@sphereon/ssi-sdk-ext.kms-local 0.34.1-next.91 → 0.36.1-feat.SSISDK.83.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/index.cjs.map +1 -1
  2. package/dist/index.js.map +1 -1
  3. package/dist/tsdoc-metadata.json +1 -1
  4. package/package.json +6 -6
  5. package/src/SphereonKeyManagementSystem.ts +3 -3
  6. package/src/__tests__/rsa.test.ts +6 -6
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/SphereonKeyManagementSystem.ts"],"sourcesContent":["import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n","import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA'\n ) {\n if (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512') {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n }\n return Promise.reject(\n new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`)\n )\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be EcDSA etc\n algorithms: ['PS256', 'PS512', 'RS256', 'RS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA;;;;;;;;ACHA,yBAAoF;AAIpF,uBAAoC;AACpC,mBAAkB;AAClB,sBAAqB;AAErB,UAAqB;AAGrB,IAAAA,sBAQO;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,YAAQC,aAAAA,SAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,qCAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjB,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKD,kBAAkBC;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKJ,gBAAgBe,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnEP,cAAM,gBAAgBe,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKH,gBAAgBe,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnEP,cAAM,gBAAgBe,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,UAAMW,0CAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAR,UAAM,eAAeQ,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKxB,gBAAgByB,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS;MACpB;AACA,UAAI,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc,SAAS;AACxI,eAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;MAC3D;AACA,aAAOM,QAAQC,OACb,IAAInB,MAAM,6DAA6DY,SAAAA,4CAAqD,CAAA;IAEhI,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;EACF;EAEA,MAAMO,OAAO,EACXrB,cACAL,MACAkB,WACAC,MACAQ,UAAS,GAOU;AACnB,QAAI3B,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK4B,UAAUvB,cAAcc,MAAMD,aAAa,SAASS,SAAAA;IACxE;AACA,UAAMrB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBwB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAezC,WAAWS,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAezC,WAAWS,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,gBAAAA,QAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO7C,KAAK8B,MAAMe;AACxB,cAAMhC,gBACJgC,MAAMhC,kBAAkBb,KAAKK,cAAcyC,SAAS,KAAA,IAAS9C,KAAKK,oBAAgB0C,8BAAS/C,KAAKK,eAAe,SAAA;AACjH,cAAM2C,mBAAeC,8BAASpC,eAAe,QAAA;AAC7C,cAAMqC,mBAAeC,8BAASH,cAAc,QAAA;AAC5C,cAAM1C,mBAAe8C,8BAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMrD,KAAKU,SAASJ;UAC/B;AACA,cAAIgD,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA7C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASoB,MAAMe,MAAMQ,MAAM/C;UACrCA;UACAwB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAM3C,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkB0C,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAAS1B,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAE0D;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAOjD,KAAKG,IAAAA;AACpC,WAAOQ;EACT;EAEA,MAAcC,UAAUvB,cAAsBc,MAAkB0C,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASzC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEyD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOP,MAAMQ,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKvE,gBAAgBwE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAACjD,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ADzRA,0BAAc,8BAFd;AAgBO,IAAKkD,UAAAA,0BAAAA,UAAAA;;SAAAA;;","names":["import_ssi_sdk_ext","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","Promise","reject","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/SphereonKeyManagementSystem.ts"],"sourcesContent":["import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n","import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures',\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures',\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA'\n ) {\n if (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512') {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n }\n return Promise.reject(\n new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`),\n )\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be EcDSA etc\n algorithms: ['PS256', 'PS512', 'RS256', 'RS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGA;;;;;;;;ACHA,yBAAoF;AAIpF,uBAAoC;AACpC,mBAAkB;AAClB,sBAAqB;AAErB,UAAqB;AAGrB,IAAAA,sBAQO;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,YAAQC,aAAAA,SAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,qCAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjB,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKD,kBAAkBC;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKJ,gBAAgBe,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnEP,cAAM,gBAAgBe,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKH,gBAAgBe,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnEP,cAAM,gBAAgBe,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,UAAMW,0CAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAR,UAAM,eAAeQ,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKxB,gBAAgByB,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS;MACpB;AACA,UAAI,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc,SAAS;AACxI,eAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;MAC3D;AACA,aAAOM,QAAQC,OACb,IAAInB,MAAM,6DAA6DY,SAAAA,4CAAqD,CAAA;IAEhI,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;EACF;EAEA,MAAMO,OAAO,EACXrB,cACAL,MACAkB,WACAC,MACAQ,UAAS,GAOU;AACnB,QAAI3B,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK4B,UAAUvB,cAAcc,MAAMD,aAAa,SAASS,SAAAA;IACxE;AACA,UAAMrB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBwB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAezC,WAAWS,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAezC,WAAWS,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,gBAAAA,QAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,mBAAeC,2CAAuB;cAAEC,SAAKC,0BAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO7C,KAAK8B,MAAMe;AACxB,cAAMhC,gBACJgC,MAAMhC,kBAAkBb,KAAKK,cAAcyC,SAAS,KAAA,IAAS9C,KAAKK,oBAAgB0C,8BAAS/C,KAAKK,eAAe,SAAA;AACjH,cAAM2C,mBAAeC,8BAASpC,eAAe,QAAA;AAC7C,cAAMqC,mBAAeC,8BAASH,cAAc,QAAA;AAC5C,cAAM1C,mBAAe8C,8BAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMrD,KAAKU,SAASJ;UAC/B;AACA,cAAIgD,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA7C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASoB,MAAMe,MAAMQ,MAAM/C;UACrCA;UACAwB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAM3C,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkB0C,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAAS1B,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAE0D;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAOjD,KAAKG,IAAAA;AACpC,WAAOQ;EACT;EAEA,MAAcC,UAAUvB,cAAsBc,MAAkB0C,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,QAAKC,qDAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,kCAAUlB,kCAASF,8BAASzC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEyD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOP,MAAMQ,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKvE,gBAAgBwE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAACjD,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ADzRA,0BAAc,8BAFd;AAgBO,IAAKkD,UAAAA,0BAAAA,UAAAA;;SAAAA;;","names":["import_ssi_sdk_ext","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","Promise","reject","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/SphereonKeyManagementSystem.ts","../src/index.ts"],"sourcesContent":["import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA'\n ) {\n if (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512') {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n }\n return Promise.reject(\n new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`)\n )\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be EcDSA etc\n algorithms: ['PS256', 'PS512', 'RS256', 'RS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n","import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,uBAAuBC,aAA4B;AAIpF,SAASC,2BAA2B;AACpC,OAAOC,WAAW;AAClB,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,SACEC,UACAC,UACAC,mBACAC,UACAC,UACAC,WACAC,uCACK;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,QAAQC,MAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,oBAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjB,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKD,kBAAkBC;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKJ,gBAAgBe,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnEP,cAAM,gBAAgBe,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKH,gBAAgBe,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnEP,cAAM,gBAAgBe,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,MAAMW,sBAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAR,UAAM,eAAeQ,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKxB,gBAAgByB,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS;MACpB;AACA,UAAI,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc,SAAS;AACxI,eAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;MAC3D;AACA,aAAOM,QAAQC,OACb,IAAInB,MAAM,6DAA6DY,SAAAA,4CAAqD,CAAA;IAEhI,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;EACF;EAEA,MAAMO,OAAO,EACXrB,cACAL,MACAkB,WACAC,MACAQ,UAAS,GAOU;AACnB,QAAI3B,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK4B,UAAUvB,cAAcc,MAAMD,aAAa,SAASS,SAAAA;IACxE;AACA,UAAMrB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBwB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAezC,WAAWS,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,SAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAezC,WAAWS,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,SAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO7C,KAAK8B,MAAMe;AACxB,cAAMhC,gBACJgC,MAAMhC,kBAAkBb,KAAKK,cAAcyC,SAAS,KAAA,IAAS9C,KAAKK,gBAAgB0C,SAAS/C,KAAKK,eAAe,SAAA;AACjH,cAAM2C,eAAeC,SAASpC,eAAe,QAAA;AAC7C,cAAMqC,eAAeC,SAASH,cAAc,QAAA;AAC5C,cAAM1C,eAAe8C,SAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMrD,KAAKU,SAASJ;UAC/B;AACA,cAAIgD,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA7C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASoB,MAAMe,MAAMQ,MAAM/C;UACrCA;UACAwB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAM3C,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkB0C,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAAS1B,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAE0D;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAOjD,KAAKG,IAAAA;AACpC,WAAOQ;EACT;EAEA,MAAcC,UAAUvB,cAAsBc,MAAkB0C,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASzC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEyD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOP,MAAMQ,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKvE,gBAAgBwE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAACjD,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ACzRA,cAAc;AAcP,IAAKkD,UAAAA,0BAAAA,UAAAA;;SAAAA;;","names":["calculateJwkThumbprint","generatePrivateKeyHex","toJwk","KeyManagementSystem","Debug","elliptic","u8a","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","RSASigner","signAlgorithmToSchemeAndHashAlg","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","Promise","reject","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
1
+ {"version":3,"sources":["../src/SphereonKeyManagementSystem.ts","../src/index.ts"],"sourcesContent":["import { calculateJwkThumbprint, generatePrivateKeyHex, toJwk, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\n\nimport type { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractPrivateKeyStore, type ManagedPrivateKey } from '@veramo/key-manager'\nimport { KeyManagementSystem } from '@veramo/kms-local'\nimport Debug from 'debug'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nconst { fromString } = u8a\nimport { KeyType, type ManagedKeyInfoArgs } from './index'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk,\n RSASigner,\n signAlgorithmToSchemeAndHashAlg,\n} from '@sphereon/ssi-sdk-ext.x509-utils'\n\nconst debug = Debug('sphereon:kms:local')\n\nexport class SphereonKeyManagementSystem extends KeyManagementSystem {\n private readonly privateKeyStore: AbstractPrivateKeyStore\n\n constructor(keyStore: AbstractPrivateKeyStore) {\n super(keyStore)\n this.privateKeyStore = keyStore\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n switch (args.type) {\n case KeyType.Bls12381G2.toString():\n if (!args.privateKeyHex || !args.publicKeyHex) {\n throw new Error('invalid_argument: type, publicKeyHex and privateKeyHex are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({\n ...args,\n alias: args.kid,\n privateKeyHex: args.privateKeyHex,\n publicKeyHex: args.publicKeyHex,\n type: args.type,\n })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n\n case 'Secp256k1':\n case 'Secp256r1':\n // @ts-ignore\n case 'RSA': {\n if (!args.privateKeyHex && !args.privateKeyPEM) {\n throw new Error('invalid_argument: type and privateKeyHex (or privateKeyPEM for RSA) are required to import a key')\n }\n const managedKey = this.asSphereonManagedKeyInfo({ alias: args.kid, ...args })\n await this.privateKeyStore.import({ alias: managedKey.kid, ...args })\n debug('imported key', managedKey.type, managedKey.publicKeyHex)\n return managedKey\n }\n default:\n return await super.importKey(args)\n }\n }\n\n async createKey({ type }: { type: TKeyType }): Promise<ManagedKeyInfo> {\n let key: ManagedKeyInfo\n\n switch (type) {\n case KeyType.Bls12381G2: {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures',\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n const keyPairBls12381G2 = await bbs.generateKeyPair({\n ciphersuite: 'BLS12-381-SHA-256'\n })\n key = await this.importKey({\n type,\n privateKeyHex: Buffer.from(keyPairBls12381G2.secretKey).toString('hex'),\n publicKeyHex: Buffer.from(keyPairBls12381G2.publicKey).toString('hex'),\n })\n break*/\n }\n\n // @ts-ignore\n case 'RSA': {\n const privateKeyHex = await generatePrivateKeyHex(type)\n key = await this.importKey({\n type,\n privateKeyHex,\n })\n break\n }\n default:\n key = await super.createKey({ type })\n }\n\n debug('Created key', type, key.publicKeyHex)\n\n return key\n }\n\n async sign({ keyRef, algorithm, data }: { keyRef: Pick<IKey, 'kid'>; algorithm?: string; data: Uint8Array }): Promise<string> {\n let privateKey: ManagedPrivateKey\n try {\n privateKey = await this.privateKeyStore.get({ alias: keyRef.kid })\n } catch (e) {\n throw new Error(`key_not_found: No key entry found for kid=${keyRef.kid}`)\n }\n\n if (privateKey.type === KeyType.Bls12381G2) {\n throw Error(\n 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures',\n )\n /*// @ts-ignore\n const bbs = await import('@digitalbazaar/bbs-signatures')\n if (!data || Array.isArray(data)) {\n throw new Error('Data must be defined and cannot be an array')\n }\n const keyPair = {\n keyPair: {\n secretKey: Uint8Array.from(Buffer.from(privateKey.privateKeyHex, 'hex')),\n publicKey: Uint8Array.from(Buffer.from(keyRef.kid, 'hex')),\n },\n messages: [data],\n }\n const signature = await bbs.sign({secretKey: privateKey, publicKey, header, messages});\n return signature*/\n } else if (\n // @ts-ignore\n privateKey.type === 'RSA'\n ) {\n if (typeof algorithm === 'undefined' || algorithm === 'RS256' || algorithm === 'RS512' || algorithm === 'PS256' || algorithm === 'PS512') {\n return await this.signRSA(privateKey, data, algorithm ?? 'PS256')\n }\n return Promise.reject(\n new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`),\n )\n } else {\n return await super.sign({ keyRef, algorithm, data })\n }\n }\n\n async verify({\n publicKeyHex,\n type,\n algorithm,\n data,\n signature,\n }: {\n publicKeyHex: string\n type: TKeyType\n algorithm?: string\n data: Uint8Array\n signature: string\n }): Promise<boolean> {\n if (type === 'RSA') {\n return await this.verifyRSA(publicKeyHex, data, algorithm ?? 'PS256', signature)\n }\n throw Error(`KMS verify is not implemented yet for ${type}`)\n }\n\n private asSphereonManagedKeyInfo(args: ManagedKeyInfoArgs): ManagedKeyInfo {\n let key: Partial<ManagedKeyInfo>\n switch (args.type) {\n case KeyType.Bls12381G2:\n key = {\n type: args.type,\n kid: args.alias ?? args.publicKeyHex,\n publicKeyHex: args.publicKeyHex,\n meta: {\n algorithms: ['BLS'],\n },\n }\n break\n case 'Secp256k1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256k1 = new elliptic.ec('secp256k1')\n const keyPair = secp256k1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256k1') }),\n algorithms: ['ES256K', 'ES256K-R', 'eth_signTransaction', 'eth_signTypedData', 'eth_signMessage', 'eth_rawSign'],\n },\n }\n break\n }\n case 'Secp256r1': {\n const privateBytes = fromString(args.privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n key = {\n type: args.type,\n kid: args.alias ?? publicKeyHex,\n publicKeyHex,\n meta: {\n jwkThumbprint: calculateJwkThumbprint({ jwk: toJwk(publicKeyHex, 'Secp256r1') }),\n algorithms: ['ES256'],\n },\n }\n break\n }\n // @ts-ignore\n case 'RSA': {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM =\n x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.alias ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n key = {\n type: args.type,\n kid: args.alias ?? meta?.x509?.cn ?? publicKeyHex,\n publicKeyHex,\n meta: {\n ...meta,\n // todo: could als be EcDSA etc\n algorithms: ['PS256', 'PS512', 'RS256', 'RS512'],\n publicKeyJwk,\n publicKeyPEM,\n },\n }\n break\n }\n\n default:\n throw Error('not_supported: Key type not supported: ' + args.type)\n }\n return key as ManagedKeyInfo\n }\n\n /**\n * @returns a base64url encoded signature for the `RS256` alg\n */\n private async signRSA(privateKey: ManagedPrivateKey, data: Uint8Array, signingAlgorithm: string): Promise<string> {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(privateKey.privateKeyHex, 'private'), 'private'), { hashAlgorithm, scheme })\n const signature = await signer.sign(data)\n return signature as string\n }\n\n private async verifyRSA(publicKeyHex: string, data: Uint8Array, signingAlgorithm: string, signature: string) {\n const { hashAlgorithm, scheme } = signAlgorithmToSchemeAndHashAlg(signingAlgorithm)\n const signer = new RSASigner(PEMToJwk(hexToPEM(publicKeyHex, 'public'), 'public'), { hashAlgorithm, scheme })\n return await signer.verify(data, signature)\n }\n\n public async listKeys(): Promise<Array<ManagedKeyInfo>> {\n return (await this.privateKeyStore.list({})).map((privateKey: ManagedPrivateKey) => this.asSphereonManagedKeyInfo(privateKey))\n }\n}\n","import type { X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport type { KeyMetadata, TKeyType } from '@veramo/core'\n\nexport { SphereonKeyManagementSystem } from './SphereonKeyManagementSystem'\n\nexport * from '@veramo/kms-local'\n\nexport interface ManagedKeyInfoArgs {\n alias?: string\n type: TKeyType\n privateKeyHex: string\n publicKeyHex?: string\n meta?: ManageKeyInfoMeta | undefined | null\n}\n\nexport interface ManageKeyInfoMeta extends KeyMetadata {\n x509?: X509Opts\n [x: string]: any\n}\nexport enum KeyType {\n Bls12381G2 = 'Bls12381G2',\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,uBAAuBC,aAA4B;AAIpF,SAASC,2BAA2B;AACpC,OAAOC,WAAW;AAClB,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,SACEC,UACAC,UACAC,mBACAC,UACAC,UACAC,WACAC,uCACK;AAVP,IAAM,EAAEC,WAAU,IAAKC;AAYvB,IAAMC,QAAQC,MAAM,oBAAA;AAEb,IAAMC,8BAAN,cAA0CC,oBAAAA;EAvBjD,OAuBiDA;;;EAC9BC;EAEjB,YAAYC,UAAmC;AAC7C,UAAMA,QAAAA;AACN,SAAKD,kBAAkBC;EACzB;EAEA,MAAMC,UAAUC,MAA+F;AAC7G,YAAQA,KAAKC,MAAI;MACf,KAAKC,QAAQC,WAAWC,SAAQ;AAC9B,YAAI,CAACJ,KAAKK,iBAAiB,CAACL,KAAKM,cAAc;AAC7C,gBAAM,IAAIC,MAAM,qFAAA;QAClB;AACA,cAAMC,aAAa,KAAKC,yBAAyB;UAC/C,GAAGT;UACHU,OAAOV,KAAKW;UACZN,eAAeL,KAAKK;UACpBC,cAAcN,KAAKM;UACnBL,MAAMD,KAAKC;QACb,CAAA;AACA,cAAM,KAAKJ,gBAAgBe,OAAO;UAAEF,OAAOF,WAAWG;UAAK,GAAGX;QAAK,CAAA;AACnEP,cAAM,gBAAgBe,WAAWP,MAAMO,WAAWF,YAAY;AAC9D,eAAOE;MAET,KAAK;MACL,KAAK;;MAEL,KAAK,OAAO;AACV,YAAI,CAACR,KAAKK,iBAAiB,CAACL,KAAKa,eAAe;AAC9C,gBAAM,IAAIN,MAAM,kGAAA;QAClB;AACA,cAAMC,cAAa,KAAKC,yBAAyB;UAAEC,OAAOV,KAAKW;UAAK,GAAGX;QAAK,CAAA;AAC5E,cAAM,KAAKH,gBAAgBe,OAAO;UAAEF,OAAOF,YAAWG;UAAK,GAAGX;QAAK,CAAA;AACnEP,cAAM,gBAAgBe,YAAWP,MAAMO,YAAWF,YAAY;AAC9D,eAAOE;MACT;MACA;AACE,eAAO,MAAM,MAAMT,UAAUC,IAAAA;IACjC;EACF;EAEA,MAAMc,UAAU,EAAEb,KAAI,GAAiD;AACrE,QAAIc;AAEJ,YAAQd,MAAAA;MACN,KAAKC,QAAQC,YAAY;AACvB,cAAMI,MACJ,mLAAA;MAaJ;;MAGA,KAAK,OAAO;AACV,cAAMF,gBAAgB,MAAMW,sBAAsBf,IAAAA;AAClDc,cAAM,MAAM,KAAKhB,UAAU;UACzBE;UACAI;QACF,CAAA;AACA;MACF;MACA;AACEU,cAAM,MAAM,MAAMD,UAAU;UAAEb;QAAK,CAAA;IACvC;AAEAR,UAAM,eAAeQ,MAAMc,IAAIT,YAAY;AAE3C,WAAOS;EACT;EAEA,MAAME,KAAK,EAAEC,QAAQC,WAAWC,KAAI,GAA0F;AAC5H,QAAIC;AACJ,QAAI;AACFA,mBAAa,MAAM,KAAKxB,gBAAgByB,IAAI;QAAEZ,OAAOQ,OAAOP;MAAI,CAAA;IAClE,SAASY,GAAG;AACV,YAAM,IAAIhB,MAAM,6CAA6CW,OAAOP,GAAG,EAAE;IAC3E;AAEA,QAAIU,WAAWpB,SAASC,QAAQC,YAAY;AAC1C,YAAMI,MACJ,mLAAA;IAgBJ;;MAEEc,WAAWpB,SAAS;MACpB;AACA,UAAI,OAAOkB,cAAc,eAAeA,cAAc,WAAWA,cAAc,WAAWA,cAAc,WAAWA,cAAc,SAAS;AACxI,eAAO,MAAM,KAAKK,QAAQH,YAAYD,MAAMD,aAAa,OAAA;MAC3D;AACA,aAAOM,QAAQC,OACb,IAAInB,MAAM,6DAA6DY,SAAAA,4CAAqD,CAAA;IAEhI,OAAO;AACL,aAAO,MAAM,MAAMF,KAAK;QAAEC;QAAQC;QAAWC;MAAK,CAAA;IACpD;EACF;EAEA,MAAMO,OAAO,EACXrB,cACAL,MACAkB,WACAC,MACAQ,UAAS,GAOU;AACnB,QAAI3B,SAAS,OAAO;AAClB,aAAO,MAAM,KAAK4B,UAAUvB,cAAcc,MAAMD,aAAa,SAASS,SAAAA;IACxE;AACA,UAAMrB,MAAM,yCAAyCN,IAAAA,EAAM;EAC7D;EAEQQ,yBAAyBT,MAA0C;AACzE,QAAIe;AACJ,YAAQf,KAAKC,MAAI;MACf,KAAKC,QAAQC;AACXY,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASV,KAAKM;UACxBA,cAAcN,KAAKM;UACnBwB,MAAM;YACJC,YAAY;cAAC;;UACf;QACF;AACA;MACF,KAAK,aAAa;AAChB,cAAMC,eAAezC,WAAWS,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMC,YAAY,IAAIC,SAASC,GAAG,WAAA;AAClC,cAAMC,UAAUH,UAAUI,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;cAAU;cAAY;cAAuB;cAAqB;cAAmB;;UACpG;QACF;AACA;MACF;MACA,KAAK,aAAa;AAChB,cAAMC,eAAezC,WAAWS,KAAKK,cAAc4B,YAAW,GAAI,QAAA;AAClE,cAAMW,YAAY,IAAIT,SAASC,GAAG,MAAA;AAClC,cAAMC,UAAUO,UAAUN,eAAeN,cAAc,KAAA;AACvD,cAAM1B,eAAe+B,QAAQE,UAAU,MAAM,KAAA;AAC7CxB,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASJ;UACnBA;UACAwB,MAAM;YACJU,eAAeC,uBAAuB;cAAEC,KAAKC,MAAMrC,cAAc,WAAA;YAAa,CAAA;YAC9EyB,YAAY;cAAC;;UACf;QACF;AACA;MACF;;MAEA,KAAK,OAAO;AACV,cAAMc,OAAO7C,KAAK8B,MAAMe;AACxB,cAAMhC,gBACJgC,MAAMhC,kBAAkBb,KAAKK,cAAcyC,SAAS,KAAA,IAAS9C,KAAKK,gBAAgB0C,SAAS/C,KAAKK,eAAe,SAAA;AACjH,cAAM2C,eAAeC,SAASpC,eAAe,QAAA;AAC7C,cAAMqC,eAAeC,SAASH,cAAc,QAAA;AAC5C,cAAM1C,eAAe8C,SAASF,YAAAA;AAE9B,cAAMpB,OAAO,CAAC;AACd,YAAIe,MAAM;AACRf,eAAKe,OAAO;YACVQ,IAAIR,KAAKQ,MAAMrD,KAAKU,SAASJ;UAC/B;AACA,cAAIgD,YAAoBT,KAAKU,uBAAuB;AACpD,cAAIV,KAAKW,gBAAgB;AACvB,gBAAI,CAACF,UAAUR,SAASD,KAAKW,cAAc,GAAG;AAC5CF,0BAAY,GAAGT,KAAKW,cAAc;EAAKF,SAAAA;YACzC;UACF;AACA,cAAIA,UAAUG,SAAS,GAAG;AACxB3B,iBAAKe,KAAKU,sBAAsBD;AAChC,kBAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,gBAAI,CAACT,KAAKe,qBAAqB;AAG7BZ,2BAAaU,MAAMA;YACrB;AACA5B,iBAAKe,KAAKa,MAAMA;UAClB;AACA,cAAIb,KAAKe,qBAAqB;AAE5BZ,yBAAaa,MAAMhB,KAAKe;AACxB9B,iBAAKe,KAAKgB,MAAMhB,KAAKe;UACvB;QACF;AAEA7C,cAAM;UACJd,MAAMD,KAAKC;UACXU,KAAKX,KAAKU,SAASoB,MAAMe,MAAMQ,MAAM/C;UACrCA;UACAwB,MAAM;YACJ,GAAGA;;YAEHC,YAAY;cAAC;cAAS;cAAS;cAAS;;YACxCiB;YACAE;UACF;QACF;AACA;MACF;MAEA;AACE,cAAM3C,MAAM,4CAA4CP,KAAKC,IAAI;IACrE;AACA,WAAOc;EACT;;;;EAKA,MAAcS,QAAQH,YAA+BD,MAAkB0C,kBAA2C;AAChH,UAAM,EAAEC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAAS1B,WAAWhB,eAAe,SAAA,GAAY,SAAA,GAAY;MAAE0D;MAAeC;IAAO,CAAA;AACzH,UAAMpC,YAAY,MAAMsC,OAAOjD,KAAKG,IAAAA;AACpC,WAAOQ;EACT;EAEA,MAAcC,UAAUvB,cAAsBc,MAAkB0C,kBAA0BlC,WAAmB;AAC3G,UAAM,EAAEmC,eAAeC,OAAM,IAAKC,gCAAgCH,gBAAAA;AAClE,UAAMI,SAAS,IAAIC,UAAUlB,SAASF,SAASzC,cAAc,QAAA,GAAW,QAAA,GAAW;MAAEyD;MAAeC;IAAO,CAAA;AAC3G,WAAO,MAAME,OAAOvC,OAAOP,MAAMQ,SAAAA;EACnC;EAEA,MAAawC,WAA2C;AACtD,YAAQ,MAAM,KAAKvE,gBAAgBwE,KAAK,CAAC,CAAA,GAAIC,IAAI,CAACjD,eAAkC,KAAKZ,yBAAyBY,UAAAA,CAAAA;EACpH;AACF;;;ACzRA,cAAc;AAcP,IAAKkD,UAAAA,0BAAAA,UAAAA;;SAAAA;;","names":["calculateJwkThumbprint","generatePrivateKeyHex","toJwk","KeyManagementSystem","Debug","elliptic","u8a","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","RSASigner","signAlgorithmToSchemeAndHashAlg","fromString","u8a","debug","Debug","SphereonKeyManagementSystem","KeyManagementSystem","privateKeyStore","keyStore","importKey","args","type","KeyType","Bls12381G2","toString","privateKeyHex","publicKeyHex","Error","managedKey","asSphereonManagedKeyInfo","alias","kid","import","privateKeyPEM","createKey","key","generatePrivateKeyHex","sign","keyRef","algorithm","data","privateKey","get","e","signRSA","Promise","reject","verify","signature","verifyRSA","meta","algorithms","privateBytes","toLowerCase","secp256k1","elliptic","ec","keyPair","keyFromPrivate","getPublic","jwkThumbprint","calculateJwkThumbprint","jwk","toJwk","secp256r1","x509","includes","hexToPEM","publicKeyJwk","PEMToJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","signingAlgorithm","hashAlgorithm","scheme","signAlgorithmToSchemeAndHashAlg","signer","RSASigner","listKeys","list","map","KeyType"]}
package/dist/tsdoc-metadata.json CHANGED
@@ -5,7 +5,7 @@
5
5
  "toolPackages": [
6
6
  {
7
7
  "packageName": "@microsoft/api-extractor",
8
- "packageVersion": "7.52.10"
8
+ "packageVersion": "7.55.0"
9
9
  }
10
10
  ]
11
11
  }
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk-ext.kms-local",
3
3
  "description": "Sphereon Local Key Management System with support for BLS/BBS+, RSA keys",
4
- "version": "0.34.1-next.91+3c949810",
4
+ "version": "0.36.1-feat.SSISDK.83.11+15665c90",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
@@ -23,9 +23,9 @@
23
23
  "generate-plugin-schema": "tsx ../../packages/dev/bin/sphereon.js dev generate-plugin-schema"
24
24
  },
25
25
  "dependencies": {
26
- "@sphereon/ssi-sdk-ext.did-utils": "0.34.1-next.91+3c949810",
27
- "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-next.91+3c949810",
28
- "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-next.91+3c949810",
26
+ "@sphereon/ssi-sdk-ext.did-utils": "0.36.1-feat.SSISDK.83.11+15665c90",
27
+ "@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feat.SSISDK.83.11+15665c90",
28
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feat.SSISDK.83.11+15665c90",
29
29
  "@trust/keyto": "2.0.0-alpha1",
30
30
  "@veramo/core": "4.2.0",
31
31
  "@veramo/key-manager": "4.2.0",
@@ -36,7 +36,7 @@
36
36
  },
37
37
  "devDependencies": {
38
38
  "@sphereon/jsencrypt": "3.3.2-unstable.0",
39
- "@sphereon/ssi-sdk.dev": "0.34.1-next.91+3c949810",
39
+ "@sphereon/ssi-sdk.dev": "0.36.1-feat.SSISDK.83.11+15665c90",
40
40
  "@types/elliptic": "6.4.14",
41
41
  "@veramo/cli": "4.2.0"
42
42
  },
@@ -58,5 +58,5 @@
58
58
  "kms",
59
59
  "Veramo"
60
60
  ],
61
- "gitHead": "3c9498100ca07dfc2ba7979e7347fb9b19c47d18"
61
+ "gitHead": "15665c90d27b72a0c3b7267375f60512d2cd4085"
62
62
  }
package/src/SphereonKeyManagementSystem.ts CHANGED
@@ -69,7 +69,7 @@ export class SphereonKeyManagementSystem extends KeyManagementSystem {
69
69
  switch (type) {
70
70
  case KeyType.Bls12381G2: {
71
71
  throw Error(
72
- 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'
72
+ 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures',
73
73
  )
74
74
  /*// @ts-ignore
75
75
  const bbs = await import('@digitalbazaar/bbs-signatures')
@@ -112,7 +112,7 @@ export class SphereonKeyManagementSystem extends KeyManagementSystem {
112
112
 
113
113
  if (privateKey.type === KeyType.Bls12381G2) {
114
114
  throw Error(
115
- 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures'
115
+ 'BLS support not available because upstream is not really providing Windows and React-Native support; giving too much headache. We soon will move to @digitalbazaar/bbs-signatures',
116
116
  )
117
117
  /*// @ts-ignore
118
118
  const bbs = await import('@digitalbazaar/bbs-signatures')
@@ -136,7 +136,7 @@ export class SphereonKeyManagementSystem extends KeyManagementSystem {
136
136
  return await this.signRSA(privateKey, data, algorithm ?? 'PS256')
137
137
  }
138
138
  return Promise.reject(
139
- new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`)
139
+ new Error(`not_supported: Cannot sign using key of type RSA and alg: ${algorithm}. Only RS and PS algorithms are supported.`),
140
140
  )
141
141
  } else {
142
142
  return await super.sign({ keyRef, algorithm, data })
package/src/__tests__/rsa.test.ts CHANGED
@@ -19,7 +19,7 @@ describe('X509 PEMs', () => {
19
19
  it('should get public key from private key', () => {
20
20
  const publicKeyFromPrivateKey = publicKeyHexFromPEM(PEM_PRIV_KEY)
21
21
  expect(publicKeyFromPrivateKey).toEqual(
22
- '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001'
22
+ '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001',
23
23
  )
24
24
  })
25
25
 
@@ -54,7 +54,7 @@ describe('x509 keys', () => {
54
54
  const keyObject = toKeyObject(PEM_PRIV_KEY, 'private')
55
55
  expect(keyObject.keyType).toEqual('private')
56
56
  expect(keyObject.keyHex).toEqual(
57
- '308204bf020100300d06092a864886f70d0101010500048204a9308204a50201000282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c02453020301000102820101009576685ad2b3a124182969fc36e41d34983ea581fd2c16c97c010b36ea2f485628f240c5be324c0856b3df3f1469fb48dee09d8647417903a320e819c1a275099606689a82c093f106199fb98ad6124f16d0eb885710d45d3ef769310be37ace6e811bd31988d764566976def774e6ad05a839c715243acab6a6c20d01eeb68d3d0eec83b098d3ceda31eca32a42121b59229f424975f47061006d766a6cbe18d5857b5e06a8b25e1ca0fd792bb7afb92b83c7d4180482f83bbce0cf55fb3b640a72cd93de0f419fe7e0a1c60d495641afc5cd692c0bde4c71fde0d3501e5b6cf8aa285514613c1e7399d20918e383a7daa370af898dde24242f3486006e503102818100f498cfafc7b004682d6902a67b9f7e316051ab375c35193e3f9307d53041f7d8e1c238503561af52cd23e1ff7ed6c50b32e9ff38bfafd0eb2bd8bd5f4c30c49d2101938c048aff105fe3e66c60acdea069e5cef9575277ab737636c77ae0d08bbf56083fe53d967b0c6a9532c3a44df0742ad58f030e8d86e55444b16621498d02818100dfe42c7f598d07663a7db562d840d2cb9b5d902c8f2855184b2e7c5556a803cb5df12b63524d058476306a8a3adc614ebafb494c5fcc465f0831b817405061297b15a95565d4a4bd820fa66959590c32ef9929629c5f16a38e8591d55e056fcf597adb6f997bbfdcaef5ea9692abd73737a5911cb5d59ed44b0e0d088e6c7d5f028180449dcdbd812656c626df0b984a9bde99d96c6fbcb3084e5191221d13685b493d356ff7be408b6bd4ada9c04f9d74808878bafe171c672513a4144463c48af5cd22a23f930aff37388fbdee393f119fce9e86927e8e499b3aa4c467efa4000760fcc714bf5ffedc051ee193834f30fb9055f6623ca15de6c40df78ae1bd45df4d02818100b9c40faba6b8de3fd31e44a6fbf9652dacfe87c6810d9cf56843ecc3bdfff00e082737b1d432b5f63f3e52d7d898cc604fc27a01d5a69f68f05a987d2a4ec71f6cd1ff4b2d0faf94d1da7c6002d360ccce824d95555b8c642eb7e2d59f8a714820dd503f1ba153031f6449bd9f7ad73a2880c69384c7f75dfbdc6fb1fec2438f02818100df333c3157e5e861fc1bb4db910c628b5dcbff481f0ed036c4a7f2a517ff390cb0c5cbb44fc02351738e0df74d3b5345c48e728cbacd1752ac04fb482829c3037f0de6f8f8de9a9395aa740b07a2608877eb570406aba25563dd1f187f6b9c0b3e9aec71487c56999a91436a0e76da27caf444578e2782bc1ee2718af0ee4de0'
57
+ '308204bf020100300d06092a864886f70d0101010500048204a9308204a50201000282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c02453020301000102820101009576685ad2b3a124182969fc36e41d34983ea581fd2c16c97c010b36ea2f485628f240c5be324c0856b3df3f1469fb48dee09d8647417903a320e819c1a275099606689a82c093f106199fb98ad6124f16d0eb885710d45d3ef769310be37ace6e811bd31988d764566976def774e6ad05a839c715243acab6a6c20d01eeb68d3d0eec83b098d3ceda31eca32a42121b59229f424975f47061006d766a6cbe18d5857b5e06a8b25e1ca0fd792bb7afb92b83c7d4180482f83bbce0cf55fb3b640a72cd93de0f419fe7e0a1c60d495641afc5cd692c0bde4c71fde0d3501e5b6cf8aa285514613c1e7399d20918e383a7daa370af898dde24242f3486006e503102818100f498cfafc7b004682d6902a67b9f7e316051ab375c35193e3f9307d53041f7d8e1c238503561af52cd23e1ff7ed6c50b32e9ff38bfafd0eb2bd8bd5f4c30c49d2101938c048aff105fe3e66c60acdea069e5cef9575277ab737636c77ae0d08bbf56083fe53d967b0c6a9532c3a44df0742ad58f030e8d86e55444b16621498d02818100dfe42c7f598d07663a7db562d840d2cb9b5d902c8f2855184b2e7c5556a803cb5df12b63524d058476306a8a3adc614ebafb494c5fcc465f0831b817405061297b15a95565d4a4bd820fa66959590c32ef9929629c5f16a38e8591d55e056fcf597adb6f997bbfdcaef5ea9692abd73737a5911cb5d59ed44b0e0d088e6c7d5f028180449dcdbd812656c626df0b984a9bde99d96c6fbcb3084e5191221d13685b493d356ff7be408b6bd4ada9c04f9d74808878bafe171c672513a4144463c48af5cd22a23f930aff37388fbdee393f119fce9e86927e8e499b3aa4c467efa4000760fcc714bf5ffedc051ee193834f30fb9055f6623ca15de6c40df78ae1bd45df4d02818100b9c40faba6b8de3fd31e44a6fbf9652dacfe87c6810d9cf56843ecc3bdfff00e082737b1d432b5f63f3e52d7d898cc604fc27a01d5a69f68f05a987d2a4ec71f6cd1ff4b2d0faf94d1da7c6002d360ccce824d95555b8c642eb7e2d59f8a714820dd503f1ba153031f6449bd9f7ad73a2880c69384c7f75dfbdc6fb1fec2438f02818100df333c3157e5e861fc1bb4db910c628b5dcbff481f0ed036c4a7f2a517ff390cb0c5cbb44fc02351738e0df74d3b5345c48e728cbacd1752ac04fb482829c3037f0de6f8f8de9a9395aa740b07a2608877eb570406aba25563dd1f187f6b9c0b3e9aec71487c56999a91436a0e76da27caf444578e2782bc1ee2718af0ee4de0',
58
58
  )
59
59
  expect(keyObject.pem).toEqual(PEM_PRIV_KEY + '\n')
60
60
  expect(keyObject.jwk).toEqual({
@@ -74,7 +74,7 @@ describe('x509 keys', () => {
74
74
  const keyObject = toKeyObject(PEM_PRIV_KEY, 'public')
75
75
  expect(keyObject.keyType).toEqual('public')
76
76
  expect(keyObject.keyHex).toEqual(
77
- '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001'
77
+ '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001',
78
78
  )
79
79
  expect(keyObject.pem).toEqual(
80
80
  '-----BEGIN PUBLIC KEY-----\n' +
@@ -85,7 +85,7 @@ describe('x509 keys', () => {
85
85
  'iaVdUcNw/8+5xZapYPQEGcEp47yPixOJ2SmXpoR2iTpvZK4ZNyF3JxqKQg2pGJqV\n' +
86
86
  'bVovthSwdxQkOqF21obQd6IiJcvDmnHSxLo6DiHBGYEYxJO83PSkTY3Xyh7yZMAk\n' +
87
87
  'UwIDAQAB\n' +
88
- '-----END PUBLIC KEY-----\n'
88
+ '-----END PUBLIC KEY-----\n',
89
89
  )
90
90
  expect(keyObject.jwk).toEqual({
91
91
  e: 'AQAB',
@@ -115,7 +115,7 @@ describe('@veramo/kms-local x509 import', () => {
115
115
  const key = await kms.importKey({ kid: 'test', privateKeyHex, type: 'RSA', meta })
116
116
  expect(key.type).toEqual('RSA')
117
117
  expect(key.publicKeyHex).toEqual(
118
- '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001'
118
+ '30820122300d06092a864886f70d01010105000382010f003082010a0282010100d5eb1f8708914a91581b7945b2f620963859b5279bcd9db3830cc6ac1cf8e9f26ecf8f6cc1a9d914b099fad9c4c4360008d1be9507f893b6ac32a5d6144314da8c4867526ffd15e41ff2f8fc0b7e0e23cf343de8607af88242b0a55ab2f38c371c12fa105522adcfc0356337374aabb0f2e41f14a56a3c20cacba9d58e14de0c78fdb710494dfa261fe5981e90f7b2e9915eedc6079c59406c02e87db772b689a55d51c370ffcfb9c596a960f40419c129e3bc8f8b1389d92997a68476893a6f64ae19372177271a8a420da9189a956d5a2fb614b07714243aa176d686d077a22225cbc39a71d2c4ba3a0e21c1198118c493bcdcf4a44d8dd7ca1ef264c024530203010001',
119
119
  )
120
120
  expect(key.kid).toEqual('test')
121
121
  expect(key.meta?.algorithms).toEqual(['PS256', 'PS512', 'RS256', 'RS512'])
@@ -137,7 +137,7 @@ describe('@veramo/kms-local x509 import', () => {
137
137
  const key = await kms.importKey({ kid: 'test', privateKeyHex, type: 'RSA', meta })
138
138
  const signature = await kms.sign({ keyRef: key, data, algorithm: 'RS256' })
139
139
  expect(signature).toEqual(
140
- 'PAgf2uRWJa-pmlUL80NVnxkExJkcpfLPB8udX1WoFGtAnIuFCfq8r1C43NL0xr9Qtn8TBK5pVHmAPPd7XlTkXU_LQ_JoBYxjzjtaRzGOo4-S-TAtKaW-evGI5rpXFWCeta0gwzTCVfDjbouRUg3_krK0B1cLLK1Kiih83n-6hadTxPLiQqNpbWxbnoHbZXw-V-5maCE1erY9cvO9LZeO2S_PXiqb19gk4mOEG3ZRQm12eHAlOVTnqRYiLmwWfSnT231jkJnF99RuLUjxlQNO5K6B-vYIhfVoqDliqaW6IEOamJJHUWG6RlqZfU7TzanZzR0YmDf5HIJEiDG4D_lF6g'
140
+ 'PAgf2uRWJa-pmlUL80NVnxkExJkcpfLPB8udX1WoFGtAnIuFCfq8r1C43NL0xr9Qtn8TBK5pVHmAPPd7XlTkXU_LQ_JoBYxjzjtaRzGOo4-S-TAtKaW-evGI5rpXFWCeta0gwzTCVfDjbouRUg3_krK0B1cLLK1Kiih83n-6hadTxPLiQqNpbWxbnoHbZXw-V-5maCE1erY9cvO9LZeO2S_PXiqb19gk4mOEG3ZRQm12eHAlOVTnqRYiLmwWfSnT231jkJnF99RuLUjxlQNO5K6B-vYIhfVoqDliqaW6IEOamJJHUWG6RlqZfU7TzanZzR0YmDf5HIJEiDG4D_lF6g',
141
141
  )
142
142
  })
143
143
  })