@sphereon/ssi-sdk-ext.kms-local 0.10.2-next.8

package/src/__tests__/certs.ts

@@ -0,0 +1,127 @@
+export const PEM_PRIV_KEY =
+  '-----BEGIN PRIVATE KEY-----\n' +
+  'MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDV6x+HCJFKkVgb\n' +
+  'eUWy9iCWOFm1J5vNnbODDMasHPjp8m7Pj2zBqdkUsJn62cTENgAI0b6VB/iTtqwy\n' +
+  'pdYUQxTajEhnUm/9FeQf8vj8C34OI880PehgeviCQrClWrLzjDccEvoQVSKtz8A1\n' +
+  'Yzc3Squw8uQfFKVqPCDKy6nVjhTeDHj9txBJTfomH+WYHpD3sumRXu3GB5xZQGwC\n' +
+  '6H23craJpV1Rw3D/z7nFlqlg9AQZwSnjvI+LE4nZKZemhHaJOm9krhk3IXcnGopC\n' +
+  'DakYmpVtWi+2FLB3FCQ6oXbWhtB3oiIly8OacdLEujoOIcEZgRjEk7zc9KRNjdfK\n' +
+  'HvJkwCRTAgMBAAECggEBAJV2aFrSs6EkGClp/DbkHTSYPqWB/SwWyXwBCzbqL0hW\n' +
+  'KPJAxb4yTAhWs98/FGn7SN7gnYZHQXkDoyDoGcGidQmWBmiagsCT8QYZn7mK1hJP\n' +
+  'FtDriFcQ1F0+92kxC+N6zm6BG9MZiNdkVml23vd05q0FqDnHFSQ6yramwg0B7raN\n' +
+  'PQ7sg7CY087aMeyjKkISG1kin0JJdfRwYQBtdmpsvhjVhXteBqiyXhyg/Xkrt6+5\n' +
+  'K4PH1BgEgvg7vODPVfs7ZApyzZPeD0Gf5+Chxg1JVkGvxc1pLAveTHH94NNQHlts\n' +
+  '+KooVRRhPB5zmdIJGOODp9qjcK+Jjd4kJC80hgBuUDECgYEA9JjPr8ewBGgtaQKm\n' +
+  'e59+MWBRqzdcNRk+P5MH1TBB99jhwjhQNWGvUs0j4f9+1sULMun/OL+v0Osr2L1f\n' +
+  'TDDEnSEBk4wEiv8QX+PmbGCs3qBp5c75V1J3q3N2Nsd64NCLv1YIP+U9lnsMapUy\n' +
+  'w6RN8HQq1Y8DDo2G5VREsWYhSY0CgYEA3+Qsf1mNB2Y6fbVi2EDSy5tdkCyPKFUY\n' +
+  'Sy58VVaoA8td8StjUk0FhHYwaoo63GFOuvtJTF/MRl8IMbgXQFBhKXsVqVVl1KS9\n' +
+  'gg+maVlZDDLvmSlinF8Wo46FkdVeBW/PWXrbb5l7v9yu9eqWkqvXNzelkRy11Z7U\n' +
+  'Sw4NCI5sfV8CgYBEnc29gSZWxibfC5hKm96Z2WxvvLMITlGRIh0TaFtJPTVv975A\n' +
+  'i2vUranAT510gIh4uv4XHGclE6QURGPEivXNIqI/kwr/NziPve45PxGfzp6Gkn6O\n' +
+  'SZs6pMRn76QAB2D8xxS/X/7cBR7hk4NPMPuQVfZiPKFd5sQN94rhvUXfTQKBgQC5\n' +
+  'xA+rprjeP9MeRKb7+WUtrP6HxoENnPVoQ+zDvf/wDggnN7HUMrX2Pz5S19iYzGBP\n' +
+  'wnoB1aafaPBamH0qTscfbNH/Sy0Pr5TR2nxgAtNgzM6CTZVVW4xkLrfi1Z+KcUgg\n' +
+  '3VA/G6FTAx9kSb2fetc6KIDGk4TH91373G+x/sJDjwKBgQDfMzwxV+XoYfwbtNuR\n' +
+  'DGKLXcv/SB8O0DbEp/KlF/85DLDFy7RPwCNRc44N9007U0XEjnKMus0XUqwE+0go\n' +
+  'KcMDfw3m+PjempOVqnQLB6JgiHfrVwQGq6JVY90fGH9rnAs+muxxSHxWmZqRQ2oO\n' +
+  'dtonyvREV44ngrwe4nGK8O5N4A==\n' +
+  '-----END PRIVATE KEY-----'
+
+export const PEM_CERT =
+  '-----BEGIN CERTIFICATE-----\n' +
+  'MIIFRDCCBCygAwIBAgISA9XiEfV2I/bCdv4X1NgKQijKMA0GCSqGSIb3DQEBCwUA\n' +
+  'MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD\n' +
+  'EwJSMzAeFw0yMzAxMDIxMTU0NTlaFw0yMzA0MDIxMTU0NThaMCoxKDAmBgNVBAMT\n' +
+  'H2Y4MjUtODctMjEzLTI0MS0yNTEuZXUubmdyb2suaW8wggEiMA0GCSqGSIb3DQEB\n' +
+  'AQUAA4IBDwAwggEKAoIBAQDV6x+HCJFKkVgbeUWy9iCWOFm1J5vNnbODDMasHPjp\n' +
+  '8m7Pj2zBqdkUsJn62cTENgAI0b6VB/iTtqwypdYUQxTajEhnUm/9FeQf8vj8C34O\n' +
+  'I880PehgeviCQrClWrLzjDccEvoQVSKtz8A1Yzc3Squw8uQfFKVqPCDKy6nVjhTe\n' +
+  'DHj9txBJTfomH+WYHpD3sumRXu3GB5xZQGwC6H23craJpV1Rw3D/z7nFlqlg9AQZ\n' +
+  'wSnjvI+LE4nZKZemhHaJOm9krhk3IXcnGopCDakYmpVtWi+2FLB3FCQ6oXbWhtB3\n' +
+  'oiIly8OacdLEujoOIcEZgRjEk7zc9KRNjdfKHvJkwCRTAgMBAAGjggJaMIICVjAO\n' +
+  'BgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwG\n' +
+  'A1UdEwEB/wQCMAAwHQYDVR0OBBYEFLNsFqhuvQ7AVtoFYdt3H4TNc88rMB8GA1Ud\n' +
+  'IwQYMBaAFBQusxe3WFbLrlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggr\n' +
+  'BgEFBQcwAYYVaHR0cDovL3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRw\n' +
+  'Oi8vcjMuaS5sZW5jci5vcmcvMCoGA1UdEQQjMCGCH2Y4MjUtODctMjEzLTI0MS0y\n' +
+  'NTEuZXUubmdyb2suaW8wTAYDVR0gBEUwQzAIBgZngQwBAgEwNwYLKwYBBAGC3xMB\n' +
+  'AQEwKDAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5vcmcwggEE\n' +
+  'BgorBgEEAdZ5AgQCBIH1BIHyAPAAdgC3Pvsk35xNunXyOcW6WPRsXfxCz3qfNcSe\n' +
+  'HQmBJe20mQAAAYVyjKwhAAAEAwBHMEUCIF1xp237jcAJFNNg/u4AglOW57CGcESp\n' +
+  'vyFOzQRYyrtxAiEAtJPM85K04y6LJEn6o9+XB9SXKzzDXTYT/0rhUav0Hf8AdgCt\n' +
+  '9776fP8QyIudPZwePhhqtGcpXc+xDCTKhYY069yCigAAAYVyjKxLAAAEAwBHMEUC\n' +
+  'IQCI3/3G0nuoXtrjY8v/FS18hSFQiMQyAdZ7AJP/wWafKwIgZQYm/17cF/bAAUmV\n' +
+  'cJVRNBm9uOW5/h7+bq+KcRbb5TMwDQYJKoZIhvcNAQELBQADggEBACiqjMGRHKpa\n' +
+  's4cqhyK4XWzFCjqS1KOyGv8vtC5EAC1ywUiSB7eYEev3Iba3SpQf6Ur3jD+ER5+I\n' +
+  'G+Xk15BtheslWb0oV3jCxxSCLxHObuF01fOP9WnA18hwoOW6PdjYl2KwluBfpsOu\n' +
+  'MlXZPl7k/X8JqJCHMyEwn37OSwflkiu9ansM8Q9Dnm3+nl66HFYUZzp5l5lS60v2\n' +
+  'i4cusxxVWy32k0Qa7cyu+wdTk9KEoEzpnuDvfCdlz+fuSGf8usPtFyPEM2MFQyVN\n' +
+  '9V2icZrMwwIBxn9YvTndy6NpYlcXotSbb64ko4ss68I6f8Rf78vjmeFHaac8wz+k\n' +
+  '1zNHGxNMFnI=\n' +
+  '-----END CERTIFICATE-----'
+export const PEM_CHAIN =
+  '-----BEGIN CERTIFICATE-----\n' +
+  'MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw\n' +
+  'TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n' +
+  'cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw\n' +
+  'WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg\n' +
+  'RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK\n' +
+  'AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP\n' +
+  'R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx\n' +
+  'sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm\n' +
+  'NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg\n' +
+  'Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG\n' +
+  '/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC\n' +
+  'AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB\n' +
+  'Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA\n' +
+  'FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw\n' +
+  'AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw\n' +
+  'Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB\n' +
+  'gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W\n' +
+  'PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl\n' +
+  'ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz\n' +
+  'CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm\n' +
+  'lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4\n' +
+  'avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2\n' +
+  'yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O\n' +
+  'yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids\n' +
+  'hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+\n' +
+  'HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv\n' +
+  'MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX\n' +
+  'nLRbwHOoq7hHwg==\n' +
+  '-----END CERTIFICATE-----\n' +
+  '\n' +
+  '-----BEGIN CERTIFICATE-----\n' +
+  'MIIFYDCCBEigAwIBAgIQQAF3ITfU6UK47naqPGQKtzANBgkqhkiG9w0BAQsFADA/\n' +
+  'MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\n' +
+  'DkRTVCBSb290IENBIFgzMB4XDTIxMDEyMDE5MTQwM1oXDTI0MDkzMDE4MTQwM1ow\n' +
+  'TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh\n' +
+  'cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwggIiMA0GCSqGSIb3DQEB\n' +
+  'AQUAA4ICDwAwggIKAoICAQCt6CRz9BQ385ueK1coHIe+3LffOJCMbjzmV6B493XC\n' +
+  'ov71am72AE8o295ohmxEk7axY/0UEmu/H9LqMZshftEzPLpI9d1537O4/xLxIZpL\n' +
+  'wYqGcWlKZmZsj348cL+tKSIG8+TA5oCu4kuPt5l+lAOf00eXfJlII1PoOK5PCm+D\n' +
+  'LtFJV4yAdLbaL9A4jXsDcCEbdfIwPPqPrt3aY6vrFk/CjhFLfs8L6P+1dy70sntK\n' +
+  '4EwSJQxwjQMpoOFTJOwT2e4ZvxCzSow/iaNhUd6shweU9GNx7C7ib1uYgeGJXDR5\n' +
+  'bHbvO5BieebbpJovJsXQEOEO3tkQjhb7t/eo98flAgeYjzYIlefiN5YNNnWe+w5y\n' +
+  'sR2bvAP5SQXYgd0FtCrWQemsAXaVCg/Y39W9Eh81LygXbNKYwagJZHduRze6zqxZ\n' +
+  'Xmidf3LWicUGQSk+WT7dJvUkyRGnWqNMQB9GoZm1pzpRboY7nn1ypxIFeFntPlF4\n' +
+  'FQsDj43QLwWyPntKHEtzBRL8xurgUBN8Q5N0s8p0544fAQjQMNRbcTa0B7rBMDBc\n' +
+  'SLeCO5imfWCKoqMpgsy6vYMEG6KDA0Gh1gXxG8K28Kh8hjtGqEgqiNx2mna/H2ql\n' +
+  'PRmP6zjzZN7IKw0KKP/32+IVQtQi0Cdd4Xn+GOdwiK1O5tmLOsbdJ1Fu/7xk9TND\n' +
+  'TwIDAQABo4IBRjCCAUIwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMCAQYw\n' +
+  'SwYIKwYBBQUHAQEEPzA9MDsGCCsGAQUFBzAChi9odHRwOi8vYXBwcy5pZGVudHJ1\n' +
+  'c3QuY29tL3Jvb3RzL2RzdHJvb3RjYXgzLnA3YzAfBgNVHSMEGDAWgBTEp7Gkeyxx\n' +
+  '+tvhS5B1/8QVYIWJEDBUBgNVHSAETTBLMAgGBmeBDAECATA/BgsrBgEEAYLfEwEB\n' +
+  'ATAwMC4GCCsGAQUFBwIBFiJodHRwOi8vY3BzLnJvb3QteDEubGV0c2VuY3J5cHQu\n' +
+  'b3JnMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly9jcmwuaWRlbnRydXN0LmNvbS9E\n' +
+  'U1RST09UQ0FYM0NSTC5jcmwwHQYDVR0OBBYEFHm0WeZ7tuXkAXOACIjIGlj26Ztu\n' +
+  'MA0GCSqGSIb3DQEBCwUAA4IBAQAKcwBslm7/DlLQrt2M51oGrS+o44+/yQoDFVDC\n' +
+  '5WxCu2+b9LRPwkSICHXM6webFGJueN7sJ7o5XPWioW5WlHAQU7G75K/QosMrAdSW\n' +
+  '9MUgNTP52GE24HGNtLi1qoJFlcDyqSMo59ahy2cI2qBDLKobkx/J3vWraV0T9VuG\n' +
+  'WCLKTVXkcGdtwlfFRjlBz4pYg1htmf5X6DYO8A4jqv2Il9DjXA6USbW1FzXSLr9O\n' +
+  'he8Y4IWS6wY7bCkjCWDcRQJMEhg76fsO3txE+FiYruq9RUWhiF1myv4Q6W+CyBFC\n' +
+  'Dfvp7OOGAN6dEOM4+qR9sdjoSYKEBpsr6GtPAQw4dy753ec5\n' +
+  '-----END CERTIFICATE-----'
+
+export const PEM_FULL_CHAIN = `${PEM_CERT}\n${PEM_CHAIN}`

package/src/__tests__/rsa.test.ts

@@ -0,0 +1,156 @@
+import JSEncrypt from '@sphereon/jsencrypt'
+import { PEM_CERT, PEM_CHAIN, PEM_FULL_CHAIN, PEM_PRIV_KEY } from './certs'
+import { digestMethodParams } from '../x509/digest-methods'
+import { SphereonKeyManagementSystem } from '../SphereonKeyManagementSystem'
+import { MemoryPrivateKeyStore } from '@veramo/key-manager'
+import * as u8a from 'uint8arrays'
+import {
+  pemCertChainTox5c,
+  PEMToJwk,
+  privateKeyHexFromPEM,
+  publicKeyHexFromPEM,
+  toKeyObject,
+  X509Opts,
+  x5cToPemCertChain,
+} from '@sphereon/ssi-sdk-did-utils'
+import { RSASigner } from '../x509/rsa-signer'
+
+describe('X509 PEMs', () => {
+  it('should get public key from private key', () => {
+    const publicKeyFromPrivateKey = publicKeyHexFromPEM(PEM_PRIV_KEY)
+    expect(publicKeyFromPrivateKey).toEqual(
+      '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001'
+    )
+  })
+
+  it('cert chains should be converted to x5c and vice versa', async () => {
+    const x5c = pemCertChainTox5c(PEM_FULL_CHAIN)
+    expect(x5c).toHaveLength(3)
+    const chain = x5cToPemCertChain(x5c)
+    expect(chain).toHaveLength(PEM_FULL_CHAIN.length)
+    expect(chain).toContain(PEM_CERT)
+  })
+})
+describe('x509 keys', () => {
+  it('should sign and verify', async () => {
+    const jsEncryptGenerated = new JSEncrypt()
+    const keyPair = jsEncryptGenerated.getKey()
+    const privPEM = keyPair.getPrivateKey()
+    const pubPEM = keyPair.getPublicKey()
+
+    const jsEncryptImported = new JSEncrypt()
+    jsEncryptImported.setKey(privPEM)
+
+    const jsEncryptPubOnly = new JSEncrypt()
+    jsEncryptPubOnly.setKey(pubPEM)
+
+    const sha256 = digestMethodParams('SHA-256')
+    const signed = jsEncryptImported.sign('test', sha256.digestMethod, sha256.hashAlgorithm)
+    expect(signed).toHaveLength(172)
+
+    expect(jsEncryptPubOnly.verify('test', signed as string, sha256.digestMethod)).toBeTruthy()
+  })
+  it('should export private key to private Key Object', async () => {
+    const keyObject = toKeyObject(PEM_PRIV_KEY, 'private')
+    expect(keyObject.keyType).toEqual('private')
+    expect(keyObject.keyHex).toEqual(
+      '308204bf020100300d06092a864886f70d0101010500048204a9308204a50201000282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c02453020301000102820101009576685ad2b3a124182969fc36e41d34983ea581fd2c16c97c010b36ea2f485628f240c5be324c0856b3df3f1469fb48dee09d8647417903a320e819c1a275099606689a82c093f106199fb98ad6124f16d0eb885710d45d3ef769310be37ace6e811bd31988d764566976def774e6ad05a839c715243acab6a6c20d01eeb68d3d0eec83b098d3ceda31eca32a42121b59229f424975f47061006d766a6cbe18d5857b5e06a8b25e1ca0fd792bb7afb92b83c7d4180482f83bbce0cf55fb3b640a72cd93de0f419fe7e0a1c60d495641afc5cd692c0bde4c71fde0d3501e5b6cf8aa285514613c1e7399d20918e383a7daa370af898dde24242f3486006e503102818100f498cfafc7b004682d6902a67b9f7e316051ab375c35193e3f9307d53041f7d8e1c238503561af52cd23e1ff7ed6c50b32e9ff38bfafd0eb2bd8bd5f4c30c49d2101938c048aff105fe3e66c60acdea069e5cef9575277ab737636c77ae0d08bbf56083fe53d967b0c6a9532c3a44df0742ad58f030e8d86e55444b16621498d02818100dfe42c7f598d07663a7db562d840d2cb9b5d902c8f2855184b2e7c5556a803cb5df12b63524d058476306a8a3adc614ebafb494c5fcc465f0831b817405061297b15a95565d4a4bd820fa66959590c32ef9929629c5f16a38e8591d55e056fcf597adb6f997bbfdcaef5ea9692abd73737a5911cb5d59ed44b0e0d088e6c7d5f028180449dcdbd812656c626df0b984a9bde99d96c6fbcb3084e5191221d13685b493d356ff7be408b6bd4ada9c04f9d74808878bafe171c672513a4144463c48af5cd22a23f930aff37388fbdee393f119fce9e86927e8e499b3aa4c467efa4000760fcc714bf5ffedc051ee193834f30fb9055f6623ca15de6c40df78ae1bd45df4d02818100b9c40faba6b8de3fd31e44a6fbf9652dacfe87c6810d9cf56843ecc3bdfff00e082737b1d432b5f63f3e52d7d898cc604fc27a01d5a69f68f05a987d2a4ec71f6cd1ff4b2d0faf94d1da7c6002d360ccce824d95555b8c642eb7e2d59f8a714820dd503f1ba153031f6449bd9f7ad73a2880c69384c7f75dfbdc6fb1fec2438f02818100df333c3157e5e861fc1bb4db910c628b5dcbff481f0ed036c4a7f2a517ff390cb0c5cbb44fc02351738e0df74d3b5345c48e728cbacd1752ac04fb482829c3037f0de6f8f8de9a9395aa740b07a2608877eb570406aba25563dd1f187f6b9c0b3e9aec71487c56999a91436a0e76da27caf444578e2782bc1ee2718af0ee4de0'
+    )
+    expect(keyObject.pem).toEqual(PEM_PRIV_KEY + '\n')
+    expect(keyObject.jwk).toEqual({
+      kty: 'RSA',
+      n: '1esfhwiRSpFYG3lFsvYgljhZtSebzZ2zgwzGrBz46fJuz49swanZFLCZ-tnExDYACNG-lQf4k7asMqXWFEMU2oxIZ1Jv_RXkH_L4_At-DiPPND3oYHr4gkKwpVqy84w3HBL6EFUirc_ANWM3N0qrsPLkHxSlajwgysup1Y4U3gx4_bcQSU36Jh_lmB6Q97LpkV7txgecWUBsAuh9t3K2iaVdUcNw_8-5xZapYPQEGcEp47yPixOJ2SmXpoR2iTpvZK4ZNyF3JxqKQg2pGJqVbVovthSwdxQkOqF21obQd6IiJcvDmnHSxLo6DiHBGYEYxJO83PSkTY3Xyh7yZMAkUw',
+      e: 'AQAB',
+      d: 'lXZoWtKzoSQYKWn8NuQdNJg-pYH9LBbJfAELNuovSFYo8kDFvjJMCFaz3z8UaftI3uCdhkdBeQOjIOgZwaJ1CZYGaJqCwJPxBhmfuYrWEk8W0OuIVxDUXT73aTEL43rOboEb0xmI12RWaXbe93TmrQWoOccVJDrKtqbCDQHuto09DuyDsJjTztox7KMqQhIbWSKfQkl19HBhAG12amy-GNWFe14GqLJeHKD9eSu3r7krg8fUGASC-Du84M9V-ztkCnLNk94PQZ_n4KHGDUlWQa_FzWksC95Mcf3g01AeW2z4qihVFGE8HnOZ0gkY44On2qNwr4mN3iQkLzSGAG5QMQ',
+      p: '9JjPr8ewBGgtaQKme59-MWBRqzdcNRk-P5MH1TBB99jhwjhQNWGvUs0j4f9-1sULMun_OL-v0Osr2L1fTDDEnSEBk4wEiv8QX-PmbGCs3qBp5c75V1J3q3N2Nsd64NCLv1YIP-U9lnsMapUyw6RN8HQq1Y8DDo2G5VREsWYhSY0',
+      q: '3-Qsf1mNB2Y6fbVi2EDSy5tdkCyPKFUYSy58VVaoA8td8StjUk0FhHYwaoo63GFOuvtJTF_MRl8IMbgXQFBhKXsVqVVl1KS9gg-maVlZDDLvmSlinF8Wo46FkdVeBW_PWXrbb5l7v9yu9eqWkqvXNzelkRy11Z7USw4NCI5sfV8',
+      dp: 'RJ3NvYEmVsYm3wuYSpvemdlsb7yzCE5RkSIdE2hbST01b_e-QItr1K2pwE-ddICIeLr-FxxnJROkFERjxIr1zSKiP5MK_zc4j73uOT8Rn86ehpJ-jkmbOqTEZ--kAAdg_McUv1_-3AUe4ZODTzD7kFX2YjyhXebEDfeK4b1F300',
+      dq: 'ucQPq6a43j_THkSm-_llLaz-h8aBDZz1aEPsw73_8A4IJzex1DK19j8-UtfYmMxgT8J6AdWmn2jwWph9Kk7HH2zR_0stD6-U0dp8YALTYMzOgk2VVVuMZC634tWfinFIIN1QPxuhUwMfZEm9n3rXOiiAxpOEx_dd-9xvsf7CQ48',
+      qi: '3zM8MVfl6GH8G7TbkQxii13L_0gfDtA2xKfypRf_OQywxcu0T8AjUXOODfdNO1NFxI5yjLrNF1KsBPtIKCnDA38N5vj43pqTlap0CweiYIh361cEBquiVWPdHxh_a5wLPprscUh8VpmakUNqDnbaJ8r0RFeOJ4K8HuJxivDuTeA',
+    })
+  })
+
+  it('should export private key to public Key Object', async () => {
+    const keyObject = toKeyObject(PEM_PRIV_KEY, 'public')
+    expect(keyObject.keyType).toEqual('public')
+    expect(keyObject.keyHex).toEqual(
+      '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001'
+    )
+    expect(keyObject.pem).toEqual(
+      '-----BEGIN PUBLIC KEY-----\n' +
+        'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1esfhwiRSpFYG3lFsvYg\n' +
+        'ljhZtSebzZ2zgwzGrBz46fJuz49swanZFLCZ+tnExDYACNG+lQf4k7asMqXWFEMU\n' +
+        '2oxIZ1Jv/RXkH/L4/At+DiPPND3oYHr4gkKwpVqy84w3HBL6EFUirc/ANWM3N0qr\n' +
+        'sPLkHxSlajwgysup1Y4U3gx4/bcQSU36Jh/lmB6Q97LpkV7txgecWUBsAuh9t3K2\n' +
+        'iaVdUcNw/8+5xZapYPQEGcEp47yPixOJ2SmXpoR2iTpvZK4ZNyF3JxqKQg2pGJqV\n' +
+        'bVovthSwdxQkOqF21obQd6IiJcvDmnHSxLo6DiHBGYEYxJO83PSkTY3Xyh7yZMAk\n' +
+        'UwIDAQAB\n' +
+        '-----END PUBLIC KEY-----\n'
+    )
+    expect(keyObject.jwk).toEqual({
+      e: 'AQAB',
+      kty: 'RSA',
+      n: '1esfhwiRSpFYG3lFsvYgljhZtSebzZ2zgwzGrBz46fJuz49swanZFLCZ-tnExDYACNG-lQf4k7asMqXWFEMU2oxIZ1Jv_RXkH_L4_At-DiPPND3oYHr4gkKwpVqy84w3HBL6EFUirc_ANWM3N0qrsPLkHxSlajwgysup1Y4U3gx4_bcQSU36Jh_lmB6Q97LpkV7txgecWUBsAuh9t3K2iaVdUcNw_8-5xZapYPQEGcEp47yPixOJ2SmXpoR2iTpvZK4ZNyF3JxqKQg2pGJqVbVovthSwdxQkOqF21obQd6IiJcvDmnHSxLo6DiHBGYEYxJO83PSkTY3Xyh7yZMAkUw',
+    })
+  })
+})
+
+describe('@veramo/kms-local x509 import', () => {
+  const x509: X509Opts = {
+    cn: 'f825-87-213-241-251.eu.ngrok.io',
+    certificatePEM: PEM_CERT,
+    certificateChainPEM: PEM_CHAIN,
+    privateKeyPEM: PEM_PRIV_KEY,
+    certificateChainURL: 'https://example.com/.wellknown/fullchain.pem',
+  }
+  const privateKeyHex = privateKeyHexFromPEM(PEM_PRIV_KEY)
+  const meta = {
+    x509,
+  }
+
+  it('should import a cert with chain', async () => {
+    const kms = new SphereonKeyManagementSystem(new MemoryPrivateKeyStore())
+
+    // @ts-ignore
+    const key = await kms.importKey({ kid: 'test', privateKeyHex, type: 'RSA', meta })
+    expect(key.type).toEqual('RSA')
+    expect(key.publicKeyHex).toEqual(
+      '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001'
+    )
+    expect(key.kid).toEqual('test')
+    expect(key.meta?.algorithms).toEqual(['RS256', 'RS512', 'PS256', 'PS512'])
+
+    expect(key.meta?.publicKeyPEM).toBeDefined()
+    await expect(key.meta?.publicKeyJwk).toMatchObject({
+      kty: 'RSA',
+      n: '1esfhwiRSpFYG3lFsvYgljhZtSebzZ2zgwzGrBz46fJuz49swanZFLCZ-tnExDYACNG-lQf4k7asMqXWFEMU2oxIZ1Jv_RXkH_L4_At-DiPPND3oYHr4gkKwpVqy84w3HBL6EFUirc_ANWM3N0qrsPLkHxSlajwgysup1Y4U3gx4_bcQSU36Jh_lmB6Q97LpkV7txgecWUBsAuh9t3K2iaVdUcNw_8-5xZapYPQEGcEp47yPixOJ2SmXpoR2iTpvZK4ZNyF3JxqKQg2pGJqVbVovthSwdxQkOqF21obQd6IiJcvDmnHSxLo6DiHBGYEYxJO83PSkTY3Xyh7yZMAkUw',
+      e: 'AQAB',
+      x5u: 'https://example.com/.wellknown/fullchain.pem',
+    })
+  })
+
+  it('should sign input data', async () => {
+    const kms = new SphereonKeyManagementSystem(new MemoryPrivateKeyStore())
+    const data = u8a.fromString('test', 'utf-8')
+
+    // @ts-ignore
+    const key = await kms.importKey({ kid: 'test', privateKeyHex, type: 'RSA', meta })
+    const signature = await kms.sign({ keyRef: key, data, algorithm: 'RS256' })
+    expect(signature).toEqual(
+      'PAgf2uRWJa-pmlUL80NVnxkExJkcpfLPB8udX1WoFGtAnIuFCfq8r1C43NL0xr9Qtn8TBK5pVHmAPPd7XlTkXU_LQ_JoBYxjzjtaRzGOo4-S-TAtKaW-evGI5rpXFWCeta0gwzTCVfDjbouRUg3_krK0B1cLLK1Kiih83n-6hadTxPLiQqNpbWxbnoHbZXw-V-5maCE1erY9cvO9LZeO2S_PXiqb19gk4mOEG3ZRQm12eHAlOVTnqRYiLmwWfSnT231jkJnF99RuLUjxlQNO5K6B-vYIhfVoqDliqaW6IEOamJJHUWG6RlqZfU7TzanZzR0YmDf5HIJEiDG4D_lF6g'
+    )
+  })
+})
+
+describe('RSA Signer', () => {
+  it('should sign and verify', async () => {
+    const signer = new RSASigner(PEMToJwk(PEM_PRIV_KEY, 'private'), {
+      hashAlgorithm: 'SHA-256',
+      scheme: 'RSASSA-PKCS1-V1_5',
+    })
+    const signature = await signer.sign('test123')
+    expect(signature).toBeDefined()
+    const result = await signer.verify('test123', signature)
+    expect(result).toBeTruthy()
+  })
+})

package/src/index.ts

@@ -0,0 +1,6 @@
+import { TKeyType } from '@veramo/core'
+export { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'
+export type BlsManagedKeyInfoArgs = { alias?: string; type: TKeyType; privateKeyHex: string; publicKeyHex?: string }
+export enum KeyType {
+  Bls12381G2 = 'Bls12381G2',
+}

package/src/x509/digest-methods.ts

@@ -0,0 +1,74 @@
+import { hash as sha256 } from '@stablelib/sha256'
+import { hash as sha512 } from '@stablelib/sha512'
+import * as u8a from 'uint8arrays'
+
+export type HashAlgorithm = 'SHA-256' | 'SHA-512'
+export type TDigestMethod = (input: string) => string
+
+export const digestMethodParams = (hashAlgorithm: HashAlgorithm): { hashAlgorithm: HashAlgorithm; digestMethod: TDigestMethod } => {
+  if (hashAlgorithm === 'SHA-256') {
+    return { hashAlgorithm: 'SHA-256', digestMethod: sha256DigestMethod }
+  } else {
+    return { hashAlgorithm: 'SHA-512', digestMethod: sha512DigestMethod }
+  }
+}
+
+const sha256DigestMethod = (input: string): string => {
+  return u8a.toString(sha256(u8a.fromString(input, 'utf-8')), 'base16')
+}
+
+const sha512DigestMethod = (input: string): string => {
+  return u8a.toString(sha512(u8a.fromString(input, 'utf-8')), 'base16')
+}
+
+/*
+// PKCS#1 (PSS) mask generation function
+function pss_mgf1_str(seed, len, hash) {
+    var mask = '', i = 0;
+
+    while (mask.length < len) {
+        mask += hextorstr(hash(rstrtohex(seed + String.fromCharCode.apply(String, [
+                (i & 0xff000000) >> 24,
+                (i & 0x00ff0000) >> 16,
+                (i & 0x0000ff00) >> 8,
+                i & 0x000000ff]))));
+        i += 1;
+    }
+
+    return mask;
+}
+
+ */
+
+/*
+
+/!**
+ * Generate mask of specified length.
+ *
+ * @param {String} seed The seed for mask generation.
+ * @param maskLen Number of bytes to generate.
+ * @return {String} The generated mask.
+ *!/
+export const mgf1 = (dm: TDigestMethod, seed: string, maskLen: number) => {
+  /!* 2. Let T be the empty octet string. *!/
+  var t = new forge.util.ByteBuffer();
+
+  /!* 3. For counter from 0 to ceil(maskLen / hLen), do the following: *!/
+  var len = Math.ceil(maskLen / md.digestLength);
+  for(var i = 0; i < len; i++) {
+    /!* a. Convert counter to an octet string C of length 4 octets *!/
+    var c = new forge.util.ByteBuffer();
+    c.putInt32(i);
+
+    /!* b. Concatenate the hash of the seed mgfSeed and C to the octet
+     * string T: *!/
+    md.start();
+    md.update(seed + c.getBytes());
+    t.putBuffer(md.digest());
+  }
+
+  /!* Output the leading maskLen octets of T as the octet string mask. *!/
+  t.truncate(t.length() - maskLen);
+  return t.getBytes();
+}
+*/

package/src/x509/rsa-key.ts

@@ -0,0 +1,61 @@
+import { base64ToPEM, JWK } from '@sphereon/ssi-sdk-did-utils'
+import crypto from '@sphereon/isomorphic-webcrypto'
+import { HashAlgorithm } from './digest-methods'
+import * as u8a from 'uint8arrays'
+
+export type RSASignatureSchemes = 'RSASSA-PKCS1-V1_5' | 'RSA-PSS'
+
+export type RSAEncryptionSchemes = 'RSAES-PKCS-v1_5 ' | 'RSAES-OAEP'
+
+const usage = (jwk: JWK): KeyUsage[] => {
+  // "decrypt" | "deriveBits" | "deriveKey" | "encrypt" | "sign" | "unwrapKey" | "verify" | "wrapKey";
+  return jwk.d ? ['sign', 'decrypt', 'verify', 'encrypt'] : ['verify', 'encrypt']
+}
+
+export const signAlgorithmToSchemeAndHashAlg = (signingAlg: string) => {
+  const alg = signingAlg.toUpperCase()
+  let scheme: RSAEncryptionSchemes | RSASignatureSchemes
+  if (alg.startsWith('RS')) {
+    scheme = 'RSASSA-PKCS1-V1_5'
+  } else if (alg.startsWith('PS')) {
+    scheme = 'RSA-PSS'
+  } else {
+    throw Error(`Invalid signing algorithm supplied ${signingAlg}`)
+  }
+
+  const hashAlgorithm = `SHA-${alg.substring(2)}` as HashAlgorithm
+  return { scheme, hashAlgorithm }
+}
+
+export const importRSAKey = async (
+  jwk: JWK,
+  scheme: RSAEncryptionSchemes | RSASignatureSchemes,
+  hashAlgorithm?: HashAlgorithm
+): Promise<CryptoKey> => {
+  const hashName = hashAlgorithm ? hashAlgorithm : jwk.alg ? `SHA-${jwk.alg.substring(2)}` : 'SHA-256'
+
+  const importParams: RsaHashedImportParams = { name: scheme, hash: hashName }
+  return await crypto.subtle.importKey('jwk', jwk as JsonWebKey, importParams, false, usage(jwk))
+}
+
+export const generateRSAKeyAsPEM = async (
+  scheme: RSAEncryptionSchemes | RSASignatureSchemes,
+  hashAlgorithm?: HashAlgorithm,
+  modulusLength?: number
+): Promise<string> => {
+  const hashName = hashAlgorithm ? hashAlgorithm : 'SHA-256'
+
+  const params: RsaHashedKeyGenParams = {
+    name: scheme,
+    hash: hashName,
+    modulusLength: modulusLength ? modulusLength : 2048,
+    publicExponent: new Uint8Array([1, 0, 1]),
+  }
+  const keyUsage: KeyUsage[] = scheme === 'RSA-PSS' || scheme === 'RSASSA-PKCS1-V1_5' ? ['sign', 'verify'] : ['encrypt', 'decrypt']
+
+  const keypair = await crypto.subtle.generateKey(params, true, keyUsage)
+  const pkcs8 = await crypto.subtle.exportKey('pkcs8', keypair.privateKey)
+
+  const uint8Array = new Uint8Array(pkcs8)
+  return base64ToPEM(u8a.toString(uint8Array, 'base64pad'), 'RSA PRIVATE KEY')
+}

package/src/x509/rsa-signer.ts

@@ -0,0 +1,67 @@
+import { JWK, PEMToJwk } from '@sphereon/ssi-sdk-did-utils'
+import * as u8a from 'uint8arrays'
+import { HashAlgorithm } from './digest-methods'
+import crypto from '@sphereon/isomorphic-webcrypto'
+import { importRSAKey, RSAEncryptionSchemes, RSASignatureSchemes } from './rsa-key'
+
+export class RSASigner {
+  private readonly hashAlgorithm: HashAlgorithm
+  private readonly jwk: JWK
+
+  private key: CryptoKey | undefined
+  private readonly scheme: RSAEncryptionSchemes | RSASignatureSchemes
+
+  /**
+   *
+   * @param key Either in PEM or JWK format (no raw hex keys here!)
+   * @param hashAlgorithm
+   */
+  constructor(key: string | JWK, opts?: { hashAlgorithm?: HashAlgorithm; scheme?: RSAEncryptionSchemes | RSASignatureSchemes }) {
+    if (typeof key === 'string') {
+      this.jwk = PEMToJwk(key)
+    } else {
+      this.jwk = key
+    }
+
+    this.hashAlgorithm = opts?.hashAlgorithm ?? 'SHA-256'
+    this.scheme = opts?.scheme ?? 'RSA-PSS'
+  }
+
+  private getImportParams(): AlgorithmIdentifier {
+    // console.log({ name: this.scheme /*, hash: this.hashAlgorithm*/ })
+    return { name: this.scheme /*, hash: this.hashAlgorithm*/ }
+  }
+
+  private async getKey(): Promise<CryptoKey> {
+    if (!this.key) {
+      this.key = await importRSAKey(this.jwk, this.scheme, this.hashAlgorithm)
+    }
+    return this.key
+  }
+
+  private bufferToString(buf: ArrayBuffer) {
+    const uint8Array = new Uint8Array(buf)
+    return u8a.toString(uint8Array, 'base64url') // Needs to be base64url for JsonWebSignature2020. Don't change!
+  }
+
+  public async sign(data: string | Uint8Array): Promise<string> {
+    const input = typeof data === 'string' ? u8a.fromString(data, 'utf-8') : data
+    const key = await this.getKey()
+    const signature = this.bufferToString(await crypto.subtle.sign(this.getImportParams(), key, input))
+    if (!signature) {
+      throw Error('Could not sign input data')
+    }
+
+    //  base64url signature
+    return signature
+  }
+
+  public async verify(data: string | Uint8Array, signature: string | Uint8Array): Promise<boolean> {
+    const sig = typeof signature === 'string' ? signature : u8a.toString(signature, 'base64url')
+    const jws = sig.includes('.') ? sig.split('.')[2] : sig
+
+    const input = typeof data == 'string' ? u8a.fromString(data, 'utf-8') : data
+    const verificationResult = await crypto.subtle.verify(this.getImportParams(), await this.getKey(), u8a.fromString(jws, 'base64url'), input)
+    return verificationResult
+  }
+}