@opentdf/sdk 0.3.1 → 0.3.2-beta.1

package/src/access/access-fetch.ts

@@ -0,0 +1,202 @@
+import {
+  KasPublicKeyAlgorithm,
+  KasPublicKeyInfo,
+  noteInvalidPublicKey,
+  OriginAllowList,
+} from '../access.js';
+import { type AuthProvider } from '../auth/auth.js';
+import {
+  ConfigurationError,
+  InvalidFileError,
+  NetworkError,
+  PermissionDeniedError,
+  ServiceError,
+  UnauthenticatedError,
+} from '../errors.js';
+import { pemToCryptoPublicKey, validateSecureUrl } from '../utils.js';
+
+export type RewrapRequest = {
+  signedRequestToken: string;
+};
+
+export type RewrapResponseLegacy = {
+  metadata: Record<string, unknown>;
+  entityWrappedKey: string;
+  sessionPublicKey: string;
+  schemaVersion: string;
+};
+
+/**
+ * Get a rewrapped access key to the document, if possible
+ * @param url Key access server rewrap endpoint
+ * @param requestBody a signed request with an encrypted document key
+ * @param authProvider Authorization middleware
+ */
+export async function fetchWrappedKey(
+  url: string,
+  requestBody: RewrapRequest,
+  authProvider: AuthProvider
+): Promise<RewrapResponseLegacy> {
+  const req = await authProvider.withCreds({
+    url,
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify(requestBody),
+  });
+
+  let response: Response;
+
+  try {
+    response = await fetch(req.url, {
+      method: req.method,
+      mode: 'cors', // no-cors, *cors, same-origin
+      cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
+      credentials: 'same-origin', // include, *same-origin, omit
+      headers: req.headers,
+      redirect: 'follow', // manual, *follow, error
+      referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
+      body: req.body as BodyInit,
+    });
+  } catch (e) {
+    throw new NetworkError(`unable to fetch wrapped key from [${url}]`, e);
+  }
+
+  if (!response.ok) {
+    switch (response.status) {
+      case 400:
+        throw new InvalidFileError(
+          `400 for [${req.url}]: rewrap bad request [${await response.text()}]`
+        );
+      case 401:
+        throw new UnauthenticatedError(`401 for [${req.url}]; rewrap auth failure`);
+      case 403:
+        throw new PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied`);
+      default:
+        if (response.status >= 500) {
+          throw new ServiceError(
+            `${response.status} for [${req.url}]: rewrap failure due to service error [${await response.text()}]`
+          );
+        }
+        throw new NetworkError(
+          `${req.method} ${req.url} => ${response.status} ${response.statusText}`
+        );
+    }
+  }
+
+  return response.json();
+}
+
+export async function fetchKeyAccessServers(
+  platformUrl: string,
+  authProvider: AuthProvider
+): Promise<OriginAllowList> {
+  let nextOffset = 0;
+  const allServers = [];
+  do {
+    const req = await authProvider.withCreds({
+      url: `${platformUrl}/key-access-servers?pagination.offset=${nextOffset}`,
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+    });
+    let response: Response;
+    try {
+      response = await fetch(req.url, {
+        method: req.method,
+        headers: req.headers,
+        body: req.body as BodyInit,
+        mode: 'cors',
+        cache: 'no-cache',
+        credentials: 'same-origin',
+        redirect: 'follow',
+        referrerPolicy: 'no-referrer',
+      });
+    } catch (e) {
+      throw new NetworkError(`unable to fetch kas list from [${req.url}]`, e);
+    }
+    // if we get an error from the kas registry, throw an error
+    if (!response.ok) {
+      throw new ServiceError(
+        `unable to fetch kas list from [${req.url}], status: ${response.status}`
+      );
+    }
+    const { keyAccessServers = [], pagination = {} } = await response.json();
+    allServers.push(...keyAccessServers);
+    nextOffset = pagination.nextOffset || 0;
+  } while (nextOffset > 0);
+
+  const serverUrls = allServers.map((server) => server.uri);
+  // add base platform kas
+  if (!serverUrls.includes(`${platformUrl}/kas`)) {
+    serverUrls.push(`${platformUrl}/kas`);
+  }
+
+  return new OriginAllowList(serverUrls, false);
+}
+
+export async function fetchKasPubKey(
+  kasEndpoint: string,
+  algorithm?: KasPublicKeyAlgorithm
+): Promise<KasPublicKeyInfo> {
+  if (!kasEndpoint) {
+    throw new ConfigurationError('KAS definition not found');
+  }
+  // Logs insecure KAS. Secure is enforced in constructor
+  validateSecureUrl(kasEndpoint);
+
+  // Parse kasEndpoint to URL, then append to its path and update its query parameters
+  let pkUrlV2: URL;
+  try {
+    pkUrlV2 = new URL(kasEndpoint);
+  } catch (e) {
+    throw new ConfigurationError(`KAS definition invalid: [${kasEndpoint}]`, e);
+  }
+  if (!pkUrlV2.pathname.endsWith('kas_public_key')) {
+    if (!pkUrlV2.pathname.endsWith('/')) {
+      pkUrlV2.pathname += '/';
+    }
+    pkUrlV2.pathname += 'v2/kas_public_key';
+  }
+  pkUrlV2.searchParams.set('algorithm', algorithm || 'rsa:2048');
+  if (!pkUrlV2.searchParams.get('v')) {
+    pkUrlV2.searchParams.set('v', '2');
+  }
+
+  let kasPubKeyResponseV2: Response;
+  try {
+    kasPubKeyResponseV2 = await fetch(pkUrlV2);
+  } catch (e) {
+    throw new NetworkError(`unable to fetch public key from [${pkUrlV2}]`, e);
+  }
+  if (!kasPubKeyResponseV2.ok) {
+    switch (kasPubKeyResponseV2.status) {
+      case 404:
+        throw new ConfigurationError(`404 for [${pkUrlV2}]`);
+      case 401:
+        throw new UnauthenticatedError(`401 for [${pkUrlV2}]`);
+      case 403:
+        throw new PermissionDeniedError(`403 for [${pkUrlV2}]`);
+      default:
+        throw new NetworkError(
+          `${pkUrlV2} => ${kasPubKeyResponseV2.status} ${kasPubKeyResponseV2.statusText}`
+        );
+    }
+  }
+  const jsonContent = await kasPubKeyResponseV2.json();
+  const { publicKey, kid }: KasPublicKeyInfo = jsonContent;
+  if (!publicKey) {
+    throw new NetworkError(
+      `invalid response from public key endpoint [${JSON.stringify(jsonContent)}]`
+    );
+  }
+  return {
+    key: noteInvalidPublicKey(pkUrlV2, pemToCryptoPublicKey(publicKey)),
+    publicKey,
+    url: kasEndpoint,
+    algorithm: algorithm || 'rsa:2048',
+    ...(kid && { kid }),
+  };
+}

package/src/access/access-rpc.ts

@@ -0,0 +1,175 @@
+import {
+  isPublicKeyAlgorithm,
+  KasPublicKeyAlgorithm,
+  KasPublicKeyInfo,
+  noteInvalidPublicKey,
+  OriginAllowList,
+} from '../access.js';
+import { type AuthProvider } from '../auth/auth.js';
+import { ConfigurationError, NetworkError } from '../errors.js';
+import { PlatformClient } from '../platform.js';
+import { RewrapResponse } from '../platform/kas/kas_pb.js';
+import { ListKeyAccessServersResponse } from '../platform/policy/kasregistry/key_access_server_registry_pb.js';
+import {
+  extractRpcErrorMessage,
+  getPlatformUrlFromKasEndpoint,
+  pemToCryptoPublicKey,
+  validateSecureUrl,
+} from '../utils.js';
+
+/**
+ * Get a rewrapped access key to the document, if possible
+ * @param url Key access server rewrap endpoint
+ * @param requestBody a signed request with an encrypted document key
+ * @param authProvider Authorization middleware
+ * @param clientVersion
+ */
+export async function fetchWrappedKey(
+  url: string,
+  signedRequestToken: string,
+  authProvider: AuthProvider
+): Promise<RewrapResponse> {
+  const platformUrl = getPlatformUrlFromKasEndpoint(url);
+  const platform = new PlatformClient({ authProvider, platformUrl });
+  try {
+    return await platform.v1.access.rewrap({
+      signedRequestToken,
+    });
+  } catch (e) {
+    throw new NetworkError(`[${platformUrl}] [Rewrap] ${extractRpcErrorMessage(e)}`);
+  }
+}
+
+export async function fetchKeyAccessServers(
+  platformUrl: string,
+  authProvider: AuthProvider
+): Promise<OriginAllowList> {
+  let nextOffset = 0;
+  const allServers = [];
+  const platform = new PlatformClient({ authProvider, platformUrl });
+
+  do {
+    let response: ListKeyAccessServersResponse;
+    try {
+      response = await platform.v1.keyAccessServerRegistry.listKeyAccessServers({
+        pagination: {
+          offset: nextOffset,
+        },
+      });
+    } catch (e) {
+      throw new NetworkError(
+        `[${platformUrl}] [ListKeyAccessServers] ${extractRpcErrorMessage(e)}`
+      );
+    }
+
+    allServers.push(...response.keyAccessServers);
+    nextOffset = response?.pagination?.nextOffset || 0;
+  } while (nextOffset > 0);
+
+  const serverUrls = allServers.map((server) => server.uri);
+  // add base platform kas
+  if (!serverUrls.includes(`${platformUrl}/kas`)) {
+    serverUrls.push(`${platformUrl}/kas`);
+  }
+
+  return new OriginAllowList(serverUrls, false);
+}
+
+interface PlatformBaseKey {
+  kas_id?: string;
+  kas_uri: string;
+  public_key: {
+    algorithm: KasPublicKeyAlgorithm;
+    kid: string;
+    pem: string;
+  };
+}
+
+function isBaseKey(baseKey?: unknown): baseKey is PlatformBaseKey {
+  if (!baseKey) {
+    return false;
+  }
+  const bk = baseKey as PlatformBaseKey;
+  return (
+    !!bk.kas_uri &&
+    !!bk.public_key &&
+    typeof bk.public_key === 'object' &&
+    !!bk.public_key.pem &&
+    !!bk.public_key.algorithm &&
+    isPublicKeyAlgorithm(bk.public_key.algorithm)
+  );
+}
+
+export async function fetchKasPubKey(
+  kasEndpoint: string,
+  algorithm?: KasPublicKeyAlgorithm
+): Promise<KasPublicKeyInfo> {
+  if (!kasEndpoint) {
+    throw new ConfigurationError('KAS definition not found');
+  }
+  // Logs insecure KAS. Secure is enforced in constructor
+  validateSecureUrl(kasEndpoint);
+
+  const platformUrl = getPlatformUrlFromKasEndpoint(kasEndpoint);
+  const platform = new PlatformClient({
+    platformUrl,
+  });
+  try {
+    const { kid, publicKey } = await platform.v1.access.publicKey({
+      algorithm: algorithm || 'rsa:2048',
+      v: '2',
+    });
+    const result: KasPublicKeyInfo = {
+      key: noteInvalidPublicKey(new URL(platformUrl), pemToCryptoPublicKey(publicKey)),
+      publicKey,
+      url: kasEndpoint,
+      algorithm: algorithm || 'rsa:2048',
+      ...(kid && { kid }),
+    };
+    return result;
+  } catch (e) {
+    throw new NetworkError(`[${platformUrl}] [PublicKey] ${extractRpcErrorMessage(e)}`);
+  }
+}
+
+/**
+ * Fetch the base public key from WellKnownConfiguration of the platform.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @throws {ConfigurationError} If the KAS endpoint is not defined.
+ * @throws {NetworkError} If there is an error fetching the public key from the KAS endpoint.
+ * @returns The base public key information for the KAS endpoint.
+ */
+export async function fetchKasBasePubKey(kasEndpoint: string): Promise<KasPublicKeyInfo> {
+  if (!kasEndpoint) {
+    throw new ConfigurationError('KAS definition not found');
+  }
+  validateSecureUrl(kasEndpoint);
+
+  const platformUrl = getPlatformUrlFromKasEndpoint(kasEndpoint);
+  const platform = new PlatformClient({
+    platformUrl,
+  });
+  try {
+    const { configuration } = await platform.v1.wellknown.getWellKnownConfiguration({});
+    const baseKey = configuration?.base_key as unknown as PlatformBaseKey;
+    if (!isBaseKey(baseKey)) {
+      throw new NetworkError(
+        `Invalid Platform Configuration: [${kasEndpoint}] is missing BaseKey in WellKnownConfiguration`
+      );
+    }
+
+    const result: KasPublicKeyInfo = {
+      key: noteInvalidPublicKey(
+        new URL(baseKey.kas_uri),
+        pemToCryptoPublicKey(baseKey.public_key.pem)
+      ),
+      publicKey: baseKey.public_key.pem,
+      url: baseKey.kas_uri,
+      algorithm: baseKey.public_key.algorithm,
+      kid: baseKey.public_key.kid,
+    };
+    return result;
+  } catch (e) {
+    throw new NetworkError(`[${platformUrl}] [PublicKey] ${extractRpcErrorMessage(e)}`);
+  }
+}

package/src/access.ts

@@ -1,25 +1,22 @@
 import { type AuthProvider } from './auth/auth.js';
+import { ServiceError } from './errors.js';
+import { RewrapResponse } from './platform/kas/kas_pb.js';
+import { getPlatformUrlFromKasEndpoint, validateSecureUrl } from './utils.js';
+
 import {
-  ConfigurationError,
-  InvalidFileError,
-  NetworkError,
-  PermissionDeniedError,
-  ServiceError,
-  UnauthenticatedError,
-} from './errors.js';
-import { pemToCryptoPublicKey, validateSecureUrl } from './utils.js';
+  fetchKasBasePubKey,
+  fetchKeyAccessServers as fetchKeyAccessServersRpc,
+} from './access/access-rpc.js';
+import { fetchKeyAccessServers as fetchKeyAccessServersLegacy } from './access/access-fetch.js';
+import { fetchWrappedKey as fetchWrappedKeysRpc } from './access/access-rpc.js';
+import { fetchWrappedKey as fetchWrappedKeysLegacy } from './access/access-fetch.js';
+import { fetchKasPubKey as fetchKasPubKeyRpc } from './access/access-rpc.js';
+import { fetchKasPubKey as fetchKasPubKeyLegacy } from './access/access-fetch.js';
 
 export type RewrapRequest = {
   signedRequestToken: string;
 };
 
-export type RewrapResponse = {
-  metadata: Record<string, unknown>;
-  entityWrappedKey: string;
-  sessionPublicKey: string;
-  schemaVersion: string;
-};
-
 /**
  * Get a rewrapped access key to the document, if possible
  * @param url Key access server rewrap endpoint
@@ -29,85 +26,60 @@ export type RewrapResponse = {
  */
 export async function fetchWrappedKey(
   url: string,
-  requestBody: RewrapRequest,
-  authProvider: AuthProvider,
-  clientVersion: string
+  signedRequestToken: string,
+  authProvider: AuthProvider
 ): Promise<RewrapResponse> {
-  const req = await authProvider.withCreds({
-    url,
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify(requestBody),
-  });
-
-  let response: Response;
-
-  try {
-    response = await fetch(req.url, {
-      method: req.method,
-      mode: 'cors', // no-cors, *cors, same-origin
-      cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
-      credentials: 'same-origin', // include, *same-origin, omit
-      headers: req.headers,
-      redirect: 'follow', // manual, *follow, error
-      referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
-      body: req.body as BodyInit,
-    });
-  } catch (e) {
-    throw new NetworkError(`unable to fetch wrapped key from [${url}]`, e);
-  }
-
-  if (!response.ok) {
-    switch (response.status) {
-      case 400:
-        throw new InvalidFileError(
-          `400 for [${req.url}]: rewrap bad request [${await response.text()}]`
-        );
-      case 401:
-        throw new UnauthenticatedError(`401 for [${req.url}]; rewrap auth failure`);
-      case 403:
-        throw new PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied`);
-      default:
-        if (response.status >= 500) {
-          throw new ServiceError(
-            `${response.status} for [${req.url}]: rewrap failure due to service error [${await response.text()}]`
-          );
-        }
-        throw new NetworkError(
-          `${req.method} ${req.url} => ${response.status} ${response.statusText}`
-        );
-    }
-  }
-
-  return response.json();
+  const platformUrl = getPlatformUrlFromKasEndpoint(url);
+
+  return await tryPromisesUntilFirstSuccess(
+    () => fetchWrappedKeysRpc(platformUrl, signedRequestToken, authProvider),
+    () =>
+      fetchWrappedKeysLegacy(
+        url,
+        { signedRequestToken },
+        authProvider
+      ) as unknown as Promise<RewrapResponse>
+  );
 }
 
-export type KasPublicKeyAlgorithm = 'ec:secp256r1' | 'rsa:2048';
+export type KasPublicKeyAlgorithm =
+  | 'ec:secp256r1'
+  | 'ec:secp384r1'
+  | 'ec:secp521r1'
+  | 'rsa:2048'
+  | 'rsa:4096';
 
 export const isPublicKeyAlgorithm = (a: string): a is KasPublicKeyAlgorithm => {
   return a === 'ec:secp256r1' || a === 'rsa:2048';
 };
 
-export const keyAlgorithmToPublicKeyAlgorithm = (a: KeyAlgorithm): KasPublicKeyAlgorithm => {
+export const keyAlgorithmToPublicKeyAlgorithm = (k: CryptoKey): KasPublicKeyAlgorithm => {
+  const a = k.algorithm;
   if (a.name === 'ECDSA' || a.name === 'ECDH') {
     const eca = a as EcKeyAlgorithm;
-    if (eca.namedCurve === 'P-256') {
-      return 'ec:secp256r1';
+    switch (eca.namedCurve) {
+      case 'P-256':
+        return 'ec:secp256r1';
+      case 'P-384':
+        return 'ec:secp384r1';
+      case 'P-521':
+        return 'ec:secp521r1';
+      default:
+        throw new Error(`unsupported EC curve: ${eca.namedCurve}`);
     }
-    throw new Error(`unsupported EC curve: ${eca.namedCurve}`);
   }
-  if (a.name === 'RSA-OAEP') {
+  if (a.name === 'RSA-OAEP' || a.name === 'RSASSA-PKCS1-v1_5') {
     const rsaa = a as RsaHashedKeyAlgorithm;
-    if (rsaa.modulusLength === 2048) {
-      // if (rsaa.hash.name !== 'RSASSA-PKCS1-v1_5') {
-      //   throw new Error(`unsupported RSA hash: ${rsaa.hash.name}`);
-      // }
-      if (rsaa.publicExponent.toString() !== '1,0,1') {
-        throw new Error(`unsupported RSA public exponent: ${rsaa.publicExponent}`);
-      }
-      return 'rsa:2048';
+    if (rsaa.publicExponent.toString() !== '1,0,1') {
+      throw new Error(`unsupported RSA public exponent: ${rsaa.publicExponent}`);
+    }
+    switch (rsaa.modulusLength) {
+      case 2048:
+        return 'rsa:2048';
+      case 4096:
+        return 'rsa:4096';
+      default:
+        throw new Error(`unsupported RSA modulus length: ${rsaa.modulusLength}`);
     }
   }
   throw new Error(`unsupported key algorithm: ${a.name}`);
@@ -119,6 +91,14 @@ export const publicKeyAlgorithmToJwa = (a: KasPublicKeyAlgorithm): string => {
       return 'ES256';
     case 'rsa:2048':
       return 'RS256';
+    case 'rsa:4096':
+      return 'RS512';
+    case 'ec:secp384r1':
+      return 'ES384';
+    case 'ec:secp521r1':
+      return 'ES512';
+    default:
+      throw new Error(`unsupported public key algorithm: ${a}`);
   }
 };
 
@@ -145,7 +125,7 @@ export type KasPublicKeyInfo = {
   key: Promise<CryptoKey>;
 };
 
-async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<CryptoKey> {
+export async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<CryptoKey> {
   try {
     return await r;
   } catch (e) {
@@ -156,76 +136,49 @@ async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<Cr
   }
 }
 
+export async function fetchKeyAccessServers(
+  platformUrl: string,
+  authProvider: AuthProvider
+): Promise<OriginAllowList> {
+  return await tryPromisesUntilFirstSuccess(
+    () => fetchKeyAccessServersRpc(platformUrl, authProvider),
+    () => fetchKeyAccessServersLegacy(platformUrl, authProvider)
+  );
+}
+
 /**
- * If we have KAS url but not public key we can fetch it from KAS, fetching
- * the value from `${kas}/kas_public_key`.
+ * Fetch the EC (secp256r1) public key for a KAS endpoint.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @returns The public key information for the KAS endpoint.
  */
 export async function fetchECKasPubKey(kasEndpoint: string): Promise<KasPublicKeyInfo> {
   return fetchKasPubKey(kasEndpoint, 'ec:secp256r1');
 }
 
+/**
+ * Fetch the public key for a KAS endpoint.
+ * This function will first try to fetch the base public key,
+ * then it will try to fetch the public key using the RPC method,
+ * and finally it will try to fetch the public key using the legacy method.
+ * If all attempts fail, it will return the error from RPC Public Key fetch.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @param algorithm Optional algorithm to fetch the public key for.
+ * @returns The public key information.
+ */
 export async function fetchKasPubKey(
   kasEndpoint: string,
   algorithm?: KasPublicKeyAlgorithm
 ): Promise<KasPublicKeyInfo> {
-  if (!kasEndpoint) {
-    throw new ConfigurationError('KAS definition not found');
-  }
-  // Logs insecure KAS. Secure is enforced in constructor
-  validateSecureUrl(kasEndpoint);
-
-  // Parse kasEndpoint to URL, then append to its path and update its query parameters
-  let pkUrlV2: URL;
   try {
-    pkUrlV2 = new URL(kasEndpoint);
+    return await fetchKasBasePubKey(kasEndpoint);
   } catch (e) {
-    throw new ConfigurationError(`KAS definition invalid: [${kasEndpoint}]`, e);
-  }
-  if (!pkUrlV2.pathname.endsWith('kas_public_key')) {
-    if (!pkUrlV2.pathname.endsWith('/')) {
-      pkUrlV2.pathname += '/';
-    }
-    pkUrlV2.pathname += 'v2/kas_public_key';
-  }
-  pkUrlV2.searchParams.set('algorithm', algorithm || 'rsa:2048');
-  if (!pkUrlV2.searchParams.get('v')) {
-    pkUrlV2.searchParams.set('v', '2');
+    console.log(e);
   }
 
-  let kasPubKeyResponseV2: Response;
-  try {
-    kasPubKeyResponseV2 = await fetch(pkUrlV2);
-  } catch (e) {
-    throw new NetworkError(`unable to fetch public key from [${pkUrlV2}]`, e);
-  }
-  if (!kasPubKeyResponseV2.ok) {
-    switch (kasPubKeyResponseV2.status) {
-      case 404:
-        throw new ConfigurationError(`404 for [${pkUrlV2}]`);
-      case 401:
-        throw new UnauthenticatedError(`401 for [${pkUrlV2}]`);
-      case 403:
-        throw new PermissionDeniedError(`403 for [${pkUrlV2}]`);
-      default:
-        throw new NetworkError(
-          `${pkUrlV2} => ${kasPubKeyResponseV2.status} ${kasPubKeyResponseV2.statusText}`
-        );
-    }
-  }
-  const jsonContent = await kasPubKeyResponseV2.json();
-  const { publicKey, kid }: KasPublicKeyInfo = jsonContent;
-  if (!publicKey) {
-    throw new NetworkError(
-      `invalid response from public key endpoint [${JSON.stringify(jsonContent)}]`
-    );
-  }
-  return {
-    key: noteInvalidPublicKey(pkUrlV2, pemToCryptoPublicKey(publicKey)),
-    publicKey,
-    url: kasEndpoint,
-    algorithm: algorithm || 'rsa:2048',
-    ...(kid && { kid }),
-  };
+  return await tryPromisesUntilFirstSuccess(
+    () => fetchKasPubKeyRpc(kasEndpoint, algorithm),
+    () => fetchKasPubKeyLegacy(kasEndpoint, algorithm)
+  );
 }
 
 const origin = (u: string): string => {
@@ -252,3 +205,25 @@ export class OriginAllowList {
     return this.origins.includes(origin(url));
   }
 }
+
+/**
+ * Tries two promise-returning functions in order and returns the first successful result.
+ * If both fail, throws the error from the second.
+ * @param first First function returning a promise to try.
+ * @param second Second function returning a promise to try if the first fails.
+ */
+async function tryPromisesUntilFirstSuccess<T>(
+  first: () => Promise<T>,
+  second: () => Promise<T>
+): Promise<T> {
+  try {
+    return await first();
+  } catch (e1) {
+    console.info('v2 request error', e1);
+    try {
+      return await second();
+    } catch (err) {
+      throw err;
+    }
+  }
+}