@sphereon/ssi-sdk-ext.key-utils 0.28.1-feature.oyd.cmsm.improv.21 → 0.28.1-next.53

package/dist/functions.js

@@ -1,756 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
-};
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-var __importDefault = (this && this.__importDefault) || function (mod) {
-    return (mod && mod.__esModule) ? mod : { "default": mod };
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.sanitizedJwk = exports.globalCrypto = exports.keyTypeFromCryptographicSuite = exports.signatureAlgorithmFromKeyType = exports.signatureAlgorithmFromKey = exports.hexStringFromUint8Array = exports.toRawCompressedHexPublicKey = exports.isRawCompressedPublicKey = exports.asn1DerToRawPublicKey = exports.isAsn1Der = exports.padLeft = exports.jwkDetermineUse = exports.jwkToRawHexKey = exports.toJwk = exports.toJwkFromKey = exports.calculateJwkThumbprint = exports.toBase64url = exports.calculateJwkThumbprintForKey = exports.generatePrivateKeyHex = exports.getKms = exports.logger = void 0;
-exports.importProvidedOrGeneratedKey = importProvidedOrGeneratedKey;
-exports.removeNulls = removeNulls;
-exports.verifyRawSignature = verifyRawSignature;
-const random_1 = require("@ethersproject/random");
-// Do not change these require statements to imports before we change to ESM. Breaks external CJS packages depending on this module
-const bls12_381_1 = require("@noble/curves/bls12-381");
-const ed25519_1 = require("@noble/curves/ed25519");
-const p256_1 = require("@noble/curves/p256");
-const p384_1 = require("@noble/curves/p384");
-const p521_1 = require("@noble/curves/p521");
-const secp256k1_1 = require("@noble/curves/secp256k1");
-const sha256_1 = require("@noble/hashes/sha256");
-const sha512_1 = require("@noble/hashes/sha512");
-const ssi_sdk_ext_x509_utils_1 = require("@sphereon/ssi-sdk-ext.x509-utils");
-const ssi_types_1 = require("@sphereon/ssi-types");
-const ed25519_2 = require("@stablelib/ed25519");
-const debug_1 = __importDefault(require("debug"));
-const elliptic_1 = __importDefault(require("elliptic"));
-const rsa = __importStar(require("micro-rsa-dsa-dh/rsa.js"));
-const u8a = __importStar(require("uint8arrays"));
-const digest_methods_1 = require("./digest-methods");
-const jwk_jcs_1 = require("./jwk-jcs");
-const types_1 = require("./types");
-exports.logger = ssi_types_1.Loggers.DEFAULT.get('sphereon:key-utils');
-/**
- * Function that returns the provided KMS name or the default KMS name if none is provided.
- * The default KMS is either explicitly defined during agent construction, or the first KMS available in the system
- * @param context
- * @param kms. Optional KMS to use. If provided will be the returned name. Otherwise the default KMS will be returned
- */
-const getKms = (context, kms) => __awaiter(void 0, void 0, void 0, function* () {
-    if (kms) {
-        return kms;
-    }
-    if (!context.agent.availableMethods().includes('keyManagerGetDefaultKeyManagementSystem')) {
-        throw Error('Cannot determine default KMS if not provided and a non Sphereon Key Manager is being used');
-    }
-    return context.agent.keyManagerGetDefaultKeyManagementSystem();
-});
-exports.getKms = getKms;
-/**
- * Generates a random Private Hex Key for the specified key type
- * @param type The key type
- * @return The private key in Hex form
- */
-const generatePrivateKeyHex = (type) => __awaiter(void 0, void 0, void 0, function* () {
-    switch (type) {
-        case 'Ed25519': {
-            const keyPairEd25519 = (0, ed25519_2.generateKeyPair)();
-            return u8a.toString(keyPairEd25519.secretKey, 'base16');
-        }
-        // The Secp256 types use the same method to generate the key
-        case 'Secp256r1':
-        case 'Secp256k1': {
-            const privateBytes = (0, random_1.randomBytes)(32);
-            return u8a.toString(privateBytes, 'base16');
-        }
-        case 'RSA': {
-            const pem = yield (0, ssi_sdk_ext_x509_utils_1.generateRSAKeyAsPEM)('RSA-PSS', 'SHA-256', 2048);
-            return (0, ssi_sdk_ext_x509_utils_1.privateKeyHexFromPEM)(pem);
-        }
-        default:
-            throw Error(`not_supported: Key type ${type} not yet supported for this did:jwk implementation`);
-    }
-});
-exports.generatePrivateKeyHex = generatePrivateKeyHex;
-const keyMetaAlgorithmsFromKeyType = (type) => {
-    switch (type) {
-        case 'Ed25519':
-            return ['Ed25519', 'EdDSA'];
-        case 'ES256K':
-        case 'Secp256k1':
-            return ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'];
-        case 'Secp256r1':
-            return ['ES256'];
-        case 'X25519':
-            return ['ECDH', 'ECDH-ES', 'ECDH-1PU'];
-        case 'RSA':
-            return ['RS256', 'RS512', 'PS256', 'PS512'];
-    }
-    return [type];
-};
-/**
- * We optionally generate and then import our own keys.
- *
- * @param args The key arguments
- * @param context The Veramo agent context
- * @private
- */
-function importProvidedOrGeneratedKey(args, context) {
-    return __awaiter(this, void 0, void 0, function* () {
-        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l, _m, _o, _p, _q, _r;
-        // @ts-ignore
-        const type = (_g = (_e = (_b = (_a = args.options) === null || _a === void 0 ? void 0 : _a.type) !== null && _b !== void 0 ? _b : (_d = (_c = args.options) === null || _c === void 0 ? void 0 : _c.key) === null || _d === void 0 ? void 0 : _d.type) !== null && _e !== void 0 ? _e : (_f = args.options) === null || _f === void 0 ? void 0 : _f.keyType) !== null && _g !== void 0 ? _g : 'Secp256r1';
-        const key = (_h = args === null || args === void 0 ? void 0 : args.options) === null || _h === void 0 ? void 0 : _h.key;
-        // Make sure x509 options are also set on the metadata as that is what the kms will look for
-        if (((_j = args.options) === null || _j === void 0 ? void 0 : _j.x509) && key) {
-            key.meta = Object.assign(Object.assign({}, key.meta), { x509: Object.assign(Object.assign({}, args.options.x509), (_k = key.meta) === null || _k === void 0 ? void 0 : _k.x509) });
-        }
-        if (args.options && ((_l = args.options) === null || _l === void 0 ? void 0 : _l.use) === types_1.JwkKeyUse.Encryption && !types_1.ENC_KEY_ALGS.includes(type)) {
-            throw new Error(`${type} keys are not valid for encryption`);
-        }
-        let privateKeyHex = undefined;
-        if (key) {
-            privateKeyHex = (_m = key.privateKeyHex) !== null && _m !== void 0 ? _m : (_p = (_o = key.meta) === null || _o === void 0 ? void 0 : _o.x509) === null || _p === void 0 ? void 0 : _p.privateKeyHex;
-            if ((!privateKeyHex || privateKeyHex.trim() === '') && ((_r = (_q = key === null || key === void 0 ? void 0 : key.meta) === null || _q === void 0 ? void 0 : _q.x509) === null || _r === void 0 ? void 0 : _r.privateKeyPEM)) {
-                // If we do not have a privateKeyHex but do have a PEM
-                privateKeyHex = (0, ssi_sdk_ext_x509_utils_1.privateKeyHexFromPEM)(key.meta.x509.privateKeyPEM);
-            }
-        }
-        if (privateKeyHex) {
-            return context.agent.keyManagerImport(Object.assign(Object.assign({}, key), { kms: args.kms, type, privateKeyHex: privateKeyHex }));
-        }
-        return context.agent.keyManagerCreate({
-            type,
-            kms: args.kms,
-            meta: Object.assign(Object.assign({}, key === null || key === void 0 ? void 0 : key.meta), { algorithms: keyMetaAlgorithmsFromKeyType(type), keyAlias: args.alias }),
-        });
-    });
-}
-const calculateJwkThumbprintForKey = (args) => {
-    const { key } = args;
-    const jwk = key.publicKeyHex
-        ? (0, exports.toJwk)(key.publicKeyHex, key.type, { key: key, isPrivateKey: false })
-        : 'privateKeyHex' in key && key.privateKeyHex
-            ? (0, exports.toJwk)(key.privateKeyHex, key.type, { isPrivateKey: true })
-            : undefined;
-    if (!jwk) {
-        throw Error(`Could not determine jwk from key ${key.kid}`);
-    }
-    return (0, exports.calculateJwkThumbprint)({ jwk, digestAlgorithm: args.digestAlgorithm });
-};
-exports.calculateJwkThumbprintForKey = calculateJwkThumbprintForKey;
-const assertJwkClaimPresent = (value, description) => {
-    if (typeof value !== 'string' || !value) {
-        throw new Error(`${description} missing or invalid`);
-    }
-};
-const toBase64url = (input) => u8a.toString(u8a.fromString(input), 'base64url');
-exports.toBase64url = toBase64url;
-/**
- * Calculate the JWK thumbprint
- * @param args
- */
-const calculateJwkThumbprint = (args) => {
-    const { digestAlgorithm = 'sha256' } = args;
-    const jwk = (0, exports.sanitizedJwk)(args.jwk);
-    let components;
-    switch (jwk.kty) {
-        case 'EC':
-            assertJwkClaimPresent(jwk.crv, '"crv" (Curve) Parameter');
-            assertJwkClaimPresent(jwk.x, '"x" (X Coordinate) Parameter');
-            assertJwkClaimPresent(jwk.y, '"y" (Y Coordinate) Parameter');
-            components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x, y: jwk.y };
-            break;
-        case 'OKP':
-            assertJwkClaimPresent(jwk.crv, '"crv" (Subtype of Key Pair) Parameter');
-            assertJwkClaimPresent(jwk.x, '"x" (Public Key) Parameter');
-            components = { crv: jwk.crv, kty: jwk.kty, x: jwk.x };
-            break;
-        case 'RSA':
-            assertJwkClaimPresent(jwk.e, '"e" (Exponent) Parameter');
-            assertJwkClaimPresent(jwk.n, '"n" (Modulus) Parameter');
-            components = { e: jwk.e, kty: jwk.kty, n: jwk.n };
-            break;
-        case 'oct':
-            assertJwkClaimPresent(jwk.k, '"k" (Key Value) Parameter');
-            components = { k: jwk.k, kty: jwk.kty };
-            break;
-        default:
-            throw new Error('"kty" (Key Type) Parameter missing or unsupported');
-    }
-    const data = JSON.stringify(components);
-    return digestAlgorithm === 'sha512'
-        ? (0, digest_methods_1.digestMethodParams)('SHA-512').digestMethod(data, 'base64url')
-        : (0, digest_methods_1.digestMethodParams)('SHA-256').digestMethod(data, 'base64url');
-};
-exports.calculateJwkThumbprint = calculateJwkThumbprint;
-const toJwkFromKey = (key, opts) => {
-    const isPrivateKey = 'privateKeyHex' in key;
-    return (0, exports.toJwk)(key.publicKeyHex, key.type, Object.assign(Object.assign({}, opts), { key, isPrivateKey }));
-};
-exports.toJwkFromKey = toJwkFromKey;
-/**
- * Converts a public key in hex format to a JWK
- * @param publicKeyHex public key in hex
- * @param type The type of the key (Ed25519, Secp256k1/r1)
- * @param opts. Options, like the optional use for the key (sig/enc)
- * @return The JWK
- */
-const toJwk = (publicKeyHex, type, opts) => {
-    const { key, noKidThumbprint = false } = opts !== null && opts !== void 0 ? opts : {};
-    if (key && key.publicKeyHex !== publicKeyHex && (opts === null || opts === void 0 ? void 0 : opts.isPrivateKey) !== true) {
-        throw Error(`Provided key with id ${key.kid}, has a different public key hex ${key.publicKeyHex} than supplied public key ${publicKeyHex}`);
-    }
-    let jwk;
-    switch (type) {
-        case 'Ed25519':
-            jwk = toEd25519OrX25519Jwk(publicKeyHex, Object.assign(Object.assign({}, opts), { crv: ssi_types_1.JoseCurve.Ed25519 }));
-            break;
-        case 'X25519':
-            jwk = toEd25519OrX25519Jwk(publicKeyHex, Object.assign(Object.assign({}, opts), { crv: ssi_types_1.JoseCurve.X25519 }));
-            break;
-        case 'Secp256k1':
-            jwk = toSecp256k1Jwk(publicKeyHex, opts);
-            break;
-        case 'Secp256r1':
-            jwk = toSecp256r1Jwk(publicKeyHex, opts);
-            break;
-        case 'RSA':
-            jwk = toRSAJwk(publicKeyHex, opts);
-            break;
-        default:
-            throw new Error(`not_supported: Key type ${type} not yet supported for this did:jwk implementation`);
-    }
-    if (!jwk.kid && !noKidThumbprint) {
-        jwk['kid'] = (0, exports.calculateJwkThumbprint)({ jwk });
-    }
-    return (0, exports.sanitizedJwk)(jwk);
-};
-exports.toJwk = toJwk;
-/**
- * Convert a JWK to a raw hex key.
- * Currently supports `RSA` and `EC` keys. Extendable for other key types.
- * @param jwk - The JSON Web Key object.
- * @returns A string representing the key in raw hexadecimal format.
- */
-const jwkToRawHexKey = (jwk) => __awaiter(void 0, void 0, void 0, function* () {
-    // TODO: Probably makes sense to have an option to do the same for private keys
-    jwk = (0, exports.sanitizedJwk)(jwk);
-    if (jwk.kty === 'RSA') {
-        return rsaJwkToRawHexKey(jwk);
-    }
-    else if (jwk.kty === 'EC') {
-        return ecJwkToRawHexKey(jwk);
-    }
-    else if (jwk.kty === 'OKP') {
-        return okpJwkToRawHexKey(jwk);
-    }
-    else if (jwk.kty === 'oct') {
-        return octJwkToRawHexKey(jwk);
-    }
-    else {
-        throw new Error(`Unsupported key type: ${jwk.kty}`);
-    }
-});
-exports.jwkToRawHexKey = jwkToRawHexKey;
-/**
- * Convert an RSA JWK to a raw hex key.
- * @param jwk - The RSA JWK object.
- * @returns A string representing the RSA key in raw hexadecimal format.
- */
-function rsaJwkToRawHexKey(jwk) {
-    jwk = (0, exports.sanitizedJwk)(jwk);
-    if (!jwk.n || !jwk.e) {
-        throw new Error("RSA JWK must contain 'n' and 'e' properties.");
-    }
-    // We are converting from base64 to base64url to be sure. The spec uses base64url, but in the wild we sometimes encounter a base64 string
-    const modulus = u8a.fromString(jwk.n.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url'); // 'n' is the modulus
-    const exponent = u8a.fromString(jwk.e.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url'); // 'e' is the exponent
-    return u8a.toString(modulus, 'hex') + u8a.toString(exponent, 'hex');
-}
-/**
- * Convert an EC JWK to a raw hex key.
- * @param jwk - The EC JWK object.
- * @returns A string representing the EC key in raw hexadecimal format.
- */
-function ecJwkToRawHexKey(jwk) {
-    jwk = (0, exports.sanitizedJwk)(jwk);
-    if (!jwk.x || !jwk.y) {
-        throw new Error("EC JWK must contain 'x' and 'y' properties.");
-    }
-    // We are converting from base64 to base64url to be sure. The spec uses base64url, but in the wild we sometimes encounter a base64 string
-    const x = u8a.fromString(jwk.x.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url');
-    const y = u8a.fromString(jwk.y.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url');
-    return '04' + u8a.toString(x, 'hex') + u8a.toString(y, 'hex');
-}
-/**
- * Convert an EC JWK to a raw hex key.
- * @param jwk - The EC JWK object.
- * @returns A string representing the EC key in raw hexadecimal format.
- */
-function okpJwkToRawHexKey(jwk) {
-    jwk = (0, exports.sanitizedJwk)(jwk);
-    if (!jwk.x) {
-        throw new Error("OKP JWK must contain 'x' property.");
-    }
-    // We are converting from base64 to base64url to be sure. The spec uses base64url, but in the wild we sometimes encounter a base64 string
-    const x = u8a.fromString(jwk.x.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url');
-    return u8a.toString(x, 'hex');
-}
-/**
- * Convert an octet JWK to a raw hex key.
- * @param jwk - The octet JWK object.
- * @returns A string representing the octet key in raw hexadecimal format.
- */
-function octJwkToRawHexKey(jwk) {
-    jwk = (0, exports.sanitizedJwk)(jwk);
-    if (!jwk.k) {
-        throw new Error("Octet JWK must contain 'k' property.");
-    }
-    // We are converting from base64 to base64url to be sure. The spec uses base64url, but in the wild we sometimes encounter a base64 string
-    const key = u8a.fromString(jwk.k.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url');
-    return u8a.toString(key, 'hex');
-}
-/**
- * Determines the use param based upon the key/signature type or supplied use value.
- *
- * @param type The key type
- * @param suppliedUse A supplied use. Will be used in case it is present
- */
-const jwkDetermineUse = (type, suppliedUse) => {
-    return suppliedUse
-        ? suppliedUse
-        : types_1.SIG_KEY_ALGS.includes(type)
-            ? types_1.JwkKeyUse.Signature
-            : types_1.ENC_KEY_ALGS.includes(type)
-                ? types_1.JwkKeyUse.Encryption
-                : undefined;
-};
-exports.jwkDetermineUse = jwkDetermineUse;
-/**
- * Assert the key has a proper length
- *
- * @param keyHex Input key
- * @param expectedKeyLength Expected key length(s)
- */
-const assertProperKeyLength = (keyHex, expectedKeyLength) => {
-    if (Array.isArray(expectedKeyLength)) {
-        if (!expectedKeyLength.includes(keyHex.length)) {
-            throw Error(`Invalid key length. Needs to be a hex string with length from ${JSON.stringify(expectedKeyLength)} instead of ${keyHex.length}. Input: ${keyHex}`);
-        }
-    }
-    else if (keyHex.length !== expectedKeyLength) {
-        throw Error(`Invalid key length. Needs to be a hex string with length ${expectedKeyLength} instead of ${keyHex.length}. Input: ${keyHex}`);
-    }
-};
-/**
- * Generates a JWK from a Secp256k1 public key
- * @param keyHex Secp256k1 public or private key in hex
- * @param use The use for the key
- * @return The JWK
- */
-const toSecp256k1Jwk = (keyHex, opts) => {
-    const { use } = opts !== null && opts !== void 0 ? opts : {};
-    exports.logger.debug(`toSecp256k1Jwk keyHex: ${keyHex}, length: ${keyHex.length}`);
-    if (opts === null || opts === void 0 ? void 0 : opts.isPrivateKey) {
-        assertProperKeyLength(keyHex, [64]);
-    }
-    else {
-        assertProperKeyLength(keyHex, [66, 130]);
-    }
-    const secp256k1 = new elliptic_1.default.ec('secp256k1');
-    const keyBytes = u8a.fromString(keyHex, 'base16');
-    const keyPair = (opts === null || opts === void 0 ? void 0 : opts.isPrivateKey) ? secp256k1.keyFromPrivate(keyBytes) : secp256k1.keyFromPublic(keyBytes);
-    const pubPoint = keyPair.getPublic();
-    return (0, exports.sanitizedJwk)(Object.assign(Object.assign(Object.assign({ alg: ssi_types_1.JoseSignatureAlgorithm.ES256K }, (use !== undefined && { use })), { kty: ssi_types_1.JwkKeyType.EC, crv: ssi_types_1.JoseCurve.secp256k1, x: (0, ssi_sdk_ext_x509_utils_1.hexToBase64)(pubPoint.getX().toString('hex'), 'base64url'), y: (0, ssi_sdk_ext_x509_utils_1.hexToBase64)(pubPoint.getY().toString('hex'), 'base64url') }), ((opts === null || opts === void 0 ? void 0 : opts.isPrivateKey) && { d: (0, ssi_sdk_ext_x509_utils_1.hexToBase64)(keyPair.getPrivate('hex'), 'base64url') })));
-};
-/**
- * Generates a JWK from a Secp256r1 public key
- * @param keyHex Secp256r1 public key in hex
- * @param use The use for the key
- * @return The JWK
- */
-const toSecp256r1Jwk = (keyHex, opts) => {
-    const { use } = opts !== null && opts !== void 0 ? opts : {};
-    exports.logger.debug(`toSecp256r1Jwk keyHex: ${keyHex}, length: ${keyHex.length}`);
-    if (opts === null || opts === void 0 ? void 0 : opts.isPrivateKey) {
-        assertProperKeyLength(keyHex, [64]);
-    }
-    else {
-        assertProperKeyLength(keyHex, [66, 130]);
-    }
-    const secp256r1 = new elliptic_1.default.ec('p256');
-    const keyBytes = u8a.fromString(keyHex, 'base16');
-    exports.logger.debug(`keyBytes length: ${keyBytes}`);
-    const keyPair = (opts === null || opts === void 0 ? void 0 : opts.isPrivateKey) ? secp256r1.keyFromPrivate(keyBytes) : secp256r1.keyFromPublic(keyBytes);
-    const pubPoint = keyPair.getPublic();
-    return (0, exports.sanitizedJwk)(Object.assign(Object.assign(Object.assign({ alg: ssi_types_1.JoseSignatureAlgorithm.ES256 }, (use !== undefined && { use })), { kty: ssi_types_1.JwkKeyType.EC, crv: ssi_types_1.JoseCurve.P_256, x: (0, ssi_sdk_ext_x509_utils_1.hexToBase64)(pubPoint.getX().toString('hex'), 'base64url'), y: (0, ssi_sdk_ext_x509_utils_1.hexToBase64)(pubPoint.getY().toString('hex'), 'base64url') }), ((opts === null || opts === void 0 ? void 0 : opts.isPrivateKey) && { d: (0, ssi_sdk_ext_x509_utils_1.hexToBase64)(keyPair.getPrivate('hex'), 'base64url') })));
-};
-/**
- * Generates a JWK from an Ed25519/X25519 public key
- * @param publicKeyHex Ed25519/X25519 public key in hex
- * @param opts
- * @return The JWK
- */
-const toEd25519OrX25519Jwk = (publicKeyHex, opts) => {
-    var _a;
-    assertProperKeyLength(publicKeyHex, 64);
-    const { use } = opts !== null && opts !== void 0 ? opts : {};
-    return (0, exports.sanitizedJwk)(Object.assign(Object.assign({ alg: ssi_types_1.JoseSignatureAlgorithm.EdDSA }, (use !== undefined && { use })), { kty: ssi_types_1.JwkKeyType.OKP, crv: (_a = opts === null || opts === void 0 ? void 0 : opts.crv) !== null && _a !== void 0 ? _a : ssi_types_1.JoseCurve.Ed25519, x: (0, ssi_sdk_ext_x509_utils_1.hexToBase64)(publicKeyHex, 'base64url') }));
-};
-const toRSAJwk = (publicKeyHex, opts) => {
-    var _a, _b;
-    const meta = (_a = opts === null || opts === void 0 ? void 0 : opts.key) === null || _a === void 0 ? void 0 : _a.meta;
-    if ((meta === null || meta === void 0 ? void 0 : meta.publicKeyJwk) || (meta === null || meta === void 0 ? void 0 : meta.publicKeyPEM)) {
-        if (meta === null || meta === void 0 ? void 0 : meta.publicKeyJwk) {
-            return meta.publicKeyJwk;
-        }
-        const publicKeyPEM = (_b = meta === null || meta === void 0 ? void 0 : meta.publicKeyPEM) !== null && _b !== void 0 ? _b : (0, ssi_sdk_ext_x509_utils_1.hexToPEM)(publicKeyHex, 'public');
-        return (0, ssi_sdk_ext_x509_utils_1.PEMToJwk)(publicKeyPEM, 'public');
-    }
-    // exponent (e) is 5 chars long, rest is modulus (n)
-    // const publicKey = publicKeyHex
-    // assertProperKeyLength(publicKey, [2048, 3072, 4096])
-    const exponent = publicKeyHex.slice(-5);
-    const modulus = publicKeyHex.slice(0, -5);
-    // const modulusBitLength  = (modulus.length / 2) * 8
-    // const alg = modulusBitLength === 2048 ? JoseSignatureAlgorithm.RS256 : modulusBitLength === 3072 ? JoseSignatureAlgorithm.RS384 : modulusBitLength === 4096 ? JoseSignatureAlgorithm.RS512 : undefined
-    return (0, exports.sanitizedJwk)({
-        kty: 'RSA',
-        n: (0, ssi_sdk_ext_x509_utils_1.hexToBase64)(modulus, 'base64url'),
-        e: (0, ssi_sdk_ext_x509_utils_1.hexToBase64)(exponent, 'base64url'),
-        // ...(alg && { alg }),
-    });
-};
-const padLeft = (args) => {
-    var _a, _b;
-    const { data } = args;
-    const size = (_a = args.size) !== null && _a !== void 0 ? _a : 32;
-    const padString = (_b = args.padString) !== null && _b !== void 0 ? _b : '0';
-    if (data.length >= size) {
-        return data;
-    }
-    if (padString && padString.length === 0) {
-        throw Error(`Pad string needs to have at least a length of 1`);
-    }
-    const length = padString.length;
-    return padString.repeat((size - data.length) / length) + data;
-};
-exports.padLeft = padLeft;
-var OIDType;
-(function (OIDType) {
-    OIDType[OIDType["Secp256k1"] = 0] = "Secp256k1";
-    OIDType[OIDType["Secp256r1"] = 1] = "Secp256r1";
-    OIDType[OIDType["Ed25519"] = 2] = "Ed25519";
-})(OIDType || (OIDType = {}));
-const OID = {
-    [OIDType.Secp256k1]: new Uint8Array([0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, 0x01]),
-    [OIDType.Secp256r1]: new Uint8Array([0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07]),
-    [OIDType.Ed25519]: new Uint8Array([0x06, 0x03, 0x2b, 0x65, 0x70]),
-};
-const compareUint8Arrays = (a, b) => {
-    if (a.length !== b.length) {
-        return false;
-    }
-    for (let i = 0; i < a.length; i++) {
-        if (a[i] !== b[i]) {
-            return false;
-        }
-    }
-    return true;
-};
-const findSubarray = (haystack, needle) => {
-    for (let i = 0; i <= haystack.length - needle.length; i++) {
-        if (compareUint8Arrays(haystack.subarray(i, i + needle.length), needle)) {
-            return i;
-        }
-    }
-    return -1;
-};
-const getTargetOID = (keyType) => {
-    switch (keyType) {
-        case 'Secp256k1':
-            return OID[OIDType.Secp256k1];
-        case 'Secp256r1':
-            return OID[OIDType.Secp256r1];
-        case 'Ed25519':
-            return OID[OIDType.Ed25519];
-        default:
-            throw new Error(`Unsupported key type: ${keyType}`);
-    }
-};
-const isAsn1Der = (key) => key[0] === 0x30;
-exports.isAsn1Der = isAsn1Der;
-const asn1DerToRawPublicKey = (derKey, keyType) => {
-    if (!(0, exports.isAsn1Der)(derKey)) {
-        throw new Error('Invalid DER encoding: Expected to start with sequence tag');
-    }
-    let index = 2;
-    if (derKey[1] & 0x80) {
-        const lengthBytesCount = derKey[1] & 0x7f;
-        index += lengthBytesCount;
-    }
-    const targetOid = getTargetOID(keyType);
-    const oidIndex = findSubarray(derKey, targetOid);
-    if (oidIndex === -1) {
-        throw new Error(`OID for ${keyType} not found in DER encoding`);
-    }
-    index = oidIndex + targetOid.length;
-    while (index < derKey.length && derKey[index] !== 0x03) {
-        index++;
-    }
-    if (index >= derKey.length) {
-        throw new Error('Invalid DER encoding: Bit string not found');
-    }
-    // Skip the bit string tag (0x03) and length byte
-    index += 2;
-    // Skip the unused bits count byte
-    index++;
-    return derKey.slice(index);
-};
-exports.asn1DerToRawPublicKey = asn1DerToRawPublicKey;
-const isRawCompressedPublicKey = (key) => key.length === 33 && (key[0] === 0x02 || key[0] === 0x03);
-exports.isRawCompressedPublicKey = isRawCompressedPublicKey;
-const toRawCompressedHexPublicKey = (rawPublicKey, keyType) => {
-    if ((0, exports.isRawCompressedPublicKey)(rawPublicKey)) {
-        return (0, exports.hexStringFromUint8Array)(rawPublicKey);
-    }
-    if (keyType === 'Secp256k1' || keyType === 'Secp256r1') {
-        if (rawPublicKey[0] === 0x04 && rawPublicKey.length === 65) {
-            const xCoordinate = rawPublicKey.slice(1, 33);
-            const yCoordinate = rawPublicKey.slice(33);
-            const prefix = new Uint8Array([yCoordinate[31] % 2 === 0 ? 0x02 : 0x03]);
-            const resultKey = (0, exports.hexStringFromUint8Array)(new Uint8Array([...prefix, ...xCoordinate]));
-            exports.logger.debug(`converted public key ${(0, exports.hexStringFromUint8Array)(rawPublicKey)} to ${resultKey}`);
-            return resultKey;
-        }
-        return u8a.toString(rawPublicKey, 'base16');
-    }
-    else if (keyType === 'Ed25519') {
-        // Ed25519 keys are always in compressed form
-        return u8a.toString(rawPublicKey, 'base16');
-    }
-    throw new Error(`Unsupported key type: ${keyType}`);
-};
-exports.toRawCompressedHexPublicKey = toRawCompressedHexPublicKey;
-const hexStringFromUint8Array = (value) => u8a.toString(value, 'base16');
-exports.hexStringFromUint8Array = hexStringFromUint8Array;
-const signatureAlgorithmFromKey = (args) => __awaiter(void 0, void 0, void 0, function* () {
-    const { key } = args;
-    return (0, exports.signatureAlgorithmFromKeyType)({ type: key.type });
-});
-exports.signatureAlgorithmFromKey = signatureAlgorithmFromKey;
-const signatureAlgorithmFromKeyType = (args) => {
-    const { type } = args;
-    switch (type) {
-        case 'Ed25519':
-        case 'X25519':
-            return ssi_types_1.JoseSignatureAlgorithm.EdDSA;
-        case 'Secp256r1':
-            return ssi_types_1.JoseSignatureAlgorithm.ES256;
-        case 'Secp384r1':
-            return ssi_types_1.JoseSignatureAlgorithm.ES384;
-        case 'Secp521r1':
-            return ssi_types_1.JoseSignatureAlgorithm.ES512;
-        case 'Secp256k1':
-            return ssi_types_1.JoseSignatureAlgorithm.ES256K;
-        default:
-            throw new Error(`Key type '${type}' not supported`);
-    }
-};
-exports.signatureAlgorithmFromKeyType = signatureAlgorithmFromKeyType;
-// TODO improve this conversion for jwt and jsonld, not a fan of current structure
-const keyTypeFromCryptographicSuite = (args) => {
-    const { crv, kty, alg } = args;
-    switch (alg) {
-        case 'RSASSA-PSS':
-        case 'RS256':
-        case 'RS384':
-        case 'RS512':
-        case 'PS256':
-        case 'PS384':
-        case 'PS512':
-            return 'RSA';
-    }
-    switch (crv) {
-        case 'EdDSA':
-        case 'Ed25519':
-        case 'Ed25519Signature2018':
-        case 'Ed25519Signature2020':
-        case 'JcsEd25519Signature2020':
-            return 'Ed25519';
-        case 'JsonWebSignature2020':
-        case 'ES256':
-        case 'ECDSA':
-        case 'P-256':
-            return 'Secp256r1';
-        case 'ES384':
-        case 'P-384':
-            return 'Secp384r1';
-        case 'ES512':
-        case 'P-521':
-            return 'Secp521r1';
-        case 'EcdsaSecp256k1Signature2019':
-        case 'secp256k1':
-        case 'ES256K':
-            return 'Secp256k1';
-    }
-    if (kty) {
-        return kty;
-    }
-    throw new Error(`Cryptographic suite '${crv}' not supported`);
-};
-exports.keyTypeFromCryptographicSuite = keyTypeFromCryptographicSuite;
-function removeNulls(obj) {
-    Object.keys(obj).forEach((key) => {
-        if (obj[key] && typeof obj[key] === 'object')
-            removeNulls(obj[key]);
-        else if (obj[key] == null)
-            delete obj[key];
-    });
-    return obj;
-}
-const globalCrypto = (setGlobal, suppliedCrypto) => {
-    var _a, _b;
-    let webcrypto;
-    if (typeof suppliedCrypto !== 'undefined') {
-        webcrypto = suppliedCrypto;
-    }
-    else if (typeof crypto !== 'undefined') {
-        webcrypto = crypto;
-    }
-    else if (typeof global.crypto !== 'undefined') {
-        webcrypto = global.crypto;
-    }
-    else if (typeof ((_b = (_a = global.window) === null || _a === void 0 ? void 0 : _a.crypto) === null || _b === void 0 ? void 0 : _b.subtle) !== 'undefined') {
-        webcrypto = global.window.crypto;
-    }
-    else {
-        webcrypto = require('crypto');
-    }
-    if (setGlobal) {
-        global.crypto = webcrypto;
-    }
-    return webcrypto;
-};
-exports.globalCrypto = globalCrypto;
-const sanitizedJwk = (input) => {
-    const inputJwk = typeof input['toJsonDTO'] === 'function' ? input['toJsonDTO']() : Object.assign({}, input); // KMP code can expose this. It converts a KMP JWK with mangled names into a clean JWK
-    const jwk = Object.assign(Object.assign(Object.assign(Object.assign(Object.assign(Object.assign(Object.assign({}, inputJwk), (inputJwk.x && { x: base64ToBase64Url(inputJwk.x) })), (inputJwk.y && { y: base64ToBase64Url(inputJwk.y) })), (inputJwk.d && { d: base64ToBase64Url(inputJwk.d) })), (inputJwk.n && { n: base64ToBase64Url(inputJwk.n) })), (inputJwk.e && { e: base64ToBase64Url(inputJwk.e) })), (inputJwk.k && { k: base64ToBase64Url(inputJwk.k) }));
-    return removeNulls(jwk);
-};
-exports.sanitizedJwk = sanitizedJwk;
-const base64ToBase64Url = (input) => {
-    return input.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
-};
-/**
- *
- */
-function verifyRawSignature(_a) {
-    return __awaiter(this, arguments, void 0, function* ({ data, signature, key: inputKey, opts, }) {
-        var _b, _c;
-        /**
-         * Converts a Base64URL-encoded JWK property to a BigInt.
-         * @param jwkProp - The Base64URL-encoded string.
-         * @returns The BigInt representation of the decoded value.
-         */
-        function jwkPropertyToBigInt(jwkProp) {
-            // Decode Base64URL to Uint8Array
-            const byteArray = u8a.fromString(jwkProp, 'base64url');
-            // Convert Uint8Array to hexadecimal string and then to BigInt
-            const hex = u8a.toString(byteArray, 'hex');
-            return BigInt(`0x${hex}`);
-        }
-        try {
-            (0, debug_1.default)(`verifyRawSignature for: ${inputKey}`);
-            const jwk = (0, exports.sanitizedJwk)(inputKey);
-            (0, jwk_jcs_1.validateJwk)(jwk, { crvOptional: true });
-            const keyType = (0, exports.keyTypeFromCryptographicSuite)({ crv: jwk.crv, kty: jwk.kty, alg: jwk.alg });
-            const publicKeyHex = yield (0, exports.jwkToRawHexKey)(jwk);
-            // TODO: We really should look at the signature alg first if provided! From key type should be the last resort
-            switch (keyType) {
-                case 'Secp256k1':
-                    return secp256k1_1.secp256k1.verify(signature, data, publicKeyHex, { format: 'compact', prehash: true });
-                case 'Secp256r1':
-                    return p256_1.p256.verify(signature, data, publicKeyHex, { format: 'compact', prehash: true });
-                case 'Secp384r1':
-                    return p384_1.p384.verify(signature, data, publicKeyHex, { format: 'compact', prehash: true });
-                case 'Secp521r1':
-                    return p521_1.p521.verify(signature, data, publicKeyHex, { format: 'compact', prehash: true });
-                case 'Ed25519':
-                    return ed25519_1.ed25519.verify(signature, data, u8a.fromString(publicKeyHex, 'hex'));
-                case 'Bls12381G1':
-                case 'Bls12381G2':
-                    return bls12_381_1.bls12_381.verify(signature, data, u8a.fromString(publicKeyHex, 'hex'));
-                case 'RSA': {
-                    const signatureAlgorithm = (_c = (_b = opts === null || opts === void 0 ? void 0 : opts.signatureAlg) !== null && _b !== void 0 ? _b : jwk.alg) !== null && _c !== void 0 ? _c : ssi_types_1.JoseSignatureAlgorithm.PS256;
-                    const hashAlg = signatureAlgorithm === (ssi_types_1.JoseSignatureAlgorithm.RS512 || ssi_types_1.JoseSignatureAlgorithm.PS512)
-                        ? sha512_1.sha512
-                        : signatureAlgorithm === (ssi_types_1.JoseSignatureAlgorithm.RS384 || ssi_types_1.JoseSignatureAlgorithm.PS384)
-                            ? sha512_1.sha384
-                            : sha256_1.sha256;
-                    switch (signatureAlgorithm) {
-                        case ssi_types_1.JoseSignatureAlgorithm.RS256:
-                            return rsa.PKCS1_SHA256.verify({
-                                n: jwkPropertyToBigInt(jwk.n),
-                                e: jwkPropertyToBigInt(jwk.e),
-                            }, data, signature);
-                        case ssi_types_1.JoseSignatureAlgorithm.RS384:
-                            return rsa.PKCS1_SHA384.verify({
-                                n: jwkPropertyToBigInt(jwk.n),
-                                e: jwkPropertyToBigInt(jwk.e),
-                            }, data, signature);
-                        case ssi_types_1.JoseSignatureAlgorithm.RS512:
-                            return rsa.PKCS1_SHA512.verify({
-                                n: jwkPropertyToBigInt(jwk.n),
-                                e: jwkPropertyToBigInt(jwk.e),
-                            }, data, signature);
-                        case ssi_types_1.JoseSignatureAlgorithm.PS256:
-                        case ssi_types_1.JoseSignatureAlgorithm.PS384:
-                        case ssi_types_1.JoseSignatureAlgorithm.PS512:
-                            return rsa.PSS(hashAlg, rsa.mgf1(hashAlg)).verify({
-                                n: jwkPropertyToBigInt(jwk.n),
-                                e: jwkPropertyToBigInt(jwk.e),
-                            }, data, signature);
-                    }
-                }
-            }
-            throw Error(`Unsupported key type for signature validation: ${keyType}`);
-        }
-        catch (error) {
-            exports.logger.error(`Error: ${error}`);
-            throw error;
-        }
-    });
-}
-//# sourceMappingURL=functions.js.map