@sphereon/ssi-sdk-ext.key-utils 0.34.1-fix.80 → 0.34.1-next.299

package/src/functions.ts

@@ -1,7 +1,7 @@
 import { randomBytes } from '@ethersproject/random'
 // Do not change these require statements to imports before we change to ESM. Breaks external CJS packages depending on this module
 import { bls12_381 } from '@noble/curves/bls12-381'
-import { ed25519 } from '@noble/curves/ed25519'
+import { ed25519, x25519 } from '@noble/curves/ed25519'
 import { p256 } from '@noble/curves/p256'
 import { p384 } from '@noble/curves/p384'
 import { p521 } from '@noble/curves/p521'
@@ -115,19 +115,25 @@ export async function importProvidedOrGeneratedKey(
   args: IImportProvidedOrGeneratedKeyArgs & {
     kms: string
   },
-  context: IAgentContext<IKeyManager>
+  context: IAgentContext<IKeyManager>,
 ): Promise<IKey> {
   // @ts-ignore
   const type = args.options?.type ?? args.options?.key?.type ?? args.options?.keyType ?? 'Secp256r1'
   const key = args?.options?.key
-  // Make sure x509 options are also set on the metadata as that is what the kms will look for
-  if (args.options?.x509 && key) {
+  if (key) {
     key.meta = {
-      ...key.meta,
-      x509: {
-        ...args.options.x509,
-        ...key.meta?.x509,
-      },
+      providerName: args.providerName,
+    }
+
+    // Make sure x509 options are also set on the metadata as that is what the kms will look for
+    if (args.options?.x509) {
+      key.meta = {
+        ...key.meta,
+        x509: {
+          ...args.options.x509,
+          ...key.meta?.x509,
+        },
+      }
     }
   }
 
@@ -172,8 +178,8 @@ export const calculateJwkThumbprintForKey = (args: {
   const jwk = key.publicKeyHex
     ? toJwk(key.publicKeyHex, key.type, { key: key, isPrivateKey: false })
     : 'privateKeyHex' in key && key.privateKeyHex
-    ? toJwk(key.privateKeyHex, key.type, { isPrivateKey: true })
-    : undefined
+      ? toJwk(key.privateKeyHex, key.type, { isPrivateKey: true })
+      : undefined
   if (!jwk) {
     throw Error(`Could not determine jwk from key ${key.kid}`)
   }
@@ -231,7 +237,7 @@ export const toJwkFromKey = (
   opts?: {
     use?: JwkKeyUse
     noKidThumbprint?: boolean
-  }
+  },
 ): JWK => {
   const isPrivateKey = 'privateKeyHex' in key
   return toJwk(key.publicKeyHex!, key.type, { ...opts, key, isPrivateKey })
@@ -247,7 +253,7 @@ export const toJwkFromKey = (
 export const toJwk = (
   publicKeyHex: string,
   type: TKeyType,
-  opts?: { use?: JwkKeyUse; key?: IKey | MinimalImportableKey; isPrivateKey?: boolean; noKidThumbprint?: boolean }
+  opts?: { use?: JwkKeyUse; key?: IKey | MinimalImportableKey; isPrivateKey?: boolean; noKidThumbprint?: boolean },
 ): JWK => {
   const { key, noKidThumbprint = false } = opts ?? {}
   if (key && key.publicKeyHex !== publicKeyHex && opts?.isPrivateKey !== true) {
@@ -367,7 +373,7 @@ export function rsaJwkToRawHexKey(jwk: JsonWebKey): string {
     // We are converting from base64 to base64url to be sure. The spec uses base64url, but in the wild we sometimes encounter a base64 string
     const modulus = fromString(jwk.n.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url') // 'n' is the modulus
     const exponent = fromString(jwk.e.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url') // 'e' is the exponent
-  
+
     return toString(modulus, 'hex') + toString(exponent, 'hex')*/
 }
 
@@ -423,6 +429,17 @@ function octJwkToRawHexKey(jwk: JsonWebKey): string {
   return toString(key, 'hex')
 }
 
+export function x25519PublicHexFromPrivateHex(privateKeyHex: string): string {
+  if (!/^[0-9a-fA-F]{64}$/.test(privateKeyHex)) {
+    throw new Error('Private key must be 32-byte hex (64 chars)')
+  }
+
+  const priv = Uint8Array.from(Buffer.from(privateKeyHex, 'hex'))
+  const pub = x25519.getPublicKey(priv)
+
+  return Buffer.from(pub).toString('hex')
+}
+
 /**
  * Determines the use param based upon the key/signature type or supplied use value.
  *
@@ -433,10 +450,10 @@ export const jwkDetermineUse = (type: TKeyType, suppliedUse?: JwkKeyUse): JwkKey
   return suppliedUse
     ? suppliedUse
     : SIG_KEY_ALGS.includes(type)
-    ? JwkKeyUse.Signature
-    : ENC_KEY_ALGS.includes(type)
-    ? JwkKeyUse.Encryption
-    : undefined
+      ? JwkKeyUse.Signature
+      : ENC_KEY_ALGS.includes(type)
+        ? JwkKeyUse.Encryption
+        : undefined
 }
 
 /**
@@ -451,7 +468,7 @@ const assertProperKeyLength = (keyHex: string, expectedKeyLength: number | numbe
       throw Error(
         `Invalid key length. Needs to be a hex string with length from ${JSON.stringify(expectedKeyLength)} instead of ${
           keyHex.length
-        }. Input: ${keyHex}`
+        }. Input: ${keyHex}`,
       )
     }
   } else if (keyHex.length !== expectedKeyLength) {
@@ -484,8 +501,8 @@ const toSecp256k1Jwk = (keyHex: string, opts?: { use?: JwkKeyUse; isPrivateKey?:
     ...(use !== undefined && { use }),
     kty: JwkKeyType.EC,
     crv: JoseCurve.secp256k1,
-    x: hexToBase64(pubPoint.getX().toString('hex'), 'base64url'),
-    y: hexToBase64(pubPoint.getY().toString('hex'), 'base64url'),
+    x: hexToBase64(pubPoint.getX().toString('hex').padStart(64, '0'), 'base64url'),
+    y: hexToBase64(pubPoint.getY().toString('hex').padStart(64, '0'), 'base64url'),
     ...(opts?.isPrivateKey && { d: hexToBase64(keyPair.getPrivate('hex'), 'base64url') }),
   })
 }
@@ -515,8 +532,8 @@ const toSecp256r1Jwk = (keyHex: string, opts?: { use?: JwkKeyUse; isPrivateKey?:
     ...(use !== undefined && { use }),
     kty: JwkKeyType.EC,
     crv: JoseCurve.P_256,
-    x: hexToBase64(pubPoint.getX().toString('hex'), 'base64url'),
-    y: hexToBase64(pubPoint.getY().toString('hex'), 'base64url'),
+    x: hexToBase64(pubPoint.getX().toString('hex').padStart(64, '0'), 'base64url'),
+    y: hexToBase64(pubPoint.getY().toString('hex').padStart(64, '0'), 'base64url'),
     ...(opts?.isPrivateKey && { d: hexToBase64(keyPair.getPrivate('hex'), 'base64url') }),
   })
 }
@@ -532,7 +549,7 @@ const toEd25519OrX25519Jwk = (
   opts: {
     use?: JwkKeyUse
     crv: JoseCurve.Ed25519 | JoseCurve.X25519
-  }
+  },
 ): JWK => {
   assertProperKeyLength(publicKeyHex, 64)
   const { use } = opts ?? {}
@@ -954,8 +971,8 @@ export async function verifyRawSignature({
           signatureAlgorithm === JoseSignatureAlgorithm.RS512 || signatureAlgorithm === JoseSignatureAlgorithm.PS512
             ? sha512
             : signatureAlgorithm === JoseSignatureAlgorithm.RS384 || signatureAlgorithm === JoseSignatureAlgorithm.PS384
-            ? sha384
-            : sha256
+              ? sha384
+              : sha256
         switch (signatureAlgorithm) {
           case JoseSignatureAlgorithm.RS256:
             return rsa.PKCS1_SHA256.verify(
@@ -964,7 +981,7 @@ export async function verifyRawSignature({
                 e: jwkPropertyToBigInt(jwk.e!),
               },
               data,
-              signature
+              signature,
             )
           case JoseSignatureAlgorithm.RS384:
             return rsa.PKCS1_SHA384.verify(
@@ -973,7 +990,7 @@ export async function verifyRawSignature({
                 e: jwkPropertyToBigInt(jwk.e!),
               },
               data,
-              signature
+              signature,
             )
           case JoseSignatureAlgorithm.RS512:
             return rsa.PKCS1_SHA512.verify(
@@ -982,7 +999,7 @@ export async function verifyRawSignature({
                 e: jwkPropertyToBigInt(jwk.e!),
               },
               data,
-              signature
+              signature,
             )
           case JoseSignatureAlgorithm.PS256:
           case JoseSignatureAlgorithm.PS384:
@@ -1002,7 +1019,7 @@ export async function verifyRawSignature({
                 e: jwkPropertyToBigInt(jwk.e!),
               },
               data,
-              signature
+              signature,
             )
         }
       }

package/src/types/key-util-types.ts

@@ -30,6 +30,7 @@ export interface X509Opts {
 }
 
 export interface IImportProvidedOrGeneratedKeyArgs {
+  providerName: string
   kms?: string
   alias?: string
   options?: IKeyOpts