@sphereon/ssi-sdk.kms-rest 0.34.1-feature.SSISDK.70.integrate.digidentity.307 → 0.34.1-feature.SSISDK.78.306
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +9 -79
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +3 -6
- package/dist/index.d.ts +3 -6
- package/dist/index.js +9 -79
- package/dist/index.js.map +1 -1
- package/package.json +6 -6
- package/src/RestKeyManagementSystem.ts +68 -147
package/dist/index.cjs
CHANGED
|
@@ -36,11 +36,11 @@ __export(index_exports, {
|
|
|
36
36
|
module.exports = __toCommonJS(index_exports);
|
|
37
37
|
|
|
38
38
|
// src/RestKeyManagementSystem.ts
|
|
39
|
+
var import_key_manager = require("@veramo/key-manager");
|
|
39
40
|
var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.key-utils");
|
|
40
|
-
var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.x509-utils");
|
|
41
41
|
var import_ssi_sdk = require("@sphereon/ssi-sdk.kms-rest-client");
|
|
42
|
+
var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.x509-utils");
|
|
42
43
|
var import_ssi_types = require("@sphereon/ssi-types");
|
|
43
|
-
var import_key_manager = require("@veramo/key-manager");
|
|
44
44
|
var import_elliptic = __toESM(require("elliptic"), 1);
|
|
45
45
|
var u8a = __toESM(require("uint8arrays"), 1);
|
|
46
46
|
var { fromString, toString } = u8a;
|
|
@@ -50,7 +50,6 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
50
50
|
}
|
|
51
51
|
client;
|
|
52
52
|
id;
|
|
53
|
-
providerId;
|
|
54
53
|
constructor(options) {
|
|
55
54
|
super();
|
|
56
55
|
const config = {
|
|
@@ -58,7 +57,6 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
58
57
|
authOpts: options.authOpts
|
|
59
58
|
};
|
|
60
59
|
this.id = options.applicationId;
|
|
61
|
-
this.providerId = options.providerId;
|
|
62
60
|
this.client = new import_ssi_sdk.KmsRestClient(config);
|
|
63
61
|
}
|
|
64
62
|
async createKey(args) {
|
|
@@ -71,10 +69,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
71
69
|
import_ssi_sdk.KeyOperations.Sign
|
|
72
70
|
]
|
|
73
71
|
};
|
|
74
|
-
const key =
|
|
75
|
-
...options,
|
|
76
|
-
providerId: this.providerId
|
|
77
|
-
}) : await this.client.methods.kmsClientGenerateKey(options);
|
|
72
|
+
const key = await this.client.methods.kmsClientGenerateKey(options);
|
|
78
73
|
const jwk = {
|
|
79
74
|
...key.keyPair.jose.publicJwk,
|
|
80
75
|
alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
|
|
@@ -104,10 +99,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
104
99
|
const { type } = args;
|
|
105
100
|
const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
|
|
106
101
|
const importKey = this.mapImportKey(args);
|
|
107
|
-
const result =
|
|
108
|
-
...importKey.key,
|
|
109
|
-
providerId: this.providerId
|
|
110
|
-
}) : await this.client.methods.kmsClientStoreKey(importKey.key);
|
|
102
|
+
const result = await this.client.methods.kmsClientStoreKey(importKey.key);
|
|
111
103
|
return {
|
|
112
104
|
kid: importKey.kid,
|
|
113
105
|
kms: this.id,
|
|
@@ -127,76 +119,17 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
127
119
|
}
|
|
128
120
|
async deleteKey(args) {
|
|
129
121
|
const { kid } = args;
|
|
130
|
-
return
|
|
131
|
-
aliasOrKid: kid,
|
|
132
|
-
providerId: this.providerId
|
|
133
|
-
}) : await this.client.methods.kmsClientDeleteKey({
|
|
122
|
+
return await this.client.methods.kmsClientDeleteKey({
|
|
134
123
|
aliasOrKid: kid
|
|
135
124
|
});
|
|
136
125
|
}
|
|
137
126
|
async listKeys() {
|
|
138
|
-
const keys =
|
|
139
|
-
|
|
140
|
-
}) : await this.client.methods.kmsClientListKeys();
|
|
141
|
-
const restKeys = (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
|
|
142
|
-
return restKeys.map((restKey) => {
|
|
143
|
-
const jwk = restKey.key;
|
|
144
|
-
let publicKeyHex = "";
|
|
145
|
-
if (jwk.kty === "EC") {
|
|
146
|
-
publicKeyHex = jwk.x || "";
|
|
147
|
-
} else if (jwk.kty === "RSA") {
|
|
148
|
-
publicKeyHex = jwk.n || "";
|
|
149
|
-
} else if (jwk.kty === "OKP") {
|
|
150
|
-
publicKeyHex = jwk.x || "";
|
|
151
|
-
}
|
|
152
|
-
const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
|
|
153
|
-
return {
|
|
154
|
-
kid: restKey.kid || restKey.alias,
|
|
155
|
-
kms: this.id,
|
|
156
|
-
type: keyType,
|
|
157
|
-
publicKeyHex,
|
|
158
|
-
meta: {
|
|
159
|
-
algorithms: restKey.signatureAlgorithm ? [
|
|
160
|
-
restKey.signatureAlgorithm
|
|
161
|
-
] : void 0,
|
|
162
|
-
jwk,
|
|
163
|
-
jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
|
|
164
|
-
jwk,
|
|
165
|
-
digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : "sha256"
|
|
166
|
-
}),
|
|
167
|
-
alias: restKey.alias,
|
|
168
|
-
providerId: restKey.providerId,
|
|
169
|
-
x5c: restKey.x5c,
|
|
170
|
-
keyVisibility: restKey.keyVisibility,
|
|
171
|
-
keyEncoding: restKey.keyEncoding,
|
|
172
|
-
...restKey.opts
|
|
173
|
-
}
|
|
174
|
-
};
|
|
175
|
-
});
|
|
176
|
-
}
|
|
177
|
-
mapRestKeyTypeToTKeyType(keyType) {
|
|
178
|
-
switch (keyType) {
|
|
179
|
-
case "RSA":
|
|
180
|
-
return "RSA";
|
|
181
|
-
case "EC":
|
|
182
|
-
case "P256":
|
|
183
|
-
return "Secp256r1";
|
|
184
|
-
case "X25519":
|
|
185
|
-
return "X25519";
|
|
186
|
-
case "Ed25519":
|
|
187
|
-
return "Ed25519";
|
|
188
|
-
case "secp256k1":
|
|
189
|
-
return "Secp256k1";
|
|
190
|
-
default:
|
|
191
|
-
throw new Error(`Unknown key type: ${keyType}`);
|
|
192
|
-
}
|
|
127
|
+
const keys = await this.client.methods.kmsClientListKeys();
|
|
128
|
+
return (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
|
|
193
129
|
}
|
|
194
130
|
async sign(args) {
|
|
195
131
|
const { keyRef, data } = args;
|
|
196
|
-
const key =
|
|
197
|
-
aliasOrKid: keyRef.kid,
|
|
198
|
-
providerId: this.providerId
|
|
199
|
-
}) : await this.client.methods.kmsClientGetKey({
|
|
132
|
+
const key = await this.client.methods.kmsClientGetKey({
|
|
200
133
|
aliasOrKid: keyRef.kid
|
|
201
134
|
});
|
|
202
135
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
@@ -207,10 +140,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
207
140
|
}
|
|
208
141
|
async verify(args) {
|
|
209
142
|
const { keyRef, data, signature } = args;
|
|
210
|
-
const key =
|
|
211
|
-
aliasOrKid: keyRef.kid,
|
|
212
|
-
providerId: this.providerId
|
|
213
|
-
}) : await this.client.methods.kmsClientGetKey({
|
|
143
|
+
const key = await this.client.methods.kmsClientGetKey({
|
|
214
144
|
aliasOrKid: keyRef.kid
|
|
215
145
|
});
|
|
216
146
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAA4F;AAC5F,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAhC7C,OAgC6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;IAC/F;AAEA,UAAMC,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQC,6BAA6B;MACrD,GAAGxB;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQE,qBAAqBzB,OAAAA;AAEnD,UAAM0B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBZ,KAAKK,IAAIK,QAAQC,KAAKC,UAAUZ,MAAM,KAAKa,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUZ,GAAG,IAAIc;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOb,IAAIK,QAAQQ;QACnBC,YAAY;UAACd,IAAIK,QAAQC,KAAKC,UAAUZ,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKrB,IAAIK,QAAQC,KAAKC,UAAUpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMmD,UAAUrC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMoC,YAAY,KAAKC,aAAatC,IAAAA;AAEpC,UAAMuC,SAAS,KAAK/C,aAChB,MAAM,KAAKF,OAAO0B,QAAQwB,0BAA0B;MAClD,GAAGH,UAAUtB;MACbvB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQyB,kBAAkBJ,UAAUtB,GAAG;AAE7D,WAAO;MACLU,KAAKY,UAAUZ;MACfE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOS,UAAUtB,IAAI2B,QAAQd;QAC7BC,YAAY;UAACU,OAAOG,QAAQ3B,IAAIL,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCZ,KAAKkB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ3B,IAAI7B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM0D,UAAU5C,MAAuC;AACrD,UAAM,EAAEyB,IAAG,IAAKzB;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO0B,QAAQ6B,2BAA2B;MACnDC,YAAYrB;MACZjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ+B,mBAAmB;MAAED,YAAYrB;IAAI,CAAA;EACrE;EAEA,MAAMuB,WAAsC;AAC1C,UAAMC,OAAO,KAAKzD,aACd,MAAM,KAAKF,OAAO0B,QAAQkC,0BAA0B;MAAE1D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO0B,QAAQmC,kBAAiB;AAE/C,UAAMC,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMrC,MAAMqC,QAAQzC;AACpB,UAAImB,eAAe;AAGnB,UAAIf,IAAIsC,QAAQ,MAAM;AACpBvB,uBAAef,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIsC,QAAQ,OAAO;AAC5BvB,uBAAef,IAAIwC,KAAK;MAC1B,WAAWxC,IAAIsC,QAAQ,OAAO;AAC5BvB,uBAAef,IAAIuC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLnC,KAAK+B,QAAQ/B,OAAO+B,QAAQ5B;QAC5BD,KAAK,KAAKpC;QACVU,MAAM2D;QACN1B;QACAhC,MAAM;UACJ2B,YAAY2B,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBqB;UACxEL;UACAW,mBAAeC,2CAAuB;YACpCZ;YACAa,iBAAiBwB,QAAQrD,qBAAqB,KAAK8B,oCAAoCuB,QAAQrD,kBAAkB,IAAI;UACvH,CAAA;UACAyB,OAAO4B,QAAQ5B;UACfpC,YAAYgE,QAAQhE;UACpBsE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIlC,MAAM,qBAAqBkC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKlE,MAAiC;AAC1C,UAAM,EAAEmE,QAAQC,KAAI,IAAKpE;AACzB,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQqD,wBAAwB;MAChDvB,YAAYqB,OAAO1C;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQsD,gBAAgB;MAAExB,YAAYqB,OAAO1C;IAAI,CAAA;AAEvE,UAAM8C,gBAAgB,MAAM,KAAKjF,OAAO0B,QAAQwD,4BAA4B;MAC1E9B,SAAS3B,IAAI2B;MACb+B,OAAOvF,SAASkF,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO3E,MAAoC;AAC/C,UAAM,EAAEmE,QAAQC,MAAMM,UAAS,IAAK1E;AACpC,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQqD,wBAAwB;MAChDvB,YAAYqB,OAAO1C;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQsD,gBAAgB;MAAExB,YAAYqB,OAAO1C;IAAI,CAAA;AAEvE,UAAMmD,eAAe,MAAM,KAAKtF,OAAO0B,QAAQ6D,6BAA6B;MAC1EnC,SAAS3B,IAAI2B;MACb+B,OAAOvF,SAASkF,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa/E,MAAyC;AAC1D,UAAM,IAAI0B,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC9B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK6E,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9D,MAAM,uBAAuBvB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACmF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOjF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOkF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdrF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO+E,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIzD,MAAM,YAAYzB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCsB,mBAAmB,wBAACb,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOiF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAIhF,MAAM,uBAAuBhB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBiG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO/F,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcgG;MACvB,KAAK;AACH,eAAOhG,6BAAciG;MACvB,KAAK;AACH,eAAOjG,6BAAckG;MACvB,KAAK;AACH,eAAOlG,6BAAcmG;MACvB,KAAK;AACH,eAAOnG,6BAAcoG;MACvB,KAAK;AACH,eAAOpG,6BAAcqG;MACvB,KAAK;AACH,eAAOrG,6BAAcsG;MACvB;AACE,cAAM,IAAIzF,MAAM,iBAAiBkF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBhG,mBAAmB,wBAACwG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACrH,SAAAA;AACzB,UAAMsH,OAAOtH,KAAKE,MAAMoH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvH,KAAKwH,cAAcC,SAAS,KAAA,IAASzH,KAAKwH,oBAAgBE,8BAAS1H,KAAKwH,eAAe,SAAA;AACrI,UAAM7E,mBAAegF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASnF,cAAc,QAAA;AAC5C,UAAMT,mBAAe6F,8BAASF,YAAAA;AAE9B,UAAM3H,OAAO,CAAC;AACd,QAAIoH,MAAM;AACRpH,WAAKoH,OAAO;QACVU,IAAIV,KAAKU,MAAMhI,KAAKyB,OAAOS;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlI,aAAKoH,KAAKY,sBAAsBD;AAChC,cAAMnE,UAAMuE,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA5D,aAAKoH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBpI,aAAKoH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM7G,MAAMzB,KAAKyB,OAAOvB,MAAMoH,MAAMU,MAAM9F;AAC1C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,SAAKoI,oCAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAW/H,KAAKoH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC5I,SAAAA;AAC/B,UAAM,EAAEwH,cAAa,IAAKxH;AAC1B,UAAM6I,eAAe5J,WAAWuI,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAM7H,UAAU2H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAed,QAAQ+H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,mBAAeyG,0BAAMlH,cAAc,WAAA;AACzC,UAAM0F,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM5H,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,SAAKoI,oCAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACtJ,SAAAA;AAC5B,UAAM,EAAEwH,cAAa,IAAKxH;AAC1B,UAAM4H,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,mBAAeqH,kDAA8B/B,aAAAA;AACnD,UAAM7E,mBAAeyG,0BAAMlH,cAAc,QAAA;AACzC,UAAMT,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,SAAKoI,oCAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACtC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoH,gBAAgBrH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK4I,sBAAsB5I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKsJ,mBAAmBtJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI0B,MAAM,YAAY1B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACCA,yBAA4C;AAC5C,yBAKO;AACP,qBAWO;AACP,IAAAA,sBAMO;AACP,uBAAiD;AACjD,sBAAqB;AAErB,UAAqB;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQQ;QACnBC,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,mBAAeC,2CAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUrB,IAAIyB,QAAQb;QAC7BC,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,mBAAeC,2CAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,eAAOC,4CAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,wCAAuBC;MAC5C,KAAK;AAAS,eAAOD,wCAAuBE;MAC5C,KAAK;AAAS,eAAOF,wCAAuBG;MAC5C,KAAK;AAAS,eAAOH,wCAAuBI;MAC5C,KAAK;AAAU,eAAOJ,wCAAuBK;MAC7C,KAAK;AAAS,eAAOL,wCAAuBM;MAC5C,KAAK;AAAS,eAAON,wCAAuBO;MAC5C,KAAK;AAAS,eAAOP,wCAAuBQ;MAC5C,KAAK;AAAS,eAAOR,wCAAuBS;MAC5C,KAAK;AAAS,eAAOT,wCAAuBU;MAC5C,KAAK;AAAS,eAAOV,wCAAuBW;MAC5C,KAAK;AAAS,eAAOX,wCAAuBY;MAC5C,KAAK;AAAS,eAAOZ,wCAAuBa;MAC5C,KAAK;AAAS,eAAOb,wCAAuBc;MAC5C,KAAK;AAAS,eAAOd,wCAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAc+E;MACvB,KAAK;AACH,eAAO/E,6BAAcgF;MACvB,KAAK;AACH,eAAOhF,6BAAciF;MACvB,KAAK;AACH,eAAOjF,6BAAckF;MACvB,KAAK;AACH,eAAOlF,6BAAcmF;MACvB,KAAK;AACH,eAAOnF,6BAAcoF;MACvB,KAAK;AACH,eAAOpF,6BAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,oBACLE,8BAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,mBAAekE,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASrE,cAAc,QAAA;AAC5C,UAAMR,mBAAe8E,8BAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,mBAAe6F,0BAAMrG,cAAc,WAAA;AACzC,UAAM2E,oBAAgB0B,0BAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,oBAAgB0B,0BAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,mBAAewG,kDAA8BjC,aAAAA;AACnD,UAAM/D,mBAAe6F,0BAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
package/dist/index.d.cts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
|
|
2
1
|
import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
|
|
3
2
|
import { AbstractKeyManagementSystem } from '@veramo/key-manager';
|
|
3
|
+
import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
|
|
4
4
|
import { JWK } from '@sphereon/ssi-types';
|
|
5
5
|
|
|
6
6
|
type KeyMetadata = {
|
|
@@ -44,22 +44,19 @@ type MappedImportKey = {
|
|
|
44
44
|
publicKeyJwk: JWK;
|
|
45
45
|
};
|
|
46
46
|
|
|
47
|
-
interface
|
|
47
|
+
interface AbstractKeyManagementSystemOptions {
|
|
48
48
|
applicationId: string;
|
|
49
49
|
baseUrl: string;
|
|
50
|
-
providerId?: string;
|
|
51
50
|
authOpts?: RestClientAuthenticationOpts;
|
|
52
51
|
}
|
|
53
52
|
declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
54
53
|
private client;
|
|
55
54
|
private readonly id;
|
|
56
|
-
|
|
57
|
-
constructor(options: KeyManagementSystemOptions);
|
|
55
|
+
constructor(options: AbstractKeyManagementSystemOptions);
|
|
58
56
|
createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
|
|
59
57
|
importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
|
|
60
58
|
deleteKey(args: DeleteKeyArgs): Promise<boolean>;
|
|
61
59
|
listKeys(): Promise<ManagedKeyInfo[]>;
|
|
62
|
-
private mapRestKeyTypeToTKeyType;
|
|
63
60
|
sign(args: SignArgs): Promise<string>;
|
|
64
61
|
verify(args: VerifyArgs): Promise<boolean>;
|
|
65
62
|
sharedSecret(args: SharedSecretArgs): Promise<string>;
|
package/dist/index.d.ts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
|
-
import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
|
|
2
1
|
import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
|
|
3
2
|
import { AbstractKeyManagementSystem } from '@veramo/key-manager';
|
|
3
|
+
import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
|
|
4
4
|
import { JWK } from '@sphereon/ssi-types';
|
|
5
5
|
|
|
6
6
|
type KeyMetadata = {
|
|
@@ -44,22 +44,19 @@ type MappedImportKey = {
|
|
|
44
44
|
publicKeyJwk: JWK;
|
|
45
45
|
};
|
|
46
46
|
|
|
47
|
-
interface
|
|
47
|
+
interface AbstractKeyManagementSystemOptions {
|
|
48
48
|
applicationId: string;
|
|
49
49
|
baseUrl: string;
|
|
50
|
-
providerId?: string;
|
|
51
50
|
authOpts?: RestClientAuthenticationOpts;
|
|
52
51
|
}
|
|
53
52
|
declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
54
53
|
private client;
|
|
55
54
|
private readonly id;
|
|
56
|
-
|
|
57
|
-
constructor(options: KeyManagementSystemOptions);
|
|
55
|
+
constructor(options: AbstractKeyManagementSystemOptions);
|
|
58
56
|
createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
|
|
59
57
|
importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
|
|
60
58
|
deleteKey(args: DeleteKeyArgs): Promise<boolean>;
|
|
61
59
|
listKeys(): Promise<ManagedKeyInfo[]>;
|
|
62
|
-
private mapRestKeyTypeToTKeyType;
|
|
63
60
|
sign(args: SignArgs): Promise<string>;
|
|
64
61
|
verify(args: VerifyArgs): Promise<boolean>;
|
|
65
62
|
sharedSecret(args: SharedSecretArgs): Promise<string>;
|
package/dist/index.js
CHANGED
|
@@ -2,11 +2,11 @@ var __defProp = Object.defineProperty;
|
|
|
2
2
|
var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
|
|
3
3
|
|
|
4
4
|
// src/RestKeyManagementSystem.ts
|
|
5
|
+
import { AbstractKeyManagementSystem } from "@veramo/key-manager";
|
|
5
6
|
import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
|
|
6
|
-
import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
|
|
7
7
|
import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
|
|
8
|
+
import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
|
|
8
9
|
import { JoseSignatureAlgorithm } from "@sphereon/ssi-types";
|
|
9
|
-
import { AbstractKeyManagementSystem } from "@veramo/key-manager";
|
|
10
10
|
import elliptic from "elliptic";
|
|
11
11
|
import * as u8a from "uint8arrays";
|
|
12
12
|
var { fromString, toString } = u8a;
|
|
@@ -16,7 +16,6 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
16
16
|
}
|
|
17
17
|
client;
|
|
18
18
|
id;
|
|
19
|
-
providerId;
|
|
20
19
|
constructor(options) {
|
|
21
20
|
super();
|
|
22
21
|
const config = {
|
|
@@ -24,7 +23,6 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
24
23
|
authOpts: options.authOpts
|
|
25
24
|
};
|
|
26
25
|
this.id = options.applicationId;
|
|
27
|
-
this.providerId = options.providerId;
|
|
28
26
|
this.client = new KmsRestClient(config);
|
|
29
27
|
}
|
|
30
28
|
async createKey(args) {
|
|
@@ -37,10 +35,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
37
35
|
KeyOperations.Sign
|
|
38
36
|
]
|
|
39
37
|
};
|
|
40
|
-
const key =
|
|
41
|
-
...options,
|
|
42
|
-
providerId: this.providerId
|
|
43
|
-
}) : await this.client.methods.kmsClientGenerateKey(options);
|
|
38
|
+
const key = await this.client.methods.kmsClientGenerateKey(options);
|
|
44
39
|
const jwk = {
|
|
45
40
|
...key.keyPair.jose.publicJwk,
|
|
46
41
|
alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
|
|
@@ -70,10 +65,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
70
65
|
const { type } = args;
|
|
71
66
|
const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
|
|
72
67
|
const importKey = this.mapImportKey(args);
|
|
73
|
-
const result =
|
|
74
|
-
...importKey.key,
|
|
75
|
-
providerId: this.providerId
|
|
76
|
-
}) : await this.client.methods.kmsClientStoreKey(importKey.key);
|
|
68
|
+
const result = await this.client.methods.kmsClientStoreKey(importKey.key);
|
|
77
69
|
return {
|
|
78
70
|
kid: importKey.kid,
|
|
79
71
|
kms: this.id,
|
|
@@ -93,76 +85,17 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
93
85
|
}
|
|
94
86
|
async deleteKey(args) {
|
|
95
87
|
const { kid } = args;
|
|
96
|
-
return
|
|
97
|
-
aliasOrKid: kid,
|
|
98
|
-
providerId: this.providerId
|
|
99
|
-
}) : await this.client.methods.kmsClientDeleteKey({
|
|
88
|
+
return await this.client.methods.kmsClientDeleteKey({
|
|
100
89
|
aliasOrKid: kid
|
|
101
90
|
});
|
|
102
91
|
}
|
|
103
92
|
async listKeys() {
|
|
104
|
-
const keys =
|
|
105
|
-
|
|
106
|
-
}) : await this.client.methods.kmsClientListKeys();
|
|
107
|
-
const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos;
|
|
108
|
-
return restKeys.map((restKey) => {
|
|
109
|
-
const jwk = restKey.key;
|
|
110
|
-
let publicKeyHex = "";
|
|
111
|
-
if (jwk.kty === "EC") {
|
|
112
|
-
publicKeyHex = jwk.x || "";
|
|
113
|
-
} else if (jwk.kty === "RSA") {
|
|
114
|
-
publicKeyHex = jwk.n || "";
|
|
115
|
-
} else if (jwk.kty === "OKP") {
|
|
116
|
-
publicKeyHex = jwk.x || "";
|
|
117
|
-
}
|
|
118
|
-
const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
|
|
119
|
-
return {
|
|
120
|
-
kid: restKey.kid || restKey.alias,
|
|
121
|
-
kms: this.id,
|
|
122
|
-
type: keyType,
|
|
123
|
-
publicKeyHex,
|
|
124
|
-
meta: {
|
|
125
|
-
algorithms: restKey.signatureAlgorithm ? [
|
|
126
|
-
restKey.signatureAlgorithm
|
|
127
|
-
] : void 0,
|
|
128
|
-
jwk,
|
|
129
|
-
jwkThumbprint: calculateJwkThumbprint({
|
|
130
|
-
jwk,
|
|
131
|
-
digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : "sha256"
|
|
132
|
-
}),
|
|
133
|
-
alias: restKey.alias,
|
|
134
|
-
providerId: restKey.providerId,
|
|
135
|
-
x5c: restKey.x5c,
|
|
136
|
-
keyVisibility: restKey.keyVisibility,
|
|
137
|
-
keyEncoding: restKey.keyEncoding,
|
|
138
|
-
...restKey.opts
|
|
139
|
-
}
|
|
140
|
-
};
|
|
141
|
-
});
|
|
142
|
-
}
|
|
143
|
-
mapRestKeyTypeToTKeyType(keyType) {
|
|
144
|
-
switch (keyType) {
|
|
145
|
-
case "RSA":
|
|
146
|
-
return "RSA";
|
|
147
|
-
case "EC":
|
|
148
|
-
case "P256":
|
|
149
|
-
return "Secp256r1";
|
|
150
|
-
case "X25519":
|
|
151
|
-
return "X25519";
|
|
152
|
-
case "Ed25519":
|
|
153
|
-
return "Ed25519";
|
|
154
|
-
case "secp256k1":
|
|
155
|
-
return "Secp256k1";
|
|
156
|
-
default:
|
|
157
|
-
throw new Error(`Unknown key type: ${keyType}`);
|
|
158
|
-
}
|
|
93
|
+
const keys = await this.client.methods.kmsClientListKeys();
|
|
94
|
+
return ListKeysResponseToJSONTyped(keys, false).keyInfos;
|
|
159
95
|
}
|
|
160
96
|
async sign(args) {
|
|
161
97
|
const { keyRef, data } = args;
|
|
162
|
-
const key =
|
|
163
|
-
aliasOrKid: keyRef.kid,
|
|
164
|
-
providerId: this.providerId
|
|
165
|
-
}) : await this.client.methods.kmsClientGetKey({
|
|
98
|
+
const key = await this.client.methods.kmsClientGetKey({
|
|
166
99
|
aliasOrKid: keyRef.kid
|
|
167
100
|
});
|
|
168
101
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
@@ -173,10 +106,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
173
106
|
}
|
|
174
107
|
async verify(args) {
|
|
175
108
|
const { keyRef, data, signature } = args;
|
|
176
|
-
const key =
|
|
177
|
-
aliasOrKid: keyRef.kid,
|
|
178
|
-
providerId: this.providerId
|
|
179
|
-
}) : await this.client.methods.kmsClientGetKey({
|
|
109
|
+
const key = await this.client.methods.kmsClientGetKey({
|
|
180
110
|
aliasOrKid: keyRef.kid
|
|
181
111
|
});
|
|
182
112
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,OAAOC,qCAAoD;AAC5F,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAhC7C,OAgC6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;IAC/F;AAEA,UAAMC,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQC,6BAA6B;MACrD,GAAGxB;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQE,qBAAqBzB,OAAAA;AAEnD,UAAM0B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBZ,KAAKK,IAAIK,QAAQC,KAAKC,UAAUZ,MAAM,KAAKa,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUZ,GAAG,IAAIc;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOb,IAAIK,QAAQQ;QACnBC,YAAY;UAACd,IAAIK,QAAQC,KAAKC,UAAUZ,OAAO;;QAC/CoB,eAAeC,uBAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKrB,IAAIK,QAAQC,KAAKC,UAAUpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMmD,UAAUrC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMoC,YAAY,KAAKC,aAAatC,IAAAA;AAEpC,UAAMuC,SAAS,KAAK/C,aAChB,MAAM,KAAKF,OAAO0B,QAAQwB,0BAA0B;MAClD,GAAGH,UAAUtB;MACbvB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQyB,kBAAkBJ,UAAUtB,GAAG;AAE7D,WAAO;MACLU,KAAKY,UAAUZ;MACfE,KAAK,KAAKpC;MACVU;MACAC,MAAM;QACJ0B,OAAOS,UAAUtB,IAAI2B,QAAQd;QAC7BC,YAAY;UAACU,OAAOG,QAAQ3B,IAAIL,OAAO;;QACvCoB,eAAeC,uBAAuB;UACpCZ,KAAKkB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC9B,kBAAAA;QAC5D,CAAA;MACF;MACA+B,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ3B,IAAI7B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM0D,UAAU5C,MAAuC;AACrD,UAAM,EAAEyB,IAAG,IAAKzB;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO0B,QAAQ6B,2BAA2B;MACnDC,YAAYrB;MACZjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQ+B,mBAAmB;MAAED,YAAYrB;IAAI,CAAA;EACrE;EAEA,MAAMuB,WAAsC;AAC1C,UAAMC,OAAO,KAAKzD,aACd,MAAM,KAAKF,OAAO0B,QAAQkC,0BAA0B;MAAE1D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO0B,QAAQmC,kBAAiB;AAE/C,UAAMC,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMrC,MAAMqC,QAAQzC;AACpB,UAAImB,eAAe;AAGnB,UAAIf,IAAIsC,QAAQ,MAAM;AACpBvB,uBAAef,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIsC,QAAQ,OAAO;AAC5BvB,uBAAef,IAAIwC,KAAK;MAC1B,WAAWxC,IAAIsC,QAAQ,OAAO;AAC5BvB,uBAAef,IAAIuC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLnC,KAAK+B,QAAQ/B,OAAO+B,QAAQ5B;QAC5BD,KAAK,KAAKpC;QACVU,MAAM2D;QACN1B;QACAhC,MAAM;UACJ2B,YAAY2B,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBqB;UACxEL;UACAW,eAAeC,uBAAuB;YACpCZ;YACAa,iBAAiBwB,QAAQrD,qBAAqB,KAAK8B,oCAAoCuB,QAAQrD,kBAAkB,IAAI;UACvH,CAAA;UACAyB,OAAO4B,QAAQ5B;UACfpC,YAAYgE,QAAQhE;UACpBsE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIlC,MAAM,qBAAqBkC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKlE,MAAiC;AAC1C,UAAM,EAAEmE,QAAQC,KAAI,IAAKpE;AACzB,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQqD,wBAAwB;MAChDvB,YAAYqB,OAAO1C;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQsD,gBAAgB;MAAExB,YAAYqB,OAAO1C;IAAI,CAAA;AAEvE,UAAM8C,gBAAgB,MAAM,KAAKjF,OAAO0B,QAAQwD,4BAA4B;MAC1E9B,SAAS3B,IAAI2B;MACb+B,OAAOvF,SAASkF,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO3E,MAAoC;AAC/C,UAAM,EAAEmE,QAAQC,MAAMM,UAAS,IAAK1E;AACpC,UAAMe,MAAM,KAAKvB,aACb,MAAM,KAAKF,OAAO0B,QAAQqD,wBAAwB;MAChDvB,YAAYqB,OAAO1C;MACnBjC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO0B,QAAQsD,gBAAgB;MAAExB,YAAYqB,OAAO1C;IAAI,CAAA;AAEvE,UAAMmD,eAAe,MAAM,KAAKtF,OAAO0B,QAAQ6D,6BAA6B;MAC1EnC,SAAS3B,IAAI2B;MACb+B,OAAOvF,SAASkF,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa/E,MAAyC;AAC1D,UAAM,IAAI0B,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC9B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK6E,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9D,MAAM,uBAAuBvB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACmF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOjF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOkF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdrF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO+E,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIzD,MAAM,YAAYzB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCsB,mBAAmB,wBAACb,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOiF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAIhF,MAAM,uBAAuBhB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBiG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO/F,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcgG;MACvB,KAAK;AACH,eAAOhG,cAAciG;MACvB,KAAK;AACH,eAAOjG,cAAckG;MACvB,KAAK;AACH,eAAOlG,cAAcmG;MACvB,KAAK;AACH,eAAOnG,cAAcoG;MACvB,KAAK;AACH,eAAOpG,cAAcqG;MACvB,KAAK;AACH,eAAOrG,cAAcsG;MACvB;AACE,cAAM,IAAIzF,MAAM,iBAAiBkF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBhG,mBAAmB,wBAACwG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACrH,SAAAA;AACzB,UAAMsH,OAAOtH,KAAKE,MAAMoH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvH,KAAKwH,cAAcC,SAAS,KAAA,IAASzH,KAAKwH,gBAAgBE,SAAS1H,KAAKwH,eAAe,SAAA;AACrI,UAAM7E,eAAegF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASnF,cAAc,QAAA;AAC5C,UAAMT,eAAe6F,SAASF,YAAAA;AAE9B,UAAM3H,OAAO,CAAC;AACd,QAAIoH,MAAM;AACRpH,WAAKoH,OAAO;QACVU,IAAIV,KAAKU,MAAMhI,KAAKyB,OAAOS;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlI,aAAKoH,KAAKY,sBAAsBD;AAChC,cAAMnE,MAAMuE,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA5D,aAAKoH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBpI,aAAKoH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM7G,MAAMzB,KAAKyB,OAAOvB,MAAMoH,MAAMU,MAAM9F;AAC1C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,KAAKoI,oBAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAW/H,KAAKoH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC5I,SAAAA;AAC/B,UAAM,EAAEwH,cAAa,IAAKxH;AAC1B,UAAM6I,eAAe5J,WAAWuI,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAM7H,UAAU2H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAed,QAAQ+H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,eAAeyG,MAAMlH,cAAc,WAAA;AACzC,UAAM0F,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM5H,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,KAAKoI,oBAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACtJ,SAAAA;AAC5B,UAAM,EAAEwH,cAAa,IAAKxH;AAC1B,UAAM4H,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,eAAeqH,8BAA8B/B,aAAAA;AACnD,UAAM7E,eAAeyG,MAAMlH,cAAc,QAAA;AACzC,UAAMT,MAAMzB,KAAKyB,OAAOkB,aAAalB,OAAOS;AAE5C,WAAO;MACLT;MACAkB;MACA5B,KAAK;QACH2B,SAAS;UACP3B,KAAK;YACH,GAAG6G;YACHnG;YACAgC,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDpD,KAAKoI,oBAAoBb,cAAcvH,KAAK,KAAA;YAC5CqI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACtC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoH,gBAAgBrH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK4I,sBAAsB5I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKsJ,mBAAmBtJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI0B,MAAM,YAAY1B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;AACA,SAASA,mCAAmC;AAC5C,SACEC,wBACAC,OACAC,qCAEK;AACP,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SACEC,UACAC,UACAC,mBACAC,UACAC,gBACK;AACP,SAASC,8BAAwC;AACjD,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQQ;QACnBC,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,eAAeC,uBAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUrB,IAAIyB,QAAQb;QAC7BC,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,eAAeC,uBAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,WAAOC,4BAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,uBAAuBC;MAC5C,KAAK;AAAS,eAAOD,uBAAuBE;MAC5C,KAAK;AAAS,eAAOF,uBAAuBG;MAC5C,KAAK;AAAS,eAAOH,uBAAuBI;MAC5C,KAAK;AAAU,eAAOJ,uBAAuBK;MAC7C,KAAK;AAAS,eAAOL,uBAAuBM;MAC5C,KAAK;AAAS,eAAON,uBAAuBO;MAC5C,KAAK;AAAS,eAAOP,uBAAuBQ;MAC5C,KAAK;AAAS,eAAOR,uBAAuBS;MAC5C,KAAK;AAAS,eAAOT,uBAAuBU;MAC5C,KAAK;AAAS,eAAOV,uBAAuBW;MAC5C,KAAK;AAAS,eAAOX,uBAAuBY;MAC5C,KAAK;AAAS,eAAOZ,uBAAuBa;MAC5C,KAAK;AAAS,eAAOb,uBAAuBc;MAC5C,KAAK;AAAS,eAAOd,uBAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAc+E;MACvB,KAAK;AACH,eAAO/E,cAAcgF;MACvB,KAAK;AACH,eAAOhF,cAAciF;MACvB,KAAK;AACH,eAAOjF,cAAckF;MACvB,KAAK;AACH,eAAOlF,cAAcmF;MACvB,KAAK;AACH,eAAOnF,cAAcoF;MACvB,KAAK;AACH,eAAOpF,cAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,gBACLE,SAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,eAAekE,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASrE,cAAc,QAAA;AAC5C,UAAMR,eAAe8E,SAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,eAAe6F,MAAMrG,cAAc,WAAA;AACzC,UAAM2E,gBAAgB0B,MAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,gBAAgB0B,MAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,eAAewG,8BAA8BjC,aAAAA;AACnD,UAAM/D,eAAe6F,MAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["AbstractKeyManagementSystem","calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","JoseSignatureAlgorithm","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sphereon/ssi-sdk.kms-rest",
|
|
3
3
|
"description": "Sphereon SSI-SDK plugin for REST Key Management System.",
|
|
4
|
-
"version": "0.34.1-feature.SSISDK.
|
|
4
|
+
"version": "0.34.1-feature.SSISDK.78.306+9aff176a",
|
|
5
5
|
"source": "./src/index.ts",
|
|
6
6
|
"type": "module",
|
|
7
7
|
"main": "./dist/index.cjs",
|
|
@@ -22,10 +22,10 @@
|
|
|
22
22
|
"build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
|
|
23
23
|
},
|
|
24
24
|
"dependencies": {
|
|
25
|
-
"@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.
|
|
26
|
-
"@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.
|
|
27
|
-
"@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.SSISDK.
|
|
28
|
-
"@sphereon/ssi-types": "0.34.1-feature.SSISDK.
|
|
25
|
+
"@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.78.306+9aff176a",
|
|
26
|
+
"@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.78.306+9aff176a",
|
|
27
|
+
"@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.SSISDK.78.306+9aff176a",
|
|
28
|
+
"@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.306+9aff176a",
|
|
29
29
|
"@veramo/core": "4.2.0",
|
|
30
30
|
"@veramo/key-manager": "4.2.0",
|
|
31
31
|
"elliptic": "^6.5.4",
|
|
@@ -54,5 +54,5 @@
|
|
|
54
54
|
"key-management",
|
|
55
55
|
"Veramo"
|
|
56
56
|
],
|
|
57
|
-
"gitHead": "
|
|
57
|
+
"gitHead": "9aff176afa613d6f69fb1ff33d4f6c8c7b811ffd"
|
|
58
58
|
}
|
|
@@ -1,6 +1,11 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import {
|
|
3
|
-
import
|
|
1
|
+
import type { ManagedKeyInfo, TKeyType } from '@veramo/core'
|
|
2
|
+
import { AbstractKeyManagementSystem } from '@veramo/key-manager'
|
|
3
|
+
import {
|
|
4
|
+
calculateJwkThumbprint,
|
|
5
|
+
toJwk,
|
|
6
|
+
x25519PublicHexFromPrivateHex,
|
|
7
|
+
type X509Opts
|
|
8
|
+
} from '@sphereon/ssi-sdk-ext.key-utils'
|
|
4
9
|
import {
|
|
5
10
|
CurveFromJSONTyped,
|
|
6
11
|
JwkKeyTypeFromJSONTyped,
|
|
@@ -11,40 +16,51 @@ import {
|
|
|
11
16
|
ListKeysResponseToJSONTyped,
|
|
12
17
|
type RestClientAuthenticationOpts,
|
|
13
18
|
SignatureAlgorithm,
|
|
14
|
-
type StoreKey
|
|
19
|
+
type StoreKey
|
|
15
20
|
} from '@sphereon/ssi-sdk.kms-rest-client'
|
|
21
|
+
import {
|
|
22
|
+
hexToPEM,
|
|
23
|
+
jwkToPEM,
|
|
24
|
+
pemCertChainTox5c,
|
|
25
|
+
PEMToHex,
|
|
26
|
+
PEMToJwk
|
|
27
|
+
} from '@sphereon/ssi-sdk-ext.x509-utils'
|
|
16
28
|
import { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'
|
|
17
|
-
import type { ManagedKeyInfo, TKeyType } from '@veramo/core'
|
|
18
|
-
import { AbstractKeyManagementSystem } from '@veramo/key-manager'
|
|
19
29
|
import elliptic from 'elliptic'
|
|
20
30
|
// @ts-ignore
|
|
21
31
|
import * as u8a from 'uint8arrays'
|
|
22
|
-
import type {
|
|
32
|
+
import type {
|
|
33
|
+
CreateKeyArgs,
|
|
34
|
+
DeleteKeyArgs,
|
|
35
|
+
ImportKeyArgs,
|
|
36
|
+
MapImportKeyArgs,
|
|
37
|
+
MappedImportKey,
|
|
38
|
+
SharedSecretArgs,
|
|
39
|
+
SignArgs,
|
|
40
|
+
VerifyArgs
|
|
41
|
+
} from './types'
|
|
23
42
|
|
|
24
43
|
const { fromString, toString } = u8a
|
|
25
44
|
|
|
26
|
-
interface
|
|
45
|
+
interface AbstractKeyManagementSystemOptions {
|
|
27
46
|
applicationId: string
|
|
28
47
|
baseUrl: string
|
|
29
|
-
providerId?: string
|
|
30
48
|
authOpts?: RestClientAuthenticationOpts
|
|
31
49
|
}
|
|
32
50
|
|
|
33
51
|
export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
34
52
|
private client: KmsRestClient
|
|
35
53
|
private readonly id: string
|
|
36
|
-
private providerId: string | undefined
|
|
37
54
|
|
|
38
|
-
constructor(options:
|
|
55
|
+
constructor(options: AbstractKeyManagementSystemOptions) {
|
|
39
56
|
super()
|
|
40
57
|
|
|
41
58
|
const config = {
|
|
42
59
|
baseUrl: options.baseUrl,
|
|
43
|
-
authOpts: options.authOpts
|
|
60
|
+
authOpts: options.authOpts
|
|
44
61
|
}
|
|
45
62
|
|
|
46
63
|
this.id = options.applicationId
|
|
47
|
-
this.providerId = options.providerId
|
|
48
64
|
this.client = new KmsRestClient(config)
|
|
49
65
|
}
|
|
50
66
|
|
|
@@ -52,18 +68,13 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
52
68
|
const { type, meta } = args
|
|
53
69
|
|
|
54
70
|
const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
|
|
55
|
-
const options
|
|
71
|
+
const options = {
|
|
56
72
|
use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
|
|
57
73
|
alg: signatureAlgorithm,
|
|
58
|
-
keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]
|
|
74
|
+
keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]
|
|
59
75
|
}
|
|
60
76
|
|
|
61
|
-
const key = this.
|
|
62
|
-
? await this.client.methods.kmsClientProviderGenerateKey({
|
|
63
|
-
...options,
|
|
64
|
-
providerId: this.providerId,
|
|
65
|
-
})
|
|
66
|
-
: await this.client.methods.kmsClientGenerateKey(options)
|
|
77
|
+
const key = await this.client.methods.kmsClientGenerateKey(options)
|
|
67
78
|
|
|
68
79
|
const jwk = {
|
|
69
80
|
...key.keyPair.jose.publicJwk,
|
|
@@ -96,12 +107,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
96
107
|
const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
|
|
97
108
|
const importKey = this.mapImportKey(args)
|
|
98
109
|
|
|
99
|
-
const result = this.
|
|
100
|
-
? await this.client.methods.kmsClientProviderStoreKey({
|
|
101
|
-
...importKey.key,
|
|
102
|
-
providerId: this.providerId,
|
|
103
|
-
})
|
|
104
|
-
: await this.client.methods.kmsClientStoreKey(importKey.key)
|
|
110
|
+
const result = await this.client.methods.kmsClientStoreKey(importKey.key)
|
|
105
111
|
|
|
106
112
|
return {
|
|
107
113
|
kid: importKey.kid,
|
|
@@ -122,89 +128,21 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
122
128
|
async deleteKey(args: DeleteKeyArgs): Promise<boolean> {
|
|
123
129
|
const { kid } = args
|
|
124
130
|
|
|
125
|
-
return this.
|
|
126
|
-
? await this.client.methods.kmsClientProviderDeleteKey({
|
|
127
|
-
aliasOrKid: kid,
|
|
128
|
-
providerId: this.providerId,
|
|
129
|
-
})
|
|
130
|
-
: await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
|
|
131
|
+
return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
|
|
131
132
|
}
|
|
132
133
|
|
|
133
134
|
async listKeys(): Promise<ManagedKeyInfo[]> {
|
|
134
|
-
const keys = this.
|
|
135
|
-
? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })
|
|
136
|
-
: await this.client.methods.kmsClientListKeys()
|
|
137
|
-
|
|
138
|
-
const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos
|
|
139
|
-
|
|
140
|
-
return restKeys.map((restKey: RestManagedKeyInfo) => {
|
|
141
|
-
const jwk = restKey.key
|
|
142
|
-
let publicKeyHex = ''
|
|
143
|
-
|
|
144
|
-
// Derive publicKeyHex from JWK based on key type
|
|
145
|
-
if (jwk.kty === 'EC') {
|
|
146
|
-
publicKeyHex = jwk.x || ''
|
|
147
|
-
} else if (jwk.kty === 'RSA') {
|
|
148
|
-
publicKeyHex = jwk.n || ''
|
|
149
|
-
} else if (jwk.kty === 'OKP') {
|
|
150
|
-
publicKeyHex = jwk.x || ''
|
|
151
|
-
}
|
|
135
|
+
const keys = await this.client.methods.kmsClientListKeys()
|
|
152
136
|
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
return {
|
|
156
|
-
kid: restKey.kid || restKey.alias,
|
|
157
|
-
kms: this.id,
|
|
158
|
-
type: keyType,
|
|
159
|
-
publicKeyHex,
|
|
160
|
-
meta: {
|
|
161
|
-
algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,
|
|
162
|
-
jwk,
|
|
163
|
-
jwkThumbprint: calculateJwkThumbprint({
|
|
164
|
-
jwk: jwk as JWK,
|
|
165
|
-
digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',
|
|
166
|
-
}),
|
|
167
|
-
alias: restKey.alias,
|
|
168
|
-
providerId: restKey.providerId,
|
|
169
|
-
x5c: restKey.x5c,
|
|
170
|
-
keyVisibility: restKey.keyVisibility,
|
|
171
|
-
keyEncoding: restKey.keyEncoding,
|
|
172
|
-
...restKey.opts,
|
|
173
|
-
},
|
|
174
|
-
} satisfies ManagedKeyInfo
|
|
175
|
-
})
|
|
176
|
-
}
|
|
177
|
-
|
|
178
|
-
private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {
|
|
179
|
-
switch (keyType) {
|
|
180
|
-
case 'RSA':
|
|
181
|
-
return 'RSA'
|
|
182
|
-
case 'EC':
|
|
183
|
-
case 'P256':
|
|
184
|
-
return 'Secp256r1'
|
|
185
|
-
case 'X25519':
|
|
186
|
-
return 'X25519'
|
|
187
|
-
case 'Ed25519':
|
|
188
|
-
return 'Ed25519'
|
|
189
|
-
case 'secp256k1':
|
|
190
|
-
return 'Secp256k1'
|
|
191
|
-
default:
|
|
192
|
-
throw new Error(`Unknown key type: ${keyType}`)
|
|
193
|
-
}
|
|
137
|
+
return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped
|
|
194
138
|
}
|
|
195
139
|
|
|
196
140
|
async sign(args: SignArgs): Promise<string> {
|
|
197
141
|
const { keyRef, data } = args
|
|
198
|
-
const key = this.
|
|
199
|
-
? await this.client.methods.kmsClientProviderGetKey({
|
|
200
|
-
aliasOrKid: keyRef.kid,
|
|
201
|
-
providerId: this.providerId,
|
|
202
|
-
})
|
|
203
|
-
: await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
|
|
204
|
-
|
|
142
|
+
const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
|
|
205
143
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
206
144
|
keyInfo: key.keyInfo,
|
|
207
|
-
input: toString(data, 'base64')
|
|
145
|
+
input: toString(data, 'base64')
|
|
208
146
|
})
|
|
209
147
|
|
|
210
148
|
return signingResult.signature
|
|
@@ -212,17 +150,11 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
212
150
|
|
|
213
151
|
async verify(args: VerifyArgs): Promise<boolean> {
|
|
214
152
|
const { keyRef, data, signature } = args
|
|
215
|
-
const key = this.
|
|
216
|
-
? await this.client.methods.kmsClientProviderGetKey({
|
|
217
|
-
aliasOrKid: keyRef.kid,
|
|
218
|
-
providerId: this.providerId,
|
|
219
|
-
})
|
|
220
|
-
: await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
|
|
221
|
-
|
|
153
|
+
const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
|
|
222
154
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
|
223
155
|
keyInfo: key.keyInfo,
|
|
224
156
|
input: toString(data, 'base64'),
|
|
225
|
-
signature
|
|
157
|
+
signature
|
|
226
158
|
})
|
|
227
159
|
|
|
228
160
|
return verification.isValid
|
|
@@ -275,36 +207,21 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
275
207
|
|
|
276
208
|
private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {
|
|
277
209
|
switch (alg) {
|
|
278
|
-
case 'RS256':
|
|
279
|
-
|
|
280
|
-
case '
|
|
281
|
-
|
|
282
|
-
case '
|
|
283
|
-
|
|
284
|
-
case '
|
|
285
|
-
|
|
286
|
-
case '
|
|
287
|
-
|
|
288
|
-
case '
|
|
289
|
-
|
|
290
|
-
case '
|
|
291
|
-
|
|
292
|
-
case '
|
|
293
|
-
return JoseSignatureAlgorithm.EdDSA
|
|
294
|
-
case 'HS256':
|
|
295
|
-
return JoseSignatureAlgorithm.HS256
|
|
296
|
-
case 'HS384':
|
|
297
|
-
return JoseSignatureAlgorithm.HS384
|
|
298
|
-
case 'HS512':
|
|
299
|
-
return JoseSignatureAlgorithm.HS512
|
|
300
|
-
case 'PS256':
|
|
301
|
-
return JoseSignatureAlgorithm.PS256
|
|
302
|
-
case 'PS384':
|
|
303
|
-
return JoseSignatureAlgorithm.PS384
|
|
304
|
-
case 'PS512':
|
|
305
|
-
return JoseSignatureAlgorithm.PS512
|
|
306
|
-
case 'none':
|
|
307
|
-
return JoseSignatureAlgorithm.none
|
|
210
|
+
case 'RS256': return JoseSignatureAlgorithm.RS256;
|
|
211
|
+
case 'RS384': return JoseSignatureAlgorithm.RS384;
|
|
212
|
+
case 'RS512': return JoseSignatureAlgorithm.RS512;
|
|
213
|
+
case 'ES256': return JoseSignatureAlgorithm.ES256;
|
|
214
|
+
case 'ES256K': return JoseSignatureAlgorithm.ES256K;
|
|
215
|
+
case 'ES384': return JoseSignatureAlgorithm.ES384;
|
|
216
|
+
case 'ES512': return JoseSignatureAlgorithm.ES512;
|
|
217
|
+
case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;
|
|
218
|
+
case 'HS256': return JoseSignatureAlgorithm.HS256;
|
|
219
|
+
case 'HS384': return JoseSignatureAlgorithm.HS384;
|
|
220
|
+
case 'HS512': return JoseSignatureAlgorithm.HS512;
|
|
221
|
+
case 'PS256': return JoseSignatureAlgorithm.PS256;
|
|
222
|
+
case 'PS384': return JoseSignatureAlgorithm.PS384;
|
|
223
|
+
case 'PS512': return JoseSignatureAlgorithm.PS512;
|
|
224
|
+
case 'none': return JoseSignatureAlgorithm.none;
|
|
308
225
|
default:
|
|
309
226
|
throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)
|
|
310
227
|
}
|
|
@@ -339,7 +256,10 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
339
256
|
|
|
340
257
|
private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {
|
|
341
258
|
const x509 = args.meta?.x509 as X509Opts
|
|
342
|
-
const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')
|
|
259
|
+
const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')
|
|
260
|
+
? args.privateKeyHex
|
|
261
|
+
: hexToPEM(args.privateKeyHex, 'private')
|
|
262
|
+
) // In case we have x509 opts, the private key hex really was a PEM already (yuck)
|
|
343
263
|
const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')
|
|
344
264
|
const privateKeyJwk = PEMToJwk(privateKeyPEM)
|
|
345
265
|
const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')
|
|
@@ -387,8 +307,8 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
387
307
|
crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
|
|
388
308
|
},
|
|
389
309
|
},
|
|
390
|
-
certChain: meta.x509.x5c
|
|
391
|
-
} satisfies StoreKey
|
|
310
|
+
certChain: meta.x509.x5c
|
|
311
|
+
} satisfies StoreKey
|
|
392
312
|
}
|
|
393
313
|
}
|
|
394
314
|
|
|
@@ -413,9 +333,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
413
333
|
kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
|
|
414
334
|
use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
|
|
415
335
|
crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
|
|
416
|
-
}
|
|
417
|
-
}
|
|
418
|
-
} satisfies StoreKey
|
|
336
|
+
}
|
|
337
|
+
}
|
|
338
|
+
} satisfies StoreKey
|
|
419
339
|
}
|
|
420
340
|
}
|
|
421
341
|
|
|
@@ -437,9 +357,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
437
357
|
kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
|
|
438
358
|
use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
|
|
439
359
|
crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
|
|
440
|
-
}
|
|
441
|
-
}
|
|
442
|
-
} satisfies StoreKey
|
|
360
|
+
}
|
|
361
|
+
}
|
|
362
|
+
} satisfies StoreKey
|
|
443
363
|
}
|
|
444
364
|
}
|
|
445
365
|
|
|
@@ -458,4 +378,5 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
458
378
|
throw new Error(`Key type ${args.type} is not supported by REST KMS`)
|
|
459
379
|
}
|
|
460
380
|
}
|
|
381
|
+
|
|
461
382
|
}
|