@sphereon/ssi-sdk.kms-rest 0.34.1-feature.IDK.11.54 → 0.34.1-feature.SSISDK.44.finish.dcql.309

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/index.cjs +81 -11
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +6 -3
  4. package/dist/index.d.ts +6 -3
  5. package/dist/index.js +81 -11
  6. package/dist/index.js.map +1 -1
  7. package/package.json +6 -6
  8. package/src/RestKeyManagementSystem.ts +149 -70
package/dist/index.cjs CHANGED
@@ -36,11 +36,11 @@ __export(index_exports, {
36
36
  module.exports = __toCommonJS(index_exports);
37
37
 
38
38
  // src/RestKeyManagementSystem.ts
39
- var import_key_manager = require("@veramo/key-manager");
40
39
  var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.key-utils");
41
- var import_ssi_sdk = require("@sphereon/ssi-sdk.kms-rest-client");
42
40
  var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.x509-utils");
41
+ var import_ssi_sdk = require("@sphereon/ssi-sdk.kms-rest-client");
43
42
  var import_ssi_types = require("@sphereon/ssi-types");
43
+ var import_key_manager = require("@veramo/key-manager");
44
44
  var import_elliptic = __toESM(require("elliptic"), 1);
45
45
  var u8a = __toESM(require("uint8arrays"), 1);
46
46
  var { fromString, toString } = u8a;
@@ -50,6 +50,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
50
50
  }
51
51
  client;
52
52
  id;
53
+ providerId;
53
54
  constructor(options) {
54
55
  super();
55
56
  const config = {
@@ -57,6 +58,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
57
58
  authOpts: options.authOpts
58
59
  };
59
60
  this.id = options.applicationId;
61
+ this.providerId = options.providerId;
60
62
  this.client = new import_ssi_sdk.KmsRestClient(config);
61
63
  }
62
64
  async createKey(args) {
@@ -69,7 +71,10 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
69
71
  import_ssi_sdk.KeyOperations.Sign
70
72
  ]
71
73
  };
72
- const key = await this.client.methods.kmsClientGenerateKey(options);
74
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
75
+ ...options,
76
+ providerId: this.providerId
77
+ }) : await this.client.methods.kmsClientGenerateKey(options);
73
78
  const jwk = {
74
79
  ...key.keyPair.jose.publicJwk,
75
80
  alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
@@ -83,7 +88,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
83
88
  kms: this.id,
84
89
  type,
85
90
  meta: {
86
- alias: key.keyPair.kid,
91
+ alias: key.keyPair.alias,
87
92
  algorithms: [
88
93
  key.keyPair.jose.publicJwk.alg ?? "PS256"
89
94
  ],
@@ -99,13 +104,16 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
99
104
  const { type } = args;
100
105
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
101
106
  const importKey = this.mapImportKey(args);
102
- const result = await this.client.methods.kmsClientStoreKey(importKey.key);
107
+ const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
108
+ ...importKey.key,
109
+ providerId: this.providerId
110
+ }) : await this.client.methods.kmsClientStoreKey(importKey.key);
103
111
  return {
104
112
  kid: importKey.kid,
105
113
  kms: this.id,
106
114
  type,
107
115
  meta: {
108
- alias: importKey.kid,
116
+ alias: importKey.key.keyInfo.alias,
109
117
  algorithms: [
110
118
  result.keyInfo.key.alg ?? "PS256"
111
119
  ],
@@ -119,17 +127,76 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
119
127
  }
120
128
  async deleteKey(args) {
121
129
  const { kid } = args;
122
- return await this.client.methods.kmsClientDeleteKey({
130
+ return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
131
+ aliasOrKid: kid,
132
+ providerId: this.providerId
133
+ }) : await this.client.methods.kmsClientDeleteKey({
123
134
  aliasOrKid: kid
124
135
  });
125
136
  }
126
137
  async listKeys() {
127
- const keys = await this.client.methods.kmsClientListKeys();
128
- return (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
138
+ const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
139
+ providerId: this.providerId
140
+ }) : await this.client.methods.kmsClientListKeys();
141
+ const restKeys = (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
142
+ return restKeys.map((restKey) => {
143
+ const jwk = restKey.key;
144
+ let publicKeyHex = "";
145
+ if (jwk.kty === "EC") {
146
+ publicKeyHex = jwk.x || "";
147
+ } else if (jwk.kty === "RSA") {
148
+ publicKeyHex = jwk.n || "";
149
+ } else if (jwk.kty === "OKP") {
150
+ publicKeyHex = jwk.x || "";
151
+ }
152
+ const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
153
+ return {
154
+ kid: restKey.kid || restKey.alias,
155
+ kms: this.id,
156
+ type: keyType,
157
+ publicKeyHex,
158
+ meta: {
159
+ algorithms: restKey.signatureAlgorithm ? [
160
+ restKey.signatureAlgorithm
161
+ ] : void 0,
162
+ jwk,
163
+ jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
164
+ jwk,
165
+ digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : "sha256"
166
+ }),
167
+ alias: restKey.alias,
168
+ providerId: restKey.providerId,
169
+ x5c: restKey.x5c,
170
+ keyVisibility: restKey.keyVisibility,
171
+ keyEncoding: restKey.keyEncoding,
172
+ ...restKey.opts
173
+ }
174
+ };
175
+ });
176
+ }
177
+ mapRestKeyTypeToTKeyType(keyType) {
178
+ switch (keyType) {
179
+ case "RSA":
180
+ return "RSA";
181
+ case "EC":
182
+ case "P256":
183
+ return "Secp256r1";
184
+ case "X25519":
185
+ return "X25519";
186
+ case "Ed25519":
187
+ return "Ed25519";
188
+ case "secp256k1":
189
+ return "Secp256k1";
190
+ default:
191
+ throw new Error(`Unknown key type: ${keyType}`);
192
+ }
129
193
  }
130
194
  async sign(args) {
131
195
  const { keyRef, data } = args;
132
- const key = await this.client.methods.kmsClientGetKey({
196
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
197
+ aliasOrKid: keyRef.kid,
198
+ providerId: this.providerId
199
+ }) : await this.client.methods.kmsClientGetKey({
133
200
  aliasOrKid: keyRef.kid
134
201
  });
135
202
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
@@ -140,7 +207,10 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
140
207
  }
141
208
  async verify(args) {
142
209
  const { keyRef, data, signature } = args;
143
- const key = await this.client.methods.kmsClientGetKey({
210
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
211
+ aliasOrKid: keyRef.kid,
212
+ providerId: this.providerId
213
+ }) : await this.client.methods.kmsClientGetKey({
144
214
  aliasOrKid: keyRef.kid
145
215
  });
146
216
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.kid,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.kid,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACCA,yBAA4C;AAC5C,yBAKO;AACP,qBAWO;AACP,IAAAA,sBAMO;AACP,uBAAiD;AACjD,sBAAqB;AAErB,UAAqB;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQK;QACnBI,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,mBAAeC,2CAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUZ;QACjBI,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,mBAAeC,2CAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,eAAOC,4CAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,wCAAuBC;MAC5C,KAAK;AAAS,eAAOD,wCAAuBE;MAC5C,KAAK;AAAS,eAAOF,wCAAuBG;MAC5C,KAAK;AAAS,eAAOH,wCAAuBI;MAC5C,KAAK;AAAU,eAAOJ,wCAAuBK;MAC7C,KAAK;AAAS,eAAOL,wCAAuBM;MAC5C,KAAK;AAAS,eAAON,wCAAuBO;MAC5C,KAAK;AAAS,eAAOP,wCAAuBQ;MAC5C,KAAK;AAAS,eAAOR,wCAAuBS;MAC5C,KAAK;AAAS,eAAOT,wCAAuBU;MAC5C,KAAK;AAAS,eAAOV,wCAAuBW;MAC5C,KAAK;AAAS,eAAOX,wCAAuBY;MAC5C,KAAK;AAAS,eAAOZ,wCAAuBa;MAC5C,KAAK;AAAS,eAAOb,wCAAuBc;MAC5C,KAAK;AAAS,eAAOd,wCAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAc+E;MACvB,KAAK;AACH,eAAO/E,6BAAcgF;MACvB,KAAK;AACH,eAAOhF,6BAAciF;MACvB,KAAK;AACH,eAAOjF,6BAAckF;MACvB,KAAK;AACH,eAAOlF,6BAAcmF;MACvB,KAAK;AACH,eAAOnF,6BAAcoF;MACvB,KAAK;AACH,eAAOpF,6BAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,oBACLE,8BAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,mBAAekE,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASrE,cAAc,QAAA;AAC5C,UAAMR,mBAAe8E,8BAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,mBAAe6F,0BAAMrG,cAAc,WAAA;AACzC,UAAM2E,oBAAgB0B,0BAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,oBAAgB0B,0BAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,mBAAewG,kDAA8BjC,aAAAA;AACnD,UAAM/D,mBAAe6F,0BAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAA4F;AAC5F,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAhC7C,OAgC6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;IAC/F;AAEA,UAAMC,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQC,6BAA6B;MACrD,GAAGxB;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQE,qBAAqBzB,OAAAA;AAEnD,UAAM0B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBZ,KAAKK,IAAIK,QAAQC,KAAKC,UAAUZ,MAAM,KAAKa,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUZ,GAAG,IAAIc;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOb,IAAIK,QAAQQ;QACnBC,YAAY;UAACd,IAAIK,QAAQC,KAAKC,UAAUZ,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKrB,IAAIK,QAAQC,KAAKC,UAAUpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMmD,UAAUrC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMoC,YAAY,KAAKC,aAAatC,IAAAA;AAEpC,UAAMuC,SAAS,KAAK/C,aAChB,MAAM,KAAKF,OAAO0B,QAAQwB,0BAA0B;MAClD,GAAGH,UAAUtB;MACbvB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQyB,kBAAkBJ,UAAUtB,GAAG;AAE7D,WAAO;MACLU,KAAKY,UAAUZ;MACfE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOS,UAAUtB,IAAI2B,QAAQd;QAC7BC,YAAY;UAACU,OAAOG,QAAQ3B,IAAIL,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCZ,KAAKkB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ3B,IAAI7B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM0D,UAAU5C,MAAuC;AACrD,UAAM,EAAEyB,IAAG,IAAKzB;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO0B,QAAQ6B,2BAA2B;MACnDC,YAAYrB;MACZjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ+B,mBAAmB;MAAED,YAAYrB;IAAI,CAAA;EACrE;EAEA,MAAMuB,WAAsC;AAC1C,UAAMC,OAAO,KAAKzD,aACd,MAAM,KAAKF,OAAO0B,QAAQkC,0BAA0B;MAAE1D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO0B,QAAQmC,kBAAiB;AAE/C,UAAMC,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMrC,MAAMqC,QAAQzC;AACpB,UAAImB,eAAe;AAGnB,UAAIf,IAAIsC,QAAQ,MAAM;AACpBvB,uBAAef,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIsC,QAAQ,OAAO;AAC5BvB,uBAAef,IAAIwC,KAAK;MAC1B,WAAWxC,IAAIsC,QAAQ,OAAO;AAC5BvB,uBAAef,IAAIuC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLnC,KAAK+B,QAAQ/B,OAAO+B,QAAQ5B;QAC5BD,KAAK,KAAKpC;QACVU,MAAM2D;QACN1B;QACAhC,MAAM;UACJ2B,YAAY2B,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBqB;UACxEL;UACAW,mBAAeC,2CAAuB;YACpCZ;YACAa,iBAAiBwB,QAAQrD,qBAAqB,KAAK8B,oCAAoCuB,QAAQrD,kBAAkB,IAAI;UACvH,CAAA;UACAyB,OAAO4B,QAAQ5B;UACfpC,YAAYgE,QAAQhE;UACpBsE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIlC,MAAM,qBAAqBkC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKlE,MAAiC;AAC1C,UAAM,EAAEmE,QAAQC,KAAI,IAAKpE;AACzB,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQqD,wBAAwB;MAChDvB,YAAYqB,OAAO1C;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQsD,gBAAgB;MAAExB,YAAYqB,OAAO1C;IAAI,CAAA;AAEvE,UAAM8C,gBAAgB,MAAM,KAAKjF,OAAO0B,QAAQwD,4BAA4B;MAC1E9B,SAAS3B,IAAI2B;MACb+B,OAAOvF,SAASkF,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO3E,MAAoC;AAC/C,UAAM,EAAEmE,QAAQC,MAAMM,UAAS,IAAK1E;AACpC,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQqD,wBAAwB;MAChDvB,YAAYqB,OAAO1C;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQsD,gBAAgB;MAAExB,YAAYqB,OAAO1C;IAAI,CAAA;AAEvE,UAAMmD,eAAe,MAAM,KAAKtF,OAAO0B,QAAQ6D,6BAA6B;MAC1EnC,SAAS3B,IAAI2B;MACb+B,OAAOvF,SAASkF,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa/E,MAAyC;AAC1D,UAAM,IAAI0B,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC9B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK6E,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9D,MAAM,uBAAuBvB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACmF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOjF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOkF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdrF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO+E,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIzD,MAAM,YAAYzB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCsB,mBAAmB,wBAACb,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOiF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAIhF,MAAM,uBAAuBhB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBiG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO/F,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcgG;MACvB,KAAK;AACH,eAAOhG,6BAAciG;MACvB,KAAK;AACH,eAAOjG,6BAAckG;MACvB,KAAK;AACH,eAAOlG,6BAAcmG;MACvB,KAAK;AACH,eAAOnG,6BAAcoG;MACvB,KAAK;AACH,eAAOpG,6BAAcqG;MACvB,KAAK;AACH,eAAOrG,6BAAcsG;MACvB;AACE,cAAM,IAAIzF,MAAM,iBAAiBkF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBhG,mBAAmB,wBAACwG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACrH,SAAAA;AACzB,UAAMsH,OAAOtH,KAAKE,MAAMoH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvH,KAAKwH,cAAcC,SAAS,KAAA,IAASzH,KAAKwH,oBAAgBE,8BAAS1H,KAAKwH,eAAe,SAAA;AACrI,UAAM7E,mBAAegF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASnF,cAAc,QAAA;AAC5C,UAAMT,mBAAe6F,8BAASF,YAAAA;AAE9B,UAAM3H,OAAO,CAAC;AACd,QAAIoH,MAAM;AACRpH,WAAKoH,OAAO;QACVU,IAAIV,KAAKU,MAAMhI,KAAKyB,OAAOS;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlI,aAAKoH,KAAKY,sBAAsBD;AAChC,cAAMnE,UAAMuE,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA5D,aAAKoH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBpI,aAAKoH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM7G,MAAMzB,KAAKyB,OAAOvB,MAAMoH,MAAMU,MAAM9F;AAC1C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,SAAKoI,oCAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAW/H,KAAKoH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC5I,SAAAA;AAC/B,UAAM,EAAEwH,cAAa,IAAKxH;AAC1B,UAAM6I,eAAe5J,WAAWuI,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAM7H,UAAU2H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAed,QAAQ+H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,mBAAeyG,0BAAMlH,cAAc,WAAA;AACzC,UAAM0F,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM5H,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,SAAKoI,oCAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACtJ,SAAAA;AAC5B,UAAM,EAAEwH,cAAa,IAAKxH;AAC1B,UAAM4H,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,mBAAeqH,kDAA8B/B,aAAAA;AACnD,UAAM7E,mBAAeyG,0BAAMlH,cAAc,QAAA;AACzC,UAAMT,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,SAAKoI,oCAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACtC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoH,gBAAgBrH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK4I,sBAAsB5I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKsJ,mBAAmBtJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI0B,MAAM,YAAY1B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/dist/index.d.cts CHANGED
@@ -1,6 +1,6 @@
1
+ import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
1
2
  import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
2
3
  import { AbstractKeyManagementSystem } from '@veramo/key-manager';
3
- import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
4
4
  import { JWK } from '@sphereon/ssi-types';
5
5
 
6
6
  type KeyMetadata = {
@@ -44,19 +44,22 @@ type MappedImportKey = {
44
44
  publicKeyJwk: JWK;
45
45
  };
46
46
 
47
- interface AbstractKeyManagementSystemOptions {
47
+ interface KeyManagementSystemOptions {
48
48
  applicationId: string;
49
49
  baseUrl: string;
50
+ providerId?: string;
50
51
  authOpts?: RestClientAuthenticationOpts;
51
52
  }
52
53
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
53
54
  private client;
54
55
  private readonly id;
55
- constructor(options: AbstractKeyManagementSystemOptions);
56
+ private providerId;
57
+ constructor(options: KeyManagementSystemOptions);
56
58
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
57
59
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
58
60
  deleteKey(args: DeleteKeyArgs): Promise<boolean>;
59
61
  listKeys(): Promise<ManagedKeyInfo[]>;
62
+ private mapRestKeyTypeToTKeyType;
60
63
  sign(args: SignArgs): Promise<string>;
61
64
  verify(args: VerifyArgs): Promise<boolean>;
62
65
  sharedSecret(args: SharedSecretArgs): Promise<string>;
package/dist/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
+ import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
1
2
  import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
2
3
  import { AbstractKeyManagementSystem } from '@veramo/key-manager';
3
- import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
4
4
  import { JWK } from '@sphereon/ssi-types';
5
5
 
6
6
  type KeyMetadata = {
@@ -44,19 +44,22 @@ type MappedImportKey = {
44
44
  publicKeyJwk: JWK;
45
45
  };
46
46
 
47
- interface AbstractKeyManagementSystemOptions {
47
+ interface KeyManagementSystemOptions {
48
48
  applicationId: string;
49
49
  baseUrl: string;
50
+ providerId?: string;
50
51
  authOpts?: RestClientAuthenticationOpts;
51
52
  }
52
53
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
53
54
  private client;
54
55
  private readonly id;
55
- constructor(options: AbstractKeyManagementSystemOptions);
56
+ private providerId;
57
+ constructor(options: KeyManagementSystemOptions);
56
58
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
57
59
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
58
60
  deleteKey(args: DeleteKeyArgs): Promise<boolean>;
59
61
  listKeys(): Promise<ManagedKeyInfo[]>;
62
+ private mapRestKeyTypeToTKeyType;
60
63
  sign(args: SignArgs): Promise<string>;
61
64
  verify(args: VerifyArgs): Promise<boolean>;
62
65
  sharedSecret(args: SharedSecretArgs): Promise<string>;
package/dist/index.js CHANGED
@@ -2,11 +2,11 @@ var __defProp = Object.defineProperty;
2
2
  var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
3
3
 
4
4
  // src/RestKeyManagementSystem.ts
5
- import { AbstractKeyManagementSystem } from "@veramo/key-manager";
6
5
  import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
7
- import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
8
6
  import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
7
+ import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
9
8
  import { JoseSignatureAlgorithm } from "@sphereon/ssi-types";
9
+ import { AbstractKeyManagementSystem } from "@veramo/key-manager";
10
10
  import elliptic from "elliptic";
11
11
  import * as u8a from "uint8arrays";
12
12
  var { fromString, toString } = u8a;
@@ -16,6 +16,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
16
16
  }
17
17
  client;
18
18
  id;
19
+ providerId;
19
20
  constructor(options) {
20
21
  super();
21
22
  const config = {
@@ -23,6 +24,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
23
24
  authOpts: options.authOpts
24
25
  };
25
26
  this.id = options.applicationId;
27
+ this.providerId = options.providerId;
26
28
  this.client = new KmsRestClient(config);
27
29
  }
28
30
  async createKey(args) {
@@ -35,7 +37,10 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
35
37
  KeyOperations.Sign
36
38
  ]
37
39
  };
38
- const key = await this.client.methods.kmsClientGenerateKey(options);
40
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
41
+ ...options,
42
+ providerId: this.providerId
43
+ }) : await this.client.methods.kmsClientGenerateKey(options);
39
44
  const jwk = {
40
45
  ...key.keyPair.jose.publicJwk,
41
46
  alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
@@ -49,7 +54,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
49
54
  kms: this.id,
50
55
  type,
51
56
  meta: {
52
- alias: key.keyPair.kid,
57
+ alias: key.keyPair.alias,
53
58
  algorithms: [
54
59
  key.keyPair.jose.publicJwk.alg ?? "PS256"
55
60
  ],
@@ -65,13 +70,16 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
65
70
  const { type } = args;
66
71
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
67
72
  const importKey = this.mapImportKey(args);
68
- const result = await this.client.methods.kmsClientStoreKey(importKey.key);
73
+ const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
74
+ ...importKey.key,
75
+ providerId: this.providerId
76
+ }) : await this.client.methods.kmsClientStoreKey(importKey.key);
69
77
  return {
70
78
  kid: importKey.kid,
71
79
  kms: this.id,
72
80
  type,
73
81
  meta: {
74
- alias: importKey.kid,
82
+ alias: importKey.key.keyInfo.alias,
75
83
  algorithms: [
76
84
  result.keyInfo.key.alg ?? "PS256"
77
85
  ],
@@ -85,17 +93,76 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
85
93
  }
86
94
  async deleteKey(args) {
87
95
  const { kid } = args;
88
- return await this.client.methods.kmsClientDeleteKey({
96
+ return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
97
+ aliasOrKid: kid,
98
+ providerId: this.providerId
99
+ }) : await this.client.methods.kmsClientDeleteKey({
89
100
  aliasOrKid: kid
90
101
  });
91
102
  }
92
103
  async listKeys() {
93
- const keys = await this.client.methods.kmsClientListKeys();
94
- return ListKeysResponseToJSONTyped(keys, false).keyInfos;
104
+ const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
105
+ providerId: this.providerId
106
+ }) : await this.client.methods.kmsClientListKeys();
107
+ const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos;
108
+ return restKeys.map((restKey) => {
109
+ const jwk = restKey.key;
110
+ let publicKeyHex = "";
111
+ if (jwk.kty === "EC") {
112
+ publicKeyHex = jwk.x || "";
113
+ } else if (jwk.kty === "RSA") {
114
+ publicKeyHex = jwk.n || "";
115
+ } else if (jwk.kty === "OKP") {
116
+ publicKeyHex = jwk.x || "";
117
+ }
118
+ const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
119
+ return {
120
+ kid: restKey.kid || restKey.alias,
121
+ kms: this.id,
122
+ type: keyType,
123
+ publicKeyHex,
124
+ meta: {
125
+ algorithms: restKey.signatureAlgorithm ? [
126
+ restKey.signatureAlgorithm
127
+ ] : void 0,
128
+ jwk,
129
+ jwkThumbprint: calculateJwkThumbprint({
130
+ jwk,
131
+ digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : "sha256"
132
+ }),
133
+ alias: restKey.alias,
134
+ providerId: restKey.providerId,
135
+ x5c: restKey.x5c,
136
+ keyVisibility: restKey.keyVisibility,
137
+ keyEncoding: restKey.keyEncoding,
138
+ ...restKey.opts
139
+ }
140
+ };
141
+ });
142
+ }
143
+ mapRestKeyTypeToTKeyType(keyType) {
144
+ switch (keyType) {
145
+ case "RSA":
146
+ return "RSA";
147
+ case "EC":
148
+ case "P256":
149
+ return "Secp256r1";
150
+ case "X25519":
151
+ return "X25519";
152
+ case "Ed25519":
153
+ return "Ed25519";
154
+ case "secp256k1":
155
+ return "Secp256k1";
156
+ default:
157
+ throw new Error(`Unknown key type: ${keyType}`);
158
+ }
95
159
  }
96
160
  async sign(args) {
97
161
  const { keyRef, data } = args;
98
- const key = await this.client.methods.kmsClientGetKey({
162
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
163
+ aliasOrKid: keyRef.kid,
164
+ providerId: this.providerId
165
+ }) : await this.client.methods.kmsClientGetKey({
99
166
  aliasOrKid: keyRef.kid
100
167
  });
101
168
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
@@ -106,7 +173,10 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
106
173
  }
107
174
  async verify(args) {
108
175
  const { keyRef, data, signature } = args;
109
- const key = await this.client.methods.kmsClientGetKey({
176
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
177
+ aliasOrKid: keyRef.kid,
178
+ providerId: this.providerId
179
+ }) : await this.client.methods.kmsClientGetKey({
110
180
  aliasOrKid: keyRef.kid
111
181
  });
112
182
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.kid,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.kid,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;AACA,SAASA,mCAAmC;AAC5C,SACEC,wBACAC,OACAC,qCAEK;AACP,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SACEC,UACAC,UACAC,mBACAC,UACAC,gBACK;AACP,SAASC,8BAAwC;AACjD,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQK;QACnBI,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,eAAeC,uBAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUZ;QACjBI,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,eAAeC,uBAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,WAAOC,4BAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,uBAAuBC;MAC5C,KAAK;AAAS,eAAOD,uBAAuBE;MAC5C,KAAK;AAAS,eAAOF,uBAAuBG;MAC5C,KAAK;AAAS,eAAOH,uBAAuBI;MAC5C,KAAK;AAAU,eAAOJ,uBAAuBK;MAC7C,KAAK;AAAS,eAAOL,uBAAuBM;MAC5C,KAAK;AAAS,eAAON,uBAAuBO;MAC5C,KAAK;AAAS,eAAOP,uBAAuBQ;MAC5C,KAAK;AAAS,eAAOR,uBAAuBS;MAC5C,KAAK;AAAS,eAAOT,uBAAuBU;MAC5C,KAAK;AAAS,eAAOV,uBAAuBW;MAC5C,KAAK;AAAS,eAAOX,uBAAuBY;MAC5C,KAAK;AAAS,eAAOZ,uBAAuBa;MAC5C,KAAK;AAAS,eAAOb,uBAAuBc;MAC5C,KAAK;AAAS,eAAOd,uBAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAc+E;MACvB,KAAK;AACH,eAAO/E,cAAcgF;MACvB,KAAK;AACH,eAAOhF,cAAciF;MACvB,KAAK;AACH,eAAOjF,cAAckF;MACvB,KAAK;AACH,eAAOlF,cAAcmF;MACvB,KAAK;AACH,eAAOnF,cAAcoF;MACvB,KAAK;AACH,eAAOpF,cAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,gBACLE,SAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,eAAekE,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASrE,cAAc,QAAA;AAC5C,UAAMR,eAAe8E,SAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,eAAe6F,MAAMrG,cAAc,WAAA;AACzC,UAAM2E,gBAAgB0B,MAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,gBAAgB0B,MAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,eAAewG,8BAA8BjC,aAAAA;AACnD,UAAM/D,eAAe6F,MAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["AbstractKeyManagementSystem","calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","JoseSignatureAlgorithm","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,OAAOC,qCAAoD;AAC5F,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAhC7C,OAgC6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;IAC/F;AAEA,UAAMC,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQC,6BAA6B;MACrD,GAAGxB;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQE,qBAAqBzB,OAAAA;AAEnD,UAAM0B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBZ,KAAKK,IAAIK,QAAQC,KAAKC,UAAUZ,MAAM,KAAKa,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUZ,GAAG,IAAIc;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOb,IAAIK,QAAQQ;QACnBC,YAAY;UAACd,IAAIK,QAAQC,KAAKC,UAAUZ,OAAO;;QAC/CoB,eAAeC,uBAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKrB,IAAIK,QAAQC,KAAKC,UAAUpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMmD,UAAUrC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMoC,YAAY,KAAKC,aAAatC,IAAAA;AAEpC,UAAMuC,SAAS,KAAK/C,aAChB,MAAM,KAAKF,OAAO0B,QAAQwB,0BAA0B;MAClD,GAAGH,UAAUtB;MACbvB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQyB,kBAAkBJ,UAAUtB,GAAG;AAE7D,WAAO;MACLU,KAAKY,UAAUZ;MACfE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOS,UAAUtB,IAAI2B,QAAQd;QAC7BC,YAAY;UAACU,OAAOG,QAAQ3B,IAAIL,OAAO;;QACvCoB,eAAeC,uBAAuB;UACpCZ,KAAKkB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ3B,IAAI7B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM0D,UAAU5C,MAAuC;AACrD,UAAM,EAAEyB,IAAG,IAAKzB;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO0B,QAAQ6B,2BAA2B;MACnDC,YAAYrB;MACZjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ+B,mBAAmB;MAAED,YAAYrB;IAAI,CAAA;EACrE;EAEA,MAAMuB,WAAsC;AAC1C,UAAMC,OAAO,KAAKzD,aACd,MAAM,KAAKF,OAAO0B,QAAQkC,0BAA0B;MAAE1D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO0B,QAAQmC,kBAAiB;AAE/C,UAAMC,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMrC,MAAMqC,QAAQzC;AACpB,UAAImB,eAAe;AAGnB,UAAIf,IAAIsC,QAAQ,MAAM;AACpBvB,uBAAef,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIsC,QAAQ,OAAO;AAC5BvB,uBAAef,IAAIwC,KAAK;MAC1B,WAAWxC,IAAIsC,QAAQ,OAAO;AAC5BvB,uBAAef,IAAIuC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLnC,KAAK+B,QAAQ/B,OAAO+B,QAAQ5B;QAC5BD,KAAK,KAAKpC;QACVU,MAAM2D;QACN1B;QACAhC,MAAM;UACJ2B,YAAY2B,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBqB;UACxEL;UACAW,eAAeC,uBAAuB;YACpCZ;YACAa,iBAAiBwB,QAAQrD,qBAAqB,KAAK8B,oCAAoCuB,QAAQrD,kBAAkB,IAAI;UACvH,CAAA;UACAyB,OAAO4B,QAAQ5B;UACfpC,YAAYgE,QAAQhE;UACpBsE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIlC,MAAM,qBAAqBkC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKlE,MAAiC;AAC1C,UAAM,EAAEmE,QAAQC,KAAI,IAAKpE;AACzB,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQqD,wBAAwB;MAChDvB,YAAYqB,OAAO1C;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQsD,gBAAgB;MAAExB,YAAYqB,OAAO1C;IAAI,CAAA;AAEvE,UAAM8C,gBAAgB,MAAM,KAAKjF,OAAO0B,QAAQwD,4BAA4B;MAC1E9B,SAAS3B,IAAI2B;MACb+B,OAAOvF,SAASkF,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO3E,MAAoC;AAC/C,UAAM,EAAEmE,QAAQC,MAAMM,UAAS,IAAK1E;AACpC,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQqD,wBAAwB;MAChDvB,YAAYqB,OAAO1C;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQsD,gBAAgB;MAAExB,YAAYqB,OAAO1C;IAAI,CAAA;AAEvE,UAAMmD,eAAe,MAAM,KAAKtF,OAAO0B,QAAQ6D,6BAA6B;MAC1EnC,SAAS3B,IAAI2B;MACb+B,OAAOvF,SAASkF,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa/E,MAAyC;AAC1D,UAAM,IAAI0B,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC9B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK6E,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9D,MAAM,uBAAuBvB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACmF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOjF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOkF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdrF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO+E,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIzD,MAAM,YAAYzB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCsB,mBAAmB,wBAACb,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOiF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAIhF,MAAM,uBAAuBhB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBiG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO/F,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcgG;MACvB,KAAK;AACH,eAAOhG,cAAciG;MACvB,KAAK;AACH,eAAOjG,cAAckG;MACvB,KAAK;AACH,eAAOlG,cAAcmG;MACvB,KAAK;AACH,eAAOnG,cAAcoG;MACvB,KAAK;AACH,eAAOpG,cAAcqG;MACvB,KAAK;AACH,eAAOrG,cAAcsG;MACvB;AACE,cAAM,IAAIzF,MAAM,iBAAiBkF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBhG,mBAAmB,wBAACwG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACrH,SAAAA;AACzB,UAAMsH,OAAOtH,KAAKE,MAAMoH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvH,KAAKwH,cAAcC,SAAS,KAAA,IAASzH,KAAKwH,gBAAgBE,SAAS1H,KAAKwH,eAAe,SAAA;AACrI,UAAM7E,eAAegF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASnF,cAAc,QAAA;AAC5C,UAAMT,eAAe6F,SAASF,YAAAA;AAE9B,UAAM3H,OAAO,CAAC;AACd,QAAIoH,MAAM;AACRpH,WAAKoH,OAAO;QACVU,IAAIV,KAAKU,MAAMhI,KAAKyB,OAAOS;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlI,aAAKoH,KAAKY,sBAAsBD;AAChC,cAAMnE,MAAMuE,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA5D,aAAKoH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBpI,aAAKoH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM7G,MAAMzB,KAAKyB,OAAOvB,MAAMoH,MAAMU,MAAM9F;AAC1C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,KAAKoI,oBAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAW/H,KAAKoH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC5I,SAAAA;AAC/B,UAAM,EAAEwH,cAAa,IAAKxH;AAC1B,UAAM6I,eAAe5J,WAAWuI,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAM7H,UAAU2H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAed,QAAQ+H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,eAAeyG,MAAMlH,cAAc,WAAA;AACzC,UAAM0F,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM5H,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,KAAKoI,oBAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACtJ,SAAAA;AAC5B,UAAM,EAAEwH,cAAa,IAAKxH;AAC1B,UAAM4H,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,eAAeqH,8BAA8B/B,aAAAA;AACnD,UAAM7E,eAAeyG,MAAMlH,cAAc,QAAA;AACzC,UAAMT,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,KAAKoI,oBAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACtC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoH,gBAAgBrH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK4I,sBAAsB5I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKsJ,mBAAmBtJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI0B,MAAM,YAAY1B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk.kms-rest",
3
3
  "description": "Sphereon SSI-SDK plugin for REST Key Management System.",
4
- "version": "0.34.1-feature.IDK.11.54+d92e43d4",
4
+ "version": "0.34.1-feature.SSISDK.44.finish.dcql.309+dbfc561c",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
@@ -22,10 +22,10 @@
22
22
  "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
23
23
  },
24
24
  "dependencies": {
25
- "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.IDK.11.54+d92e43d4",
26
- "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.IDK.11.54+d92e43d4",
27
- "@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.IDK.11.54+d92e43d4",
28
- "@sphereon/ssi-types": "0.34.1-feature.IDK.11.54+d92e43d4",
25
+ "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.44.finish.dcql.309+dbfc561c",
26
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.44.finish.dcql.309+dbfc561c",
27
+ "@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.SSISDK.44.finish.dcql.309+dbfc561c",
28
+ "@sphereon/ssi-types": "0.34.1-feature.SSISDK.44.finish.dcql.309+dbfc561c",
29
29
  "@veramo/core": "4.2.0",
30
30
  "@veramo/key-manager": "4.2.0",
31
31
  "elliptic": "^6.5.4",
@@ -54,5 +54,5 @@
54
54
  "key-management",
55
55
  "Veramo"
56
56
  ],
57
- "gitHead": "d92e43d4d2a604e0c088a26d9c595d87e00382b8"
57
+ "gitHead": "dbfc561c168d680c69e1808dc13864d35573523c"
58
58
  }
package/src/RestKeyManagementSystem.ts CHANGED
@@ -1,11 +1,6 @@
1
- import type { ManagedKeyInfo, TKeyType } from '@veramo/core'
2
- import { AbstractKeyManagementSystem } from '@veramo/key-manager'
3
- import {
4
- calculateJwkThumbprint,
5
- toJwk,
6
- x25519PublicHexFromPrivateHex,
7
- type X509Opts
8
- } from '@sphereon/ssi-sdk-ext.key-utils'
1
+ import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
2
+ import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'
3
+ import type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'
9
4
  import {
10
5
  CurveFromJSONTyped,
11
6
  JwkKeyTypeFromJSONTyped,
@@ -16,51 +11,40 @@ import {
16
11
  ListKeysResponseToJSONTyped,
17
12
  type RestClientAuthenticationOpts,
18
13
  SignatureAlgorithm,
19
- type StoreKey
14
+ type StoreKey,
20
15
  } from '@sphereon/ssi-sdk.kms-rest-client'
21
- import {
22
- hexToPEM,
23
- jwkToPEM,
24
- pemCertChainTox5c,
25
- PEMToHex,
26
- PEMToJwk
27
- } from '@sphereon/ssi-sdk-ext.x509-utils'
28
16
  import { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'
17
+ import type { ManagedKeyInfo, TKeyType } from '@veramo/core'
18
+ import { AbstractKeyManagementSystem } from '@veramo/key-manager'
29
19
  import elliptic from 'elliptic'
30
20
  // @ts-ignore
31
21
  import * as u8a from 'uint8arrays'
32
- import type {
33
- CreateKeyArgs,
34
- DeleteKeyArgs,
35
- ImportKeyArgs,
36
- MapImportKeyArgs,
37
- MappedImportKey,
38
- SharedSecretArgs,
39
- SignArgs,
40
- VerifyArgs
41
- } from './types'
22
+ import type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'
42
23
 
43
24
  const { fromString, toString } = u8a
44
25
 
45
- interface AbstractKeyManagementSystemOptions {
26
+ interface KeyManagementSystemOptions {
46
27
  applicationId: string
47
28
  baseUrl: string
29
+ providerId?: string
48
30
  authOpts?: RestClientAuthenticationOpts
49
31
  }
50
32
 
51
33
  export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
52
34
  private client: KmsRestClient
53
35
  private readonly id: string
36
+ private providerId: string | undefined
54
37
 
55
- constructor(options: AbstractKeyManagementSystemOptions) {
38
+ constructor(options: KeyManagementSystemOptions) {
56
39
  super()
57
40
 
58
41
  const config = {
59
42
  baseUrl: options.baseUrl,
60
- authOpts: options.authOpts
43
+ authOpts: options.authOpts,
61
44
  }
62
45
 
63
46
  this.id = options.applicationId
47
+ this.providerId = options.providerId
64
48
  this.client = new KmsRestClient(config)
65
49
  }
66
50
 
@@ -68,13 +52,18 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
68
52
  const { type, meta } = args
69
53
 
70
54
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
71
- const options = {
55
+ const options = {
72
56
  use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
73
57
  alg: signatureAlgorithm,
74
- keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]
58
+ keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],
75
59
  }
76
60
 
77
- const key = await this.client.methods.kmsClientGenerateKey(options)
61
+ const key = this.providerId
62
+ ? await this.client.methods.kmsClientProviderGenerateKey({
63
+ ...options,
64
+ providerId: this.providerId,
65
+ })
66
+ : await this.client.methods.kmsClientGenerateKey(options)
78
67
 
79
68
  const jwk = {
80
69
  ...key.keyPair.jose.publicJwk,
@@ -91,7 +80,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
91
80
  kms: this.id,
92
81
  type,
93
82
  meta: {
94
- alias: key.keyPair.kid,
83
+ alias: key.keyPair.alias,
95
84
  algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],
96
85
  jwkThumbprint: calculateJwkThumbprint({
97
86
  jwk,
@@ -107,14 +96,19 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
107
96
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
108
97
  const importKey = this.mapImportKey(args)
109
98
 
110
- const result = await this.client.methods.kmsClientStoreKey(importKey.key)
99
+ const result = this.providerId
100
+ ? await this.client.methods.kmsClientProviderStoreKey({
101
+ ...importKey.key,
102
+ providerId: this.providerId,
103
+ })
104
+ : await this.client.methods.kmsClientStoreKey(importKey.key)
111
105
 
112
106
  return {
113
107
  kid: importKey.kid,
114
108
  kms: this.id,
115
109
  type,
116
110
  meta: {
117
- alias: importKey.kid,
111
+ alias: importKey.key.keyInfo.alias,
118
112
  algorithms: [result.keyInfo.key.alg ?? 'PS256'],
119
113
  jwkThumbprint: calculateJwkThumbprint({
120
114
  jwk: importKey.publicKeyJwk,
@@ -128,21 +122,89 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
128
122
  async deleteKey(args: DeleteKeyArgs): Promise<boolean> {
129
123
  const { kid } = args
130
124
 
131
- return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
125
+ return this.providerId
126
+ ? await this.client.methods.kmsClientProviderDeleteKey({
127
+ aliasOrKid: kid,
128
+ providerId: this.providerId,
129
+ })
130
+ : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
132
131
  }
133
132
 
134
133
  async listKeys(): Promise<ManagedKeyInfo[]> {
135
- const keys = await this.client.methods.kmsClientListKeys()
134
+ const keys = this.providerId
135
+ ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })
136
+ : await this.client.methods.kmsClientListKeys()
137
+
138
+ const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos
139
+
140
+ return restKeys.map((restKey: RestManagedKeyInfo) => {
141
+ const jwk = restKey.key
142
+ let publicKeyHex = ''
143
+
144
+ // Derive publicKeyHex from JWK based on key type
145
+ if (jwk.kty === 'EC') {
146
+ publicKeyHex = jwk.x || ''
147
+ } else if (jwk.kty === 'RSA') {
148
+ publicKeyHex = jwk.n || ''
149
+ } else if (jwk.kty === 'OKP') {
150
+ publicKeyHex = jwk.x || ''
151
+ }
136
152
 
137
- return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped
153
+ const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)
154
+
155
+ return {
156
+ kid: restKey.kid || restKey.alias,
157
+ kms: this.id,
158
+ type: keyType,
159
+ publicKeyHex,
160
+ meta: {
161
+ algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,
162
+ jwk,
163
+ jwkThumbprint: calculateJwkThumbprint({
164
+ jwk: jwk as JWK,
165
+ digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',
166
+ }),
167
+ alias: restKey.alias,
168
+ providerId: restKey.providerId,
169
+ x5c: restKey.x5c,
170
+ keyVisibility: restKey.keyVisibility,
171
+ keyEncoding: restKey.keyEncoding,
172
+ ...restKey.opts,
173
+ },
174
+ } satisfies ManagedKeyInfo
175
+ })
176
+ }
177
+
178
+ private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {
179
+ switch (keyType) {
180
+ case 'RSA':
181
+ return 'RSA'
182
+ case 'EC':
183
+ case 'P256':
184
+ return 'Secp256r1'
185
+ case 'X25519':
186
+ return 'X25519'
187
+ case 'Ed25519':
188
+ return 'Ed25519'
189
+ case 'secp256k1':
190
+ return 'Secp256k1'
191
+ default:
192
+ throw new Error(`Unknown key type: ${keyType}`)
193
+ }
138
194
  }
139
195
 
140
196
  async sign(args: SignArgs): Promise<string> {
141
197
  const { keyRef, data } = args
142
- const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
198
+ const key = this.providerId
199
+ ? await this.client.methods.kmsClientProviderGetKey({
200
+ aliasOrKid: keyRef.kid,
201
+ providerId: this.providerId,
202
+ })
203
+ : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
204
+
143
205
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
144
206
  keyInfo: key.keyInfo,
145
- input: toString(data, 'base64')
207
+ input: toString(data, 'base64'),
146
208
  })
147
209
 
148
210
  return signingResult.signature
@@ -150,11 +212,17 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
150
212
 
151
213
  async verify(args: VerifyArgs): Promise<boolean> {
152
214
  const { keyRef, data, signature } = args
153
- const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
215
+ const key = this.providerId
216
+ ? await this.client.methods.kmsClientProviderGetKey({
217
+ aliasOrKid: keyRef.kid,
218
+ providerId: this.providerId,
219
+ })
220
+ : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
221
+
154
222
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
155
223
  keyInfo: key.keyInfo,
156
224
  input: toString(data, 'base64'),
157
- signature
225
+ signature,
158
226
  })
159
227
 
160
228
  return verification.isValid
@@ -207,21 +275,36 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
207
275
 
208
276
  private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {
209
277
  switch (alg) {
210
- case 'RS256': return JoseSignatureAlgorithm.RS256;
211
- case 'RS384': return JoseSignatureAlgorithm.RS384;
212
- case 'RS512': return JoseSignatureAlgorithm.RS512;
213
- case 'ES256': return JoseSignatureAlgorithm.ES256;
214
- case 'ES256K': return JoseSignatureAlgorithm.ES256K;
215
- case 'ES384': return JoseSignatureAlgorithm.ES384;
216
- case 'ES512': return JoseSignatureAlgorithm.ES512;
217
- case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;
218
- case 'HS256': return JoseSignatureAlgorithm.HS256;
219
- case 'HS384': return JoseSignatureAlgorithm.HS384;
220
- case 'HS512': return JoseSignatureAlgorithm.HS512;
221
- case 'PS256': return JoseSignatureAlgorithm.PS256;
222
- case 'PS384': return JoseSignatureAlgorithm.PS384;
223
- case 'PS512': return JoseSignatureAlgorithm.PS512;
224
- case 'none': return JoseSignatureAlgorithm.none;
278
+ case 'RS256':
279
+ return JoseSignatureAlgorithm.RS256
280
+ case 'RS384':
281
+ return JoseSignatureAlgorithm.RS384
282
+ case 'RS512':
283
+ return JoseSignatureAlgorithm.RS512
284
+ case 'ES256':
285
+ return JoseSignatureAlgorithm.ES256
286
+ case 'ES256K':
287
+ return JoseSignatureAlgorithm.ES256K
288
+ case 'ES384':
289
+ return JoseSignatureAlgorithm.ES384
290
+ case 'ES512':
291
+ return JoseSignatureAlgorithm.ES512
292
+ case 'EdDSA':
293
+ return JoseSignatureAlgorithm.EdDSA
294
+ case 'HS256':
295
+ return JoseSignatureAlgorithm.HS256
296
+ case 'HS384':
297
+ return JoseSignatureAlgorithm.HS384
298
+ case 'HS512':
299
+ return JoseSignatureAlgorithm.HS512
300
+ case 'PS256':
301
+ return JoseSignatureAlgorithm.PS256
302
+ case 'PS384':
303
+ return JoseSignatureAlgorithm.PS384
304
+ case 'PS512':
305
+ return JoseSignatureAlgorithm.PS512
306
+ case 'none':
307
+ return JoseSignatureAlgorithm.none
225
308
  default:
226
309
  throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)
227
310
  }
@@ -256,10 +339,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
256
339
 
257
340
  private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {
258
341
  const x509 = args.meta?.x509 as X509Opts
259
- const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')
260
- ? args.privateKeyHex
261
- : hexToPEM(args.privateKeyHex, 'private')
262
- ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)
342
+ const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)
263
343
  const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')
264
344
  const privateKeyJwk = PEMToJwk(privateKeyPEM)
265
345
  const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')
@@ -307,8 +387,8 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
307
387
  crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
308
388
  },
309
389
  },
310
- certChain: meta.x509.x5c
311
- } satisfies StoreKey
390
+ certChain: meta.x509.x5c,
391
+ } satisfies StoreKey,
312
392
  }
313
393
  }
314
394
 
@@ -333,9 +413,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
333
413
  kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
334
414
  use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
335
415
  crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
336
- }
337
- }
338
- } satisfies StoreKey
416
+ },
417
+ },
418
+ } satisfies StoreKey,
339
419
  }
340
420
  }
341
421
 
@@ -357,9 +437,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
357
437
  kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
358
438
  use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
359
439
  crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
360
- }
361
- }
362
- } satisfies StoreKey
440
+ },
441
+ },
442
+ } satisfies StoreKey,
363
443
  }
364
444
  }
365
445
 
@@ -378,5 +458,4 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
378
458
  throw new Error(`Key type ${args.type} is not supported by REST KMS`)
379
459
  }
380
460
  }
381
-
382
461
  }