@sphereon/ssi-sdk.kms-rest 0.34.1-feature.IDK.11.294

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (12) hide show
  1. package/LICENSE +201 -0
  2. package/README.md +112 -0
  3. package/dist/index.cjs +372 -0
  4. package/dist/index.cjs.map +1 -0
  5. package/dist/index.d.cts +75 -0
  6. package/dist/index.d.ts +75 -0
  7. package/dist/index.js +341 -0
  8. package/dist/index.js.map +1 -0
  9. package/package.json +58 -0
  10. package/src/RestKeyManagementSystem.ts +382 -0
  11. package/src/index.ts +2 -0
  12. package/src/types/index.ts +50 -0
package/dist/index.cjs.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.kid,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.kid,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACCA,yBAA4C;AAC5C,yBAKO;AACP,qBAWO;AACP,IAAAA,sBAMO;AACP,uBAAiD;AACjD,sBAAqB;AAErB,UAAqB;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQK;QACnBI,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,mBAAeC,2CAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUZ;QACjBI,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,mBAAeC,2CAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,eAAOC,4CAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,wCAAuBC;MAC5C,KAAK;AAAS,eAAOD,wCAAuBE;MAC5C,KAAK;AAAS,eAAOF,wCAAuBG;MAC5C,KAAK;AAAS,eAAOH,wCAAuBI;MAC5C,KAAK;AAAU,eAAOJ,wCAAuBK;MAC7C,KAAK;AAAS,eAAOL,wCAAuBM;MAC5C,KAAK;AAAS,eAAON,wCAAuBO;MAC5C,KAAK;AAAS,eAAOP,wCAAuBQ;MAC5C,KAAK;AAAS,eAAOR,wCAAuBS;MAC5C,KAAK;AAAS,eAAOT,wCAAuBU;MAC5C,KAAK;AAAS,eAAOV,wCAAuBW;MAC5C,KAAK;AAAS,eAAOX,wCAAuBY;MAC5C,KAAK;AAAS,eAAOZ,wCAAuBa;MAC5C,KAAK;AAAS,eAAOb,wCAAuBc;MAC5C,KAAK;AAAS,eAAOd,wCAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAc+E;MACvB,KAAK;AACH,eAAO/E,6BAAcgF;MACvB,KAAK;AACH,eAAOhF,6BAAciF;MACvB,KAAK;AACH,eAAOjF,6BAAckF;MACvB,KAAK;AACH,eAAOlF,6BAAcmF;MACvB,KAAK;AACH,eAAOnF,6BAAcoF;MACvB,KAAK;AACH,eAAOpF,6BAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,oBACLE,8BAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,mBAAekE,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASrE,cAAc,QAAA;AAC5C,UAAMR,mBAAe8E,8BAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,mBAAe6F,0BAAMrG,cAAc,WAAA;AACzC,UAAM2E,oBAAgB0B,0BAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,oBAAgB0B,0BAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,mBAAewG,kDAA8BjC,aAAAA;AACnD,UAAM/D,mBAAe6F,0BAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/dist/index.d.cts ADDED
@@ -0,0 +1,75 @@
1
+ import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
2
+ import { AbstractKeyManagementSystem } from '@veramo/key-manager';
3
+ import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
4
+ import { JWK } from '@sphereon/ssi-types';
5
+
6
+ type KeyMetadata = {
7
+ algorithms?: string[];
8
+ [x: string]: any;
9
+ };
10
+ type CreateKeyArgs = {
11
+ type: TKeyType;
12
+ meta?: KeyMetadata;
13
+ };
14
+ type SignArgs = {
15
+ keyRef: Pick<IKey, 'kid'>;
16
+ data: Uint8Array;
17
+ [x: string]: any;
18
+ };
19
+ type VerifyArgs = {
20
+ keyRef: Pick<IKey, 'kid'>;
21
+ data: Uint8Array;
22
+ signature: string;
23
+ [x: string]: any;
24
+ };
25
+ type SharedSecretArgs = {
26
+ myKeyRef: Pick<IKey, 'kid'>;
27
+ theirKey: Pick<IKey, 'publicKeyHex' | 'type'>;
28
+ };
29
+ type ImportKeyArgs = Omit<MinimalImportableKey, 'kms'> & {
30
+ privateKeyPEM?: string;
31
+ };
32
+ type DeleteKeyArgs = {
33
+ kid: string;
34
+ };
35
+ type MapImportKeyArgs = {
36
+ type: TKeyType;
37
+ privateKeyHex: string;
38
+ meta?: KeyMetadata | null;
39
+ kid?: string;
40
+ };
41
+ type MappedImportKey = {
42
+ key: StoreKey;
43
+ kid: string;
44
+ publicKeyJwk: JWK;
45
+ };
46
+
47
+ interface AbstractKeyManagementSystemOptions {
48
+ applicationId: string;
49
+ baseUrl: string;
50
+ authOpts?: RestClientAuthenticationOpts;
51
+ }
52
+ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
53
+ private client;
54
+ private readonly id;
55
+ constructor(options: AbstractKeyManagementSystemOptions);
56
+ createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
57
+ importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
58
+ deleteKey(args: DeleteKeyArgs): Promise<boolean>;
59
+ listKeys(): Promise<ManagedKeyInfo[]>;
60
+ sign(args: SignArgs): Promise<string>;
61
+ verify(args: VerifyArgs): Promise<boolean>;
62
+ sharedSecret(args: SharedSecretArgs): Promise<string>;
63
+ private signatureAlgorithmToDigestAlgorithm;
64
+ private mapKeyUsage;
65
+ private mapKeyTypeToSignatureAlgorithm;
66
+ private mapJoseAlgorithm;
67
+ private mapKeyOperation;
68
+ private mapKeyOperations;
69
+ private mapImportRsaKey;
70
+ private mapImportSecp256r1Key;
71
+ private mapImportX25519Key;
72
+ private mapImportKey;
73
+ }
74
+
75
+ export { type CreateKeyArgs, type DeleteKeyArgs, type ImportKeyArgs, type KeyMetadata, type MapImportKeyArgs, type MappedImportKey, RestKeyManagementSystem, type SharedSecretArgs, type SignArgs, type VerifyArgs };
package/dist/index.d.ts ADDED
@@ -0,0 +1,75 @@
1
+ import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
2
+ import { AbstractKeyManagementSystem } from '@veramo/key-manager';
3
+ import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
4
+ import { JWK } from '@sphereon/ssi-types';
5
+
6
+ type KeyMetadata = {
7
+ algorithms?: string[];
8
+ [x: string]: any;
9
+ };
10
+ type CreateKeyArgs = {
11
+ type: TKeyType;
12
+ meta?: KeyMetadata;
13
+ };
14
+ type SignArgs = {
15
+ keyRef: Pick<IKey, 'kid'>;
16
+ data: Uint8Array;
17
+ [x: string]: any;
18
+ };
19
+ type VerifyArgs = {
20
+ keyRef: Pick<IKey, 'kid'>;
21
+ data: Uint8Array;
22
+ signature: string;
23
+ [x: string]: any;
24
+ };
25
+ type SharedSecretArgs = {
26
+ myKeyRef: Pick<IKey, 'kid'>;
27
+ theirKey: Pick<IKey, 'publicKeyHex' | 'type'>;
28
+ };
29
+ type ImportKeyArgs = Omit<MinimalImportableKey, 'kms'> & {
30
+ privateKeyPEM?: string;
31
+ };
32
+ type DeleteKeyArgs = {
33
+ kid: string;
34
+ };
35
+ type MapImportKeyArgs = {
36
+ type: TKeyType;
37
+ privateKeyHex: string;
38
+ meta?: KeyMetadata | null;
39
+ kid?: string;
40
+ };
41
+ type MappedImportKey = {
42
+ key: StoreKey;
43
+ kid: string;
44
+ publicKeyJwk: JWK;
45
+ };
46
+
47
+ interface AbstractKeyManagementSystemOptions {
48
+ applicationId: string;
49
+ baseUrl: string;
50
+ authOpts?: RestClientAuthenticationOpts;
51
+ }
52
+ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
53
+ private client;
54
+ private readonly id;
55
+ constructor(options: AbstractKeyManagementSystemOptions);
56
+ createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
57
+ importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
58
+ deleteKey(args: DeleteKeyArgs): Promise<boolean>;
59
+ listKeys(): Promise<ManagedKeyInfo[]>;
60
+ sign(args: SignArgs): Promise<string>;
61
+ verify(args: VerifyArgs): Promise<boolean>;
62
+ sharedSecret(args: SharedSecretArgs): Promise<string>;
63
+ private signatureAlgorithmToDigestAlgorithm;
64
+ private mapKeyUsage;
65
+ private mapKeyTypeToSignatureAlgorithm;
66
+ private mapJoseAlgorithm;
67
+ private mapKeyOperation;
68
+ private mapKeyOperations;
69
+ private mapImportRsaKey;
70
+ private mapImportSecp256r1Key;
71
+ private mapImportX25519Key;
72
+ private mapImportKey;
73
+ }
74
+
75
+ export { type CreateKeyArgs, type DeleteKeyArgs, type ImportKeyArgs, type KeyMetadata, type MapImportKeyArgs, type MappedImportKey, RestKeyManagementSystem, type SharedSecretArgs, type SignArgs, type VerifyArgs };
package/dist/index.js ADDED
@@ -0,0 +1,341 @@
1
+ var __defProp = Object.defineProperty;
2
+ var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
3
+
4
+ // src/RestKeyManagementSystem.ts
5
+ import { AbstractKeyManagementSystem } from "@veramo/key-manager";
6
+ import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
7
+ import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
8
+ import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
9
+ import { JoseSignatureAlgorithm } from "@sphereon/ssi-types";
10
+ import elliptic from "elliptic";
11
+ import * as u8a from "uint8arrays";
12
+ var { fromString, toString } = u8a;
13
+ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
14
+ static {
15
+ __name(this, "RestKeyManagementSystem");
16
+ }
17
+ client;
18
+ id;
19
+ constructor(options) {
20
+ super();
21
+ const config = {
22
+ baseUrl: options.baseUrl,
23
+ authOpts: options.authOpts
24
+ };
25
+ this.id = options.applicationId;
26
+ this.client = new KmsRestClient(config);
27
+ }
28
+ async createKey(args) {
29
+ const { type, meta } = args;
30
+ const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
31
+ const options = {
32
+ use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
33
+ alg: signatureAlgorithm,
34
+ keyOperations: meta ? this.mapKeyOperations(meta.keyOperations) : [
35
+ KeyOperations.Sign
36
+ ]
37
+ };
38
+ const key = await this.client.methods.kmsClientGenerateKey(options);
39
+ const jwk = {
40
+ ...key.keyPair.jose.publicJwk,
41
+ alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
42
+ };
43
+ const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid;
44
+ if (!kid) {
45
+ throw new Error(`No kid present in key`);
46
+ }
47
+ return {
48
+ kid,
49
+ kms: this.id,
50
+ type,
51
+ meta: {
52
+ alias: key.keyPair.kid,
53
+ algorithms: [
54
+ key.keyPair.jose.publicJwk.alg ?? "PS256"
55
+ ],
56
+ jwkThumbprint: calculateJwkThumbprint({
57
+ jwk,
58
+ digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm)
59
+ })
60
+ },
61
+ publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), "utf8").toString("base64")
62
+ };
63
+ }
64
+ async importKey(args) {
65
+ const { type } = args;
66
+ const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
67
+ const importKey = this.mapImportKey(args);
68
+ const result = await this.client.methods.kmsClientStoreKey(importKey.key);
69
+ return {
70
+ kid: importKey.kid,
71
+ kms: this.id,
72
+ type,
73
+ meta: {
74
+ alias: importKey.kid,
75
+ algorithms: [
76
+ result.keyInfo.key.alg ?? "PS256"
77
+ ],
78
+ jwkThumbprint: calculateJwkThumbprint({
79
+ jwk: importKey.publicKeyJwk,
80
+ digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm)
81
+ })
82
+ },
83
+ publicKeyHex: Buffer.from(result.keyInfo.key.toString(), "utf8").toString("base64")
84
+ };
85
+ }
86
+ async deleteKey(args) {
87
+ const { kid } = args;
88
+ return await this.client.methods.kmsClientDeleteKey({
89
+ aliasOrKid: kid
90
+ });
91
+ }
92
+ async listKeys() {
93
+ const keys = await this.client.methods.kmsClientListKeys();
94
+ return ListKeysResponseToJSONTyped(keys, false).keyInfos;
95
+ }
96
+ async sign(args) {
97
+ const { keyRef, data } = args;
98
+ const key = await this.client.methods.kmsClientGetKey({
99
+ aliasOrKid: keyRef.kid
100
+ });
101
+ const signingResult = await this.client.methods.kmsClientCreateRawSignature({
102
+ keyInfo: key.keyInfo,
103
+ input: toString(data, "base64")
104
+ });
105
+ return signingResult.signature;
106
+ }
107
+ async verify(args) {
108
+ const { keyRef, data, signature } = args;
109
+ const key = await this.client.methods.kmsClientGetKey({
110
+ aliasOrKid: keyRef.kid
111
+ });
112
+ const verification = await this.client.methods.kmsClientIsValidRawSignature({
113
+ keyInfo: key.keyInfo,
114
+ input: toString(data, "base64"),
115
+ signature
116
+ });
117
+ return verification.isValid;
118
+ }
119
+ async sharedSecret(args) {
120
+ throw new Error("sharedSecret is not implemented for REST KMS.");
121
+ }
122
+ signatureAlgorithmToDigestAlgorithm = /* @__PURE__ */ __name((signatureAlgorithm) => {
123
+ switch (signatureAlgorithm) {
124
+ case SignatureAlgorithm.EcdsaSha256:
125
+ case SignatureAlgorithm.RsaSsaPssSha256Mgf1:
126
+ case SignatureAlgorithm.EckaDhSha256:
127
+ case SignatureAlgorithm.HmacSha256:
128
+ case SignatureAlgorithm.Es256K:
129
+ return "sha256";
130
+ case SignatureAlgorithm.EcdsaSha512:
131
+ case SignatureAlgorithm.HmacSha512:
132
+ case SignatureAlgorithm.RsaSsaPssSha512Mgf1:
133
+ return "sha512";
134
+ default:
135
+ throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`);
136
+ }
137
+ }, "signatureAlgorithmToDigestAlgorithm");
138
+ mapKeyUsage = /* @__PURE__ */ __name((usage) => {
139
+ switch (usage) {
140
+ case "sig":
141
+ return JwkUse.Sig;
142
+ case "enc":
143
+ return JwkUse.Enc;
144
+ default:
145
+ throw new Error(`Key usage ${usage} is not supported by REST KMS`);
146
+ }
147
+ }, "mapKeyUsage");
148
+ mapKeyTypeToSignatureAlgorithm = /* @__PURE__ */ __name((type) => {
149
+ switch (type) {
150
+ case "Secp256r1":
151
+ return SignatureAlgorithm.EcdsaSha256;
152
+ case "RSA":
153
+ return SignatureAlgorithm.RsaSsaPssSha256Mgf1;
154
+ case "X25519":
155
+ return SignatureAlgorithm.EckaDhSha256;
156
+ default:
157
+ throw new Error(`Key type ${type} is not supported by REST KMS`);
158
+ }
159
+ }, "mapKeyTypeToSignatureAlgorithm");
160
+ mapJoseAlgorithm = /* @__PURE__ */ __name((alg) => {
161
+ switch (alg) {
162
+ case "RS256":
163
+ return JoseSignatureAlgorithm.RS256;
164
+ case "RS384":
165
+ return JoseSignatureAlgorithm.RS384;
166
+ case "RS512":
167
+ return JoseSignatureAlgorithm.RS512;
168
+ case "ES256":
169
+ return JoseSignatureAlgorithm.ES256;
170
+ case "ES256K":
171
+ return JoseSignatureAlgorithm.ES256K;
172
+ case "ES384":
173
+ return JoseSignatureAlgorithm.ES384;
174
+ case "ES512":
175
+ return JoseSignatureAlgorithm.ES512;
176
+ case "EdDSA":
177
+ return JoseSignatureAlgorithm.EdDSA;
178
+ case "HS256":
179
+ return JoseSignatureAlgorithm.HS256;
180
+ case "HS384":
181
+ return JoseSignatureAlgorithm.HS384;
182
+ case "HS512":
183
+ return JoseSignatureAlgorithm.HS512;
184
+ case "PS256":
185
+ return JoseSignatureAlgorithm.PS256;
186
+ case "PS384":
187
+ return JoseSignatureAlgorithm.PS384;
188
+ case "PS512":
189
+ return JoseSignatureAlgorithm.PS512;
190
+ case "none":
191
+ return JoseSignatureAlgorithm.none;
192
+ default:
193
+ throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`);
194
+ }
195
+ }, "mapJoseAlgorithm");
196
+ mapKeyOperation = /* @__PURE__ */ __name((operation) => {
197
+ switch (operation) {
198
+ case "sign":
199
+ return KeyOperations.Sign;
200
+ case "verify":
201
+ return KeyOperations.Verify;
202
+ case "wrapKey":
203
+ return KeyOperations.WrapKey;
204
+ case "deriveKey":
205
+ return KeyOperations.DeriveKey;
206
+ case "unwrapKey":
207
+ return KeyOperations.UnwrapKey;
208
+ case "decrypt":
209
+ return KeyOperations.Decrypt;
210
+ case "deriveBits":
211
+ return KeyOperations.DeriveBits;
212
+ case "encrypt":
213
+ return KeyOperations.Encrypt;
214
+ default:
215
+ throw new Error(`Key operation ${operation} is not supported by REST KMS`);
216
+ }
217
+ }, "mapKeyOperation");
218
+ mapKeyOperations = /* @__PURE__ */ __name((operations) => {
219
+ return operations.map((operation) => this.mapKeyOperation(operation));
220
+ }, "mapKeyOperations");
221
+ mapImportRsaKey = /* @__PURE__ */ __name((args) => {
222
+ const x509 = args.meta?.x509;
223
+ const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes("---") ? args.privateKeyHex : hexToPEM(args.privateKeyHex, "private"));
224
+ const publicKeyJwk = PEMToJwk(privateKeyPEM, "public");
225
+ const privateKeyJwk = PEMToJwk(privateKeyPEM);
226
+ const publicKeyPEM = jwkToPEM(publicKeyJwk, "public");
227
+ const publicKeyHex = PEMToHex(publicKeyPEM);
228
+ const meta = {};
229
+ if (x509) {
230
+ meta.x509 = {
231
+ cn: x509.cn ?? args.kid ?? publicKeyHex
232
+ };
233
+ let certChain = x509.certificateChainPEM ?? "";
234
+ if (x509.certificatePEM) {
235
+ if (!certChain.includes(x509.certificatePEM)) {
236
+ certChain = `${x509.certificatePEM}
237
+ ${certChain}`;
238
+ }
239
+ }
240
+ if (certChain.length > 0) {
241
+ meta.x509.certificateChainPEM = certChain;
242
+ const x5c = pemCertChainTox5c(certChain);
243
+ if (!x509.certificateChainURL) {
244
+ publicKeyJwk.x5c = x5c;
245
+ }
246
+ meta.x509.x5c = x5c;
247
+ }
248
+ if (x509.certificateChainURL) {
249
+ publicKeyJwk.x5u = x509.certificateChainURL;
250
+ meta.x509.x5u = x509.certificateChainURL;
251
+ }
252
+ }
253
+ const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex;
254
+ return {
255
+ kid,
256
+ publicKeyJwk,
257
+ key: {
258
+ keyInfo: {
259
+ key: {
260
+ ...privateKeyJwk,
261
+ kid,
262
+ kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
263
+ use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
264
+ crv: CurveFromJSONTyped(privateKeyJwk.crv, false)
265
+ }
266
+ },
267
+ certChain: meta.x509.x5c
268
+ }
269
+ };
270
+ }, "mapImportRsaKey");
271
+ mapImportSecp256r1Key = /* @__PURE__ */ __name((args) => {
272
+ const { privateKeyHex } = args;
273
+ const privateBytes = fromString(privateKeyHex.toLowerCase(), "base16");
274
+ const secp256r1 = new elliptic.ec("p256");
275
+ const keyPair = secp256r1.keyFromPrivate(privateBytes, "hex");
276
+ const publicKeyHex = keyPair.getPublic(true, "hex");
277
+ const publicKeyJwk = toJwk(publicKeyHex, "Secp256r1");
278
+ const privateKeyJwk = toJwk(privateKeyHex, "Secp256r1", {
279
+ isPrivateKey: true
280
+ });
281
+ const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex;
282
+ return {
283
+ kid,
284
+ publicKeyJwk,
285
+ key: {
286
+ keyInfo: {
287
+ key: {
288
+ ...privateKeyJwk,
289
+ kid,
290
+ kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
291
+ use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
292
+ crv: CurveFromJSONTyped(privateKeyJwk.crv, false)
293
+ }
294
+ }
295
+ }
296
+ };
297
+ }, "mapImportSecp256r1Key");
298
+ mapImportX25519Key = /* @__PURE__ */ __name((args) => {
299
+ const { privateKeyHex } = args;
300
+ const privateKeyJwk = toJwk(privateKeyHex, "X25519", {
301
+ isPrivateKey: true
302
+ });
303
+ const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex);
304
+ const publicKeyJwk = toJwk(publicKeyHex, "X25519");
305
+ const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex;
306
+ return {
307
+ kid,
308
+ publicKeyJwk,
309
+ key: {
310
+ keyInfo: {
311
+ key: {
312
+ ...privateKeyJwk,
313
+ kid,
314
+ kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
315
+ use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
316
+ crv: CurveFromJSONTyped(privateKeyJwk.crv, false)
317
+ }
318
+ }
319
+ }
320
+ };
321
+ }, "mapImportX25519Key");
322
+ mapImportKey = /* @__PURE__ */ __name((args) => {
323
+ switch (args.type) {
324
+ case "RSA": {
325
+ return this.mapImportRsaKey(args);
326
+ }
327
+ case "Secp256r1": {
328
+ return this.mapImportSecp256r1Key(args);
329
+ }
330
+ case "X25519": {
331
+ return this.mapImportX25519Key(args);
332
+ }
333
+ default:
334
+ throw new Error(`Key type ${args.type} is not supported by REST KMS`);
335
+ }
336
+ }, "mapImportKey");
337
+ };
338
+ export {
339
+ RestKeyManagementSystem
340
+ };
341
+ //# sourceMappingURL=index.js.map
package/dist/index.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.kid,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.kid,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;AACA,SAASA,mCAAmC;AAC5C,SACEC,wBACAC,OACAC,qCAEK;AACP,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SACEC,UACAC,UACAC,mBACAC,UACAC,gBACK;AACP,SAASC,8BAAwC;AACjD,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQK;QACnBI,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,eAAeC,uBAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUZ;QACjBI,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,eAAeC,uBAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,WAAOC,4BAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,uBAAuBC;MAC5C,KAAK;AAAS,eAAOD,uBAAuBE;MAC5C,KAAK;AAAS,eAAOF,uBAAuBG;MAC5C,KAAK;AAAS,eAAOH,uBAAuBI;MAC5C,KAAK;AAAU,eAAOJ,uBAAuBK;MAC7C,KAAK;AAAS,eAAOL,uBAAuBM;MAC5C,KAAK;AAAS,eAAON,uBAAuBO;MAC5C,KAAK;AAAS,eAAOP,uBAAuBQ;MAC5C,KAAK;AAAS,eAAOR,uBAAuBS;MAC5C,KAAK;AAAS,eAAOT,uBAAuBU;MAC5C,KAAK;AAAS,eAAOV,uBAAuBW;MAC5C,KAAK;AAAS,eAAOX,uBAAuBY;MAC5C,KAAK;AAAS,eAAOZ,uBAAuBa;MAC5C,KAAK;AAAS,eAAOb,uBAAuBc;MAC5C,KAAK;AAAS,eAAOd,uBAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAc+E;MACvB,KAAK;AACH,eAAO/E,cAAcgF;MACvB,KAAK;AACH,eAAOhF,cAAciF;MACvB,KAAK;AACH,eAAOjF,cAAckF;MACvB,KAAK;AACH,eAAOlF,cAAcmF;MACvB,KAAK;AACH,eAAOnF,cAAcoF;MACvB,KAAK;AACH,eAAOpF,cAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,gBACLE,SAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,eAAekE,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASrE,cAAc,QAAA;AAC5C,UAAMR,eAAe8E,SAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,eAAe6F,MAAMrG,cAAc,WAAA;AACzC,UAAM2E,gBAAgB0B,MAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,gBAAgB0B,MAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,eAAewG,8BAA8BjC,aAAAA;AACnD,UAAM/D,eAAe6F,MAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["AbstractKeyManagementSystem","calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","JoseSignatureAlgorithm","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/package.json ADDED
@@ -0,0 +1,58 @@
1
+ {
2
+ "name": "@sphereon/ssi-sdk.kms-rest",
3
+ "description": "Sphereon SSI-SDK plugin for REST Key Management System.",
4
+ "version": "0.34.1-feature.IDK.11.294+fa47cf87",
5
+ "source": "./src/index.ts",
6
+ "type": "module",
7
+ "main": "./dist/index.cjs",
8
+ "module": "./dist/index.js",
9
+ "types": "./dist/index.d.ts",
10
+ "exports": {
11
+ "react-native": "./dist/index.js",
12
+ "import": {
13
+ "types": "./dist/index.d.ts",
14
+ "import": "./dist/index.js"
15
+ },
16
+ "require": {
17
+ "types": "./dist/index.d.cts",
18
+ "require": "./dist/index.cjs"
19
+ }
20
+ },
21
+ "scripts": {
22
+ "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
23
+ },
24
+ "dependencies": {
25
+ "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.IDK.11.294+fa47cf87",
26
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.IDK.11.294+fa47cf87",
27
+ "@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.IDK.11.294+fa47cf87",
28
+ "@sphereon/ssi-types": "0.34.1-feature.IDK.11.294+fa47cf87",
29
+ "@veramo/core": "4.2.0",
30
+ "@veramo/key-manager": "4.2.0",
31
+ "elliptic": "^6.5.4",
32
+ "uint8arrays": "3.1.1"
33
+ },
34
+ "devDependencies": {
35
+ "@types/elliptic": "6.4.14",
36
+ "@types/text-encoding": "0.0.39",
37
+ "nock": "^13.5.4"
38
+ },
39
+ "files": [
40
+ "dist",
41
+ "src",
42
+ "README.md",
43
+ "LICENSE"
44
+ ],
45
+ "private": false,
46
+ "publishConfig": {
47
+ "access": "public"
48
+ },
49
+ "repository": "git@github.com:Sphereon-OpenSource/SSI-SDK-crypto-extensions.git",
50
+ "author": "Sphereon <dev@sphereon.com>",
51
+ "license": "Apache-2.0",
52
+ "keywords": [
53
+ "REST",
54
+ "key-management",
55
+ "Veramo"
56
+ ],
57
+ "gitHead": "fa47cf87103acee63b27b628daa96d956c2fd3e8"
58
+ }