@sphereon/ssi-sdk-ext.key-utils 0.36.1-next.11 → 0.36.1-next.113

package/dist/index.d.ts

@@ -20,6 +20,7 @@ declare enum JwkKeyUse {
 declare const SIG_KEY_ALGS: string[];
 declare const ENC_KEY_ALGS: string[];
 type KeyVisibility = 'public' | 'private';
+type DigestAlgorithm = 'SHA-256' | 'sha256' | 'SHA-384' | 'sha384' | 'SHA-512' | 'sha512';
 interface X509Opts {
     cn?: string;
     privateKeyPEM?: string;
@@ -44,6 +45,7 @@ type SignatureAlgorithmFromKeyArgs = {
 };
 type SignatureAlgorithmFromKeyTypeArgs = {
     type: TKeyType;
+    algorithms?: string[];
 };
 type KeyTypeFromCryptographicSuiteArgs = {
     crv?: string;
@@ -86,7 +88,7 @@ declare const toBase64url: (input: string) => string;
  */
 declare const calculateJwkThumbprint: (args: {
     jwk: JWK;
-    digestAlgorithm?: "sha256" | "sha512";
+    digestAlgorithm?: DigestAlgorithm;
 }) => string;
 declare const toJwkFromKey: (key: IKey | MinimalImportableKey | ManagedKeyInfo, opts?: {
     use?: JwkKeyUse;
@@ -137,11 +139,13 @@ declare const isRawCompressedPublicKey: (key: Uint8Array) => boolean;
 declare const toRawCompressedHexPublicKey: (rawPublicKey: Uint8Array, keyType: TKeyType) => string;
 declare const hexStringFromUint8Array: (value: Uint8Array) => string;
 declare const signatureAlgorithmFromKey: (args: SignatureAlgorithmFromKeyArgs) => Promise<JoseSignatureAlgorithm>;
+declare function signatureAlgorithmToJoseAlgorithm(alg: string): JoseSignatureAlgorithm;
 declare const signatureAlgorithmFromKeyType: (args: SignatureAlgorithmFromKeyTypeArgs) => JoseSignatureAlgorithm;
 declare const keyTypeFromCryptographicSuite: (args: KeyTypeFromCryptographicSuiteArgs) => TKeyType;
 declare function removeNulls<T>(obj: T | any): any;
 declare const globalCrypto: (setGlobal: boolean, suppliedCrypto?: Crypto) => Crypto;
 declare const sanitizedJwk: (input: JWK | JsonWebKey) => JWK;
+declare const base64ToBase64Url: (input: string) => string;
 /**
  *
  */
@@ -169,6 +173,12 @@ declare function toPkcs1(derBytes: Uint8Array): Uint8Array;
  * @returns DER‐encoded PKCS#1 RSAPublicKey in hex
  */
 declare function toPkcs1FromHex(publicKeyHex: string): any;
+declare function joseAlgorithmToDigest(alg: string): DigestAlgorithm;
+declare function isHash(input: string): boolean;
+declare function isHashString(input: Uint8Array): boolean;
+type HashAlgorithm = 'SHA-256' | 'sha256' | 'SHA-384' | 'sha384' | 'SHA-512' | 'sha512';
+declare function normalizeHashAlgorithm(alg?: HashAlgorithm): 'SHA-256' | 'SHA-384' | 'SHA-512';
+declare function isSameHash(left: HashAlgorithm, right: HashAlgorithm): boolean;
 
 declare function coseKeyToJwk(coseKey: ICoseKeyJson): JWK;
 declare function jwkToCoseKey(jwk: JWK): ICoseKeyJson;
@@ -180,6 +190,11 @@ declare function joseToCoseKeyOperation(keyOp: JoseKeyOperation | JoseKeyOperati
 declare function coseToJoseKeyOperation(keyOp: ICoseKeyOperation): JoseKeyOperation;
 declare function joseToCoseCurve(curve: JoseCurve | JoseCurveString): ICoseCurve;
 declare function coseToJoseCurve(curve: ICoseCurve): JoseCurve;
+declare function joseSignatureAlgToWebCrypto(alg: JoseSignatureAlgorithm | JoseSignatureAlgorithmString): {
+    name: string;
+    hash: string;
+    saltLength?: number;
+};
 
 /**
  * Checks if the JWK is valid. It must contain all the required members.
@@ -221,13 +236,12 @@ declare function jwkJcsDecode(bytes: ByteView<JsonWebKey$1>): JsonWebKey$1;
 declare function jcsCanonicalize(object: any): string;
 
 declare const SupportedEncodings: any;
-type HashAlgorithm = 'SHA-256' | 'SHA-384' | 'SHA-512';
 type TDigestMethod = (input: string, encoding?: typeof SupportedEncodings) => string;
-declare const digestMethodParams: (hashAlgorithm: HashAlgorithm) => {
-    hashAlgorithm: HashAlgorithm;
+declare const digestMethodParams: (hashAlgorithm: DigestAlgorithm) => {
+    hashAlgorithm: DigestAlgorithm;
     digestMethod: TDigestMethod;
     hash: (data: Uint8Array) => Uint8Array;
 };
 declare const shaHasher: HasherSync;
 
-export { ENC_KEY_ALGS, type HashAlgorithm, type IImportProvidedOrGeneratedKeyArgs, type IKeyOpts, JWK_JCS_PUB_NAME, JWK_JCS_PUB_PREFIX, JwkKeyUse, Key, type KeyTypeFromCryptographicSuiteArgs, type KeyVisibility, SIG_KEY_ALGS, type SignatureAlgorithmFromKeyArgs, type SignatureAlgorithmFromKeyTypeArgs, type TDigestMethod, type TKeyType, type X509Opts, asn1DerToRawPublicKey, calculateJwkThumbprint, calculateJwkThumbprintForKey, coseKeyToJwk, coseToJoseCurve, coseToJoseKeyOperation, coseToJoseKty, coseToJoseSignatureAlg, digestMethodParams, generatePrivateKeyHex, getKms, globalCrypto, hexStringFromUint8Array, importProvidedOrGeneratedKey, isAsn1Der, isRawCompressedPublicKey, jcsCanonicalize, joseToCoseCurve, joseToCoseKeyOperation, joseToCoseKty, joseToCoseSignatureAlg, jwkDetermineUse, jwkJcsDecode, jwkJcsEncode, jwkToCoseKey, jwkToRawHexKey, keyTypeFromCryptographicSuite, logger, minimalJwk, padLeft, removeNulls, rsaJwkToRawHexKey, sanitizedJwk, shaHasher, signatureAlgorithmFromKey, signatureAlgorithmFromKeyType, toBase64url, toJwk, toJwkFromKey, toPkcs1, toPkcs1FromHex, toRawCompressedHexPublicKey, validateJwk, verifyRawSignature, x25519PublicHexFromPrivateHex };
+export { type DigestAlgorithm, ENC_KEY_ALGS, type HashAlgorithm, type IImportProvidedOrGeneratedKeyArgs, type IKeyOpts, JWK_JCS_PUB_NAME, JWK_JCS_PUB_PREFIX, JwkKeyUse, Key, type KeyTypeFromCryptographicSuiteArgs, type KeyVisibility, SIG_KEY_ALGS, type SignatureAlgorithmFromKeyArgs, type SignatureAlgorithmFromKeyTypeArgs, type TDigestMethod, type TKeyType, type X509Opts, asn1DerToRawPublicKey, base64ToBase64Url, calculateJwkThumbprint, calculateJwkThumbprintForKey, coseKeyToJwk, coseToJoseCurve, coseToJoseKeyOperation, coseToJoseKty, coseToJoseSignatureAlg, digestMethodParams, generatePrivateKeyHex, getKms, globalCrypto, hexStringFromUint8Array, importProvidedOrGeneratedKey, isAsn1Der, isHash, isHashString, isRawCompressedPublicKey, isSameHash, jcsCanonicalize, joseAlgorithmToDigest, joseSignatureAlgToWebCrypto, joseToCoseCurve, joseToCoseKeyOperation, joseToCoseKty, joseToCoseSignatureAlg, jwkDetermineUse, jwkJcsDecode, jwkJcsEncode, jwkToCoseKey, jwkToRawHexKey, keyTypeFromCryptographicSuite, logger, minimalJwk, normalizeHashAlgorithm, padLeft, removeNulls, rsaJwkToRawHexKey, sanitizedJwk, shaHasher, signatureAlgorithmFromKey, signatureAlgorithmFromKeyType, signatureAlgorithmToJoseAlgorithm, toBase64url, toJwk, toJwkFromKey, toPkcs1, toPkcs1FromHex, toRawCompressedHexPublicKey, validateJwk, verifyRawSignature, x25519PublicHexFromPrivateHex };

package/dist/index.js

@@ -24,24 +24,25 @@ import { sha384, sha512 } from "@noble/hashes/sha512";
 import * as u8a from "uint8arrays";
 var { fromString, toString, SupportedEncodings } = u8a;
 var digestMethodParams = /* @__PURE__ */ __name((hashAlgorithm) => {
-  if (hashAlgorithm === "SHA-256") {
-    return {
-      hashAlgorithm: "SHA-256",
-      digestMethod: sha256DigestMethod,
-      hash: sha256
-    };
-  } else if (hashAlgorithm === "SHA-384") {
-    return {
-      hashAlgorithm: "SHA-384",
-      digestMethod: sha384DigestMethod,
-      hash: sha384
-    };
-  } else {
-    return {
-      hashAlgorithm: "SHA-512",
-      digestMethod: sha512DigestMethod,
-      hash: sha512
-    };
+  switch (normalizeHashAlgorithm(hashAlgorithm)) {
+    case "SHA-256":
+      return {
+        hashAlgorithm: "SHA-256",
+        digestMethod: sha256DigestMethod,
+        hash: sha256
+      };
+    case "SHA-384":
+      return {
+        hashAlgorithm: "SHA-384",
+        digestMethod: sha384DigestMethod,
+        hash: sha384
+      };
+    case "SHA-512":
+      return {
+        hashAlgorithm: "SHA-512",
+        digestMethod: sha512DigestMethod,
+        hash: sha512
+      };
   }
 }, "digestMethodParams");
 var shaHasher = /* @__PURE__ */ __name((input, alg) => {
@@ -365,7 +366,7 @@ var assertJwkClaimPresent = /* @__PURE__ */ __name((value, description) => {
 }, "assertJwkClaimPresent");
 var toBase64url = /* @__PURE__ */ __name((input) => toString2(fromString2(input), "base64url"), "toBase64url");
 var calculateJwkThumbprint = /* @__PURE__ */ __name((args) => {
-  const { digestAlgorithm = "sha256" } = args;
+  const digestAlgorithm = normalizeHashAlgorithm(args.digestAlgorithm ?? "SHA-256");
   const jwk = sanitizedJwk(args.jwk);
   let components;
   switch (jwk.kty) {
@@ -409,7 +410,7 @@ var calculateJwkThumbprint = /* @__PURE__ */ __name((args) => {
       throw new Error('"kty" (Key Type) Parameter missing or unsupported');
   }
   const data = JSON.stringify(components);
-  return digestAlgorithm === "sha512" ? digestMethodParams("SHA-512").digestMethod(data, "base64url") : digestMethodParams("SHA-256").digestMethod(data, "base64url");
+  return digestMethodParams(digestAlgorithm).digestMethod(data, "base64url");
 }, "calculateJwkThumbprint");
 var toJwkFromKey = /* @__PURE__ */ __name((key, opts) => {
   const isPrivateKey = "privateKeyHex" in key;
@@ -867,11 +868,45 @@ var hexStringFromUint8Array = /* @__PURE__ */ __name((value) => toString2(value,
 var signatureAlgorithmFromKey = /* @__PURE__ */ __name(async (args) => {
   const { key } = args;
   return signatureAlgorithmFromKeyType({
-    type: key.type
+    type: key.type,
+    algorithms: key.meta?.algorithms
   });
 }, "signatureAlgorithmFromKey");
+function signatureAlgorithmToJoseAlgorithm(alg) {
+  switch (alg) {
+    case "RSA_SHA256":
+      return JoseSignatureAlgorithm.RS256;
+    case "RSA_SHA384":
+      return JoseSignatureAlgorithm.RS384;
+    case "RSA_SHA512":
+      return JoseSignatureAlgorithm.RS512;
+    case "RSA_SSA_PSS_SHA256_MGF1":
+      return JoseSignatureAlgorithm.PS256;
+    case "RSA_SSA_PSS_SHA384_MGF1":
+      return JoseSignatureAlgorithm.PS384;
+    case "RSA_SSA_PSS_SHA512_MGF1":
+      return JoseSignatureAlgorithm.PS512;
+    case "ECDSA_SHA256":
+      return JoseSignatureAlgorithm.ES256;
+    case "ECDSA_SHA384":
+      return JoseSignatureAlgorithm.ES384;
+    case "ECDSA_SHA512":
+      return JoseSignatureAlgorithm.ES512;
+    case "ES256K":
+      return JoseSignatureAlgorithm.ES256K;
+    case "ED25519":
+    case "EdDSA":
+      return JoseSignatureAlgorithm.EdDSA;
+    default:
+      return alg;
+  }
+}
+__name(signatureAlgorithmToJoseAlgorithm, "signatureAlgorithmToJoseAlgorithm");
 var signatureAlgorithmFromKeyType = /* @__PURE__ */ __name((args) => {
-  const { type } = args;
+  const { type, algorithms } = args;
+  if (algorithms && algorithms.length > 0) {
+    return signatureAlgorithmToJoseAlgorithm(algorithms[0]);
+  }
   switch (type) {
     case "Ed25519":
     case "X25519":
@@ -885,7 +920,7 @@ var signatureAlgorithmFromKeyType = /* @__PURE__ */ __name((args) => {
     case "Secp256k1":
       return JoseSignatureAlgorithm.ES256K;
     case "RSA":
-      return JoseSignatureAlgorithm.PS256;
+      return JoseSignatureAlgorithm.RS256;
     default:
       throw new Error(`Key type '${type}' not supported`);
   }
@@ -1136,6 +1171,75 @@ function toPkcs1FromHex(publicKeyHex) {
   return toString2(pkcs1, "hex");
 }
 __name(toPkcs1FromHex, "toPkcs1FromHex");
+function joseAlgorithmToDigest(alg) {
+  const normalized = alg.toUpperCase().replace(/-/g, "");
+  switch (normalized) {
+    case "RS256":
+    case "ES256":
+    case "ES256K":
+    case "PS256":
+    case "HS256":
+      return "SHA-256";
+    case "RS384":
+    case "ES384":
+    case "PS384":
+    case "HS384":
+      return "SHA-384";
+    case "RS512":
+    case "ES512":
+    case "PS512":
+    case "HS512":
+      return "SHA-512";
+    case "EDDSA":
+    case "ED25519":
+      return "SHA-512";
+    default:
+      throw new Error(`Unsupported JOSE algorithm: ${alg}. Cannot determine digest algorithm.`);
+  }
+}
+__name(joseAlgorithmToDigest, "joseAlgorithmToDigest");
+function isHash(input) {
+  const length = input.length;
+  if (length !== 64 && length !== 96 && length !== 128) {
+    return false;
+  }
+  return input.match(/^([0-9A-Fa-f])+$/g) !== null;
+}
+__name(isHash, "isHash");
+function isHashString(input) {
+  const length = input.length;
+  if (length !== 32 && length !== 48 && length !== 64) {
+    return false;
+  }
+  let printableCount = 0;
+  for (let i = 0; i < length; i++) {
+    const byte = input[i];
+    if (byte === void 0) {
+      return false;
+    }
+    if (byte >= 32 && byte <= 126) {
+      printableCount++;
+    }
+  }
+  const printableRatio = printableCount / length;
+  return printableRatio < 0.9;
+}
+__name(isHashString, "isHashString");
+function normalizeHashAlgorithm(alg) {
+  if (!alg) {
+    return "SHA-256";
+  }
+  const upper = alg.toUpperCase();
+  if (upper.includes("256")) return "SHA-256";
+  if (upper.includes("384")) return "SHA-384";
+  if (upper.includes("512")) return "SHA-512";
+  throw new Error(`Invalid hash algorithm: ${alg}`);
+}
+__name(normalizeHashAlgorithm, "normalizeHashAlgorithm");
+function isSameHash(left, right) {
+  return normalizeHashAlgorithm(left) === normalizeHashAlgorithm(right);
+}
+__name(isSameHash, "isSameHash");
 
 // src/conversion.ts
 import { ICoseCurve, ICoseKeyOperation, ICoseKeyType, ICoseSignatureAlgorithm, JoseCurve as JoseCurve2, JoseKeyOperation, JoseSignatureAlgorithm as JoseSignatureAlgorithm2, JwkKeyType as JwkKeyType2 } from "@sphereon/ssi-types";
@@ -1384,6 +1488,100 @@ function coseToJoseCurve(curve) {
   }
 }
 __name(coseToJoseCurve, "coseToJoseCurve");
+function joseSignatureAlgToWebCrypto(alg) {
+  switch (alg) {
+    case JoseSignatureAlgorithm2.RS256:
+    case "RS256":
+      return {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: "SHA-256"
+      };
+    case JoseSignatureAlgorithm2.RS384:
+    case "RS384":
+      return {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: "SHA-384"
+      };
+    case JoseSignatureAlgorithm2.RS512:
+    case "RS512":
+      return {
+        name: "RSASSA-PKCS1-v1_5",
+        hash: "SHA-512"
+      };
+    case JoseSignatureAlgorithm2.PS256:
+    case "PS256":
+      return {
+        name: "RSA-PSS",
+        hash: "SHA-256",
+        saltLength: 32
+      };
+    case JoseSignatureAlgorithm2.PS384:
+    case "PS384":
+      return {
+        name: "RSA-PSS",
+        hash: "SHA-384",
+        saltLength: 48
+      };
+    case JoseSignatureAlgorithm2.PS512:
+    case "PS512":
+      return {
+        name: "RSA-PSS",
+        hash: "SHA-512",
+        saltLength: 64
+      };
+    case JoseSignatureAlgorithm2.ES256:
+    case "ES256":
+      return {
+        name: "ECDSA",
+        hash: "SHA-256"
+      };
+    case JoseSignatureAlgorithm2.ES384:
+    case "ES384":
+      return {
+        name: "ECDSA",
+        hash: "SHA-384"
+      };
+    case JoseSignatureAlgorithm2.ES512:
+    case "ES512":
+      return {
+        name: "ECDSA",
+        hash: "SHA-512"
+      };
+    case JoseSignatureAlgorithm2.ES256K:
+    case "ES256K":
+      return {
+        name: "ECDSA",
+        hash: "SHA-256"
+      };
+    case JoseSignatureAlgorithm2.EdDSA:
+    case "EdDSA":
+      return {
+        name: "Ed25519",
+        hash: ""
+      };
+    case JoseSignatureAlgorithm2.HS256:
+    case "HS256":
+      return {
+        name: "HMAC",
+        hash: "SHA-256"
+      };
+    case JoseSignatureAlgorithm2.HS384:
+    case "HS384":
+      return {
+        name: "HMAC",
+        hash: "SHA-384"
+      };
+    case JoseSignatureAlgorithm2.HS512:
+    case "HS512":
+      return {
+        name: "HMAC",
+        hash: "SHA-512"
+      };
+    default:
+      throw Error(`Signature algorithm ${alg} not supported in Web Crypto API`);
+  }
+}
+__name(joseSignatureAlgToWebCrypto, "joseSignatureAlgToWebCrypto");
 export {
   ENC_KEY_ALGS,
   JWK_JCS_PUB_NAME,
@@ -1392,6 +1590,7 @@ export {
   Key,
   SIG_KEY_ALGS,
   asn1DerToRawPublicKey,
+  base64ToBase64Url,
   calculateJwkThumbprint,
   calculateJwkThumbprintForKey,
   coseKeyToJwk,
@@ -1406,8 +1605,13 @@ export {
   hexStringFromUint8Array,
   importProvidedOrGeneratedKey,
   isAsn1Der,
+  isHash,
+  isHashString,
   isRawCompressedPublicKey,
+  isSameHash,
   jcsCanonicalize,
+  joseAlgorithmToDigest,
+  joseSignatureAlgToWebCrypto,
   joseToCoseCurve,
   joseToCoseKeyOperation,
   joseToCoseKty,
@@ -1420,6 +1624,7 @@ export {
   keyTypeFromCryptographicSuite,
   logger,
   minimalJwk,
+  normalizeHashAlgorithm,
   padLeft,
   removeNulls,
   rsaJwkToRawHexKey,
@@ -1427,6 +1632,7 @@ export {
   shaHasher,
   signatureAlgorithmFromKey,
   signatureAlgorithmFromKeyType,
+  signatureAlgorithmToJoseAlgorithm,
   toBase64url,
   toJwk,
   toJwkFromKey,