@sphereon/ssi-sdk-ext.kms-local 0.28.1-feature.esm.cjs.9 → 0.28.1-feature.jose.vcdm.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/index.cjs +75 -42
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.js +2 -1
  4. package/dist/index.js.map +1 -1
  5. package/dist/tsdoc-metadata.json +1 -1
  6. package/package.json +8 -7
  7. package/src/SphereonKeyManagementSystem.ts +6 -5
  8. package/src/index.ts +2 -2
package/dist/index.cjs CHANGED
@@ -1,19 +1,56 @@
1
- "use strict";Object.defineProperty(exports, "__esModule", {value: true}); function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { default: obj }; } function _createStarExport(obj) { Object.keys(obj) .filter((key) => key !== "default" && key !== "__esModule") .forEach((key) => { if (exports.hasOwnProperty(key)) { return; } Object.defineProperty(exports, key, {enumerable: true, configurable: true, get: () => obj[key]}); }); } function _nullishCoalesce(lhs, rhsFn) { if (lhs != null) { return lhs; } else { return rhsFn(); } } function _optionalChain(ops) { let lastAccessLHS = undefined; let value = ops[0]; let i = 1; while (i < ops.length) { const op = ops[i]; const fn = ops[i + 1]; i += 2; if ((op === 'optionalAccess' || op === 'optionalCall') && value == null) { return undefined; } if (op === 'access' || op === 'optionalAccess') { lastAccessLHS = value; value = fn(value); } else if (op === 'call' || op === 'optionalCall') { value = fn((...args) => value.call(lastAccessLHS, ...args)); lastAccessLHS = undefined; } } return value; }var __defProp = Object.defineProperty;
1
+ "use strict";
2
+ var __create = Object.create;
3
+ var __defProp = Object.defineProperty;
4
+ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
5
+ var __getOwnPropNames = Object.getOwnPropertyNames;
6
+ var __getProtoOf = Object.getPrototypeOf;
7
+ var __hasOwnProp = Object.prototype.hasOwnProperty;
2
8
  var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
9
+ var __export = (target, all) => {
10
+ for (var name in all)
11
+ __defProp(target, name, { get: all[name], enumerable: true });
12
+ };
13
+ var __copyProps = (to, from, except, desc) => {
14
+ if (from && typeof from === "object" || typeof from === "function") {
15
+ for (let key of __getOwnPropNames(from))
16
+ if (!__hasOwnProp.call(to, key) && key !== except)
17
+ __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
18
+ }
19
+ return to;
20
+ };
21
+ var __reExport = (target, mod, secondTarget) => (__copyProps(target, mod, "default"), secondTarget && __copyProps(secondTarget, mod, "default"));
22
+ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
23
+ // If the importer is in node compatibility mode or this is not an ESM
24
+ // file that has been converted to a CommonJS file using a Babel-
25
+ // compatible transform (i.e. "__esModule" has not been set), then set
26
+ // "default" to the CommonJS "module.exports" for node compatibility.
27
+ isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
28
+ mod
29
+ ));
30
+ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
31
+
32
+ // src/index.ts
33
+ var index_exports = {};
34
+ __export(index_exports, {
35
+ KeyType: () => KeyType,
36
+ SphereonKeyManagementSystem: () => SphereonKeyManagementSystem
37
+ });
38
+ module.exports = __toCommonJS(index_exports);
3
39
 
4
40
  // src/SphereonKeyManagementSystem.ts
5
- var _ssisdkextkeyutils = require('@sphereon/ssi-sdk-ext.key-utils');
6
- var _kmslocal = require('@veramo/kms-local'); _createStarExport(_kmslocal);
7
- var _debug = require('debug'); var _debug2 = _interopRequireDefault(_debug);
8
- var _elliptic = require('elliptic'); var _elliptic2 = _interopRequireDefault(_elliptic);
9
- var _fromstring = require('uint8arrays/from-string');
10
- var _ssisdkextx509utils = require('@sphereon/ssi-sdk-ext.x509-utils');
11
- var debug = _debug2.default.call(void 0, "sphereon:kms:local");
12
- var SphereonKeyManagementSystem = class extends _kmslocal.KeyManagementSystem {
41
+ var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.key-utils");
42
+ var import_kms_local = require("@veramo/kms-local");
43
+ var import_debug = __toESM(require("debug"), 1);
44
+ var import_elliptic = __toESM(require("elliptic"), 1);
45
+ var u8a = __toESM(require("uint8arrays"), 1);
46
+ var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.x509-utils");
47
+ var { fromString } = u8a;
48
+ var debug = (0, import_debug.default)("sphereon:kms:local");
49
+ var SphereonKeyManagementSystem = class extends import_kms_local.KeyManagementSystem {
13
50
  static {
14
51
  __name(this, "SphereonKeyManagementSystem");
15
52
  }
16
-
53
+ privateKeyStore;
17
54
  constructor(keyStore) {
18
55
  super(keyStore);
19
56
  this.privateKeyStore = keyStore;
@@ -67,7 +104,7 @@ var SphereonKeyManagementSystem = class extends _kmslocal.KeyManagementSystem {
67
104
  }
68
105
  // @ts-ignore
69
106
  case "RSA": {
70
- const privateKeyHex = await _ssisdkextkeyutils.generatePrivateKeyHex.call(void 0, type);
107
+ const privateKeyHex = await (0, import_ssi_sdk_ext.generatePrivateKeyHex)(type);
71
108
  key = await this.importKey({
72
109
  type,
73
110
  privateKeyHex
@@ -97,7 +134,7 @@ var SphereonKeyManagementSystem = class extends _kmslocal.KeyManagementSystem {
97
134
  // @ts-ignore
98
135
  privateKey.type === "RSA" && (typeof algorithm === "undefined" || algorithm === "RS256" || algorithm === "RS512" || algorithm === "PS256" || algorithm === "PS512")
99
136
  ) {
100
- return await this.signRSA(privateKey, data, _nullishCoalesce(algorithm, () => ( "PS256")));
137
+ return await this.signRSA(privateKey, data, algorithm ?? "PS256");
101
138
  } else {
102
139
  return await super.sign({
103
140
  keyRef,
@@ -109,7 +146,7 @@ var SphereonKeyManagementSystem = class extends _kmslocal.KeyManagementSystem {
109
146
  }
110
147
  async verify({ publicKeyHex, type, algorithm, data, signature }) {
111
148
  if (type === "RSA") {
112
- return await this.verifyRSA(publicKeyHex, data, _nullishCoalesce(algorithm, () => ( "PS256")), signature);
149
+ return await this.verifyRSA(publicKeyHex, data, algorithm ?? "PS256", signature);
113
150
  }
114
151
  throw Error(`KMS verify is not implemented yet for ${type}`);
115
152
  }
@@ -119,7 +156,7 @@ var SphereonKeyManagementSystem = class extends _kmslocal.KeyManagementSystem {
119
156
  case KeyType.Bls12381G2:
120
157
  key = {
121
158
  type: args.type,
122
- kid: _nullishCoalesce(args.alias, () => ( args.publicKeyHex)),
159
+ kid: args.alias ?? args.publicKeyHex,
123
160
  publicKeyHex: args.publicKeyHex,
124
161
  meta: {
125
162
  algorithms: [
@@ -129,17 +166,17 @@ var SphereonKeyManagementSystem = class extends _kmslocal.KeyManagementSystem {
129
166
  };
130
167
  break;
131
168
  case "Secp256k1": {
132
- const privateBytes = _fromstring.fromString.call(void 0, args.privateKeyHex.toLowerCase(), "base16");
133
- const secp256k1 = new _elliptic2.default.ec("secp256k1");
169
+ const privateBytes = fromString(args.privateKeyHex.toLowerCase(), "base16");
170
+ const secp256k1 = new import_elliptic.default.ec("secp256k1");
134
171
  const keyPair = secp256k1.keyFromPrivate(privateBytes, "hex");
135
172
  const publicKeyHex = keyPair.getPublic(true, "hex");
136
173
  key = {
137
174
  type: args.type,
138
- kid: _nullishCoalesce(args.alias, () => ( publicKeyHex)),
175
+ kid: args.alias ?? publicKeyHex,
139
176
  publicKeyHex,
140
177
  meta: {
141
- jwkThumbprint: _ssisdkextkeyutils.calculateJwkThumbprint.call(void 0, {
142
- jwk: _ssisdkextkeyutils.toJwk.call(void 0, publicKeyHex, "Secp256k1")
178
+ jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
179
+ jwk: (0, import_ssi_sdk_ext.toJwk)(publicKeyHex, "Secp256k1")
143
180
  }),
144
181
  algorithms: [
145
182
  "ES256K",
@@ -154,17 +191,17 @@ var SphereonKeyManagementSystem = class extends _kmslocal.KeyManagementSystem {
154
191
  break;
155
192
  }
156
193
  case "Secp256r1": {
157
- const privateBytes = _fromstring.fromString.call(void 0, args.privateKeyHex.toLowerCase(), "base16");
158
- const secp256r1 = new _elliptic2.default.ec("p256");
194
+ const privateBytes = fromString(args.privateKeyHex.toLowerCase(), "base16");
195
+ const secp256r1 = new import_elliptic.default.ec("p256");
159
196
  const keyPair = secp256r1.keyFromPrivate(privateBytes, "hex");
160
197
  const publicKeyHex = keyPair.getPublic(true, "hex");
161
198
  key = {
162
199
  type: args.type,
163
- kid: _nullishCoalesce(args.alias, () => ( publicKeyHex)),
200
+ kid: args.alias ?? publicKeyHex,
164
201
  publicKeyHex,
165
202
  meta: {
166
- jwkThumbprint: _ssisdkextkeyutils.calculateJwkThumbprint.call(void 0, {
167
- jwk: _ssisdkextkeyutils.toJwk.call(void 0, publicKeyHex, "Secp256r1")
203
+ jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
204
+ jwk: (0, import_ssi_sdk_ext.toJwk)(publicKeyHex, "Secp256r1")
168
205
  }),
169
206
  algorithms: [
170
207
  "ES256"
@@ -175,17 +212,17 @@ var SphereonKeyManagementSystem = class extends _kmslocal.KeyManagementSystem {
175
212
  }
176
213
  // @ts-ignore
177
214
  case "RSA": {
178
- const x509 = _optionalChain([args, 'access', _ => _.meta, 'optionalAccess', _2 => _2.x509]);
179
- const privateKeyPEM = _nullishCoalesce(_optionalChain([x509, 'optionalAccess', _3 => _3.privateKeyPEM]), () => ( (args.privateKeyHex.includes("---") ? args.privateKeyHex : _ssisdkextx509utils.hexToPEM.call(void 0, args.privateKeyHex, "private"))));
180
- const publicKeyJwk = _ssisdkextx509utils.PEMToJwk.call(void 0, privateKeyPEM, "public");
181
- const publicKeyPEM = _ssisdkextx509utils.jwkToPEM.call(void 0, publicKeyJwk, "public");
182
- const publicKeyHex = _ssisdkextx509utils.PEMToHex.call(void 0, publicKeyPEM);
215
+ const x509 = args.meta?.x509;
216
+ const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes("---") ? args.privateKeyHex : (0, import_ssi_sdk_ext2.hexToPEM)(args.privateKeyHex, "private"));
217
+ const publicKeyJwk = (0, import_ssi_sdk_ext2.PEMToJwk)(privateKeyPEM, "public");
218
+ const publicKeyPEM = (0, import_ssi_sdk_ext2.jwkToPEM)(publicKeyJwk, "public");
219
+ const publicKeyHex = (0, import_ssi_sdk_ext2.PEMToHex)(publicKeyPEM);
183
220
  const meta = {};
184
221
  if (x509) {
185
222
  meta.x509 = {
186
- cn: _nullishCoalesce(_nullishCoalesce(x509.cn, () => ( args.alias)), () => ( publicKeyHex))
223
+ cn: x509.cn ?? args.alias ?? publicKeyHex
187
224
  };
188
- let certChain = _nullishCoalesce(x509.certificateChainPEM, () => ( ""));
225
+ let certChain = x509.certificateChainPEM ?? "";
189
226
  if (x509.certificatePEM) {
190
227
  if (!certChain.includes(x509.certificatePEM)) {
191
228
  certChain = `${x509.certificatePEM}
@@ -194,7 +231,7 @@ ${certChain}`;
194
231
  }
195
232
  if (certChain.length > 0) {
196
233
  meta.x509.certificateChainPEM = certChain;
197
- const x5c = _ssisdkextx509utils.pemCertChainTox5c.call(void 0, certChain);
234
+ const x5c = (0, import_ssi_sdk_ext2.pemCertChainTox5c)(certChain);
198
235
  if (!x509.certificateChainURL) {
199
236
  publicKeyJwk.x5c = x5c;
200
237
  }
@@ -207,7 +244,7 @@ ${certChain}`;
207
244
  }
208
245
  key = {
209
246
  type: args.type,
210
- kid: _nullishCoalesce(_nullishCoalesce(args.alias, () => ( _optionalChain([meta, 'optionalAccess', _4 => _4.x509, 'optionalAccess', _5 => _5.cn]))), () => ( publicKeyHex)),
247
+ kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,
211
248
  publicKeyHex,
212
249
  meta: {
213
250
  ...meta,
@@ -233,8 +270,8 @@ ${certChain}`;
233
270
  * @returns a base64url encoded signature for the `RS256` alg
234
271
  */
235
272
  async signRSA(privateKey, data, signingAlgorithm) {
236
- const { hashAlgorithm, scheme } = _ssisdkextx509utils.signAlgorithmToSchemeAndHashAlg.call(void 0, signingAlgorithm);
237
- const signer = new (0, _ssisdkextx509utils.RSASigner)(_ssisdkextx509utils.PEMToJwk.call(void 0, _ssisdkextx509utils.hexToPEM.call(void 0, privateKey.privateKeyHex, "private"), "private"), {
273
+ const { hashAlgorithm, scheme } = (0, import_ssi_sdk_ext2.signAlgorithmToSchemeAndHashAlg)(signingAlgorithm);
274
+ const signer = new import_ssi_sdk_ext2.RSASigner((0, import_ssi_sdk_ext2.PEMToJwk)((0, import_ssi_sdk_ext2.hexToPEM)(privateKey.privateKeyHex, "private"), "private"), {
238
275
  hashAlgorithm,
239
276
  scheme
240
277
  });
@@ -242,8 +279,8 @@ ${certChain}`;
242
279
  return signature;
243
280
  }
244
281
  async verifyRSA(publicKeyHex, data, signingAlgorithm, signature) {
245
- const { hashAlgorithm, scheme } = _ssisdkextx509utils.signAlgorithmToSchemeAndHashAlg.call(void 0, signingAlgorithm);
246
- const signer = new (0, _ssisdkextx509utils.RSASigner)(_ssisdkextx509utils.PEMToJwk.call(void 0, _ssisdkextx509utils.hexToPEM.call(void 0, publicKeyHex, "public"), "public"), {
282
+ const { hashAlgorithm, scheme } = (0, import_ssi_sdk_ext2.signAlgorithmToSchemeAndHashAlg)(signingAlgorithm);
283
+ const signer = new import_ssi_sdk_ext2.RSASigner((0, import_ssi_sdk_ext2.PEMToJwk)((0, import_ssi_sdk_ext2.hexToPEM)(publicKeyHex, "public"), "public"), {
247
284
  hashAlgorithm,
248
285
  scheme
249
286
  });
@@ -255,13 +292,9 @@ ${certChain}`;
255
292
  };
256
293
 
257
294
  // src/index.ts
258
-
295
+ __reExport(index_exports, require("@veramo/kms-local"), module.exports);
259
296
  var KeyType = /* @__PURE__ */ function(KeyType2) {
260
297
  KeyType2["Bls12381G2"] = "Bls12381G2";
261
298
  return KeyType2;
262
299
  }({});
263
-
264
-
265
-
266
- exports.KeyType = KeyType; exports.SphereonKeyManagementSystem = SphereonKeyManagementSystem;
267
300
  //# sourceMappingURL=index.cjs.map
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["/home/runner/work/SSI-SDK-crypto-extensions/SSI-SDK-crypto-extensions/packages/kms-local/dist/index.cjs","../src/SphereonKeyManagementSystem.ts","../src/index.ts"],"names":["debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signature","x509","includes","publicKeyPEM","certChain","x5c","certificateChainURL","meta","publicKeyJwk","signingAlgorithm","hashAlgorithm","scheme"],"mappings":"AAAA,6iCAAI,UAAU,EAAE,MAAM,CAAC,cAAc;AACrC,IAAI,OAAO,EAAE,CAAC,MAAM,EAAE,KAAK,EAAE,GAAG,SAAS,CAAC,MAAM,EAAE,MAAM,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,CAAC,CAAC;AACxF;AACA;ACHA,oEAA+E;AAI/E,2EAAoC;AACpC,4EAAkB;AAClB,wFAAqB;AAErB,qDAA2B;AAE3B,sEAQO;AAEP,IAAMA,MAAAA,EAAQC,6BAAAA,oBAAM,CAAA;AAEb,IAAMC,4BAAAA,EAAN,MAAA,QAA0CC,8BAAAA;ADVjD,ECZA,OAsBiDA;ADTjD,IAAI,MAAM,CAAC,IAAI,EAAE,6BAA6B,CAAC;AAC/C,EAAE;AACF,ECQmBC;ADPnB,ECSEC,WAAAA,CAAYC,QAAAA,EAAmC;AAC7C,IAAA,KAAA,CAAMA,QAAAA,CAAAA;AACN,IAAA,IAAA,CAAKF,gBAAAA,EAAkBE,QAAAA;ADR3B,ECSE;ADRF,ECUE,MAAMC,SAAAA,CAAUC,IAAAA,EAA+F;AAC7G,IAAA,OAAA,CAAQA,IAAAA,CAAKC,IAAAA,EAAI;ADTrB,MCUM,KAAKC,OAAAA,CAAQC,UAAAA,CAAWC,QAAAA,CAAQ,CAAA;AAC9B,QAAA,GAAA,CAAI,CAACJ,IAAAA,CAAKK,cAAAA,GAAiB,CAACL,IAAAA,CAAKM,YAAAA,EAAc;AAC7C,UAAA,MAAM,IAAIC,KAAAA,CAAM,qFAAA,CAAA;ADT1B,QCUQ;AACA,QAAA,MAAMC,WAAAA,EAAa,IAAA,CAAKC,wBAAAA,CAAyB;ADTzD,UCUU,GAAGT,IAAAA;ADTb,UCUUU,KAAAA,EAAOV,IAAAA,CAAKW,GAAAA;ADTtB,UCUUN,aAAAA,EAAeL,IAAAA,CAAKK,aAAAA;ADT9B,UCUUC,YAAAA,EAAcN,IAAAA,CAAKM,YAAAA;ADT7B,UCUUL,IAAAA,EAAMD,IAAAA,CAAKC;ADTrB,QCUQ,CAAA,CAAA;AACA,QAAA,MAAM,IAAA,CAAKL,eAAAA,CAAgBgB,MAAAA,CAAO;ADT1C,UCS4CF,KAAAA,EAAOF,UAAAA,CAAWG,GAAAA;ADR9D,UCQmE,GAAGX;ADPtE,QCO2E,CAAA,CAAA;AACnER,QAAAA,KAAAA,CAAM,cAAA,EAAgBgB,UAAAA,CAAWP,IAAAA,EAAMO,UAAAA,CAAWF,YAAY,CAAA;AAC9D,QAAA,OAAOE,UAAAA;ADNf,MCQM,KAAK,WAAA;ADPX,MCQM,KAAK,WAAA;ADPX;AACA,MCQM,KAAK,KAAA,EAAO;AACV,QAAA,GAAA,CAAI,CAACR,IAAAA,CAAKK,cAAAA,GAAiB,CAACL,IAAAA,CAAKa,aAAAA,EAAe;AAC9C,UAAA,MAAM,IAAIN,KAAAA,CAAM,kGAAA,CAAA;ADP1B,QCQQ;AACA,QAAA,MAAMC,YAAAA,EAAa,IAAA,CAAKC,wBAAAA,CAAyB;ADPzD,UCO2DC,KAAAA,EAAOV,IAAAA,CAAKW,GAAAA;ADNvE,UCM4E,GAAGX;ADL/E,QCKoF,CAAA,CAAA;AAC5E,QAAA,MAAM,IAAA,CAAKJ,eAAAA,CAAgBgB,MAAAA,CAAO;ADJ1C,UCI4CF,KAAAA,EAAOF,WAAAA,CAAWG,GAAAA;ADH9D,UCGmE,GAAGX;ADFtE,QCE2E,CAAA,CAAA;AACnER,QAAAA,KAAAA,CAAM,cAAA,EAAgBgB,WAAAA,CAAWP,IAAAA,EAAMO,WAAAA,CAAWF,YAAY,CAAA;AAC9D,QAAA,OAAOE,WAAAA;ADDf,MCEM;ADDN,MCEM,OAAA;AACE,QAAA,OAAO,MAAM,KAAA,CAAMT,SAAAA,CAAUC,IAAAA,CAAAA;ADDrC,ICEI;ADDJ,ECEE;ADDF,ECGE,MAAMc,SAAAA,CAAU,EAAEb,KAAI,CAAA,EAAiD;AACrE,IAAA,IAAIc,GAAAA;AAEJ,IAAA,OAAA,CAAQd,IAAAA,EAAAA;ADHZ,MCIM,KAAKC,OAAAA,CAAQC,UAAAA,EAAY;AACvB,QAAA,MAAMI,KAAAA,CACJ,mLAAA,CAAA;ADJV,MCiBM;ADhBN;AACA,MCkBM,KAAK,KAAA,EAAO;AACV,QAAA,MAAMF,cAAAA,EAAgB,MAAMW,sDAAAA,IAAsBf,CAAAA;AAClDc,QAAAA,IAAAA,EAAM,MAAM,IAAA,CAAKhB,SAAAA,CAAU;ADjBnC,UCkBUE,IAAAA;ADjBV,UCkBUI;ADjBV,QCkBQ,CAAA,CAAA;AACA,QAAA,KAAA;ADjBR,MCkBM;ADjBN,MCkBM,OAAA;AACEU,QAAAA,IAAAA,EAAM,MAAM,KAAA,CAAMD,SAAAA,CAAU;ADjBpC,UCiBsCb;ADhBtC,QCgB2C,CAAA,CAAA;ADf3C,ICgBI;AAEAT,IAAAA,KAAAA,CAAM,aAAA,EAAeS,IAAAA,EAAMc,GAAAA,CAAIT,YAAY,CAAA;AAE3C,IAAA,OAAOS,GAAAA;ADjBX,ECkBE;ADjBF,ECmBE,MAAME,IAAAA,CAAK,EAAEC,MAAAA,EAAQC,SAAAA,EAAWC,KAAI,CAAA,EAA0F;AAC5H,IAAA,IAAIC,UAAAA;AACJ,IAAA,IAAI;AACFA,MAAAA,WAAAA,EAAa,MAAM,IAAA,CAAKzB,eAAAA,CAAgB0B,GAAAA,CAAI;ADlBlD,QCkBoDZ,KAAAA,EAAOQ,MAAAA,CAAOP;ADjBlE,MCiBsE,CAAA,CAAA;ADhBtE,ICiBI,EAAA,MAAA,CAASY,CAAAA,EAAG;AACV,MAAA,MAAM,IAAIhB,KAAAA,CAAM,CAAA,0CAAA,EAA6CW,MAAAA,CAAOP,GAAG,CAAA,CAAA;AACzE,IAAA;AAE4C,IAAA;AAExC,MAAA;AAgBJ,IAAA;ADjC0E;ACoCnCQ,MAAAA;AACrC,IAAA;AACyD,MAAA;AACpD,IAAA;AACmB,MAAA;AAAED,QAAAA;AAAQC,QAAAA;AAAWC,QAAAA;AAAK,MAAA;AACpD,IAAA;AACuEnB,IAAAA;AACzE,EAAA;AAcqB,EAAA;AACC,IAAA;AACoDuB,MAAAA;AACxE,IAAA;AAC2D,IAAA;AAC7D,EAAA;AAE2E,EAAA;AACrET,IAAAA;AACa,IAAA;AACFZ,MAAAA;AACL,QAAA;AACOF,UAAAA;AACaK,UAAAA;AACLA,UAAAA;AACb,UAAA;AACQ,YAAA;AAAC,cAAA;AD3CqD,YAAA;AC4CpE,UAAA;AACF,QAAA;AACA,QAAA;AACgB,MAAA;AACkD,QAAA;AAChC,QAAA;AACqB,QAAA;AACV,QAAA;AACvC,QAAA;AACOL,UAAAA;AACQK,UAAAA;AACnBA,UAAAA;AACM,UAAA;AACkC,YAAA;AAA2B,cAAA;AAAa,YAAA;AAClE,YAAA;AAAC,cAAA;AAAU,cAAA;AAAY,cAAA;AAAuB,cAAA;AAAqB,cAAA;AAAmB,cAAA;ADlChC,YAAA;ACmCpE,UAAA;AACF,QAAA;AACA,QAAA;AACF,MAAA;AACkB,MAAA;AACkD,QAAA;AAChC,QAAA;AACqB,QAAA;AACV,QAAA;AACvC,QAAA;AACOL,UAAAA;AACQK,UAAAA;AACnBA,UAAAA;AACM,UAAA;AACkC,YAAA;AAA2B,cAAA;AAAa,YAAA;AAClE,YAAA;AAAC,cAAA;AD9BqD,YAAA;AC+BpE,UAAA;AACF,QAAA;AACA,QAAA;AACF,MAAA;AD7BwE;AC+B5D,MAAA;AACcmB,QAAAA;AAEqBC,QAAAA;AACA,QAAA;AACD,QAAA;AACdC,QAAAA;AAEhB,QAAA;AACJ,QAAA;AACI,UAAA;AACmBrB,YAAAA;AAC/B,UAAA;AACoD,UAAA;AAC3B,UAAA;AACuB,YAAA;AACV,cAAA;AAAKsB;AACzC,YAAA;AACF,UAAA;AAC0B,UAAA;AACQA,YAAAA;AACFA,YAAAA;AACC,YAAA;AAGVC,cAAAA;AACrB,YAAA;AACgBA,YAAAA;AAClB,UAAA;AAC8B,UAAA;AAEJC,YAAAA;AACHA,YAAAA;AACvB,UAAA;AACF,QAAA;AAEM,QAAA;AACO7B,UAAAA;AAC0BK,UAAAA;AACrCA,UAAAA;AACM,UAAA;AACDyB,YAAAA;ADlC+D;ACoCtD,YAAA;AAAC,cAAA;AAAS,cAAA;AAAS,cAAA;AAAS,cAAA;AD9B0B,YAAA;AC+BlEC,YAAAA;AACAL,YAAAA;AACF,UAAA;AACF,QAAA;AACA,QAAA;AACF,MAAA;AAEA,MAAA;AACmE,QAAA;AACrE,IAAA;AACOZ,IAAAA;AACT,EAAA;AD9B4E;AACA;AACA;ACiCsC,EAAA;AAC9CkB,IAAAA;AACO,IAAA;AAA0BC,MAAAA;AAAeC,MAAAA;AAAO,IAAA;AACrFf,IAAAA;AAC7BI,IAAAA;AACT,EAAA;AAE6G,EAAA;AACzCS,IAAAA;AACM,IAAA;AAAaC,MAAAA;AAAeC,MAAAA;AAAO,IAAA;AAC1EX,IAAAA;AACnC,EAAA;AAEwD,EAAA;AACmCf,IAAAA;AAC3F,EAAA;AACF;AD3B8E;AACA;AE3PhE;AAcFP;AFgPkE,EAAA;AEhPlEA,EAAAA;AFkPkE;AACA;AACA;AACA;AACA","file":"/home/runner/work/SSI-SDK-crypto-extensions/SSI-SDK-crypto-extensions/packages/kms-local/dist/index.cjs","sourcesContent":[null,"import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { KeyType, ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n","import { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/SphereonKeyManagementSystem.ts"],"sourcesContent":["import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n","import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA;;;;;;;;ACHA,yBAAoF;AAIpF,uBAAoC;AACpC,mBAAkB;AAClB,sBAAqB;AAErB,UAAqB;AAGrB,IAAAA,sBAQO;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,YAAQC,aAAAA,SAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,qCAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,UAAMW,0CAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS,UACnB,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc;MAC9H;AACA,aAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;IAC3D,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;AACA,UAAMb,MAAM,gDAAgDc,WAAWpB,IAAI,EAAE;EAC/E;EAEA,MAAMwB,OAAO,EACXnB,cACAL,MACAkB,WACAC,MACAM,UAAS,GAOU;AACnB,QAAIzB,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK0B,UAAUrB,cAAcc,MAAMD,aAAa,SAASO,SAAAA;IACxE;AACA,UAAMnB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBsB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,gBAAAA,QAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO3C,KAAK4B,MAAMe;AACxB,cAAM9B,gBACJ8B,MAAM9B,kBAAkBb,KAAKK,cAAcuC,SAAS,KAAA,IAAS5C,KAAKK,oBAAgBwC,8BAAS7C,KAAKK,eAAe,SAAA;AACjH,cAAMyC,mBAAeC,8BAASlC,eAAe,QAAA;AAC7C,cAAMmC,mBAAeC,8BAASH,cAAc,QAAA;AAC5C,cAAMxC,mBAAe4C,8BAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMnD,KAAKU,SAASJ;UAC/B;AACA,cAAI8C,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA3C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASkB,MAAMe,MAAMQ,MAAM7C;UACrCA;UACAsB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAMzC,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkBwC,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASxB,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAEwD;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAO/C,KAAKG,IAAAA;AACpC,WAAOM;EACT;EAEA,MAAcC,UAAUrB,cAAsBc,MAAkBwC,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASvC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEuD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOL,MAAMM,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKtE,gBAAgBuE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAAC/C,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ADtRA,0BAAc,8BAFd;AAgBO,IAAKgD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["import_ssi_sdk_ext","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
package/dist/index.js CHANGED
@@ -6,8 +6,9 @@ import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk } from "@sphereon/
6
6
  import { KeyManagementSystem } from "@veramo/kms-local";
7
7
  import Debug from "debug";
8
8
  import elliptic from "elliptic";
9
- import { fromString } from "uint8arrays/from-string";
9
+ import * as u8a from "uint8arrays";
10
10
  import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk, RSASigner, signAlgorithmToSchemeAndHashAlg } from "@sphereon/ssi-sdk-ext.x509-utils";
11
+ var { fromString } = u8a;
11
12
  var debug = Debug("sphereon:kms:local");
12
13
  var SphereonKeyManagementSystem = class extends KeyManagementSystem {
13
14
  static {
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/SphereonKeyManagementSystem.ts","../src/index.ts"],"sourcesContent":["import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport { fromString } from 'uint8arrays/from-string'\nimport { KeyType, ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n","import { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,uBAAuBC,aAAuB;AAI/E,SAASC,2BAA2B;AACpC,OAAOC,WAAW;AAClB,OAAOC,cAAc;AAErB,SAASC,kBAAkB;AAE3B,SACEC,UACAC,UACAC,mBACAC,UACAC,UACAC,WACAC,uCACK;AAEP,IAAMC,QAAQC,MAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,oBAAAA;EAtBjD,OAsBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,MAAMW,sBAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS,UACnB,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc;MAC9H;AACA,aAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;IAC3D,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;AACA,UAAMb,MAAM,gDAAgDc,WAAWpB,IAAI,EAAE;EAC/E;EAEA,MAAMwB,OAAO,EACXnB,cACAL,MACAkB,WACAC,MACAM,UAAS,GAOU;AACnB,QAAIzB,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK0B,UAAUrB,cAAcc,MAAMD,aAAa,SAASO,SAAAA;IACxE;AACA,UAAMnB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBsB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAeC,WAAW/B,KAAKK,cAAc2B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,SAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeP,cAAc,KAAA;AACvD,cAAMxB,eAAe8B,QAAQE,UAAU,MAAM,KAAA;AAC7CvB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJW,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMpC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAeC,WAAW/B,KAAKK,cAAc2B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,SAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeP,cAAc,KAAA;AACvD,cAAMxB,eAAe8B,QAAQE,UAAU,MAAM,KAAA;AAC7CvB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJW,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMpC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMe,OAAO5C,KAAK4B,MAAMgB;AACxB,cAAM/B,gBACJ+B,MAAM/B,kBAAkBb,KAAKK,cAAcwC,SAAS,KAAA,IAAS7C,KAAKK,gBAAgByC,SAAS9C,KAAKK,eAAe,SAAA;AACjH,cAAM0C,eAAeC,SAASnC,eAAe,QAAA;AAC7C,cAAMoC,eAAeC,SAASH,cAAc,QAAA;AAC5C,cAAMzC,eAAe6C,SAASF,YAAAA;AAE9B,cAAMrB,OAAO,CAAC;AACd,YAAIgB,MAAM;AACRhB,eAAKgB,OAAO;YACVQ,IAAIR,KAAKQ,MAAMpD,KAAKU,SAASJ;UAC/B;AACA,cAAI+C,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB5B,iBAAKgB,KAAKU,sBAAsBD;AAChC,kBAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA7B,iBAAKgB,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB/B,iBAAKgB,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA5C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASkB,MAAMgB,MAAMQ,MAAM9C;UACrCA;UACAsB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCkB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAM1C,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkByC,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASzB,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAEyD;MAAeC;IAAO,CAAA;AACzH,UAAMrC,YAAY,MAAMuC,OAAOhD,KAAKG,IAAAA;AACpC,WAAOM;EACT;EAEA,MAAcC,UAAUrB,cAAsBc,MAAkByC,kBAA0BnC,WAAmB;AAC3G,UAAM,EAAEoC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASxC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEwD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOxC,OAAOL,MAAMM,SAAAA;EACnC;EAEA,MAAayC,WAA2C;AACtD,YAAQ,MAAM,KAAKvE,gBAAgBwE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAAChD,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ACrRA,cAAc;AAcP,IAAKiD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["calculateJwkThumbprint","generatePrivateKeyHex","toJwk","KeyManagementSystem","Debug","elliptic","fromString","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","RSASigner","signAlgorithmToSchemeAndHashAlg","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","verify","signature","verifyRSA","meta","algorithms","privateBytes","fromString","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
1
+ {"version":3,"sources":["../src/SphereonKeyManagementSystem.ts","../src/index.ts"],"sourcesContent":["import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n","import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,uBAAuBC,aAA4B;AAIpF,SAASC,2BAA2B;AACpC,OAAOC,WAAW;AAClB,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,SACEC,UACAC,UACAC,mBACAC,UACAC,UACAC,WACAC,uCACK;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,QAAQC,MAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,oBAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,MAAMW,sBAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS,UACnB,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc;MAC9H;AACA,aAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;IAC3D,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;AACA,UAAMb,MAAM,gDAAgDc,WAAWpB,IAAI,EAAE;EAC/E;EAEA,MAAMwB,OAAO,EACXnB,cACAL,MACAkB,WACAC,MACAM,UAAS,GAOU;AACnB,QAAIzB,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK0B,UAAUrB,cAAcc,MAAMD,aAAa,SAASO,SAAAA;IACxE;AACA,UAAMnB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBsB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,SAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,SAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO3C,KAAK4B,MAAMe;AACxB,cAAM9B,gBACJ8B,MAAM9B,kBAAkBb,KAAKK,cAAcuC,SAAS,KAAA,IAAS5C,KAAKK,gBAAgBwC,SAAS7C,KAAKK,eAAe,SAAA;AACjH,cAAMyC,eAAeC,SAASlC,eAAe,QAAA;AAC7C,cAAMmC,eAAeC,SAASH,cAAc,QAAA;AAC5C,cAAMxC,eAAe4C,SAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMnD,KAAKU,SAASJ;UAC/B;AACA,cAAI8C,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA3C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASkB,MAAMe,MAAMQ,MAAM7C;UACrCA;UACAsB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAMzC,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkBwC,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASxB,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAEwD;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAO/C,KAAKG,IAAAA;AACpC,WAAOM;EACT;EAEA,MAAcC,UAAUrB,cAAsBc,MAAkBwC,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASvC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEuD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOL,MAAMM,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKtE,gBAAgBuE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAAC/C,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ACtRA,cAAc;AAcP,IAAKgD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["calculateJwkThumbprint","generatePrivateKeyHex","toJwk","KeyManagementSystem","Debug","elliptic","u8a","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","RSASigner","signAlgorithmToSchemeAndHashAlg","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
package/dist/tsdoc-metadata.json CHANGED
@@ -5,7 +5,7 @@
5
5
  "toolPackages": [
6
6
  {
7
7
  "packageName": "@microsoft/api-extractor",
8
- "packageVersion": "7.52.3"
8
+ "packageVersion": "7.52.5"
9
9
  }
10
10
  ]
11
11
  }
package/package.json CHANGED
@@ -1,13 +1,14 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk-ext.kms-local",
3
3
  "description": "Sphereon Local Key Management System with support for BLS/BBS+, RSA keys",
4
- "version": "0.28.1-feature.esm.cjs.9+71682ea",
4
+ "version": "0.28.1-feature.jose.vcdm.20+0d68761",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
8
8
  "module": "./dist/index.js",
9
9
  "types": "./dist/index.d.ts",
10
10
  "exports": {
11
+ "react-native": "./dist/index.js",
11
12
  "import": {
12
13
  "types": "./dist/index.d.ts",
13
14
  "import": "./dist/index.js"
@@ -22,20 +23,20 @@
22
23
  "generate-plugin-schema": "sphereon dev generate-plugin-schema"
23
24
  },
24
25
  "dependencies": {
25
- "@sphereon/ssi-sdk-ext.did-utils": "^0.28.1-feature.esm.cjs.9+71682ea",
26
- "@sphereon/ssi-sdk-ext.key-utils": "^0.28.1-feature.esm.cjs.9+71682ea",
27
- "@sphereon/ssi-sdk-ext.x509-utils": "^0.28.1-feature.esm.cjs.9+71682ea",
26
+ "@sphereon/ssi-sdk-ext.did-utils": "0.28.1-feature.jose.vcdm.20+0d68761",
27
+ "@sphereon/ssi-sdk-ext.key-utils": "0.28.1-feature.jose.vcdm.20+0d68761",
28
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.28.1-feature.jose.vcdm.20+0d68761",
28
29
  "@trust/keyto": "2.0.0-alpha1",
29
30
  "@veramo/core": "4.2.0",
30
31
  "@veramo/key-manager": "4.2.0",
31
32
  "@veramo/kms-local": "4.2.0",
32
33
  "debug": "^4.4.0",
33
34
  "elliptic": "^6.5.4",
34
- "uint8arrays": "5.1.0"
35
+ "uint8arrays": "3.1.1"
35
36
  },
36
37
  "devDependencies": {
37
38
  "@sphereon/jsencrypt": "3.3.2-unstable.0",
38
- "@sphereon/ssi-sdk.dev": " ^0.33",
39
+ "@sphereon/ssi-sdk.dev": "0.33.1-feature.jose.vcdm.56",
39
40
  "@types/elliptic": "6.4.14",
40
41
  "@veramo/cli": "4.2.0"
41
42
  },
@@ -57,5 +58,5 @@
57
58
  "kms",
58
59
  "Veramo"
59
60
  ],
60
- "gitHead": "71682ea0c528f5b32c421245c253b3bc9d6296a0"
61
+ "gitHead": "0d68761c4490c4759a24780bdb9e29046145549d"
61
62
  }
package/src/SphereonKeyManagementSystem.ts CHANGED
@@ -1,13 +1,14 @@
1
- import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
1
+ import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
2
2
 
3
- import { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'
4
- import { AbstractPrivateKeyStore, ManagedPrivateKey } from '@veramo/key-manager'
3
+ import type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'
4
+ import { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'
5
5
  import { KeyManagementSystem } from '@veramo/kms-local'
6
6
  import Debug from 'debug'
7
7
  import elliptic from 'elliptic'
8
8
  // @ts-ignore
9
- import { fromString } from 'uint8arrays/from-string'
10
- import { KeyType, ManagedKeyInfoArgs } from './index'
9
+ import * as u8a from 'uint8arrays'
10
+ const { fromString } = u8a
11
+ import { KeyType, type ManagedKeyInfoArgs } from './index'
11
12
  import {
12
13
  hexToPEM,
13
14
  jwkToPEM,
package/src/index.ts CHANGED
@@ -1,5 +1,5 @@
1
- import { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
2
- import { KeyMetadata, TKeyType } from '@veramo/core'
1
+ import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
2
+ import type { KeyMetadata, TKeyType } from '@veramo/core'
3
3
 
4
4
  export { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'
5
5