npm - @sphereon/ssi-sdk-ext.key-utils - Versions diffs - 0.36.1-feature.SSISDK.44.finish.dcql.1 → 0.36.1-feature.SSISDK.70.integrate.digidentity.55 - Mend

@sphereon/ssi-sdk-ext.key-utils 0.36.1-feature.SSISDK.44.finish.dcql.1 → 0.36.1-feature.SSISDK.70.integrate.digidentity.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/index.cjs +129 -23
package/dist/index.cjs.map +1 -1
package/dist/index.d.cts +13 -5
package/dist/index.d.ts +13 -5
package/dist/index.js +129 -23
package/dist/index.js.map +1 -1
package/package.json +4 -4
package/src/digest-methods.ts +13 -11
package/src/functions.ts +115 -9
package/src/types/key-util-types.ts +3 -0

package/src/functions.ts CHANGED Viewed

@@ -31,6 +31,7 @@ import * as u8a from 'uint8arrays'
 import { digestMethodParams } from './digest-methods'
 import { validateJwk } from './jwk-jcs'
 import {
+  DigestAlgorithm,
   ENC_KEY_ALGS,
   type IImportProvidedOrGeneratedKeyArgs,
   JwkKeyUse,
@@ -198,8 +199,8 @@ export const toBase64url = (input: string): string => toString(fromString(input)
  * Calculate the JWK thumbprint
  * @param args
  */
-export const calculateJwkThumbprint = (args: { jwk: JWK; digestAlgorithm?: 'sha256' | 'sha512' }): string => {
-  const { digestAlgorithm = 'sha256' } = args
+export const calculateJwkThumbprint = (args: { jwk: JWK; digestAlgorithm?: DigestAlgorithm }): string => {
+  const digestAlgorithm = normalizeHashAlgorithm(args.digestAlgorithm ?? 'SHA-256')
   const jwk = sanitizedJwk(args.jwk)
   let components
   switch (jwk.kty) {
@@ -227,10 +228,7 @@ export const calculateJwkThumbprint = (args: { jwk: JWK; digestAlgorithm?: 'sha2
       throw new Error('"kty" (Key Type) Parameter missing or unsupported')
   }
   const data = JSON.stringify(components)
-  return digestAlgorithm === 'sha512'
-    ? digestMethodParams('SHA-512').digestMethod(data, 'base64url')
-    : digestMethodParams('SHA-256').digestMethod(data, 'base64url')
+  return digestMethodParams(digestAlgorithm).digestMethod(data, 'base64url')
 }
 export const toJwkFromKey = (
@@ -791,11 +789,49 @@ export const hexStringFromUint8Array = (value: Uint8Array): string => toString(v
 export const signatureAlgorithmFromKey = async (args: SignatureAlgorithmFromKeyArgs): Promise<JoseSignatureAlgorithm> => {
   const { key } = args
-  return signatureAlgorithmFromKeyType({ type: key.type })
+  return signatureAlgorithmFromKeyType({ type: key.type, algorithms: key.meta?.algorithms })
+}
+export function signatureAlgorithmToJoseAlgorithm(alg: string): JoseSignatureAlgorithm {
+  switch (alg) {
+    case 'RSA_SHA256':
+      return JoseSignatureAlgorithm.RS256
+    case 'RSA_SHA384':
+      return JoseSignatureAlgorithm.RS384
+    case 'RSA_SHA512':
+      return JoseSignatureAlgorithm.RS512
+    case 'RSA_SSA_PSS_SHA256_MGF1':
+      return JoseSignatureAlgorithm.PS256
+    case 'RSA_SSA_PSS_SHA384_MGF1':
+      return JoseSignatureAlgorithm.PS384
+    case 'RSA_SSA_PSS_SHA512_MGF1':
+      return JoseSignatureAlgorithm.PS512
+    case 'ECDSA_SHA256':
+      return JoseSignatureAlgorithm.ES256
+    case 'ECDSA_SHA384':
+      return JoseSignatureAlgorithm.ES384
+    case 'ECDSA_SHA512':
+      return JoseSignatureAlgorithm.ES512
+    case 'ES256K':
+      return JoseSignatureAlgorithm.ES256K
+    case 'ED25519':
+    case 'EdDSA':
+      return JoseSignatureAlgorithm.EdDSA
+    default:
+      // If already in JOSE format, return as-is
+      return alg as JoseSignatureAlgorithm
+  }
 }
 export const signatureAlgorithmFromKeyType = (args: SignatureAlgorithmFromKeyTypeArgs): JoseSignatureAlgorithm => {
-  const { type } = args
+  const { type, algorithms } = args
+  // If algorithms metadata is provided, use the first one
+  if (algorithms && algorithms.length > 0) {
+    return signatureAlgorithmToJoseAlgorithm(algorithms[0])
+  }
+  // Fallback to type-based defaults
   switch (type) {
     case 'Ed25519':
     case 'X25519':
@@ -809,7 +845,7 @@ export const signatureAlgorithmFromKeyType = (args: SignatureAlgorithmFromKeyTyp
     case 'Secp256k1':
       return JoseSignatureAlgorithm.ES256K
     case 'RSA':
-      return JoseSignatureAlgorithm.PS256
+      return JoseSignatureAlgorithm.RS256 // Default to RS256 instead of PS256
     default:
       throw new Error(`Key type '${type}' not supported`)
   }
@@ -1122,3 +1158,73 @@ export function toPkcs1FromHex(publicKeyHex: string) {
   const pkcs1 = toPkcs1(fromString(publicKeyHex, 'hex'))
   return toString(pkcs1, 'hex')
 }
+export function joseAlgorithmToDigest(alg: string): DigestAlgorithm {
+  switch (alg.toUpperCase().replace('-', '')) {
+    case 'RS256':
+    case 'ES256':
+    case 'ES256K':
+    case 'PS256':
+    case 'HS256':
+      return 'SHA-256'
+    case 'RS384':
+    case 'ES384':
+    case 'PS384':
+    case 'HS384':
+      return 'SHA-384'
+    case 'RS512':
+    case 'ES512':
+    case 'PS512':
+    case 'HS512':
+      return 'SHA-512'
+    case 'EdDSA':
+      return 'SHA-512'
+    default:
+      return 'SHA-256'
+  }
+}
+export function isHash(input: string): boolean {
+  const length = input.length
+  // SHA-256: 64 hex chars, SHA-384: 96 hex chars, SHA-512: 128 hex chars
+  if (length !== 64 && length !== 96 && length !== 128) {
+    return false
+  }
+  return input.match(/^([0-9A-Fa-f])+$/g) !== null
+}
+export function isHashString(input: Uint8Array): boolean {
+  const length = input.length
+  // SHA-256: 32 bytes, SHA-384: 48 bytes, SHA-512: 64 bytes
+  if (length !== 32 && length !== 48 && length !== 64) {
+    return false
+  }
+  for (let i = 0; i < length; i++) {
+    const byte = input[i]
+    if (byte === undefined) {
+      return false
+    }
+    // 0-9: 48-57, A-F: 65-70, a-f: 97-102
+    if (!((byte >= 48 && byte <= 57) || (byte >= 65 && byte <= 70) || (byte >= 97 && byte <= 102))) {
+      return false
+    }
+  }
+  return true
+}
+export type HashAlgorithm = 'SHA-256' | 'sha256' | 'SHA-384' | 'sha384' | 'SHA-512' | 'sha512'
+export function normalizeHashAlgorithm(alg?: HashAlgorithm): 'SHA-256' | 'SHA-384' | 'SHA-512' {
+  if (!alg) {
+    return 'SHA-256'
+  }
+  const upper = alg.toUpperCase()
+  if (upper.includes('256')) return 'SHA-256'
+  if (upper.includes('384')) return 'SHA-384'
+  if (upper.includes('512')) return 'SHA-512'
+  throw new Error(`Invalid hash algorithm: ${alg}`)
+}
+export function isSameHash(left: HashAlgorithm, right: HashAlgorithm): boolean {
+  return normalizeHashAlgorithm(left) === normalizeHashAlgorithm(right)
+}

package/src/types/key-util-types.ts CHANGED Viewed

@@ -21,6 +21,8 @@ export const ENC_KEY_ALGS = ['X25519', 'ECDH_ES_A256KW', 'RSA_OAEP_256']
 export type KeyVisibility = 'public' | 'private'
+export type DigestAlgorithm = 'SHA-256' | 'sha256' | 'SHA-384' | 'sha384' | 'SHA-512' | 'sha512'
 export interface X509Opts {
   cn?: string // The certificate Common Name. Will be used as the KID for the private key. Uses alias if not provided.
   privateKeyPEM?: string // Optional as you also need to provide it in hex format, but advisable to use it
@@ -53,6 +55,7 @@ export type SignatureAlgorithmFromKeyArgs = {
 export type SignatureAlgorithmFromKeyTypeArgs = {
   type: TKeyType
+  algorithms?: string[]
 }
 export type KeyTypeFromCryptographicSuiteArgs = {