __toCommonJS(webcrypto_exports);
+var import_cryptography = require("@haneullabs/haneul/cryptography");
+var import_secp256r1 = require("@haneullabs/haneul/keypairs/secp256r1");
+var import_p256 = require("@noble/curves/p256");
+var _publicKey;
+function getCompressedPublicKey(publicKey) {
+  const rawBytes = new Uint8Array(publicKey);
+  const x = rawBytes.slice(1, 33);
+  const y = rawBytes.slice(33, 65);
+  const prefix = (y[31] & 1) === 0 ? 2 : 3;
+  const compressed = new Uint8Array(import_secp256r1.Secp256r1PublicKey.SIZE);
+  compressed[0] = prefix;
+  compressed.set(x, 1);
+  return compressed;
+}
+const _WebCryptoSigner = class _WebCryptoSigner extends import_cryptography.Signer {
+  constructor(privateKey, publicKey) {
+    super();
+    __privateAdd(this, _publicKey);
+    this.privateKey = privateKey;
+    __privateSet(this, _publicKey, new import_secp256r1.Secp256r1PublicKey(publicKey));
+  }
+  static async generate({ extractable = false } = {}) {
+    const keypair = await globalThis.crypto.subtle.generateKey(
+      {
+        name: "ECDSA",
+        namedCurve: "P-256"
+      },
+      extractable,
+      ["sign", "verify"]
+    );
+    const publicKey = await globalThis.crypto.subtle.exportKey("raw", keypair.publicKey);
+    return new _WebCryptoSigner(
+      keypair.privateKey,
+      getCompressedPublicKey(new Uint8Array(publicKey))
+    );
+  }
+  /**
+   * Imports a keypair using the value returned by `export()`.
+   */
+  static import(data) {
+    return new _WebCryptoSigner(data.privateKey, data.publicKey);
+  }
+  getKeyScheme() {
+    return "Secp256r1";
+  }
+  /**
+   * Exports the keypair so that it can be stored in IndexedDB.
+   */
+  export() {
+    const exportedKeypair = {
+      privateKey: this.privateKey,
+      publicKey: __privateGet(this, _publicKey).toRawBytes()
+    };
+    Object.defineProperty(exportedKeypair, "toJSON", {
+      enumerable: false,
+      value: () => {
+        throw new Error(
+          "The exported keypair must not be serialized. It must be stored in IndexedDB directly."
+        );
+      }
+    });
+    return exportedKeypair;
+  }
+  getPublicKey() {
+    return __privateGet(this, _publicKey);
+  }
+  async sign(bytes) {
+    const rawSignature = await globalThis.crypto.subtle.sign(
+      {
+        name: "ECDSA",
+        hash: "SHA-256"
+      },
+      this.privateKey,
+      bytes
+    );
+    const signature = import_p256.secp256r1.Signature.fromCompact(new Uint8Array(rawSignature));
+    return signature.normalizeS().toCompactRawBytes();
+  }
+};
+_publicKey = new WeakMap();
+let WebCryptoSigner = _WebCryptoSigner;
+//# sourceMappingURL=index.js.map

package/dist/cjs/webcrypto/index.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/webcrypto/index.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport type { SignatureScheme } from '@haneullabs/haneul/cryptography';\nimport { Signer } from '@haneullabs/haneul/cryptography';\nimport { Secp256r1PublicKey } from '@haneullabs/haneul/keypairs/secp256r1';\nimport { secp256r1 } from '@noble/curves/p256';\n\n// Convert from uncompressed (65 bytes) to compressed (33 bytes) format\nfunction getCompressedPublicKey(publicKey: Uint8Array) {\n\tconst rawBytes = new Uint8Array(publicKey);\n\tconst x = rawBytes.slice(1, 33);\n\tconst y = rawBytes.slice(33, 65);\n\n\tconst prefix = (y[31] & 1) === 0 ? 0x02 : 0x03;\n\n\tconst compressed = new Uint8Array(Secp256r1PublicKey.SIZE);\n\tcompressed[0] = prefix;\n\tcompressed.set(x, 1);\n\n\treturn compressed;\n}\n\nexport interface ExportedWebCryptoKeypair {\n\tprivateKey: CryptoKey;\n\tpublicKey: Uint8Array<ArrayBuffer>;\n}\n\nexport class WebCryptoSigner extends Signer {\n\tprivateKey: CryptoKey;\n\n\t#publicKey: Secp256r1PublicKey;\n\n\tstatic async generate({ extractable = false }: { extractable?: boolean } = {}) {\n\t\tconst keypair = await globalThis.crypto.subtle.generateKey(\n\t\t\t{\n\t\t\t\tname: 'ECDSA',\n\t\t\t\tnamedCurve: 'P-256',\n\t\t\t},\n\t\t\textractable,\n\t\t\t['sign', 'verify'],\n\t\t);\n\n\t\tconst publicKey = await globalThis.crypto.subtle.exportKey('raw', keypair.publicKey);\n\n\t\treturn new WebCryptoSigner(\n\t\t\tkeypair.privateKey,\n\t\t\tgetCompressedPublicKey(new Uint8Array(publicKey)),\n\t\t);\n\t}\n\n\t/**\n\t * Imports a keypair using the value returned by `export()`.\n\t */\n\tstatic import(data: ExportedWebCryptoKeypair) {\n\t\treturn new WebCryptoSigner(data.privateKey, data.publicKey);\n\t}\n\n\tgetKeyScheme(): SignatureScheme {\n\t\treturn 'Secp256r1';\n\t}\n\n\tconstructor(privateKey: CryptoKey, publicKey: Uint8Array) {\n\t\tsuper();\n\t\tthis.privateKey = privateKey;\n\t\tthis.#publicKey = new Secp256r1PublicKey(publicKey);\n\t}\n\n\t/**\n\t * Exports the keypair so that it can be stored in IndexedDB.\n\t */\n\texport(): ExportedWebCryptoKeypair {\n\t\tconst exportedKeypair = {\n\t\t\tprivateKey: this.privateKey,\n\t\t\tpublicKey: this.#publicKey.toRawBytes(),\n\t\t};\n\n\t\tObject.defineProperty(exportedKeypair, 'toJSON', {\n\t\t\tenumerable: false,\n\t\t\tvalue: () => {\n\t\t\t\tthrow new Error(\n\t\t\t\t\t'The exported keypair must not be serialized. It must be stored in IndexedDB directly.',\n\t\t\t\t);\n\t\t\t},\n\t\t});\n\n\t\treturn exportedKeypair;\n\t}\n\n\tgetPublicKey() {\n\t\treturn this.#publicKey;\n\t}\n\n\tasync sign(bytes: Uint8Array): Promise<Uint8Array<ArrayBuffer>> {\n\t\tconst rawSignature = await globalThis.crypto.subtle.sign(\n\t\t\t{\n\t\t\t\tname: 'ECDSA',\n\t\t\t\thash: 'SHA-256',\n\t\t\t},\n\t\t\tthis.privateKey,\n\t\t\tbytes as BufferSource,\n\t\t);\n\n\t\tconst signature = secp256r1.Signature.fromCompact(new Uint8Array(rawSignature));\n\n\t\treturn signature.normalizeS().toCompactRawBytes() as Uint8Array<ArrayBuffer>;\n\t}\n}\n"],
+  "mappings": ";;;;;;;;;;;;;;;;;;;;;;;;;AAAA;AAAA;AAAA;AAAA;AAAA;AAIA,0BAAuB;AACvB,uBAAmC;AACnC,kBAA0B;AAN1B;AASA,SAAS,uBAAuB,WAAuB;AACtD,QAAM,WAAW,IAAI,WAAW,SAAS;AACzC,QAAM,IAAI,SAAS,MAAM,GAAG,EAAE;AAC9B,QAAM,IAAI,SAAS,MAAM,IAAI,EAAE;AAE/B,QAAM,UAAU,EAAE,EAAE,IAAI,OAAO,IAAI,IAAO;AAE1C,QAAM,aAAa,IAAI,WAAW,oCAAmB,IAAI;AACzD,aAAW,CAAC,IAAI;AAChB,aAAW,IAAI,GAAG,CAAC;AAEnB,SAAO;AACR;AAOO,MAAM,mBAAN,MAAM,yBAAwB,2BAAO;AAAA,EAkC3C,YAAY,YAAuB,WAAuB;AACzD,UAAM;AAhCP;AAiCC,SAAK,aAAa;AAClB,uBAAK,YAAa,IAAI,oCAAmB,SAAS;AAAA,EACnD;AAAA,EAjCA,aAAa,SAAS,EAAE,cAAc,MAAM,IAA+B,CAAC,GAAG;AAC9E,UAAM,UAAU,MAAM,WAAW,OAAO,OAAO;AAAA,MAC9C;AAAA,QACC,MAAM;AAAA,QACN,YAAY;AAAA,MACb;AAAA,MACA;AAAA,MACA,CAAC,QAAQ,QAAQ;AAAA,IAClB;AAEA,UAAM,YAAY,MAAM,WAAW,OAAO,OAAO,UAAU,OAAO,QAAQ,SAAS;AAEnF,WAAO,IAAI;AAAA,MACV,QAAQ;AAAA,MACR,uBAAuB,IAAI,WAAW,SAAS,CAAC;AAAA,IACjD;AAAA,EACD;AAAA;AAAA;AAAA;AAAA,EAKA,OAAO,OAAO,MAAgC;AAC7C,WAAO,IAAI,iBAAgB,KAAK,YAAY,KAAK,SAAS;AAAA,EAC3D;AAAA,EAEA,eAAgC;AAC/B,WAAO;AAAA,EACR;AAAA;AAAA;AAAA;AAAA,EAWA,SAAmC;AAClC,UAAM,kBAAkB;AAAA,MACvB,YAAY,KAAK;AAAA,MACjB,WAAW,mBAAK,YAAW,WAAW;AAAA,IACvC;AAEA,WAAO,eAAe,iBAAiB,UAAU;AAAA,MAChD,YAAY;AAAA,MACZ,OAAO,MAAM;AACZ,cAAM,IAAI;AAAA,UACT;AAAA,QACD;AAAA,MACD;AAAA,IACD,CAAC;AAED,WAAO;AAAA,EACR;AAAA,EAEA,eAAe;AACd,WAAO,mBAAK;AAAA,EACb;AAAA,EAEA,MAAM,KAAK,OAAqD;AAC/D,UAAM,eAAe,MAAM,WAAW,OAAO,OAAO;AAAA,MACnD;AAAA,QACC,MAAM;AAAA,QACN,MAAM;AAAA,MACP;AAAA,MACA,KAAK;AAAA,MACL;AAAA,IACD;AAEA,UAAM,YAAY,sBAAU,UAAU,YAAY,IAAI,WAAW,YAAY,CAAC;AAE9E,WAAO,UAAU,WAAW,EAAE,kBAAkB;AAAA,EACjD;AACD;AA5EC;AAHM,IAAM,kBAAN;",
+  "names": []
+}

package/dist/esm/aws/aws-client.d.ts

@@ -0,0 +1,43 @@
+import { Secp256k1PublicKey } from '@haneullabs/haneul/keypairs/secp256k1';
+import { Secp256r1PublicKey } from '@haneullabs/haneul/keypairs/secp256r1';
+import { AwsClient } from './aws4fetch.js';
+interface KmsCommands {
+    Sign: {
+        request: {
+            KeyId: string;
+            Message: string;
+            MessageType: 'RAW' | 'DIGEST';
+            SigningAlgorithm: 'ECDSA_SHA_256';
+        };
+        response: {
+            KeyId: string;
+            KeyOrigin: string;
+            Signature: string;
+            SigningAlgorithm: string;
+        };
+    };
+    GetPublicKey: {
+        request: {
+            KeyId: string;
+        };
+        response: {
+            CustomerMasterKeySpec: string;
+            KeyId: string;
+            KeyOrigin: string;
+            KeySpec: string;
+            KeyUsage: string;
+            PublicKey: string;
+            SigningAlgorithms: string[];
+        };
+    };
+}
+export interface AwsClientOptions extends Partial<ConstructorParameters<typeof AwsClient>[0]> {
+}
+export declare class AwsKmsClient extends AwsClient {
+    constructor(options?: AwsClientOptions);
+    getPublicKey(keyId: string): Promise<Secp256r1PublicKey | Secp256k1PublicKey>;
+    runCommand<T extends keyof KmsCommands>(command: T, body: KmsCommands[T]['request'], { region, }?: {
+        region?: string;
+    }): Promise<KmsCommands[T]['response']>;
+}
+export {};

package/dist/esm/aws/aws-client.js

@@ -0,0 +1,59 @@
+import { Secp256k1PublicKey } from "@haneullabs/haneul/keypairs/secp256k1";
+import { Secp256r1PublicKey } from "@haneullabs/haneul/keypairs/secp256r1";
+import { fromBase64 } from "@haneullabs/haneul/utils";
+import { publicKeyFromDER } from "../utils/utils.js";
+import { AwsClient } from "./aws4fetch.js";
+class AwsKmsClient extends AwsClient {
+  constructor(options = {}) {
+    if (!options.accessKeyId || !options.secretAccessKey) {
+      throw new Error("AWS Access Key ID and Secret Access Key are required");
+    }
+    if (!options.region) {
+      throw new Error("Region is required");
+    }
+    super({
+      region: options.region,
+      accessKeyId: options.accessKeyId,
+      secretAccessKey: options.secretAccessKey,
+      service: "kms",
+      ...options
+    });
+  }
+  async getPublicKey(keyId) {
+    const publicKeyResponse = await this.runCommand("GetPublicKey", { KeyId: keyId });
+    if (!publicKeyResponse.PublicKey) {
+      throw new Error("Public Key not found for the supplied `keyId`");
+    }
+    const compressedKey = publicKeyFromDER(fromBase64(publicKeyResponse.PublicKey));
+    switch (publicKeyResponse.KeySpec) {
+      case "ECC_NIST_P256":
+        return new Secp256r1PublicKey(compressedKey);
+      case "ECC_SECG_P256K1":
+        return new Secp256k1PublicKey(compressedKey);
+      default:
+        throw new Error("Unsupported key spec: " + publicKeyResponse.KeySpec);
+    }
+  }
+  async runCommand(command, body, {
+    region = this.region
+  } = {}) {
+    if (!region) {
+      throw new Error("Region is required");
+    }
+    const res = await this.fetch(`https://kms.${region}.amazonaws.com/`, {
+      headers: {
+        "Content-Type": "application/x-amz-json-1.1",
+        "X-Amz-Target": `TrentService.${command}`
+      },
+      body: JSON.stringify(body)
+    });
+    if (!res.ok) {
+      throw new Error(await res.text());
+    }
+    return res.json();
+  }
+}
+export {
+  AwsKmsClient
+};
+//# sourceMappingURL=aws-client.js.map

package/dist/esm/aws/aws-client.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/aws/aws-client.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\n\nimport { Secp256k1PublicKey } from '@haneullabs/haneul/keypairs/secp256k1';\nimport { Secp256r1PublicKey } from '@haneullabs/haneul/keypairs/secp256r1';\nimport { fromBase64 } from '@haneullabs/haneul/utils';\n\nimport { publicKeyFromDER } from '../utils/utils.js';\nimport { AwsClient } from './aws4fetch.js';\n\ninterface KmsCommands {\n\tSign: {\n\t\trequest: {\n\t\t\tKeyId: string;\n\t\t\tMessage: string;\n\t\t\tMessageType: 'RAW' | 'DIGEST';\n\t\t\tSigningAlgorithm: 'ECDSA_SHA_256';\n\t\t};\n\t\tresponse: {\n\t\t\tKeyId: string;\n\t\t\tKeyOrigin: string;\n\t\t\tSignature: string;\n\t\t\tSigningAlgorithm: string;\n\t\t};\n\t};\n\tGetPublicKey: {\n\t\trequest: { KeyId: string };\n\t\tresponse: {\n\t\t\tCustomerMasterKeySpec: string;\n\t\t\tKeyId: string;\n\t\t\tKeyOrigin: string;\n\t\t\tKeySpec: string;\n\t\t\tKeyUsage: string;\n\t\t\tPublicKey: string;\n\t\t\tSigningAlgorithms: string[];\n\t\t};\n\t};\n}\n\nexport interface AwsClientOptions extends Partial<ConstructorParameters<typeof AwsClient>[0]> {}\n\nexport class AwsKmsClient extends AwsClient {\n\tconstructor(options: AwsClientOptions = {}) {\n\t\tif (!options.accessKeyId || !options.secretAccessKey) {\n\t\t\tthrow new Error('AWS Access Key ID and Secret Access Key are required');\n\t\t}\n\n\t\tif (!options.region) {\n\t\t\tthrow new Error('Region is required');\n\t\t}\n\n\t\tsuper({\n\t\t\tregion: options.region,\n\t\t\taccessKeyId: options.accessKeyId,\n\t\t\tsecretAccessKey: options.secretAccessKey,\n\t\t\tservice: 'kms',\n\t\t\t...options,\n\t\t});\n\t}\n\n\tasync getPublicKey(keyId: string) {\n\t\tconst publicKeyResponse = await this.runCommand('GetPublicKey', { KeyId: keyId });\n\n\t\tif (!publicKeyResponse.PublicKey) {\n\t\t\tthrow new Error('Public Key not found for the supplied `keyId`');\n\t\t}\n\n\t\tconst compressedKey = publicKeyFromDER(fromBase64(publicKeyResponse.PublicKey));\n\n\t\tswitch (publicKeyResponse.KeySpec) {\n\t\t\tcase 'ECC_NIST_P256':\n\t\t\t\treturn new Secp256r1PublicKey(compressedKey);\n\t\t\tcase 'ECC_SECG_P256K1':\n\t\t\t\treturn new Secp256k1PublicKey(compressedKey);\n\t\t\tdefault:\n\t\t\t\tthrow new Error('Unsupported key spec: ' + publicKeyResponse.KeySpec);\n\t\t}\n\t}\n\n\tasync runCommand<T extends keyof KmsCommands>(\n\t\tcommand: T,\n\t\tbody: KmsCommands[T]['request'],\n\t\t{\n\t\t\tregion = this.region!,\n\t\t}: {\n\t\t\tregion?: string;\n\t\t} = {},\n\t): Promise<KmsCommands[T]['response']> {\n\t\tif (!region) {\n\t\t\tthrow new Error('Region is required');\n\t\t}\n\n\t\tconst res = await this.fetch(`https://kms.${region}.amazonaws.com/`, {\n\t\t\theaders: {\n\t\t\t\t'Content-Type': 'application/x-amz-json-1.1',\n\t\t\t\t'X-Amz-Target': `TrentService.${command}`,\n\t\t\t},\n\t\t\tbody: JSON.stringify(body),\n\t\t});\n\n\t\tif (!res.ok) {\n\t\t\tthrow new Error(await res.text());\n\t\t}\n\n\t\treturn res.json();\n\t}\n}\n"],
+  "mappings": "AAGA,SAAS,0BAA0B;AACnC,SAAS,0BAA0B;AACnC,SAAS,kBAAkB;AAE3B,SAAS,wBAAwB;AACjC,SAAS,iBAAiB;AAiCnB,MAAM,qBAAqB,UAAU;AAAA,EAC3C,YAAY,UAA4B,CAAC,GAAG;AAC3C,QAAI,CAAC,QAAQ,eAAe,CAAC,QAAQ,iBAAiB;AACrD,YAAM,IAAI,MAAM,sDAAsD;AAAA,IACvE;AAEA,QAAI,CAAC,QAAQ,QAAQ;AACpB,YAAM,IAAI,MAAM,oBAAoB;AAAA,IACrC;AAEA,UAAM;AAAA,MACL,QAAQ,QAAQ;AAAA,MAChB,aAAa,QAAQ;AAAA,MACrB,iBAAiB,QAAQ;AAAA,MACzB,SAAS;AAAA,MACT,GAAG;AAAA,IACJ,CAAC;AAAA,EACF;AAAA,EAEA,MAAM,aAAa,OAAe;AACjC,UAAM,oBAAoB,MAAM,KAAK,WAAW,gBAAgB,EAAE,OAAO,MAAM,CAAC;AAEhF,QAAI,CAAC,kBAAkB,WAAW;AACjC,YAAM,IAAI,MAAM,+CAA+C;AAAA,IAChE;AAEA,UAAM,gBAAgB,iBAAiB,WAAW,kBAAkB,SAAS,CAAC;AAE9E,YAAQ,kBAAkB,SAAS;AAAA,MAClC,KAAK;AACJ,eAAO,IAAI,mBAAmB,aAAa;AAAA,MAC5C,KAAK;AACJ,eAAO,IAAI,mBAAmB,aAAa;AAAA,MAC5C;AACC,cAAM,IAAI,MAAM,2BAA2B,kBAAkB,OAAO;AAAA,IACtE;AAAA,EACD;AAAA,EAEA,MAAM,WACL,SACA,MACA;AAAA,IACC,SAAS,KAAK;AAAA,EACf,IAEI,CAAC,GACiC;AACtC,QAAI,CAAC,QAAQ;AACZ,YAAM,IAAI,MAAM,oBAAoB;AAAA,IACrC;AAEA,UAAM,MAAM,MAAM,KAAK,MAAM,eAAe,MAAM,mBAAmB;AAAA,MACpE,SAAS;AAAA,QACR,gBAAgB;AAAA,QAChB,gBAAgB,gBAAgB,OAAO;AAAA,MACxC;AAAA,MACA,MAAM,KAAK,UAAU,IAAI;AAAA,IAC1B,CAAC;AAED,QAAI,CAAC,IAAI,IAAI;AACZ,YAAM,IAAI,MAAM,MAAM,IAAI,KAAK,CAAC;AAAA,IACjC;AAEA,WAAO,IAAI,KAAK;AAAA,EACjB;AACD;",
+  "names": []
+}

package/dist/esm/aws/aws-kms-signer.d.ts

@@ -0,0 +1,61 @@
+import type { PublicKey } from '@haneullabs/haneul/cryptography';
+import { Signer } from '@haneullabs/haneul/cryptography';
+import type { AwsClientOptions } from './aws-client.js';
+import { AwsKmsClient } from './aws-client.js';
+/**
+ * Configuration options for initializing the AwsKmsSigner.
+ */
+export interface AwsKmsSignerOptions {
+    /** AWS KMS Key ID used for signing */
+    kmsKeyId: string;
+    /** Options for setting up the AWS KMS client */
+    client: AwsKmsClient;
+    /** Public key */
+    publicKey: PublicKey;
+}
+/**
+ * Aws KMS Signer integrates AWS Key Management Service (KMS) with the Haneul blockchain
+ * to provide signing capabilities using AWS-managed cryptographic keys.
+ */
+export declare class AwsKmsSigner extends Signer {
+    #private;
+    /**
+     * Creates an instance of AwsKmsSigner. It's expected to call the static `fromKeyId` method to create an instance.
+     * For example:
+     * ```
+     * const signer = await AwsKmsSigner.fromKeyId(keyId, options);
+     * ```
+     * @throws Will throw an error if required AWS credentials or region are not provided.
+     */
+    constructor({ kmsKeyId, client, publicKey }: AwsKmsSignerOptions);
+    /**
+     * Retrieves the key scheme used by this signer.
+     * @returns AWS supports only Secp256k1 and Secp256r1 schemes.
+     */
+    getKeyScheme(): "Secp256k1" | "Secp256r1" | "ED25519" | "MultiSig" | "ZkLogin" | "Passkey";
+    /**
+     * Retrieves the public key associated with this signer.
+     * @returns The Secp256k1PublicKey instance.
+     * @throws Will throw an error if the public key has not been initialized.
+     */
+    getPublicKey(): PublicKey;
+    /**
+     * Signs the given data using AWS KMS.
+     * @param bytes - The data to be signed as a Uint8Array.
+     * @returns A promise that resolves to the signature as a Uint8Array.
+     * @throws Will throw an error if the public key is not initialized or if signing fails.
+     */
+    sign(bytes: Uint8Array): Promise<Uint8Array<ArrayBuffer>>;
+    /**
+     * Synchronous signing is not supported by AWS KMS.
+     * @throws Always throws an error indicating synchronous signing is unsupported.
+     * @deprecated use `sign` instead
+     */
+    signData(): never;
+    /**
+     * Prepares the signer by fetching and setting the public key from AWS KMS.
+     * It is recommended to initialize an `AwsKmsSigner` instance using this function.
+     * @returns A promise that resolves once a `AwsKmsSigner` instance is prepared (public key is set).
+     */
+    static fromKeyId(keyId: string, options: AwsClientOptions): Promise<AwsKmsSigner>;
+}

package/dist/esm/aws/aws-kms-signer.js

@@ -0,0 +1,94 @@
+var __typeError = (msg) => {
+  throw TypeError(msg);
+};
+var __accessCheck = (obj, member, msg) => member.has(obj) || __typeError("Cannot " + msg);
+var __privateGet = (obj, member, getter) => (__accessCheck(obj, member, "read from private field"), getter ? getter.call(obj) : member.get(obj));
+var __privateAdd = (obj, member, value) => member.has(obj) ? __typeError("Cannot add the same private member more than once") : member instanceof WeakSet ? member.add(obj) : member.set(obj, value);
+var __privateSet = (obj, member, value, setter) => (__accessCheck(obj, member, "write to private field"), setter ? setter.call(obj, value) : member.set(obj, value), value);
+var _publicKey, _client, _kmsKeyId;
+import { SIGNATURE_FLAG_TO_SCHEME, Signer } from "@haneullabs/haneul/cryptography";
+import { fromBase64, toBase64 } from "@haneullabs/haneul/utils";
+import { getConcatenatedSignature } from "../utils/utils.js";
+import { AwsKmsClient } from "./aws-client.js";
+const _AwsKmsSigner = class _AwsKmsSigner extends Signer {
+  /**
+   * Creates an instance of AwsKmsSigner. It's expected to call the static `fromKeyId` method to create an instance.
+   * For example:
+   * ```
+   * const signer = await AwsKmsSigner.fromKeyId(keyId, options);
+   * ```
+   * @throws Will throw an error if required AWS credentials or region are not provided.
+   */
+  constructor({ kmsKeyId, client, publicKey }) {
+    super();
+    __privateAdd(this, _publicKey);
+    /** AWS KMS client instance */
+    __privateAdd(this, _client);
+    /** AWS KMS Key ID used for signing */
+    __privateAdd(this, _kmsKeyId);
+    if (!kmsKeyId) throw new Error("KMS Key ID is required");
+    __privateSet(this, _client, client);
+    __privateSet(this, _kmsKeyId, kmsKeyId);
+    __privateSet(this, _publicKey, publicKey);
+  }
+  /**
+   * Retrieves the key scheme used by this signer.
+   * @returns AWS supports only Secp256k1 and Secp256r1 schemes.
+   */
+  getKeyScheme() {
+    return SIGNATURE_FLAG_TO_SCHEME[__privateGet(this, _publicKey).flag()];
+  }
+  /**
+   * Retrieves the public key associated with this signer.
+   * @returns The Secp256k1PublicKey instance.
+   * @throws Will throw an error if the public key has not been initialized.
+   */
+  getPublicKey() {
+    return __privateGet(this, _publicKey);
+  }
+  /**
+   * Signs the given data using AWS KMS.
+   * @param bytes - The data to be signed as a Uint8Array.
+   * @returns A promise that resolves to the signature as a Uint8Array.
+   * @throws Will throw an error if the public key is not initialized or if signing fails.
+   */
+  async sign(bytes) {
+    const signResponse = await __privateGet(this, _client).runCommand("Sign", {
+      KeyId: __privateGet(this, _kmsKeyId),
+      Message: toBase64(bytes),
+      MessageType: "RAW",
+      SigningAlgorithm: "ECDSA_SHA_256"
+    });
+    return getConcatenatedSignature(fromBase64(signResponse.Signature), this.getKeyScheme());
+  }
+  /**
+   * Synchronous signing is not supported by AWS KMS.
+   * @throws Always throws an error indicating synchronous signing is unsupported.
+   * @deprecated use `sign` instead
+   */
+  signData() {
+    throw new Error("KMS Signer does not support sync signing");
+  }
+  /**
+   * Prepares the signer by fetching and setting the public key from AWS KMS.
+   * It is recommended to initialize an `AwsKmsSigner` instance using this function.
+   * @returns A promise that resolves once a `AwsKmsSigner` instance is prepared (public key is set).
+   */
+  static async fromKeyId(keyId, options) {
+    const client = new AwsKmsClient(options);
+    const pubKey = await client.getPublicKey(keyId);
+    return new _AwsKmsSigner({
+      kmsKeyId: keyId,
+      client,
+      publicKey: pubKey
+    });
+  }
+};
+_publicKey = new WeakMap();
+_client = new WeakMap();
+_kmsKeyId = new WeakMap();
+let AwsKmsSigner = _AwsKmsSigner;
+export {
+  AwsKmsSigner
+};
+//# sourceMappingURL=aws-kms-signer.js.map

package/dist/esm/aws/aws-kms-signer.js.map

@@ -0,0 +1,7 @@
+{
+  "version": 3,
+  "sources": ["../../../src/aws/aws-kms-signer.ts"],
+  "sourcesContent": ["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport type { PublicKey, SignatureFlag } from '@haneullabs/haneul/cryptography';\nimport { SIGNATURE_FLAG_TO_SCHEME, Signer } from '@haneullabs/haneul/cryptography';\nimport { fromBase64, toBase64 } from '@haneullabs/haneul/utils';\n\nimport { getConcatenatedSignature } from '../utils/utils.js';\nimport type { AwsClientOptions } from './aws-client.js';\nimport { AwsKmsClient } from './aws-client.js';\n\n/**\n * Configuration options for initializing the AwsKmsSigner.\n */\nexport interface AwsKmsSignerOptions {\n\t/** AWS KMS Key ID used for signing */\n\tkmsKeyId: string;\n\t/** Options for setting up the AWS KMS client */\n\tclient: AwsKmsClient;\n\t/** Public key */\n\tpublicKey: PublicKey;\n}\n\n/**\n * Aws KMS Signer integrates AWS Key Management Service (KMS) with the Haneul blockchain\n * to provide signing capabilities using AWS-managed cryptographic keys.\n */\nexport class AwsKmsSigner extends Signer {\n\t#publicKey: PublicKey;\n\t/** AWS KMS client instance */\n\t#client: AwsKmsClient;\n\t/** AWS KMS Key ID used for signing */\n\t#kmsKeyId: string;\n\n\t/**\n\t * Creates an instance of AwsKmsSigner. It's expected to call the static `fromKeyId` method to create an instance.\n\t * For example:\n\t * ```\n\t * const signer = await AwsKmsSigner.fromKeyId(keyId, options);\n\t * ```\n\t * @throws Will throw an error if required AWS credentials or region are not provided.\n\t */\n\tconstructor({ kmsKeyId, client, publicKey }: AwsKmsSignerOptions) {\n\t\tsuper();\n\t\tif (!kmsKeyId) throw new Error('KMS Key ID is required');\n\n\t\tthis.#client = client;\n\t\tthis.#kmsKeyId = kmsKeyId;\n\t\tthis.#publicKey = publicKey;\n\t}\n\n\t/**\n\t * Retrieves the key scheme used by this signer.\n\t * @returns AWS supports only Secp256k1 and Secp256r1 schemes.\n\t */\n\tgetKeyScheme() {\n\t\treturn SIGNATURE_FLAG_TO_SCHEME[this.#publicKey.flag() as SignatureFlag];\n\t}\n\n\t/**\n\t * Retrieves the public key associated with this signer.\n\t * @returns The Secp256k1PublicKey instance.\n\t * @throws Will throw an error if the public key has not been initialized.\n\t */\n\tgetPublicKey() {\n\t\treturn this.#publicKey;\n\t}\n\n\t/**\n\t * Signs the given data using AWS KMS.\n\t * @param bytes - The data to be signed as a Uint8Array.\n\t * @returns A promise that resolves to the signature as a Uint8Array.\n\t * @throws Will throw an error if the public key is not initialized or if signing fails.\n\t */\n\tasync sign(bytes: Uint8Array): Promise<Uint8Array<ArrayBuffer>> {\n\t\tconst signResponse = await this.#client.runCommand('Sign', {\n\t\t\tKeyId: this.#kmsKeyId,\n\t\t\tMessage: toBase64(bytes),\n\t\t\tMessageType: 'RAW',\n\t\t\tSigningAlgorithm: 'ECDSA_SHA_256',\n\t\t});\n\n\t\t// Concatenate the signature components into a compact form\n\t\treturn getConcatenatedSignature(fromBase64(signResponse.Signature), this.getKeyScheme());\n\t}\n\n\t/**\n\t * Synchronous signing is not supported by AWS KMS.\n\t * @throws Always throws an error indicating synchronous signing is unsupported.\n\t * @deprecated use `sign` instead\n\t */\n\tsignData(): never {\n\t\tthrow new Error('KMS Signer does not support sync signing');\n\t}\n\n\t/**\n\t * Prepares the signer by fetching and setting the public key from AWS KMS.\n\t * It is recommended to initialize an `AwsKmsSigner` instance using this function.\n\t * @returns A promise that resolves once a `AwsKmsSigner` instance is prepared (public key is set).\n\t */\n\tstatic async fromKeyId(keyId: string, options: AwsClientOptions) {\n\t\tconst client = new AwsKmsClient(options);\n\n\t\tconst pubKey = await client.getPublicKey(keyId);\n\n\t\treturn new AwsKmsSigner({\n\t\t\tkmsKeyId: keyId,\n\t\t\tclient,\n\t\t\tpublicKey: pubKey,\n\t\t});\n\t}\n}\n"],
+  "mappings": ";;;;;;;AAAA;AAGA,SAAS,0BAA0B,cAAc;AACjD,SAAS,YAAY,gBAAgB;AAErC,SAAS,gCAAgC;AAEzC,SAAS,oBAAoB;AAkBtB,MAAM,gBAAN,MAAM,sBAAqB,OAAO;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAexC,YAAY,EAAE,UAAU,QAAQ,UAAU,GAAwB;AACjE,UAAM;AAfP;AAEA;AAAA;AAEA;AAAA;AAYC,QAAI,CAAC,SAAU,OAAM,IAAI,MAAM,wBAAwB;AAEvD,uBAAK,SAAU;AACf,uBAAK,WAAY;AACjB,uBAAK,YAAa;AAAA,EACnB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,eAAe;AACd,WAAO,yBAAyB,mBAAK,YAAW,KAAK,CAAkB;AAAA,EACxE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,eAAe;AACd,WAAO,mBAAK;AAAA,EACb;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,KAAK,OAAqD;AAC/D,UAAM,eAAe,MAAM,mBAAK,SAAQ,WAAW,QAAQ;AAAA,MAC1D,OAAO,mBAAK;AAAA,MACZ,SAAS,SAAS,KAAK;AAAA,MACvB,aAAa;AAAA,MACb,kBAAkB;AAAA,IACnB,CAAC;AAGD,WAAO,yBAAyB,WAAW,aAAa,SAAS,GAAG,KAAK,aAAa,CAAC;AAAA,EACxF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,WAAkB;AACjB,UAAM,IAAI,MAAM,0CAA0C;AAAA,EAC3D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,aAAa,UAAU,OAAe,SAA2B;AAChE,UAAM,SAAS,IAAI,aAAa,OAAO;AAEvC,UAAM,SAAS,MAAM,OAAO,aAAa,KAAK;AAE9C,WAAO,IAAI,cAAa;AAAA,MACvB,UAAU;AAAA,MACV;AAAA,MACA,WAAW;AAAA,IACZ,CAAC;AAAA,EACF;AACD;AAnFC;AAEA;AAEA;AALM,IAAM,eAAN;",
+  "names": []
+}