@sphereon/ssi-sdk-ext.kms-local 0.28.1-feature.jose.vcdm.25 → 0.28.1-feature.jose.vcdm.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (7) hide show
  1. package/dist/index.cjs +9 -7
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.js +9 -7
  4. package/dist/index.js.map +1 -1
  5. package/package.json +5 -5
  6. package/src/SphereonKeyManagementSystem.ts +7 -7
  7. package/src/__tests__/rsa.test.ts +1 -1
package/dist/index.cjs CHANGED
@@ -132,9 +132,12 @@ var SphereonKeyManagementSystem = class extends import_kms_local.KeyManagementSy
132
132
  throw Error("BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures");
133
133
  } else if (
134
134
  // @ts-ignore
135
- privateKey.type === "RSA" && (typeof algorithm === "undefined" || algorithm === "RS256" || algorithm === "RS512" || algorithm === "PS256" || algorithm === "PS512")
135
+ privateKey.type === "RSA"
136
136
  ) {
137
- return await this.signRSA(privateKey, data, algorithm ?? "PS256");
137
+ if (typeof algorithm === "undefined" || algorithm === "RS256" || algorithm === "RS512" || algorithm === "PS256" || algorithm === "PS512") {
138
+ return await this.signRSA(privateKey, data, algorithm ?? "PS256");
139
+ }
140
+ return Promise.reject(new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`));
138
141
  } else {
139
142
  return await super.sign({
140
143
  keyRef,
@@ -142,7 +145,6 @@ var SphereonKeyManagementSystem = class extends import_kms_local.KeyManagementSy
142
145
  data
143
146
  });
144
147
  }
145
- throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`);
146
148
  }
147
149
  async verify({ publicKeyHex, type, algorithm, data, signature }) {
148
150
  if (type === "RSA") {
@@ -248,12 +250,12 @@ ${certChain}`;
248
250
  publicKeyHex,
249
251
  meta: {
250
252
  ...meta,
251
- // todo: could als be DSA etc
253
+ // todo: could als be EcDSA etc
252
254
  algorithms: [
253
- "RS256",
254
- "RS512",
255
255
  "PS256",
256
- "PS512"
256
+ "PS512",
257
+ "RS256",
258
+ "RS512"
257
259
  ],
258
260
  publicKeyJwk,
259
261
  publicKeyPEM
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/SphereonKeyManagementSystem.ts"],"sourcesContent":["import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n","import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA;;;;;;;;ACHA,yBAAoF;AAIpF,uBAAoC;AACpC,mBAAkB;AAClB,sBAAqB;AAErB,UAAqB;AAGrB,IAAAA,sBAQO;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,YAAQC,aAAAA,SAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,qCAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,UAAMW,0CAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS,UACnB,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc;MAC9H;AACA,aAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;IAC3D,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;AACA,UAAMb,MAAM,gDAAgDc,WAAWpB,IAAI,EAAE;EAC/E;EAEA,MAAMwB,OAAO,EACXnB,cACAL,MACAkB,WACAC,MACAM,UAAS,GAOU;AACnB,QAAIzB,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK0B,UAAUrB,cAAcc,MAAMD,aAAa,SAASO,SAAAA;IACxE;AACA,UAAMnB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBsB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,gBAAAA,QAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO3C,KAAK4B,MAAMe;AACxB,cAAM9B,gBACJ8B,MAAM9B,kBAAkBb,KAAKK,cAAcuC,SAAS,KAAA,IAAS5C,KAAKK,oBAAgBwC,8BAAS7C,KAAKK,eAAe,SAAA;AACjH,cAAMyC,mBAAeC,8BAASlC,eAAe,QAAA;AAC7C,cAAMmC,mBAAeC,8BAASH,cAAc,QAAA;AAC5C,cAAMxC,mBAAe4C,8BAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMnD,KAAKU,SAASJ;UAC/B;AACA,cAAI8C,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA3C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASkB,MAAMe,MAAMQ,MAAM7C;UACrCA;UACAsB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAMzC,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkBwC,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASxB,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAEwD;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAO/C,KAAKG,IAAAA;AACpC,WAAOM;EACT;EAEA,MAAcC,UAAUrB,cAAsBc,MAAkBwC,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASvC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEuD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOL,MAAMM,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKtE,gBAAgBuE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAAC/C,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ADtRA,0BAAc,8BAFd;AAgBO,IAAKgD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["import_ssi_sdk_ext","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/SphereonKeyManagementSystem.ts"],"sourcesContent":["import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n","import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA') {\n if ((typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n }\n return Promise.reject(new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`))\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be EcDSA etc\n algorithms: ['PS256', 'PS512', 'RS256', 'RS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA;;;;;;;;ACHA,yBAAoF;AAIpF,uBAAoC;AACpC,mBAAkB;AAClB,sBAAqB;AAErB,UAAqB;AAGrB,IAAAA,sBAQO;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,YAAQC,aAAAA,SAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,qCAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,UAAMW,0CAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS;MAAO;AAC3B,UAAK,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc,SAAU;AAC1I,eAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;MAC3D;AACA,aAAOM,QAAQC,OAAO,IAAInB,MAAM,6DAA6DY,SAAAA,4CAAqD,CAAA;IACpJ,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;EACF;EAEA,MAAMO,OAAO,EACXrB,cACAL,MACAkB,WACAC,MACAQ,UAAS,GAOU;AACnB,QAAI3B,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK4B,UAAUvB,cAAcc,MAAMD,aAAa,SAASS,SAAAA;IACxE;AACA,UAAMrB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBwB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAe1C,WAAWU,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAe1C,WAAWU,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,gBAAAA,QAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO7C,KAAK8B,MAAMe;AACxB,cAAMhC,gBACJgC,MAAMhC,kBAAkBb,KAAKK,cAAcyC,SAAS,KAAA,IAAS9C,KAAKK,oBAAgB0C,8BAAS/C,KAAKK,eAAe,SAAA;AACjH,cAAM2C,mBAAeC,8BAASpC,eAAe,QAAA;AAC7C,cAAMqC,mBAAeC,8BAASH,cAAc,QAAA;AAC5C,cAAM1C,mBAAe8C,8BAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMrD,KAAKU,SAASJ;UAC/B;AACA,cAAIgD,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA7C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASoB,MAAMe,MAAMQ,MAAM/C;UACrCA;UACAwB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAM3C,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkB0C,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAAS1B,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAE0D;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAOjD,KAAKG,IAAAA;AACpC,WAAOQ;EACT;EAEA,MAAcC,UAAUvB,cAAsBc,MAAkB0C,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASzC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEyD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOP,MAAMQ,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKxE,gBAAgByE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAACjD,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ADtRA,0BAAc,8BAFd;AAgBO,IAAKkD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["import_ssi_sdk_ext","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","Promise","reject","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
package/dist/index.js CHANGED
@@ -96,9 +96,12 @@ var SphereonKeyManagementSystem = class extends KeyManagementSystem {
96
96
  throw Error("BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures");
97
97
  } else if (
98
98
  // @ts-ignore
99
- privateKey.type === "RSA" && (typeof algorithm === "undefined" || algorithm === "RS256" || algorithm === "RS512" || algorithm === "PS256" || algorithm === "PS512")
99
+ privateKey.type === "RSA"
100
100
  ) {
101
- return await this.signRSA(privateKey, data, algorithm ?? "PS256");
101
+ if (typeof algorithm === "undefined" || algorithm === "RS256" || algorithm === "RS512" || algorithm === "PS256" || algorithm === "PS512") {
102
+ return await this.signRSA(privateKey, data, algorithm ?? "PS256");
103
+ }
104
+ return Promise.reject(new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`));
102
105
  } else {
103
106
  return await super.sign({
104
107
  keyRef,
@@ -106,7 +109,6 @@ var SphereonKeyManagementSystem = class extends KeyManagementSystem {
106
109
  data
107
110
  });
108
111
  }
109
- throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`);
110
112
  }
111
113
  async verify({ publicKeyHex, type, algorithm, data, signature }) {
112
114
  if (type === "RSA") {
@@ -212,12 +214,12 @@ ${certChain}`;
212
214
  publicKeyHex,
213
215
  meta: {
214
216
  ...meta,
215
- // todo: could als be DSA etc
217
+ // todo: could als be EcDSA etc
216
218
  algorithms: [
217
- "RS256",
218
- "RS512",
219
219
  "PS256",
220
- "PS512"
220
+ "PS512",
221
+ "RS256",
222
+ "RS512"
221
223
  ],
222
224
  publicKeyJwk,
223
225
  publicKeyPEM
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/SphereonKeyManagementSystem.ts","../src/index.ts"],"sourcesContent":["import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA' &&\n (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')\n ) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be DSA etc\n algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n","import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,uBAAuBC,aAA4B;AAIpF,SAASC,2BAA2B;AACpC,OAAOC,WAAW;AAClB,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,SACEC,UACAC,UACAC,mBACAC,UACAC,UACAC,WACAC,uCACK;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,QAAQC,MAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,oBAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,MAAMW,sBAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS,UACnB,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc;MAC9H;AACA,aAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;IAC3D,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;AACA,UAAMb,MAAM,gDAAgDc,WAAWpB,IAAI,EAAE;EAC/E;EAEA,MAAMwB,OAAO,EACXnB,cACAL,MACAkB,WACAC,MACAM,UAAS,GAOU;AACnB,QAAIzB,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK0B,UAAUrB,cAAcc,MAAMD,aAAa,SAASO,SAAAA;IACxE;AACA,UAAMnB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBsB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,SAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAexC,WAAWU,KAAKK,cAAc0B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,SAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAMxB,eAAe6B,QAAQE,UAAU,MAAM,KAAA;AAC7CtB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAsB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMnC,cAAc,WAAA;YAAa,CAAA;YAC9EuB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO3C,KAAK4B,MAAMe;AACxB,cAAM9B,gBACJ8B,MAAM9B,kBAAkBb,KAAKK,cAAcuC,SAAS,KAAA,IAAS5C,KAAKK,gBAAgBwC,SAAS7C,KAAKK,eAAe,SAAA;AACjH,cAAMyC,eAAeC,SAASlC,eAAe,QAAA;AAC7C,cAAMmC,eAAeC,SAASH,cAAc,QAAA;AAC5C,cAAMxC,eAAe4C,SAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMnD,KAAKU,SAASJ;UAC/B;AACA,cAAI8C,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA3C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASkB,MAAMe,MAAMQ,MAAM7C;UACrCA;UACAsB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAMzC,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkBwC,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASxB,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAEwD;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAO/C,KAAKG,IAAAA;AACpC,WAAOM;EACT;EAEA,MAAcC,UAAUrB,cAAsBc,MAAkBwC,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASvC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEuD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOL,MAAMM,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKtE,gBAAgBuE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAAC/C,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ACtRA,cAAc;AAcP,IAAKgD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["calculateJwkThumbprint","generatePrivateKeyHex","toJwk","KeyManagementSystem","Debug","elliptic","u8a","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","RSASigner","signAlgorithmToSchemeAndHashAlg","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
1
+ {"version":3,"sources":["../src/SphereonKeyManagementSystem.ts","../src/index.ts"],"sourcesContent":["import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA') {\n if ((typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')) {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n }\n return Promise.reject(new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`))\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be EcDSA etc\n algorithms: ['PS256', 'PS512', 'RS256', 'RS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n","import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,uBAAuBC,aAA4B;AAIpF,SAASC,2BAA2B;AACpC,OAAOC,WAAW;AAClB,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,SACEC,UACAC,UACAC,mBACAC,UACAC,UACAC,WACAC,uCACK;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,QAAQC,MAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,oBAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjBC,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKF,kBAAkBE;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKL,gBAAgBgB,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKJ,gBAAgBgB,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnER,cAAM,gBAAgBgB,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,MAAMW,sBAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAT,UAAM,eAAeS,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKzB,gBAAgB0B,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS;MAAO;AAC3B,UAAK,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc,SAAU;AAC1I,eAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;MAC3D;AACA,aAAOM,QAAQC,OAAO,IAAInB,MAAM,6DAA6DY,SAAAA,4CAAqD,CAAA;IACpJ,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;EACF;EAEA,MAAMO,OAAO,EACXrB,cACAL,MACAkB,WACAC,MACAQ,UAAS,GAOU;AACnB,QAAI3B,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK4B,UAAUvB,cAAcc,MAAMD,aAAa,SAASS,SAAAA;IACxE;AACA,UAAMrB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBwB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAe1C,WAAWU,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,SAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAe1C,WAAWU,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,SAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO7C,KAAK8B,MAAMe;AACxB,cAAMhC,gBACJgC,MAAMhC,kBAAkBb,KAAKK,cAAcyC,SAAS,KAAA,IAAS9C,KAAKK,gBAAgB0C,SAAS/C,KAAKK,eAAe,SAAA;AACjH,cAAM2C,eAAeC,SAASpC,eAAe,QAAA;AAC7C,cAAMqC,eAAeC,SAASH,cAAc,QAAA;AAC5C,cAAM1C,eAAe8C,SAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMrD,KAAKU,SAASJ;UAC/B;AACA,cAAIgD,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA7C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASoB,MAAMe,MAAMQ,MAAM/C;UACrCA;UACAwB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAM3C,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkB0C,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAAS1B,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAE0D;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAOjD,KAAKG,IAAAA;AACpC,WAAOQ;EACT;EAEA,MAAcC,UAAUvB,cAAsBc,MAAkB0C,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASzC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEyD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOP,MAAMQ,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKxE,gBAAgByE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAACjD,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ACtRA,cAAc;AAcP,IAAKkD,UAAAA,yBAAAA,UAAAA;;SAAAA;;","names":["calculateJwkThumbprint","generatePrivateKeyHex","toJwk","KeyManagementSystem","Debug","elliptic","u8a","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","RSASigner","signAlgorithmToSchemeAndHashAlg","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","constructor","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","Promise","reject","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk-ext.kms-local",
3
3
  "description": "Sphereon Local Key Management System with support for BLS/BBS+, RSA keys",
4
- "version": "0.28.1-feature.jose.vcdm.25+2116977",
4
+ "version": "0.28.1-feature.jose.vcdm.26+1aa66d6",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
@@ -23,9 +23,9 @@
23
23
  "generate-plugin-schema": "sphereon dev generate-plugin-schema"
24
24
  },
25
25
  "dependencies": {
26
- "@sphereon/ssi-sdk-ext.did-utils": "0.28.1-feature.jose.vcdm.25+2116977",
27
- "@sphereon/ssi-sdk-ext.key-utils": "0.28.1-feature.jose.vcdm.25+2116977",
28
- "@sphereon/ssi-sdk-ext.x509-utils": "0.28.1-feature.jose.vcdm.25+2116977",
26
+ "@sphereon/ssi-sdk-ext.did-utils": "0.28.1-feature.jose.vcdm.26+1aa66d6",
27
+ "@sphereon/ssi-sdk-ext.key-utils": "0.28.1-feature.jose.vcdm.26+1aa66d6",
28
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.28.1-feature.jose.vcdm.26+1aa66d6",
29
29
  "@trust/keyto": "2.0.0-alpha1",
30
30
  "@veramo/core": "4.2.0",
31
31
  "@veramo/key-manager": "4.2.0",
@@ -58,5 +58,5 @@
58
58
  "kms",
59
59
  "Veramo"
60
60
  ],
61
- "gitHead": "2116977b572c00af55b280f2ee954526b2e7af00"
61
+ "gitHead": "1aa66d64d3e4050f5bc798f6f903f7aa64246d72"
62
62
  }
package/src/SphereonKeyManagementSystem.ts CHANGED
@@ -130,14 +130,14 @@ export class SphereonKeyManagementSystem extends KeyManagementSystem {
130
130
  return signature*/
131
131
  } else if (
132
132
  // @ts-ignore
133
- privateKey.type === 'RSA' &&
134
- (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')
135
- ) {
136
- return await this.signRSA(privateKey, data, algorithm ?? 'PS256')
133
+ privateKey.type === 'RSA') {
134
+ if ((typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512')) {
135
+ return await this.signRSA(privateKey, data, algorithm ?? 'PS256')
136
+ }
137
+ return Promise.reject(new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`))
137
138
  } else {
138
139
  return await super.sign({ keyRef, algorithm, data })
139
140
  }
140
- throw Error(`not_supported: Cannot sign using key of type ${privateKey.type}`)
141
141
  }
142
142
 
143
143
  async verify({
@@ -247,8 +247,8 @@ export class SphereonKeyManagementSystem extends KeyManagementSystem {
247
247
  publicKeyHex,
248
248
  meta: {
249
249
  ...meta,
250
- // todo: could als be DSA etc
251
- algorithms: ['RS256', 'RS512', 'PS256', 'PS512'],
250
+ // todo: could als be EcDSA etc
251
+ algorithms: ['PS256', 'PS512', 'RS256', 'RS512'],
252
252
  publicKeyJwk,
253
253
  publicKeyPEM,
254
254
  },
package/src/__tests__/rsa.test.ts CHANGED
@@ -118,7 +118,7 @@ describe('@veramo/kms-local x509 import', () => {
118
118
  '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001'
119
119
  )
120
120
  expect(key.kid).toEqual('test')
121
- expect(key.meta?.algorithms).toEqual(['RS256', 'RS512', 'PS256', 'PS512'])
121
+ expect(key.meta?.algorithms).toEqual(['PS256', 'PS512', 'RS256', 'RS512'])
122
122
 
123
123
  expect(key.meta?.publicKeyPEM).toBeDefined()
124
124
  await expect(key.meta?.publicKeyJwk).toMatchObject({