@sphereon/ssi-sdk-ext.kms-local 0.28.1-feature.esm.cjs.8 → 0.28.1-feature.jose.vcdm.19

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/index.cjs +4 -3
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.js +2 -1
  4. package/dist/index.js.map +1 -1
  5. package/dist/tsdoc-metadata.json +1 -1
  6. package/package.json +8 -7
  7. package/src/SphereonKeyManagementSystem.ts +6 -5
  8. package/src/index.ts +2 -2
package/dist/index.cjs CHANGED
@@ -42,8 +42,9 @@ var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.key-utils");
42
42
  var import_kms_local = require("@veramo/kms-local");
43
43
  var import_debug = __toESM(require("debug"), 1);
44
44
  var import_elliptic = __toESM(require("elliptic"), 1);
45
- var import_from_string = require("uint8arrays/from-string");
45
+ var u8a = __toESM(require("uint8arrays"), 1);
46
46
  var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.x509-utils");
47
+ var { fromString } = u8a;
47
48
  var debug = (0, import_debug.default)("sphereon:kms:local");
48
49
  var SphereonKeyManagementSystem = class extends import_kms_local.KeyManagementSystem {
49
50
  static {
@@ -165,7 +166,7 @@ var SphereonKeyManagementSystem = class extends import_kms_local.KeyManagementSy
165
166
  };
166
167
  break;
167
168
  case "Secp256k1": {
168
- const privateBytes = (0, import_from_string.fromString)(args.privateKeyHex.toLowerCase(), "base16");
169
+ const privateBytes = fromString(args.privateKeyHex.toLowerCase(), "base16");
169
170
  const secp256k1 = new import_elliptic.default.ec("secp256k1");
170
171
  const keyPair = secp256k1.keyFromPrivate(privateBytes, "hex");
171
172
  const publicKeyHex = keyPair.getPublic(true, "hex");
@@ -190,7 +191,7 @@ var SphereonKeyManagementSystem = class extends import_kms_local.KeyManagementSy
190
191
  break;
191
192
  }
192
193
  case "Secp256r1": {
193
- const privateBytes = (0, import_from_string.fromString)(args.privateKeyHex.toLowerCase(), "base16");
194
+ const privateBytes = fromString(args.privateKeyHex.toLowerCase(), "base16");
194
195
  const secp256r1 = new import_elliptic.default.ec("p256");
195
196
  const keyPair = secp256r1.keyFromPrivate(privateBytes, "hex");
196
197
  const publicKeyHex = keyPair.getPublic(true, "hex");
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/SphereonKeyManagementSystem.ts"],"sourcesContent":["import { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n","import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { KeyType, ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA;;;;;;;;ACHA,yBAA+E;AAI/E,uBAAoC;AACpC,mBAAkB;AAClB,sBAAqB;AAErB,yBAA2B;AAE3B,IAAAA,sBAQO;AAEP,IAAMC,YAAQC,aAAAA,SAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,qCAAAA;EAtBjD,OAsBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,UAAMW,0CAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS,UACnB,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc;MAC9H;AACA,aAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;IAC3D,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;AACA,UAAMb,MAAM,gDAAgDc,WAAWpB,IAAI,EAAE;EAC/E;EAEA,MAAMwB,OAAO,EACXnB,cACAL,MACAkB,WACAC,MACAM,UAAS,GAOU;AACnB,QAAIzB,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK0B,UAAUrB,cAAcc,MAAMD,aAAa,SAASO,SAAAA;IACxE;AACA,UAAMnB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBsB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,mBAAeC,+BAAW/B,KAAKK,cAAc2B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeP,cAAc,KAAA;AACvD,cAAMxB,eAAe8B,QAAQE,UAAU,MAAM,KAAA;AAC7CvB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJW,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMpC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,mBAAeC,+BAAW/B,KAAKK,cAAc2B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,gBAAAA,QAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeP,cAAc,KAAA;AACvD,cAAMxB,eAAe8B,QAAQE,UAAU,MAAM,KAAA;AAC7CvB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJW,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMpC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMe,OAAO5C,KAAK4B,MAAMgB;AACxB,cAAM/B,gBACJ+B,MAAM/B,kBAAkBb,KAAKK,cAAcwC,SAAS,KAAA,IAAS7C,KAAKK,oBAAgByC,8BAAS9C,KAAKK,eAAe,SAAA;AACjH,cAAM0C,mBAAeC,8BAASnC,eAAe,QAAA;AAC7C,cAAMoC,mBAAeC,8BAASH,cAAc,QAAA;AAC5C,cAAMzC,mBAAe6C,8BAASF,YAAAA;AAE9B,cAAMrB,OAAO,CAAC;AACd,YAAIgB,MAAM;AACRhB,eAAKgB,OAAO;YACVQ,IAAIR,KAAKQ,MAAMpD,KAAKU,SAASJ;UAC/B;AACA,cAAI+C,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB5B,iBAAKgB,KAAKU,sBAAsBD;AAChC,kBAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA7B,iBAAKgB,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB/B,iBAAKgB,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA5C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASkB,MAAMgB,MAAMQ,MAAM9C;UACrCA;UACAsB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCkB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAM1C,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkByC,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASzB,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAEyD;MAAeC;IAAO,CAAA;AACzH,UAAMrC,YAAY,MAAMuC,OAAOhD,KAAKG,IAAAA;AACpC,WAAOM;EACT;EAEA,MAAcC,UAAUrB,cAAsBc,MAAkByC,kBAA0BnC,WAAmB;AAC3G,UAAM,EAAEoC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASxC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEwD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOxC,OAAOL,MAAMM,SAAAA;EACnC;EAEA,MAAayC,WAA2C;AACtD,YAAQ,MAAM,KAAKvE,gBAAgBwE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAAChD,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ADrRA,0BAAc,8BAFd;AAgBO,IAAKiD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["import_ssi_sdk_ext","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","verify","signature","verifyRSA","meta","algorithms","privateBytes","fromString","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/SphereonKeyManagementSystem.ts"],"sourcesContent":["import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n","import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA;;;;;;;;ACHA,yBAAoF;AAIpF,uBAAoC;AACpC,mBAAkB;AAClB,sBAAqB;AAErB,UAAqB;AAGrB,IAAAA,sBAQO;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,YAAQC,aAAAA,SAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,qCAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,UAAMW,0CAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS,UACnB,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc;MAC9H;AACA,aAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;IAC3D,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;AACA,UAAMb,MAAM,gDAAgDc,WAAWpB,IAAI,EAAE;EAC/E;EAEA,MAAMwB,OAAO,EACXnB,cACAL,MACAkB,WACAC,MACAM,UAAS,GAOU;AACnB,QAAIzB,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK0B,UAAUrB,cAAcc,MAAMD,aAAa,SAASO,SAAAA;IACxE;AACA,UAAMnB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBsB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,gBAAAA,QAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO3C,KAAK4B,MAAMe;AACxB,cAAM9B,gBACJ8B,MAAM9B,kBAAkBb,KAAKK,cAAcuC,SAAS,KAAA,IAAS5C,KAAKK,oBAAgBwC,8BAAS7C,KAAKK,eAAe,SAAA;AACjH,cAAMyC,mBAAeC,8BAASlC,eAAe,QAAA;AAC7C,cAAMmC,mBAAeC,8BAASH,cAAc,QAAA;AAC5C,cAAMxC,mBAAe4C,8BAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMnD,KAAKU,SAASJ;UAC/B;AACA,cAAI8C,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA3C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASkB,MAAMe,MAAMQ,MAAM7C;UACrCA;UACAsB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAMzC,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkBwC,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASxB,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAEwD;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAO/C,KAAKG,IAAAA;AACpC,WAAOM;EACT;EAEA,MAAcC,UAAUrB,cAAsBc,MAAkBwC,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASvC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEuD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOL,MAAMM,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKtE,gBAAgBuE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAAC/C,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ADtRA,0BAAc,8BAFd;AAgBO,IAAKgD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["import_ssi_sdk_ext","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
package/dist/index.js CHANGED
@@ -6,8 +6,9 @@ import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk } from "@sphereon/
6
6
  import { KeyManagementSystem } from "@veramo/kms-local";
7
7
  import Debug from "debug";
8
8
  import elliptic from "elliptic";
9
- import { fromString } from "uint8arrays/from-string";
9
+ import * as u8a from "uint8arrays";
10
10
  import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk, RSASigner, signAlgorithmToSchemeAndHashAlg } from "@sphereon/ssi-sdk-ext.x509-utils";
11
+ var { fromString } = u8a;
11
12
  var debug = Debug("sphereon:kms:local");
12
13
  var SphereonKeyManagementSystem = class extends KeyManagementSystem {
13
14
  static {
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/SphereonKeyManagementSystem.ts","../src/index.ts"],"sourcesContent":["import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { KeyType, ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n","import { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,uBAAuBC,aAAuB;AAI/E,SAASC,2BAA2B;AACpC,OAAOC,WAAW;AAClB,OAAOC,cAAc;AAErB,SAASC,kBAAkB;AAE3B,SACEC,UACAC,UACAC,mBACAC,UACAC,UACAC,WACAC,uCACK;AAEP,IAAMC,QAAQC,MAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,oBAAAA;EAtBjD,OAsBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,MAAMW,sBAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS,UACnB,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc;MAC9H;AACA,aAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;IAC3D,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;AACA,UAAMb,MAAM,gDAAgDc,WAAWpB,IAAI,EAAE;EAC/E;EAEA,MAAMwB,OAAO,EACXnB,cACAL,MACAkB,WACAC,MACAM,UAAS,GAOU;AACnB,QAAIzB,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK0B,UAAUrB,cAAcc,MAAMD,aAAa,SAASO,SAAAA;IACxE;AACA,UAAMnB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBsB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAeC,WAAW/B,KAAKK,cAAc2B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,SAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeP,cAAc,KAAA;AACvD,cAAMxB,eAAe8B,QAAQE,UAAU,MAAM,KAAA;AAC7CvB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJW,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMpC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAeC,WAAW/B,KAAKK,cAAc2B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,SAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeP,cAAc,KAAA;AACvD,cAAMxB,eAAe8B,QAAQE,UAAU,MAAM,KAAA;AAC7CvB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJW,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMpC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMe,OAAO5C,KAAK4B,MAAMgB;AACxB,cAAM/B,gBACJ+B,MAAM/B,kBAAkBb,KAAKK,cAAcwC,SAAS,KAAA,IAAS7C,KAAKK,gBAAgByC,SAAS9C,KAAKK,eAAe,SAAA;AACjH,cAAM0C,eAAeC,SAASnC,eAAe,QAAA;AAC7C,cAAMoC,eAAeC,SAASH,cAAc,QAAA;AAC5C,cAAMzC,eAAe6C,SAASF,YAAAA;AAE9B,cAAMrB,OAAO,CAAC;AACd,YAAIgB,MAAM;AACRhB,eAAKgB,OAAO;YACVQ,IAAIR,KAAKQ,MAAMpD,KAAKU,SAASJ;UAC/B;AACA,cAAI+C,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB5B,iBAAKgB,KAAKU,sBAAsBD;AAChC,kBAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA7B,iBAAKgB,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB/B,iBAAKgB,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA5C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASkB,MAAMgB,MAAMQ,MAAM9C;UACrCA;UACAsB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCkB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAM1C,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkByC,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASzB,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAEyD;MAAeC;IAAO,CAAA;AACzH,UAAMrC,YAAY,MAAMuC,OAAOhD,KAAKG,IAAAA;AACpC,WAAOM;EACT;EAEA,MAAcC,UAAUrB,cAAsBc,MAAkByC,kBAA0BnC,WAAmB;AAC3G,UAAM,EAAEoC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASxC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEwD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOxC,OAAOL,MAAMM,SAAAA;EACnC;EAEA,MAAayC,WAA2C;AACtD,YAAQ,MAAM,KAAKvE,gBAAgBwE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAAChD,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ACrRA,cAAc;AAcP,IAAKiD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["calculateJwkThumbprint","generatePrivateKeyHex","toJwk","KeyManagementSystem","Debug","elliptic","fromString","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","RSASigner","signAlgorithmToSchemeAndHashAlg","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","verify","signature","verifyRSA","meta","algorithms","privateBytes","fromString","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
1
+ {"version":3,"sources":["../src/SphereonKeyManagementSystem.ts","../src/index.ts"],"sourcesContent":["import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n","import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,uBAAuBC,aAA4B;AAIpF,SAASC,2BAA2B;AACpC,OAAOC,WAAW;AAClB,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,SACEC,UACAC,UACAC,mBACAC,UACAC,UACAC,WACAC,uCACK;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,QAAQC,MAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,oBAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,MAAMW,sBAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS,UACnB,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc;MAC9H;AACA,aAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;IAC3D,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;AACA,UAAMb,MAAM,gDAAgDc,WAAWpB,IAAI,EAAE;EAC/E;EAEA,MAAMwB,OAAO,EACXnB,cACAL,MACAkB,WACAC,MACAM,UAAS,GAOU;AACnB,QAAIzB,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK0B,UAAUrB,cAAcc,MAAMD,aAAa,SAASO,SAAAA;IACxE;AACA,UAAMnB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBsB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,SAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,SAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO3C,KAAK4B,MAAMe;AACxB,cAAM9B,gBACJ8B,MAAM9B,kBAAkBb,KAAKK,cAAcuC,SAAS,KAAA,IAAS5C,KAAKK,gBAAgBwC,SAAS7C,KAAKK,eAAe,SAAA;AACjH,cAAMyC,eAAeC,SAASlC,eAAe,QAAA;AAC7C,cAAMmC,eAAeC,SAASH,cAAc,QAAA;AAC5C,cAAMxC,eAAe4C,SAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMnD,KAAKU,SAASJ;UAC/B;AACA,cAAI8C,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA3C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASkB,MAAMe,MAAMQ,MAAM7C;UACrCA;UACAsB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAMzC,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkBwC,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASxB,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAEwD;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAO/C,KAAKG,IAAAA;AACpC,WAAOM;EACT;EAEA,MAAcC,UAAUrB,cAAsBc,MAAkBwC,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASvC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEuD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOL,MAAMM,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKtE,gBAAgBuE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAAC/C,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ACtRA,cAAc;AAcP,IAAKgD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["calculateJwkThumbprint","generatePrivateKeyHex","toJwk","KeyManagementSystem","Debug","elliptic","u8a","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","RSASigner","signAlgorithmToSchemeAndHashAlg","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
package/dist/tsdoc-metadata.json CHANGED
@@ -5,7 +5,7 @@
5
5
  "toolPackages": [
6
6
  {
7
7
  "packageName": "@microsoft/api-extractor",
8
- "packageVersion": "7.52.3"
8
+ "packageVersion": "7.52.5"
9
9
  }
10
10
  ]
11
11
  }
package/package.json CHANGED
@@ -1,13 +1,14 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk-ext.kms-local",
3
3
  "description": "Sphereon Local Key Management System with support for BLS/BBS+, RSA keys",
4
- "version": "0.28.1-feature.esm.cjs.8+4c162d1",
4
+ "version": "0.28.1-feature.jose.vcdm.19+2c20244",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
8
8
  "module": "./dist/index.js",
9
9
  "types": "./dist/index.d.ts",
10
10
  "exports": {
11
+ "react-native": "./dist/index.js",
11
12
  "import": {
12
13
  "types": "./dist/index.d.ts",
13
14
  "import": "./dist/index.js"
@@ -22,20 +23,20 @@
22
23
  "generate-plugin-schema": "sphereon dev generate-plugin-schema"
23
24
  },
24
25
  "dependencies": {
25
- "@sphereon/ssi-sdk-ext.did-utils": "^0.28.1-feature.esm.cjs.8+4c162d1",
26
- "@sphereon/ssi-sdk-ext.key-utils": "^0.28.1-feature.esm.cjs.8+4c162d1",
27
- "@sphereon/ssi-sdk-ext.x509-utils": "^0.28.1-feature.esm.cjs.8+4c162d1",
26
+ "@sphereon/ssi-sdk-ext.did-utils": "0.28.1-feature.jose.vcdm.19+2c20244",
27
+ "@sphereon/ssi-sdk-ext.key-utils": "0.28.1-feature.jose.vcdm.19+2c20244",
28
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.28.1-feature.jose.vcdm.19+2c20244",
28
29
  "@trust/keyto": "2.0.0-alpha1",
29
30
  "@veramo/core": "4.2.0",
30
31
  "@veramo/key-manager": "4.2.0",
31
32
  "@veramo/kms-local": "4.2.0",
32
33
  "debug": "^4.4.0",
33
34
  "elliptic": "^6.5.4",
34
- "uint8arrays": "5.1.0"
35
+ "uint8arrays": "3.1.1"
35
36
  },
36
37
  "devDependencies": {
37
38
  "@sphereon/jsencrypt": "3.3.2-unstable.0",
38
- "@sphereon/ssi-sdk.dev": " ^0.33",
39
+ "@sphereon/ssi-sdk.dev": "0.33.1-feature.jose.vcdm.56",
39
40
  "@types/elliptic": "6.4.14",
40
41
  "@veramo/cli": "4.2.0"
41
42
  },
@@ -57,5 +58,5 @@
57
58
  "kms",
58
59
  "Veramo"
59
60
  ],
60
- "gitHead": "4c162d14577f462070adeea3e7ec5a443c324ee7"
61
+ "gitHead": "2c2024461b7732a2b9c6e6940cc399d5ca4626ac"
61
62
  }
package/src/SphereonKeyManagementSystem.ts CHANGED
@@ -1,13 +1,14 @@
1
- import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
1
+ import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
2
2
 
3
- import { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'
4
- import { AbstractPrivateKeyStore, ManagedPrivateKey } from '@veramo/key-manager'
3
+ import type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'
4
+ import { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'
5
5
  import { KeyManagementSystem } from '@veramo/kms-local'
6
6
  import Debug from 'debug'
7
7
  import elliptic from 'elliptic'
8
8
  // @ts-ignore
9
- import { fromString } from 'uint8arrays/from-string'
10
- import { KeyType, ManagedKeyInfoArgs } from './index'
9
+ import * as u8a from 'uint8arrays'
10
+ const { fromString } = u8a
11
+ import { KeyType, type ManagedKeyInfoArgs } from './index'
11
12
  import {
12
13
  hexToPEM,
13
14
  jwkToPEM,
package/src/index.ts CHANGED
@@ -1,5 +1,5 @@
1
- import { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
2
- import { KeyMetadata, TKeyType } from '@veramo/core'
1
+ import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
2
+ import type { KeyMetadata, TKeyType } from '@veramo/core'
3
3
 
4
4
  export { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'
5
5