@sphereon/ssi-sdk.kms-rest 0.34.1-feature.IDK.11.54 → 0.34.1-feature.SSISDK.70.integrate.digidentity.306

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/index.cjs +27 -8
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +4 -2
  4. package/dist/index.d.ts +4 -2
  5. package/dist/index.js +27 -8
  6. package/dist/index.js.map +1 -1
  7. package/package.json +6 -6
  8. package/src/RestKeyManagementSystem.ts +90 -67
package/dist/index.cjs CHANGED
@@ -50,6 +50,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
50
50
  }
51
51
  client;
52
52
  id;
53
+ providerId;
53
54
  constructor(options) {
54
55
  super();
55
56
  const config = {
@@ -57,6 +58,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
57
58
  authOpts: options.authOpts
58
59
  };
59
60
  this.id = options.applicationId;
61
+ this.providerId = options.providerId;
60
62
  this.client = new import_ssi_sdk.KmsRestClient(config);
61
63
  }
62
64
  async createKey(args) {
@@ -69,7 +71,10 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
69
71
  import_ssi_sdk.KeyOperations.Sign
70
72
  ]
71
73
  };
72
- const key = await this.client.methods.kmsClientGenerateKey(options);
74
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
75
+ ...options,
76
+ providerId: this.providerId
77
+ }) : await this.client.methods.kmsClientGenerateKey(options);
73
78
  const jwk = {
74
79
  ...key.keyPair.jose.publicJwk,
75
80
  alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
@@ -83,7 +88,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
83
88
  kms: this.id,
84
89
  type,
85
90
  meta: {
86
- alias: key.keyPair.kid,
91
+ alias: key.keyPair.alias,
87
92
  algorithms: [
88
93
  key.keyPair.jose.publicJwk.alg ?? "PS256"
89
94
  ],
@@ -99,13 +104,16 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
99
104
  const { type } = args;
100
105
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
101
106
  const importKey = this.mapImportKey(args);
102
- const result = await this.client.methods.kmsClientStoreKey(importKey.key);
107
+ const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
108
+ ...importKey.key,
109
+ providerId: this.providerId
110
+ }) : await this.client.methods.kmsClientStoreKey(importKey.key);
103
111
  return {
104
112
  kid: importKey.kid,
105
113
  kms: this.id,
106
114
  type,
107
115
  meta: {
108
- alias: importKey.kid,
116
+ alias: importKey.key.keyInfo.alias,
109
117
  algorithms: [
110
118
  result.keyInfo.key.alg ?? "PS256"
111
119
  ],
@@ -119,17 +127,25 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
119
127
  }
120
128
  async deleteKey(args) {
121
129
  const { kid } = args;
122
- return await this.client.methods.kmsClientDeleteKey({
130
+ return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
131
+ aliasOrKid: kid,
132
+ providerId: this.providerId
133
+ }) : await this.client.methods.kmsClientDeleteKey({
123
134
  aliasOrKid: kid
124
135
  });
125
136
  }
126
137
  async listKeys() {
127
- const keys = await this.client.methods.kmsClientListKeys();
138
+ const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
139
+ providerId: this.providerId
140
+ }) : await this.client.methods.kmsClientListKeys();
128
141
  return (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
129
142
  }
130
143
  async sign(args) {
131
144
  const { keyRef, data } = args;
132
- const key = await this.client.methods.kmsClientGetKey({
145
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
146
+ aliasOrKid: keyRef.kid,
147
+ providerId: this.providerId
148
+ }) : await this.client.methods.kmsClientGetKey({
133
149
  aliasOrKid: keyRef.kid
134
150
  });
135
151
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
@@ -140,7 +156,10 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
140
156
  }
141
157
  async verify(args) {
142
158
  const { keyRef, data, signature } = args;
143
- const key = await this.client.methods.kmsClientGetKey({
159
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
160
+ aliasOrKid: keyRef.kid,
161
+ providerId: this.providerId
162
+ }) : await this.client.methods.kmsClientGetKey({
144
163
  aliasOrKid: keyRef.kid
145
164
  });
146
165
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.kid,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.kid,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACCA,yBAA4C;AAC5C,yBAKO;AACP,qBAWO;AACP,IAAAA,sBAMO;AACP,uBAAiD;AACjD,sBAAqB;AAErB,UAAqB;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQK;QACnBI,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,mBAAeC,2CAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUZ;QACjBI,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,mBAAeC,2CAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,eAAOC,4CAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,wCAAuBC;MAC5C,KAAK;AAAS,eAAOD,wCAAuBE;MAC5C,KAAK;AAAS,eAAOF,wCAAuBG;MAC5C,KAAK;AAAS,eAAOH,wCAAuBI;MAC5C,KAAK;AAAU,eAAOJ,wCAAuBK;MAC7C,KAAK;AAAS,eAAOL,wCAAuBM;MAC5C,KAAK;AAAS,eAAON,wCAAuBO;MAC5C,KAAK;AAAS,eAAOP,wCAAuBQ;MAC5C,KAAK;AAAS,eAAOR,wCAAuBS;MAC5C,KAAK;AAAS,eAAOT,wCAAuBU;MAC5C,KAAK;AAAS,eAAOV,wCAAuBW;MAC5C,KAAK;AAAS,eAAOX,wCAAuBY;MAC5C,KAAK;AAAS,eAAOZ,wCAAuBa;MAC5C,KAAK;AAAS,eAAOb,wCAAuBc;MAC5C,KAAK;AAAS,eAAOd,wCAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAc+E;MACvB,KAAK;AACH,eAAO/E,6BAAcgF;MACvB,KAAK;AACH,eAAOhF,6BAAciF;MACvB,KAAK;AACH,eAAOjF,6BAAckF;MACvB,KAAK;AACH,eAAOlF,6BAAcmF;MACvB,KAAK;AACH,eAAOnF,6BAAcoF;MACvB,KAAK;AACH,eAAOpF,6BAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,oBACLE,8BAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,mBAAekE,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASrE,cAAc,QAAA;AAC5C,UAAMR,mBAAe8E,8BAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,mBAAe6F,0BAAMrG,cAAc,WAAA;AACzC,UAAM2E,oBAAgB0B,0BAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,oBAAgB0B,0BAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,mBAAewG,kDAA8BjC,aAAAA;AACnD,UAAM/D,mBAAe6F,0BAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACCA,yBAA4C;AAC5C,yBAA4F;AAC5F,qBAWO;AACP,IAAAA,sBAA0E;AAC1E,uBAAiD;AACjD,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA9B7C,OA8B6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;IAC/F;AAEA,UAAMC,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQC,6BAA6B;MACrD,GAAGxB;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQE,qBAAqBzB,OAAAA;AAEnD,UAAM0B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBZ,KAAKK,IAAIK,QAAQC,KAAKC,UAAUZ,MAAM,KAAKa,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUZ,GAAG,IAAIc;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOb,IAAIK,QAAQQ;QACnBC,YAAY;UAACd,IAAIK,QAAQC,KAAKC,UAAUZ,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKrB,IAAIK,QAAQC,KAAKC,UAAUpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMmD,UAAUrC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMoC,YAAY,KAAKC,aAAatC,IAAAA;AAEpC,UAAMuC,SAAS,KAAK/C,aAChB,MAAM,KAAKF,OAAO0B,QAAQwB,0BAA0B;MAClD,GAAGH,UAAUtB;MACbvB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQyB,kBAAkBJ,UAAUtB,GAAG;AAE7D,WAAO;MACLU,KAAKY,UAAUZ;MACfE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOS,UAAUtB,IAAI2B,QAAQd;QAC7BC,YAAY;UAACU,OAAOG,QAAQ3B,IAAIL,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCZ,KAAKkB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ3B,IAAI7B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM0D,UAAU5C,MAAuC;AACrD,UAAM,EAAEyB,IAAG,IAAKzB;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO0B,QAAQ6B,2BAA2B;MACnDC,YAAYrB;MACZjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ+B,mBAAmB;MAAED,YAAYrB;IAAI,CAAA;EACrE;EAEA,MAAMuB,WAAsC;AAC1C,UAAMC,OAAO,KAAKzD,aACd,MAAM,KAAKF,OAAO0B,QAAQkC,0BAA0B;MAAE1D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO0B,QAAQmC,kBAAiB;AAE/C,eAAOC,4CAA4BH,MAAM,KAAA,EAAOI;EAClD;EAEA,MAAMC,KAAKtD,MAAiC;AAC1C,UAAM,EAAEuD,QAAQC,KAAI,IAAKxD;AACzB,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQyC,wBAAwB;MAChDX,YAAYS,OAAO9B;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ0C,gBAAgB;MAAEZ,YAAYS,OAAO9B;IAAI,CAAA;AAEvE,UAAMkC,gBAAgB,MAAM,KAAKrE,OAAO0B,QAAQ4C,4BAA4B;MAC1ElB,SAAS3B,IAAI2B;MACbmB,OAAO3E,SAASsE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO/D,MAAoC;AAC/C,UAAM,EAAEuD,QAAQC,MAAMM,UAAS,IAAK9D;AACpC,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQyC,wBAAwB;MAChDX,YAAYS,OAAO9B;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ0C,gBAAgB;MAAEZ,YAAYS,OAAO9B;IAAI,CAAA;AAEvE,UAAMuC,eAAe,MAAM,KAAK1E,OAAO0B,QAAQiD,6BAA6B;MAC1EvB,SAAS3B,IAAI2B;MACbmB,OAAO3E,SAASsE,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAanE,MAAyC;AAC1D,UAAM,IAAI0B,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC9B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAKiE,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAIlD,MAAM,uBAAuBvB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACuE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOrE,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOsE;MAChB;AACE,cAAM,IAAIpD,MAAM,aAAamD,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdzE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAOmE,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAI7C,MAAM,YAAYzB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCsB,mBAAmB,wBAACb,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOqE,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAIpE,MAAM,uBAAuBhB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBqF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOnF,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcoF;MACvB,KAAK;AACH,eAAOpF,6BAAcqF;MACvB,KAAK;AACH,eAAOrF,6BAAcsF;MACvB,KAAK;AACH,eAAOtF,6BAAcuF;MACvB,KAAK;AACH,eAAOvF,6BAAcwF;MACvB,KAAK;AACH,eAAOxF,6BAAcyF;MACvB,KAAK;AACH,eAAOzF,6BAAc0F;MACvB;AACE,cAAM,IAAI7E,MAAM,iBAAiBsE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBpF,mBAAmB,wBAAC4F,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAAC1G,SAAAA;AACzB,UAAM2G,OAAO3G,KAAKE,MAAMyG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB5G,KAAK6G,cAAcC,SAAS,KAAA,IAAS9G,KAAK6G,oBAAgBE,8BAAS/G,KAAK6G,eAAe,SAAA;AACrI,UAAMlE,mBAAeqE,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASxE,cAAc,QAAA;AAC5C,UAAMT,mBAAekF,8BAASF,YAAAA;AAE9B,UAAMhH,OAAO,CAAC;AACd,QAAIyG,MAAM;AACRzG,WAAKyG,OAAO;QACVU,IAAIV,KAAKU,MAAMrH,KAAKyB,OAAOS;MAC7B;AACA,UAAIoF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBvH,aAAKyG,KAAKY,sBAAsBD;AAChC,cAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7BjF,uBAAa+E,MAAMA;QACrB;AACAxH,aAAKyG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5BjF,qBAAakF,MAAMlB,KAAKiB;AACxB1H,aAAKyG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAMnG,MAAMzB,KAAKyB,OAAOvB,MAAMyG,MAAMU,MAAMnF;AAC1C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAGkG;YACHxF;YACAqG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDzH,SAAK2H,oCAAoBf,cAAc5G,KAAK,KAAA;YAC5C4H,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAWpH,KAAKyG,KAAKe;MACvB;IACF;EACF,GArD0B;EAuDlBS,wBAAwB,wBAACnI,SAAAA;AAC/B,UAAM,EAAE6G,cAAa,IAAK7G;AAC1B,UAAMoI,eAAenJ,WAAW4H,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMpH,UAAUkH,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMlG,eAAed,QAAQsH,UAAU,MAAM,KAAA;AAC7C,UAAM/F,mBAAegG,0BAAMzG,cAAc,WAAA;AACzC,UAAM+E,oBAAgB0B,0BAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAMnH,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAGkG;YACHxF;YACAqG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDzH,SAAK2H,oCAAoBf,cAAc5G,KAAK,KAAA;YAC5C4H,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC7I,SAAAA;AAC5B,UAAM,EAAE6G,cAAa,IAAK7G;AAC1B,UAAMiH,oBAAgB0B,0BAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAM1G,mBAAe4G,kDAA8BjC,aAAAA;AACnD,UAAMlE,mBAAegG,0BAAMzG,cAAc,QAAA;AACzC,UAAMT,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAGkG;YACHxF;YACAqG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDzH,SAAK2H,oCAAoBf,cAAc5G,KAAK,KAAA;YAC5C4H,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB3F,eAAe,wBAACtC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKyG,gBAAgB1G,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKmI,sBAAsBnI,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK6I,mBAAmB7I,IAAAA;MACjC;MACA;AACE,cAAM,IAAI0B,MAAM,YAAY1B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/dist/index.d.cts CHANGED
@@ -44,15 +44,17 @@ type MappedImportKey = {
44
44
  publicKeyJwk: JWK;
45
45
  };
46
46
 
47
- interface AbstractKeyManagementSystemOptions {
47
+ interface KeyManagementSystemOptions {
48
48
  applicationId: string;
49
49
  baseUrl: string;
50
+ providerId?: string;
50
51
  authOpts?: RestClientAuthenticationOpts;
51
52
  }
52
53
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
53
54
  private client;
54
55
  private readonly id;
55
- constructor(options: AbstractKeyManagementSystemOptions);
56
+ private providerId;
57
+ constructor(options: KeyManagementSystemOptions);
56
58
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
57
59
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
58
60
  deleteKey(args: DeleteKeyArgs): Promise<boolean>;
package/dist/index.d.ts CHANGED
@@ -44,15 +44,17 @@ type MappedImportKey = {
44
44
  publicKeyJwk: JWK;
45
45
  };
46
46
 
47
- interface AbstractKeyManagementSystemOptions {
47
+ interface KeyManagementSystemOptions {
48
48
  applicationId: string;
49
49
  baseUrl: string;
50
+ providerId?: string;
50
51
  authOpts?: RestClientAuthenticationOpts;
51
52
  }
52
53
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
53
54
  private client;
54
55
  private readonly id;
55
- constructor(options: AbstractKeyManagementSystemOptions);
56
+ private providerId;
57
+ constructor(options: KeyManagementSystemOptions);
56
58
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
57
59
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
58
60
  deleteKey(args: DeleteKeyArgs): Promise<boolean>;
package/dist/index.js CHANGED
@@ -16,6 +16,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
16
16
  }
17
17
  client;
18
18
  id;
19
+ providerId;
19
20
  constructor(options) {
20
21
  super();
21
22
  const config = {
@@ -23,6 +24,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
23
24
  authOpts: options.authOpts
24
25
  };
25
26
  this.id = options.applicationId;
27
+ this.providerId = options.providerId;
26
28
  this.client = new KmsRestClient(config);
27
29
  }
28
30
  async createKey(args) {
@@ -35,7 +37,10 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
35
37
  KeyOperations.Sign
36
38
  ]
37
39
  };
38
- const key = await this.client.methods.kmsClientGenerateKey(options);
40
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
41
+ ...options,
42
+ providerId: this.providerId
43
+ }) : await this.client.methods.kmsClientGenerateKey(options);
39
44
  const jwk = {
40
45
  ...key.keyPair.jose.publicJwk,
41
46
  alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
@@ -49,7 +54,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
49
54
  kms: this.id,
50
55
  type,
51
56
  meta: {
52
- alias: key.keyPair.kid,
57
+ alias: key.keyPair.alias,
53
58
  algorithms: [
54
59
  key.keyPair.jose.publicJwk.alg ?? "PS256"
55
60
  ],
@@ -65,13 +70,16 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
65
70
  const { type } = args;
66
71
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
67
72
  const importKey = this.mapImportKey(args);
68
- const result = await this.client.methods.kmsClientStoreKey(importKey.key);
73
+ const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
74
+ ...importKey.key,
75
+ providerId: this.providerId
76
+ }) : await this.client.methods.kmsClientStoreKey(importKey.key);
69
77
  return {
70
78
  kid: importKey.kid,
71
79
  kms: this.id,
72
80
  type,
73
81
  meta: {
74
- alias: importKey.kid,
82
+ alias: importKey.key.keyInfo.alias,
75
83
  algorithms: [
76
84
  result.keyInfo.key.alg ?? "PS256"
77
85
  ],
@@ -85,17 +93,25 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
85
93
  }
86
94
  async deleteKey(args) {
87
95
  const { kid } = args;
88
- return await this.client.methods.kmsClientDeleteKey({
96
+ return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
97
+ aliasOrKid: kid,
98
+ providerId: this.providerId
99
+ }) : await this.client.methods.kmsClientDeleteKey({
89
100
  aliasOrKid: kid
90
101
  });
91
102
  }
92
103
  async listKeys() {
93
- const keys = await this.client.methods.kmsClientListKeys();
104
+ const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
105
+ providerId: this.providerId
106
+ }) : await this.client.methods.kmsClientListKeys();
94
107
  return ListKeysResponseToJSONTyped(keys, false).keyInfos;
95
108
  }
96
109
  async sign(args) {
97
110
  const { keyRef, data } = args;
98
- const key = await this.client.methods.kmsClientGetKey({
111
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
112
+ aliasOrKid: keyRef.kid,
113
+ providerId: this.providerId
114
+ }) : await this.client.methods.kmsClientGetKey({
99
115
  aliasOrKid: keyRef.kid
100
116
  });
101
117
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
@@ -106,7 +122,10 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
106
122
  }
107
123
  async verify(args) {
108
124
  const { keyRef, data, signature } = args;
109
- const key = await this.client.methods.kmsClientGetKey({
125
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
126
+ aliasOrKid: keyRef.kid,
127
+ providerId: this.providerId
128
+ }) : await this.client.methods.kmsClientGetKey({
110
129
  aliasOrKid: keyRef.kid
111
130
  });
112
131
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.kid,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.kid,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;AACA,SAASA,mCAAmC;AAC5C,SACEC,wBACAC,OACAC,qCAEK;AACP,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SACEC,UACAC,UACAC,mBACAC,UACAC,gBACK;AACP,SAASC,8BAAwC;AACjD,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQK;QACnBI,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,eAAeC,uBAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUZ;QACjBI,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,eAAeC,uBAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,WAAOC,4BAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,uBAAuBC;MAC5C,KAAK;AAAS,eAAOD,uBAAuBE;MAC5C,KAAK;AAAS,eAAOF,uBAAuBG;MAC5C,KAAK;AAAS,eAAOH,uBAAuBI;MAC5C,KAAK;AAAU,eAAOJ,uBAAuBK;MAC7C,KAAK;AAAS,eAAOL,uBAAuBM;MAC5C,KAAK;AAAS,eAAON,uBAAuBO;MAC5C,KAAK;AAAS,eAAOP,uBAAuBQ;MAC5C,KAAK;AAAS,eAAOR,uBAAuBS;MAC5C,KAAK;AAAS,eAAOT,uBAAuBU;MAC5C,KAAK;AAAS,eAAOV,uBAAuBW;MAC5C,KAAK;AAAS,eAAOX,uBAAuBY;MAC5C,KAAK;AAAS,eAAOZ,uBAAuBa;MAC5C,KAAK;AAAS,eAAOb,uBAAuBc;MAC5C,KAAK;AAAS,eAAOd,uBAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAc+E;MACvB,KAAK;AACH,eAAO/E,cAAcgF;MACvB,KAAK;AACH,eAAOhF,cAAciF;MACvB,KAAK;AACH,eAAOjF,cAAckF;MACvB,KAAK;AACH,eAAOlF,cAAcmF;MACvB,KAAK;AACH,eAAOnF,cAAcoF;MACvB,KAAK;AACH,eAAOpF,cAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,gBACLE,SAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,eAAekE,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASrE,cAAc,QAAA;AAC5C,UAAMR,eAAe8E,SAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,eAAe6F,MAAMrG,cAAc,WAAA;AACzC,UAAM2E,gBAAgB0B,MAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,gBAAgB0B,MAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,eAAewG,8BAA8BjC,aAAAA;AACnD,UAAM/D,eAAe6F,MAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["AbstractKeyManagementSystem","calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","JoseSignatureAlgorithm","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AACA,SAASA,mCAAmC;AAC5C,SAASC,wBAAwBC,OAAOC,qCAAoD;AAC5F,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAC1E,SAASC,8BAAwC;AACjD,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA9B7C,OA8B6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;IAC/F;AAEA,UAAMC,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQC,6BAA6B;MACrD,GAAGxB;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQE,qBAAqBzB,OAAAA;AAEnD,UAAM0B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBZ,KAAKK,IAAIK,QAAQC,KAAKC,UAAUZ,MAAM,KAAKa,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUZ,GAAG,IAAIc;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOb,IAAIK,QAAQQ;QACnBC,YAAY;UAACd,IAAIK,QAAQC,KAAKC,UAAUZ,OAAO;;QAC/CoB,eAAeC,uBAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKrB,IAAIK,QAAQC,KAAKC,UAAUpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMmD,UAAUrC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMoC,YAAY,KAAKC,aAAatC,IAAAA;AAEpC,UAAMuC,SAAS,KAAK/C,aAChB,MAAM,KAAKF,OAAO0B,QAAQwB,0BAA0B;MAClD,GAAGH,UAAUtB;MACbvB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQyB,kBAAkBJ,UAAUtB,GAAG;AAE7D,WAAO;MACLU,KAAKY,UAAUZ;MACfE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOS,UAAUtB,IAAI2B,QAAQd;QAC7BC,YAAY;UAACU,OAAOG,QAAQ3B,IAAIL,OAAO;;QACvCoB,eAAeC,uBAAuB;UACpCZ,KAAKkB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ3B,IAAI7B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM0D,UAAU5C,MAAuC;AACrD,UAAM,EAAEyB,IAAG,IAAKzB;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO0B,QAAQ6B,2BAA2B;MACnDC,YAAYrB;MACZjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ+B,mBAAmB;MAAED,YAAYrB;IAAI,CAAA;EACrE;EAEA,MAAMuB,WAAsC;AAC1C,UAAMC,OAAO,KAAKzD,aACd,MAAM,KAAKF,OAAO0B,QAAQkC,0BAA0B;MAAE1D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO0B,QAAQmC,kBAAiB;AAE/C,WAAOC,4BAA4BH,MAAM,KAAA,EAAOI;EAClD;EAEA,MAAMC,KAAKtD,MAAiC;AAC1C,UAAM,EAAEuD,QAAQC,KAAI,IAAKxD;AACzB,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQyC,wBAAwB;MAChDX,YAAYS,OAAO9B;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ0C,gBAAgB;MAAEZ,YAAYS,OAAO9B;IAAI,CAAA;AAEvE,UAAMkC,gBAAgB,MAAM,KAAKrE,OAAO0B,QAAQ4C,4BAA4B;MAC1ElB,SAAS3B,IAAI2B;MACbmB,OAAO3E,SAASsE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO/D,MAAoC;AAC/C,UAAM,EAAEuD,QAAQC,MAAMM,UAAS,IAAK9D;AACpC,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQyC,wBAAwB;MAChDX,YAAYS,OAAO9B;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ0C,gBAAgB;MAAEZ,YAAYS,OAAO9B;IAAI,CAAA;AAEvE,UAAMuC,eAAe,MAAM,KAAK1E,OAAO0B,QAAQiD,6BAA6B;MAC1EvB,SAAS3B,IAAI2B;MACbmB,OAAO3E,SAASsE,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAanE,MAAyC;AAC1D,UAAM,IAAI0B,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC9B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAKiE,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAIlD,MAAM,uBAAuBvB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACuE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOrE,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOsE;MAChB;AACE,cAAM,IAAIpD,MAAM,aAAamD,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdzE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAOmE,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAI7C,MAAM,YAAYzB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCsB,mBAAmB,wBAACb,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOqE,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAIpE,MAAM,uBAAuBhB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBqF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOnF,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcoF;MACvB,KAAK;AACH,eAAOpF,cAAcqF;MACvB,KAAK;AACH,eAAOrF,cAAcsF;MACvB,KAAK;AACH,eAAOtF,cAAcuF;MACvB,KAAK;AACH,eAAOvF,cAAcwF;MACvB,KAAK;AACH,eAAOxF,cAAcyF;MACvB,KAAK;AACH,eAAOzF,cAAc0F;MACvB;AACE,cAAM,IAAI7E,MAAM,iBAAiBsE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBpF,mBAAmB,wBAAC4F,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAAC1G,SAAAA;AACzB,UAAM2G,OAAO3G,KAAKE,MAAMyG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB5G,KAAK6G,cAAcC,SAAS,KAAA,IAAS9G,KAAK6G,gBAAgBE,SAAS/G,KAAK6G,eAAe,SAAA;AACrI,UAAMlE,eAAeqE,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASxE,cAAc,QAAA;AAC5C,UAAMT,eAAekF,SAASF,YAAAA;AAE9B,UAAMhH,OAAO,CAAC;AACd,QAAIyG,MAAM;AACRzG,WAAKyG,OAAO;QACVU,IAAIV,KAAKU,MAAMrH,KAAKyB,OAAOS;MAC7B;AACA,UAAIoF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBvH,aAAKyG,KAAKY,sBAAsBD;AAChC,cAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7BjF,uBAAa+E,MAAMA;QACrB;AACAxH,aAAKyG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5BjF,qBAAakF,MAAMlB,KAAKiB;AACxB1H,aAAKyG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAMnG,MAAMzB,KAAKyB,OAAOvB,MAAMyG,MAAMU,MAAMnF;AAC1C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAGkG;YACHxF;YACAqG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDzH,KAAK2H,oBAAoBf,cAAc5G,KAAK,KAAA;YAC5C4H,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAWpH,KAAKyG,KAAKe;MACvB;IACF;EACF,GArD0B;EAuDlBS,wBAAwB,wBAACnI,SAAAA;AAC/B,UAAM,EAAE6G,cAAa,IAAK7G;AAC1B,UAAMoI,eAAenJ,WAAW4H,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMpH,UAAUkH,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMlG,eAAed,QAAQsH,UAAU,MAAM,KAAA;AAC7C,UAAM/F,eAAegG,MAAMzG,cAAc,WAAA;AACzC,UAAM+E,gBAAgB0B,MAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAMnH,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAGkG;YACHxF;YACAqG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDzH,KAAK2H,oBAAoBf,cAAc5G,KAAK,KAAA;YAC5C4H,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC7I,SAAAA;AAC5B,UAAM,EAAE6G,cAAa,IAAK7G;AAC1B,UAAMiH,gBAAgB0B,MAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAM1G,eAAe4G,8BAA8BjC,aAAAA;AACnD,UAAMlE,eAAegG,MAAMzG,cAAc,QAAA;AACzC,UAAMT,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAGkG;YACHxF;YACAqG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDzH,KAAK2H,oBAAoBf,cAAc5G,KAAK,KAAA;YAC5C4H,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB3F,eAAe,wBAACtC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKyG,gBAAgB1G,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKmI,sBAAsBnI,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK6I,mBAAmB7I,IAAAA;MACjC;MACA;AACE,cAAM,IAAI0B,MAAM,YAAY1B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["AbstractKeyManagementSystem","calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","JoseSignatureAlgorithm","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk.kms-rest",
3
3
  "description": "Sphereon SSI-SDK plugin for REST Key Management System.",
4
- "version": "0.34.1-feature.IDK.11.54+d92e43d4",
4
+ "version": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
@@ -22,10 +22,10 @@
22
22
  "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
23
23
  },
24
24
  "dependencies": {
25
- "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.IDK.11.54+d92e43d4",
26
- "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.IDK.11.54+d92e43d4",
27
- "@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.IDK.11.54+d92e43d4",
28
- "@sphereon/ssi-types": "0.34.1-feature.IDK.11.54+d92e43d4",
25
+ "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
26
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
27
+ "@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
28
+ "@sphereon/ssi-types": "0.34.1-feature.SSISDK.70.integrate.digidentity.306+44911856",
29
29
  "@veramo/core": "4.2.0",
30
30
  "@veramo/key-manager": "4.2.0",
31
31
  "elliptic": "^6.5.4",
@@ -54,5 +54,5 @@
54
54
  "key-management",
55
55
  "Veramo"
56
56
  ],
57
- "gitHead": "d92e43d4d2a604e0c088a26d9c595d87e00382b8"
57
+ "gitHead": "4491185688c3daa30f33d7f435ff75c9b0a853cb"
58
58
  }
package/src/RestKeyManagementSystem.ts CHANGED
@@ -1,11 +1,6 @@
1
1
  import type { ManagedKeyInfo, TKeyType } from '@veramo/core'
2
2
  import { AbstractKeyManagementSystem } from '@veramo/key-manager'
3
- import {
4
- calculateJwkThumbprint,
5
- toJwk,
6
- x25519PublicHexFromPrivateHex,
7
- type X509Opts
8
- } from '@sphereon/ssi-sdk-ext.key-utils'
3
+ import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
9
4
  import {
10
5
  CurveFromJSONTyped,
11
6
  JwkKeyTypeFromJSONTyped,
@@ -16,51 +11,39 @@ import {
16
11
  ListKeysResponseToJSONTyped,
17
12
  type RestClientAuthenticationOpts,
18
13
  SignatureAlgorithm,
19
- type StoreKey
14
+ type StoreKey,
20
15
  } from '@sphereon/ssi-sdk.kms-rest-client'
21
- import {
22
- hexToPEM,
23
- jwkToPEM,
24
- pemCertChainTox5c,
25
- PEMToHex,
26
- PEMToJwk
27
- } from '@sphereon/ssi-sdk-ext.x509-utils'
16
+ import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'
28
17
  import { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'
29
18
  import elliptic from 'elliptic'
30
19
  // @ts-ignore
31
20
  import * as u8a from 'uint8arrays'
32
- import type {
33
- CreateKeyArgs,
34
- DeleteKeyArgs,
35
- ImportKeyArgs,
36
- MapImportKeyArgs,
37
- MappedImportKey,
38
- SharedSecretArgs,
39
- SignArgs,
40
- VerifyArgs
41
- } from './types'
21
+ import type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'
42
22
 
43
23
  const { fromString, toString } = u8a
44
24
 
45
- interface AbstractKeyManagementSystemOptions {
25
+ interface KeyManagementSystemOptions {
46
26
  applicationId: string
47
27
  baseUrl: string
28
+ providerId?: string
48
29
  authOpts?: RestClientAuthenticationOpts
49
30
  }
50
31
 
51
32
  export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
52
33
  private client: KmsRestClient
53
34
  private readonly id: string
35
+ private providerId: string | undefined
54
36
 
55
- constructor(options: AbstractKeyManagementSystemOptions) {
37
+ constructor(options: KeyManagementSystemOptions) {
56
38
  super()
57
39
 
58
40
  const config = {
59
41
  baseUrl: options.baseUrl,
60
- authOpts: options.authOpts
42
+ authOpts: options.authOpts,
61
43
  }
62
44
 
63
45
  this.id = options.applicationId
46
+ this.providerId = options.providerId
64
47
  this.client = new KmsRestClient(config)
65
48
  }
66
49
 
@@ -68,13 +51,18 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
68
51
  const { type, meta } = args
69
52
 
70
53
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
71
- const options = {
54
+ const options = {
72
55
  use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
73
56
  alg: signatureAlgorithm,
74
- keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]
57
+ keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],
75
58
  }
76
59
 
77
- const key = await this.client.methods.kmsClientGenerateKey(options)
60
+ const key = this.providerId
61
+ ? await this.client.methods.kmsClientProviderGenerateKey({
62
+ ...options,
63
+ providerId: this.providerId,
64
+ })
65
+ : await this.client.methods.kmsClientGenerateKey(options)
78
66
 
79
67
  const jwk = {
80
68
  ...key.keyPair.jose.publicJwk,
@@ -91,7 +79,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
91
79
  kms: this.id,
92
80
  type,
93
81
  meta: {
94
- alias: key.keyPair.kid,
82
+ alias: key.keyPair.alias,
95
83
  algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],
96
84
  jwkThumbprint: calculateJwkThumbprint({
97
85
  jwk,
@@ -107,14 +95,19 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
107
95
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
108
96
  const importKey = this.mapImportKey(args)
109
97
 
110
- const result = await this.client.methods.kmsClientStoreKey(importKey.key)
98
+ const result = this.providerId
99
+ ? await this.client.methods.kmsClientProviderStoreKey({
100
+ ...importKey.key,
101
+ providerId: this.providerId,
102
+ })
103
+ : await this.client.methods.kmsClientStoreKey(importKey.key)
111
104
 
112
105
  return {
113
106
  kid: importKey.kid,
114
107
  kms: this.id,
115
108
  type,
116
109
  meta: {
117
- alias: importKey.kid,
110
+ alias: importKey.key.keyInfo.alias,
118
111
  algorithms: [result.keyInfo.key.alg ?? 'PS256'],
119
112
  jwkThumbprint: calculateJwkThumbprint({
120
113
  jwk: importKey.publicKeyJwk,
@@ -128,21 +121,34 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
128
121
  async deleteKey(args: DeleteKeyArgs): Promise<boolean> {
129
122
  const { kid } = args
130
123
 
131
- return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
124
+ return this.providerId
125
+ ? await this.client.methods.kmsClientProviderDeleteKey({
126
+ aliasOrKid: kid,
127
+ providerId: this.providerId,
128
+ })
129
+ : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
132
130
  }
133
131
 
134
132
  async listKeys(): Promise<ManagedKeyInfo[]> {
135
- const keys = await this.client.methods.kmsClientListKeys()
133
+ const keys = this.providerId
134
+ ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })
135
+ : await this.client.methods.kmsClientListKeys()
136
136
 
137
137
  return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped
138
138
  }
139
139
 
140
140
  async sign(args: SignArgs): Promise<string> {
141
141
  const { keyRef, data } = args
142
- const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
142
+ const key = this.providerId
143
+ ? await this.client.methods.kmsClientProviderGetKey({
144
+ aliasOrKid: keyRef.kid,
145
+ providerId: this.providerId,
146
+ })
147
+ : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
148
+
143
149
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
144
150
  keyInfo: key.keyInfo,
145
- input: toString(data, 'base64')
151
+ input: toString(data, 'base64'),
146
152
  })
147
153
 
148
154
  return signingResult.signature
@@ -150,11 +156,17 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
150
156
 
151
157
  async verify(args: VerifyArgs): Promise<boolean> {
152
158
  const { keyRef, data, signature } = args
153
- const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
159
+ const key = this.providerId
160
+ ? await this.client.methods.kmsClientProviderGetKey({
161
+ aliasOrKid: keyRef.kid,
162
+ providerId: this.providerId,
163
+ })
164
+ : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
165
+
154
166
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
155
167
  keyInfo: key.keyInfo,
156
168
  input: toString(data, 'base64'),
157
- signature
169
+ signature,
158
170
  })
159
171
 
160
172
  return verification.isValid
@@ -207,21 +219,36 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
207
219
 
208
220
  private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {
209
221
  switch (alg) {
210
- case 'RS256': return JoseSignatureAlgorithm.RS256;
211
- case 'RS384': return JoseSignatureAlgorithm.RS384;
212
- case 'RS512': return JoseSignatureAlgorithm.RS512;
213
- case 'ES256': return JoseSignatureAlgorithm.ES256;
214
- case 'ES256K': return JoseSignatureAlgorithm.ES256K;
215
- case 'ES384': return JoseSignatureAlgorithm.ES384;
216
- case 'ES512': return JoseSignatureAlgorithm.ES512;
217
- case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;
218
- case 'HS256': return JoseSignatureAlgorithm.HS256;
219
- case 'HS384': return JoseSignatureAlgorithm.HS384;
220
- case 'HS512': return JoseSignatureAlgorithm.HS512;
221
- case 'PS256': return JoseSignatureAlgorithm.PS256;
222
- case 'PS384': return JoseSignatureAlgorithm.PS384;
223
- case 'PS512': return JoseSignatureAlgorithm.PS512;
224
- case 'none': return JoseSignatureAlgorithm.none;
222
+ case 'RS256':
223
+ return JoseSignatureAlgorithm.RS256
224
+ case 'RS384':
225
+ return JoseSignatureAlgorithm.RS384
226
+ case 'RS512':
227
+ return JoseSignatureAlgorithm.RS512
228
+ case 'ES256':
229
+ return JoseSignatureAlgorithm.ES256
230
+ case 'ES256K':
231
+ return JoseSignatureAlgorithm.ES256K
232
+ case 'ES384':
233
+ return JoseSignatureAlgorithm.ES384
234
+ case 'ES512':
235
+ return JoseSignatureAlgorithm.ES512
236
+ case 'EdDSA':
237
+ return JoseSignatureAlgorithm.EdDSA
238
+ case 'HS256':
239
+ return JoseSignatureAlgorithm.HS256
240
+ case 'HS384':
241
+ return JoseSignatureAlgorithm.HS384
242
+ case 'HS512':
243
+ return JoseSignatureAlgorithm.HS512
244
+ case 'PS256':
245
+ return JoseSignatureAlgorithm.PS256
246
+ case 'PS384':
247
+ return JoseSignatureAlgorithm.PS384
248
+ case 'PS512':
249
+ return JoseSignatureAlgorithm.PS512
250
+ case 'none':
251
+ return JoseSignatureAlgorithm.none
225
252
  default:
226
253
  throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)
227
254
  }
@@ -256,10 +283,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
256
283
 
257
284
  private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {
258
285
  const x509 = args.meta?.x509 as X509Opts
259
- const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')
260
- ? args.privateKeyHex
261
- : hexToPEM(args.privateKeyHex, 'private')
262
- ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)
286
+ const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)
263
287
  const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')
264
288
  const privateKeyJwk = PEMToJwk(privateKeyPEM)
265
289
  const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')
@@ -307,8 +331,8 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
307
331
  crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
308
332
  },
309
333
  },
310
- certChain: meta.x509.x5c
311
- } satisfies StoreKey
334
+ certChain: meta.x509.x5c,
335
+ } satisfies StoreKey,
312
336
  }
313
337
  }
314
338
 
@@ -333,9 +357,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
333
357
  kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
334
358
  use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
335
359
  crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
336
- }
337
- }
338
- } satisfies StoreKey
360
+ },
361
+ },
362
+ } satisfies StoreKey,
339
363
  }
340
364
  }
341
365
 
@@ -357,9 +381,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
357
381
  kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
358
382
  use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
359
383
  crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
360
- }
361
- }
362
- } satisfies StoreKey
384
+ },
385
+ },
386
+ } satisfies StoreKey,
363
387
  }
364
388
  }
365
389
 
@@ -378,5 +402,4 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
378
402
  throw new Error(`Key type ${args.type} is not supported by REST KMS`)
379
403
  }
380
404
  }
381
-
382
405
  }