@sphereon/ssi-sdk.kms-rest 0.34.1-feature.SSISDK.78.306 → 0.34.1-feature.SSISDK.82.and.SSISDK.70.345

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/README.md +4 -4
  2. package/dist/index.cjs +174 -16
  3. package/dist/index.cjs.map +1 -1
  4. package/dist/index.d.cts +10 -3
  5. package/dist/index.d.ts +10 -3
  6. package/dist/index.js +174 -16
  7. package/dist/index.js.map +1 -1
  8. package/package.json +6 -6
  9. package/src/RestKeyManagementSystem.ts +191 -68
  10. package/src/types/index.ts +3 -3
package/README.md CHANGED
@@ -45,13 +45,13 @@ const key = await kms.createKey({ type: 'Secp256r1' })
45
45
 
46
46
  ```typescript
47
47
  const privateKeyHex = '7dd923e40f4615ac496119f7e793cc2899e99b64b88ca8603db986700089532b'
48
- const key = await kms.importKey({ kid: 'kid', privateKeyHex, type: 'Secp256r1'})
48
+ const key = await kms.importKey({ kid: 'kid', privateKeyHex, type: 'Secp256r1' })
49
49
  ```
50
50
 
51
51
  ### Delete key
52
52
 
53
53
  ```typescript
54
- const result = await kms.deleteKey({ kid: '00-qTBov6GxjPSuMNxnk876cMP0JKjbwl4ZyN_sY2tE'})
54
+ const result = await kms.deleteKey({ kid: '00-qTBov6GxjPSuMNxnk876cMP0JKjbwl4ZyN_sY2tE' })
55
55
  ```
56
56
 
57
57
  ### List keys
@@ -65,7 +65,7 @@ const keys = await kms.listKeys()
65
65
  ```typescript
66
66
  const signature = await kms.sign({
67
67
  keyRef: { kid: '00-qTBov6GxjPSuMNxnk876cMP0JKjbwl4ZyN_sY2tE' },
68
- data: u8a.fromString('input', 'base64')
68
+ data: u8a.fromString('input', 'base64'),
69
69
  })
70
70
  ```
71
71
 
@@ -75,7 +75,7 @@ const signature = await kms.sign({
75
75
  const verification = await kms.verify({
76
76
  keyRef: { kid: '00-qTBov6GxjPSuMNxnk876cMP0JKjbwl4ZyN_sY2tE' },
77
77
  data: u8a.fromString('input', 'base64'),
78
- signature: "jSgVmRcmWwxHtAohgYHUNk9uKdaRj4gi04pjdxgwRaQyXJJJ6bMH50VyWMFvN9a6ZKjpdOahE2nJ+BWjr85nhQ=="
78
+ signature: 'jSgVmRcmWwxHtAohgYHUNk9uKdaRj4gi04pjdxgwRaQyXJJJ6bMH50VyWMFvN9a6ZKjpdOahE2nJ+BWjr85nhQ==',
79
79
  })
80
80
  ```
81
81
 
package/dist/index.cjs CHANGED
@@ -36,11 +36,11 @@ __export(index_exports, {
36
36
  module.exports = __toCommonJS(index_exports);
37
37
 
38
38
  // src/RestKeyManagementSystem.ts
39
- var import_key_manager = require("@veramo/key-manager");
40
39
  var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.key-utils");
41
- var import_ssi_sdk = require("@sphereon/ssi-sdk.kms-rest-client");
42
40
  var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.x509-utils");
41
+ var import_ssi_sdk = require("@sphereon/ssi-sdk.kms-rest-client");
43
42
  var import_ssi_types = require("@sphereon/ssi-types");
43
+ var import_key_manager = require("@veramo/key-manager");
44
44
  var import_elliptic = __toESM(require("elliptic"), 1);
45
45
  var u8a = __toESM(require("uint8arrays"), 1);
46
46
  var { fromString, toString } = u8a;
@@ -50,6 +50,9 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
50
50
  }
51
51
  client;
52
52
  id;
53
+ providerId;
54
+ tenantId;
55
+ userId;
53
56
  constructor(options) {
54
57
  super();
55
58
  const config = {
@@ -57,6 +60,9 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
57
60
  authOpts: options.authOpts
58
61
  };
59
62
  this.id = options.applicationId;
63
+ this.providerId = options.providerId;
64
+ this.tenantId = options.tenantId;
65
+ this.userId = options.userId;
60
66
  this.client = new import_ssi_sdk.KmsRestClient(config);
61
67
  }
62
68
  async createKey(args) {
@@ -65,11 +71,23 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
65
71
  const options = {
66
72
  use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : import_ssi_sdk.JwkUse.Sig,
67
73
  alg: signatureAlgorithm,
68
- keyOperations: meta ? this.mapKeyOperations(meta.keyOperations) : [
74
+ keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations) : [
69
75
  import_ssi_sdk.KeyOperations.Sign
70
- ]
76
+ ],
77
+ ...meta && "keyAlias" in meta && meta.keyAlias ? {
78
+ alias: meta.keyAlias
79
+ } : {},
80
+ ...this.tenantId && {
81
+ tenantId: this.tenantId
82
+ },
83
+ ...this.userId && {
84
+ userId: this.userId
85
+ }
71
86
  };
72
- const key = await this.client.methods.kmsClientGenerateKey(options);
87
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
88
+ ...options,
89
+ providerId: this.providerId
90
+ }) : await this.client.methods.kmsClientGenerateKey(options);
73
91
  const jwk = {
74
92
  ...key.keyPair.jose.publicJwk,
75
93
  alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
@@ -99,7 +117,24 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
99
117
  const { type } = args;
100
118
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
101
119
  const importKey = this.mapImportKey(args);
102
- const result = await this.client.methods.kmsClientStoreKey(importKey.key);
120
+ const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
121
+ ...importKey.key,
122
+ providerId: this.providerId,
123
+ ...this.tenantId && {
124
+ tenantId: this.tenantId
125
+ },
126
+ ...this.userId && {
127
+ userId: this.userId
128
+ }
129
+ }) : await this.client.methods.kmsClientStoreKey({
130
+ ...importKey.key,
131
+ ...this.tenantId && {
132
+ tenantId: this.tenantId
133
+ },
134
+ ...this.userId && {
135
+ userId: this.userId
136
+ }
137
+ });
103
138
  return {
104
139
  kid: importKey.kid,
105
140
  kms: this.id,
@@ -119,34 +154,157 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
119
154
  }
120
155
  async deleteKey(args) {
121
156
  const { kid } = args;
122
- return await this.client.methods.kmsClientDeleteKey({
123
- aliasOrKid: kid
157
+ return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
158
+ aliasOrKid: kid,
159
+ providerId: this.providerId,
160
+ ...this.tenantId && {
161
+ tenantId: this.tenantId
162
+ },
163
+ ...this.userId && {
164
+ userId: this.userId
165
+ }
166
+ }) : await this.client.methods.kmsClientDeleteKey({
167
+ aliasOrKid: kid,
168
+ ...this.tenantId && {
169
+ tenantId: this.tenantId
170
+ },
171
+ ...this.userId && {
172
+ userId: this.userId
173
+ }
124
174
  });
125
175
  }
126
176
  async listKeys() {
127
- const keys = await this.client.methods.kmsClientListKeys();
128
- return (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
177
+ const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
178
+ providerId: this.providerId,
179
+ ...this.tenantId && {
180
+ tenantId: this.tenantId
181
+ },
182
+ ...this.userId && {
183
+ userId: this.userId
184
+ }
185
+ }) : await this.client.methods.kmsClientListKeys({
186
+ ...this.tenantId && {
187
+ tenantId: this.tenantId
188
+ },
189
+ ...this.userId && {
190
+ userId: this.userId
191
+ }
192
+ });
193
+ const restKeys = (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
194
+ return restKeys.map((restKey) => {
195
+ const jwk = restKey.key;
196
+ let publicKeyHex = "";
197
+ if (jwk.kty === "EC") {
198
+ publicKeyHex = jwk.x || "";
199
+ } else if (jwk.kty === "RSA") {
200
+ publicKeyHex = jwk.n || "";
201
+ } else if (jwk.kty === "OKP") {
202
+ publicKeyHex = jwk.x || "";
203
+ }
204
+ const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
205
+ return {
206
+ kid: restKey.kid || restKey.alias,
207
+ kms: this.id,
208
+ type: keyType,
209
+ publicKeyHex,
210
+ meta: {
211
+ algorithms: restKey.signatureAlgorithm ? [
212
+ restKey.signatureAlgorithm
213
+ ] : void 0,
214
+ jwk,
215
+ jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
216
+ jwk,
217
+ digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : "sha256"
218
+ }),
219
+ alias: restKey.alias,
220
+ providerId: restKey.providerId,
221
+ x5c: restKey.x5c,
222
+ keyVisibility: restKey.keyVisibility,
223
+ keyEncoding: restKey.keyEncoding,
224
+ ...restKey.opts
225
+ }
226
+ };
227
+ });
228
+ }
229
+ mapRestKeyTypeToTKeyType(keyType) {
230
+ switch (keyType) {
231
+ case "RSA":
232
+ return "RSA";
233
+ case "EC":
234
+ case "P256":
235
+ return "Secp256r1";
236
+ case "X25519":
237
+ return "X25519";
238
+ case "Ed25519":
239
+ return "Ed25519";
240
+ case "secp256k1":
241
+ return "Secp256k1";
242
+ default:
243
+ throw new Error(`Unknown key type: ${keyType}`);
244
+ }
129
245
  }
130
246
  async sign(args) {
131
247
  const { keyRef, data } = args;
132
- const key = await this.client.methods.kmsClientGetKey({
133
- aliasOrKid: keyRef.kid
248
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
249
+ aliasOrKid: keyRef.kid,
250
+ providerId: this.providerId,
251
+ ...this.tenantId && {
252
+ tenantId: this.tenantId
253
+ },
254
+ ...this.userId && {
255
+ userId: this.userId
256
+ }
257
+ }) : await this.client.methods.kmsClientGetKey({
258
+ aliasOrKid: keyRef.kid,
259
+ ...this.tenantId && {
260
+ tenantId: this.tenantId
261
+ },
262
+ ...this.userId && {
263
+ userId: this.userId
264
+ }
134
265
  });
135
266
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
136
267
  keyInfo: key.keyInfo,
137
- input: toString(data, "base64")
268
+ input: toString(data, "base64"),
269
+ ...this.tenantId && {
270
+ tenantId: this.tenantId
271
+ },
272
+ ...this.userId && {
273
+ userId: this.userId
274
+ }
138
275
  });
139
276
  return signingResult.signature;
140
277
  }
141
278
  async verify(args) {
142
279
  const { keyRef, data, signature } = args;
143
- const key = await this.client.methods.kmsClientGetKey({
144
- aliasOrKid: keyRef.kid
280
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
281
+ aliasOrKid: keyRef.kid,
282
+ providerId: this.providerId,
283
+ ...this.tenantId && {
284
+ tenantId: this.tenantId
285
+ },
286
+ ...this.userId && {
287
+ userId: this.userId
288
+ }
289
+ }) : await this.client.methods.kmsClientGetKey({
290
+ aliasOrKid: keyRef.kid,
291
+ ...this.tenantId && {
292
+ tenantId: this.tenantId
293
+ },
294
+ ...this.userId && {
295
+ userId: this.userId
296
+ }
145
297
  });
146
298
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
147
299
  keyInfo: key.keyInfo,
148
300
  input: toString(data, "base64"),
149
- signature
301
+ signature,
302
+ ...this.tenantId && {
303
+ tenantId: this.tenantId
304
+ },
305
+ ...this.userId && {
306
+ userId: this.userId
307
+ }
150
308
  });
151
309
  return verification.isValid;
152
310
  }
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACCA,yBAA4C;AAC5C,yBAKO;AACP,qBAWO;AACP,IAAAA,sBAMO;AACP,uBAAiD;AACjD,sBAAqB;AAErB,UAAqB;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQQ;QACnBC,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,mBAAeC,2CAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUrB,IAAIyB,QAAQb;QAC7BC,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,mBAAeC,2CAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,eAAOC,4CAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,wCAAuBC;MAC5C,KAAK;AAAS,eAAOD,wCAAuBE;MAC5C,KAAK;AAAS,eAAOF,wCAAuBG;MAC5C,KAAK;AAAS,eAAOH,wCAAuBI;MAC5C,KAAK;AAAU,eAAOJ,wCAAuBK;MAC7C,KAAK;AAAS,eAAOL,wCAAuBM;MAC5C,KAAK;AAAS,eAAON,wCAAuBO;MAC5C,KAAK;AAAS,eAAOP,wCAAuBQ;MAC5C,KAAK;AAAS,eAAOR,wCAAuBS;MAC5C,KAAK;AAAS,eAAOT,wCAAuBU;MAC5C,KAAK;AAAS,eAAOV,wCAAuBW;MAC5C,KAAK;AAAS,eAAOX,wCAAuBY;MAC5C,KAAK;AAAS,eAAOZ,wCAAuBa;MAC5C,KAAK;AAAS,eAAOb,wCAAuBc;MAC5C,KAAK;AAAS,eAAOd,wCAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAc+E;MACvB,KAAK;AACH,eAAO/E,6BAAcgF;MACvB,KAAK;AACH,eAAOhF,6BAAciF;MACvB,KAAK;AACH,eAAOjF,6BAAckF;MACvB,KAAK;AACH,eAAOlF,6BAAcmF;MACvB,KAAK;AACH,eAAOnF,6BAAcoF;MACvB,KAAK;AACH,eAAOpF,6BAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,oBACLE,8BAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,mBAAekE,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASrE,cAAc,QAAA;AAC5C,UAAMR,mBAAe8E,8BAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,mBAAe6F,0BAAMrG,cAAc,WAAA;AACzC,UAAM2E,oBAAgB0B,0BAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,oBAAgB0B,0BAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,mBAAewG,kDAA8BjC,aAAAA;AACnD,UAAM/D,mBAAe6F,0BAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAA4F;AAC5F,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAlC7C,OAkC6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,mBAAeC,2CAAuB;UACpCX;UACAY,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMqC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,mBAAeC,2CAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,mBAAeC,2CAAuB;YACpCX;YACAY,iBAAiBwB,QAAQtD,qBAAqB,KAAK+B,oCAAoCuB,QAAQtD,kBAAkB,IAAI;UACvH,CAAA;UACAa,OAAOyC,QAAQzC;UACf1B,YAAYmE,QAAQnE;UACpByE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,KAAI,IAAKrE;AACzB,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQqD,gBAAgB;MACxCxB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAMgF,gBAAgB,MAAM,KAAKpF,OAAO8B,QAAQuD,4BAA4B;MAC1E9B,SAAS1B,IAAI0B;MACb+B,OAAO1F,SAASqF,MAAM,QAAA;MACtB,GAAI,KAAK9E,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOgF,cAAcG;EACvB;EAEA,MAAMC,OAAO5E,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMM,UAAS,IAAK3E;AACpC,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQqD,gBAAgB;MACxCxB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAMqF,eAAe,MAAM,KAAKzF,OAAO8B,QAAQ4D,6BAA6B;MAC1EnC,SAAS1B,IAAI0B;MACb+B,OAAO1F,SAASqF,MAAM,QAAA;MACtBM;MACA,GAAI,KAAKpF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOqF,aAAaE;EACtB;EAEA,MAAMC,aAAahF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQM,sCAAsC,wBAAC/B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK8E,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI7D,MAAM,uBAAuBzB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAOgF,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIxD,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOkF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAI/E,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBkG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOhG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAciG;MACvB,KAAK;AACH,eAAOjG,6BAAckG;MACvB,KAAK;AACH,eAAOlG,6BAAcmG;MACvB,KAAK;AACH,eAAOnG,6BAAcoG;MACvB,KAAK;AACH,eAAOpG,6BAAcqG;MACvB,KAAK;AACH,eAAOrG,6BAAcsG;MACvB,KAAK;AACH,eAAOtG,6BAAcuG;MACvB;AACE,cAAM,IAAIxF,MAAM,iBAAiBiF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBjG,mBAAmB,wBAACyG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACtH,SAAAA;AACzB,UAAMuH,OAAOvH,KAAKE,MAAMqH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBxH,KAAKyH,cAAcC,SAAS,KAAA,IAAS1H,KAAKyH,oBAAgBE,8BAAS3H,KAAKyH,eAAe,SAAA;AACrI,UAAM7E,mBAAegF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASnF,cAAc,QAAA;AAC5C,UAAMT,mBAAe6F,8BAASF,YAAAA;AAE9B,UAAM5H,OAAO,CAAC;AACd,QAAIqH,MAAM;AACRrH,WAAKqH,OAAO;QACVU,IAAIV,KAAKU,MAAMjI,KAAK2B,OAAOQ;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBnI,aAAKqH,KAAKY,sBAAsBD;AAChC,cAAMnE,UAAMuE,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKqH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBrI,aAAKqH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM5G,MAAM3B,KAAK2B,OAAOzB,MAAMqH,MAAMU,MAAM9F;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWhI,KAAKqH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC7I,SAAAA;AAC/B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM8I,eAAe/J,WAAW0I,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAM5H,UAAU0H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAeb,QAAQ8H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,mBAAeyG,0BAAMlH,cAAc,WAAA;AACzC,UAAM0F,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM3H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACvJ,SAAAA;AAC5B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM6H,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,mBAAeqH,kDAA8B/B,aAAAA;AACnD,UAAM7E,mBAAeyG,0BAAMlH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKqH,gBAAgBtH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK6I,sBAAsB7I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKuJ,mBAAmBvJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/dist/index.d.cts CHANGED
@@ -1,6 +1,6 @@
1
+ import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
1
2
  import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
2
3
  import { AbstractKeyManagementSystem } from '@veramo/key-manager';
3
- import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
4
4
  import { JWK } from '@sphereon/ssi-types';
5
5
 
6
6
  type KeyMetadata = {
@@ -44,19 +44,26 @@ type MappedImportKey = {
44
44
  publicKeyJwk: JWK;
45
45
  };
46
46
 
47
- interface AbstractKeyManagementSystemOptions {
47
+ interface KeyManagementSystemOptions {
48
48
  applicationId: string;
49
49
  baseUrl: string;
50
+ providerId?: string;
51
+ tenantId?: string;
52
+ userId?: string;
50
53
  authOpts?: RestClientAuthenticationOpts;
51
54
  }
52
55
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
53
56
  private client;
54
57
  private readonly id;
55
- constructor(options: AbstractKeyManagementSystemOptions);
58
+ private providerId;
59
+ private tenantId;
60
+ private userId;
61
+ constructor(options: KeyManagementSystemOptions);
56
62
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
57
63
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
58
64
  deleteKey(args: DeleteKeyArgs): Promise<boolean>;
59
65
  listKeys(): Promise<ManagedKeyInfo[]>;
66
+ private mapRestKeyTypeToTKeyType;
60
67
  sign(args: SignArgs): Promise<string>;
61
68
  verify(args: VerifyArgs): Promise<boolean>;
62
69
  sharedSecret(args: SharedSecretArgs): Promise<string>;
package/dist/index.d.ts CHANGED
@@ -1,6 +1,6 @@
1
+ import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
1
2
  import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
2
3
  import { AbstractKeyManagementSystem } from '@veramo/key-manager';
3
- import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
4
4
  import { JWK } from '@sphereon/ssi-types';
5
5
 
6
6
  type KeyMetadata = {
@@ -44,19 +44,26 @@ type MappedImportKey = {
44
44
  publicKeyJwk: JWK;
45
45
  };
46
46
 
47
- interface AbstractKeyManagementSystemOptions {
47
+ interface KeyManagementSystemOptions {
48
48
  applicationId: string;
49
49
  baseUrl: string;
50
+ providerId?: string;
51
+ tenantId?: string;
52
+ userId?: string;
50
53
  authOpts?: RestClientAuthenticationOpts;
51
54
  }
52
55
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
53
56
  private client;
54
57
  private readonly id;
55
- constructor(options: AbstractKeyManagementSystemOptions);
58
+ private providerId;
59
+ private tenantId;
60
+ private userId;
61
+ constructor(options: KeyManagementSystemOptions);
56
62
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
57
63
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
58
64
  deleteKey(args: DeleteKeyArgs): Promise<boolean>;
59
65
  listKeys(): Promise<ManagedKeyInfo[]>;
66
+ private mapRestKeyTypeToTKeyType;
60
67
  sign(args: SignArgs): Promise<string>;
61
68
  verify(args: VerifyArgs): Promise<boolean>;
62
69
  sharedSecret(args: SharedSecretArgs): Promise<string>;
package/dist/index.js CHANGED
@@ -2,11 +2,11 @@ var __defProp = Object.defineProperty;
2
2
  var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
3
3
 
4
4
  // src/RestKeyManagementSystem.ts
5
- import { AbstractKeyManagementSystem } from "@veramo/key-manager";
6
5
  import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
7
- import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
8
6
  import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
7
+ import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
9
8
  import { JoseSignatureAlgorithm } from "@sphereon/ssi-types";
9
+ import { AbstractKeyManagementSystem } from "@veramo/key-manager";
10
10
  import elliptic from "elliptic";
11
11
  import * as u8a from "uint8arrays";
12
12
  var { fromString, toString } = u8a;
@@ -16,6 +16,9 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
16
16
  }
17
17
  client;
18
18
  id;
19
+ providerId;
20
+ tenantId;
21
+ userId;
19
22
  constructor(options) {
20
23
  super();
21
24
  const config = {
@@ -23,6 +26,9 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
23
26
  authOpts: options.authOpts
24
27
  };
25
28
  this.id = options.applicationId;
29
+ this.providerId = options.providerId;
30
+ this.tenantId = options.tenantId;
31
+ this.userId = options.userId;
26
32
  this.client = new KmsRestClient(config);
27
33
  }
28
34
  async createKey(args) {
@@ -31,11 +37,23 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
31
37
  const options = {
32
38
  use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
33
39
  alg: signatureAlgorithm,
34
- keyOperations: meta ? this.mapKeyOperations(meta.keyOperations) : [
40
+ keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations) : [
35
41
  KeyOperations.Sign
36
- ]
42
+ ],
43
+ ...meta && "keyAlias" in meta && meta.keyAlias ? {
44
+ alias: meta.keyAlias
45
+ } : {},
46
+ ...this.tenantId && {
47
+ tenantId: this.tenantId
48
+ },
49
+ ...this.userId && {
50
+ userId: this.userId
51
+ }
37
52
  };
38
- const key = await this.client.methods.kmsClientGenerateKey(options);
53
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
54
+ ...options,
55
+ providerId: this.providerId
56
+ }) : await this.client.methods.kmsClientGenerateKey(options);
39
57
  const jwk = {
40
58
  ...key.keyPair.jose.publicJwk,
41
59
  alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
@@ -65,7 +83,24 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
65
83
  const { type } = args;
66
84
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
67
85
  const importKey = this.mapImportKey(args);
68
- const result = await this.client.methods.kmsClientStoreKey(importKey.key);
86
+ const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
87
+ ...importKey.key,
88
+ providerId: this.providerId,
89
+ ...this.tenantId && {
90
+ tenantId: this.tenantId
91
+ },
92
+ ...this.userId && {
93
+ userId: this.userId
94
+ }
95
+ }) : await this.client.methods.kmsClientStoreKey({
96
+ ...importKey.key,
97
+ ...this.tenantId && {
98
+ tenantId: this.tenantId
99
+ },
100
+ ...this.userId && {
101
+ userId: this.userId
102
+ }
103
+ });
69
104
  return {
70
105
  kid: importKey.kid,
71
106
  kms: this.id,
@@ -85,34 +120,157 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
85
120
  }
86
121
  async deleteKey(args) {
87
122
  const { kid } = args;
88
- return await this.client.methods.kmsClientDeleteKey({
89
- aliasOrKid: kid
123
+ return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
124
+ aliasOrKid: kid,
125
+ providerId: this.providerId,
126
+ ...this.tenantId && {
127
+ tenantId: this.tenantId
128
+ },
129
+ ...this.userId && {
130
+ userId: this.userId
131
+ }
132
+ }) : await this.client.methods.kmsClientDeleteKey({
133
+ aliasOrKid: kid,
134
+ ...this.tenantId && {
135
+ tenantId: this.tenantId
136
+ },
137
+ ...this.userId && {
138
+ userId: this.userId
139
+ }
90
140
  });
91
141
  }
92
142
  async listKeys() {
93
- const keys = await this.client.methods.kmsClientListKeys();
94
- return ListKeysResponseToJSONTyped(keys, false).keyInfos;
143
+ const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
144
+ providerId: this.providerId,
145
+ ...this.tenantId && {
146
+ tenantId: this.tenantId
147
+ },
148
+ ...this.userId && {
149
+ userId: this.userId
150
+ }
151
+ }) : await this.client.methods.kmsClientListKeys({
152
+ ...this.tenantId && {
153
+ tenantId: this.tenantId
154
+ },
155
+ ...this.userId && {
156
+ userId: this.userId
157
+ }
158
+ });
159
+ const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos;
160
+ return restKeys.map((restKey) => {
161
+ const jwk = restKey.key;
162
+ let publicKeyHex = "";
163
+ if (jwk.kty === "EC") {
164
+ publicKeyHex = jwk.x || "";
165
+ } else if (jwk.kty === "RSA") {
166
+ publicKeyHex = jwk.n || "";
167
+ } else if (jwk.kty === "OKP") {
168
+ publicKeyHex = jwk.x || "";
169
+ }
170
+ const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
171
+ return {
172
+ kid: restKey.kid || restKey.alias,
173
+ kms: this.id,
174
+ type: keyType,
175
+ publicKeyHex,
176
+ meta: {
177
+ algorithms: restKey.signatureAlgorithm ? [
178
+ restKey.signatureAlgorithm
179
+ ] : void 0,
180
+ jwk,
181
+ jwkThumbprint: calculateJwkThumbprint({
182
+ jwk,
183
+ digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : "sha256"
184
+ }),
185
+ alias: restKey.alias,
186
+ providerId: restKey.providerId,
187
+ x5c: restKey.x5c,
188
+ keyVisibility: restKey.keyVisibility,
189
+ keyEncoding: restKey.keyEncoding,
190
+ ...restKey.opts
191
+ }
192
+ };
193
+ });
194
+ }
195
+ mapRestKeyTypeToTKeyType(keyType) {
196
+ switch (keyType) {
197
+ case "RSA":
198
+ return "RSA";
199
+ case "EC":
200
+ case "P256":
201
+ return "Secp256r1";
202
+ case "X25519":
203
+ return "X25519";
204
+ case "Ed25519":
205
+ return "Ed25519";
206
+ case "secp256k1":
207
+ return "Secp256k1";
208
+ default:
209
+ throw new Error(`Unknown key type: ${keyType}`);
210
+ }
95
211
  }
96
212
  async sign(args) {
97
213
  const { keyRef, data } = args;
98
- const key = await this.client.methods.kmsClientGetKey({
99
- aliasOrKid: keyRef.kid
214
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
215
+ aliasOrKid: keyRef.kid,
216
+ providerId: this.providerId,
217
+ ...this.tenantId && {
218
+ tenantId: this.tenantId
219
+ },
220
+ ...this.userId && {
221
+ userId: this.userId
222
+ }
223
+ }) : await this.client.methods.kmsClientGetKey({
224
+ aliasOrKid: keyRef.kid,
225
+ ...this.tenantId && {
226
+ tenantId: this.tenantId
227
+ },
228
+ ...this.userId && {
229
+ userId: this.userId
230
+ }
100
231
  });
101
232
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
102
233
  keyInfo: key.keyInfo,
103
- input: toString(data, "base64")
234
+ input: toString(data, "base64"),
235
+ ...this.tenantId && {
236
+ tenantId: this.tenantId
237
+ },
238
+ ...this.userId && {
239
+ userId: this.userId
240
+ }
104
241
  });
105
242
  return signingResult.signature;
106
243
  }
107
244
  async verify(args) {
108
245
  const { keyRef, data, signature } = args;
109
- const key = await this.client.methods.kmsClientGetKey({
110
- aliasOrKid: keyRef.kid
246
+ const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
247
+ aliasOrKid: keyRef.kid,
248
+ providerId: this.providerId,
249
+ ...this.tenantId && {
250
+ tenantId: this.tenantId
251
+ },
252
+ ...this.userId && {
253
+ userId: this.userId
254
+ }
255
+ }) : await this.client.methods.kmsClientGetKey({
256
+ aliasOrKid: keyRef.kid,
257
+ ...this.tenantId && {
258
+ tenantId: this.tenantId
259
+ },
260
+ ...this.userId && {
261
+ userId: this.userId
262
+ }
111
263
  });
112
264
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
113
265
  keyInfo: key.keyInfo,
114
266
  input: toString(data, "base64"),
115
- signature
267
+ signature,
268
+ ...this.tenantId && {
269
+ tenantId: this.tenantId
270
+ },
271
+ ...this.userId && {
272
+ userId: this.userId
273
+ }
116
274
  });
117
275
  return verification.isValid;
118
276
  }
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;AACA,SAASA,mCAAmC;AAC5C,SACEC,wBACAC,OACAC,qCAEK;AACP,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SACEC,UACAC,UACAC,mBACAC,UACAC,gBACK;AACP,SAASC,8BAAwC;AACjD,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQQ;QACnBC,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,eAAeC,uBAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUrB,IAAIyB,QAAQb;QAC7BC,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,eAAeC,uBAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,WAAOC,4BAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,uBAAuBC;MAC5C,KAAK;AAAS,eAAOD,uBAAuBE;MAC5C,KAAK;AAAS,eAAOF,uBAAuBG;MAC5C,KAAK;AAAS,eAAOH,uBAAuBI;MAC5C,KAAK;AAAU,eAAOJ,uBAAuBK;MAC7C,KAAK;AAAS,eAAOL,uBAAuBM;MAC5C,KAAK;AAAS,eAAON,uBAAuBO;MAC5C,KAAK;AAAS,eAAOP,uBAAuBQ;MAC5C,KAAK;AAAS,eAAOR,uBAAuBS;MAC5C,KAAK;AAAS,eAAOT,uBAAuBU;MAC5C,KAAK;AAAS,eAAOV,uBAAuBW;MAC5C,KAAK;AAAS,eAAOX,uBAAuBY;MAC5C,KAAK;AAAS,eAAOZ,uBAAuBa;MAC5C,KAAK;AAAS,eAAOb,uBAAuBc;MAC5C,KAAK;AAAS,eAAOd,uBAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAc+E;MACvB,KAAK;AACH,eAAO/E,cAAcgF;MACvB,KAAK;AACH,eAAOhF,cAAciF;MACvB,KAAK;AACH,eAAOjF,cAAckF;MACvB,KAAK;AACH,eAAOlF,cAAcmF;MACvB,KAAK;AACH,eAAOnF,cAAcoF;MACvB,KAAK;AACH,eAAOpF,cAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,gBACLE,SAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,eAAekE,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASrE,cAAc,QAAA;AAC5C,UAAMR,eAAe8E,SAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,eAAe6F,MAAMrG,cAAc,WAAA;AACzC,UAAM2E,gBAAgB0B,MAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,gBAAgB0B,MAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,eAAewG,8BAA8BjC,aAAAA;AACnD,UAAM/D,eAAe6F,MAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["AbstractKeyManagementSystem","calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","JoseSignatureAlgorithm","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,OAAOC,qCAAoD;AAC5F,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAlC7C,OAkC6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,eAAeC,uBAAuB;UACpCX;UACAY,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMqC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,eAAeC,uBAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,eAAeC,uBAAuB;YACpCX;YACAY,iBAAiBwB,QAAQtD,qBAAqB,KAAK+B,oCAAoCuB,QAAQtD,kBAAkB,IAAI;UACvH,CAAA;UACAa,OAAOyC,QAAQzC;UACf1B,YAAYmE,QAAQnE;UACpByE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,KAAI,IAAKrE;AACzB,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQqD,gBAAgB;MACxCxB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAMgF,gBAAgB,MAAM,KAAKpF,OAAO8B,QAAQuD,4BAA4B;MAC1E9B,SAAS1B,IAAI0B;MACb+B,OAAO1F,SAASqF,MAAM,QAAA;MACtB,GAAI,KAAK9E,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOgF,cAAcG;EACvB;EAEA,MAAMC,OAAO5E,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMM,UAAS,IAAK3E;AACpC,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQqD,gBAAgB;MACxCxB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAMqF,eAAe,MAAM,KAAKzF,OAAO8B,QAAQ4D,6BAA6B;MAC1EnC,SAAS1B,IAAI0B;MACb+B,OAAO1F,SAASqF,MAAM,QAAA;MACtBM;MACA,GAAI,KAAKpF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOqF,aAAaE;EACtB;EAEA,MAAMC,aAAahF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQM,sCAAsC,wBAAC/B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK8E,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI7D,MAAM,uBAAuBzB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAOgF,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIxD,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOkF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAI/E,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBkG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOhG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAciG;MACvB,KAAK;AACH,eAAOjG,cAAckG;MACvB,KAAK;AACH,eAAOlG,cAAcmG;MACvB,KAAK;AACH,eAAOnG,cAAcoG;MACvB,KAAK;AACH,eAAOpG,cAAcqG;MACvB,KAAK;AACH,eAAOrG,cAAcsG;MACvB,KAAK;AACH,eAAOtG,cAAcuG;MACvB;AACE,cAAM,IAAIxF,MAAM,iBAAiBiF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBjG,mBAAmB,wBAACyG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACtH,SAAAA;AACzB,UAAMuH,OAAOvH,KAAKE,MAAMqH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBxH,KAAKyH,cAAcC,SAAS,KAAA,IAAS1H,KAAKyH,gBAAgBE,SAAS3H,KAAKyH,eAAe,SAAA;AACrI,UAAM7E,eAAegF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASnF,cAAc,QAAA;AAC5C,UAAMT,eAAe6F,SAASF,YAAAA;AAE9B,UAAM5H,OAAO,CAAC;AACd,QAAIqH,MAAM;AACRrH,WAAKqH,OAAO;QACVU,IAAIV,KAAKU,MAAMjI,KAAK2B,OAAOQ;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBnI,aAAKqH,KAAKY,sBAAsBD;AAChC,cAAMnE,MAAMuE,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKqH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBrI,aAAKqH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM5G,MAAM3B,KAAK2B,OAAOzB,MAAMqH,MAAMU,MAAM9F;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,KAAKqI,oBAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWhI,KAAKqH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC7I,SAAAA;AAC/B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM8I,eAAe/J,WAAW0I,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAM5H,UAAU0H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAeb,QAAQ8H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,eAAeyG,MAAMlH,cAAc,WAAA;AACzC,UAAM0F,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM3H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,KAAKqI,oBAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACvJ,SAAAA;AAC5B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM6H,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,eAAeqH,8BAA8B/B,aAAAA;AACnD,UAAM7E,eAAeyG,MAAMlH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,KAAKqI,oBAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKqH,gBAAgBtH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK6I,sBAAsB7I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKuJ,mBAAmBvJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk.kms-rest",
3
3
  "description": "Sphereon SSI-SDK plugin for REST Key Management System.",
4
- "version": "0.34.1-feature.SSISDK.78.306+9aff176a",
4
+ "version": "0.34.1-feature.SSISDK.82.and.SSISDK.70.345+e5abbf1a",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
@@ -22,10 +22,10 @@
22
22
  "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
23
23
  },
24
24
  "dependencies": {
25
- "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.78.306+9aff176a",
26
- "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.78.306+9aff176a",
27
- "@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.SSISDK.78.306+9aff176a",
28
- "@sphereon/ssi-types": "0.34.1-feature.SSISDK.78.306+9aff176a",
25
+ "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.82.and.SSISDK.70.345+e5abbf1a",
26
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.82.and.SSISDK.70.345+e5abbf1a",
27
+ "@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.SSISDK.82.and.SSISDK.70.345+e5abbf1a",
28
+ "@sphereon/ssi-types": "0.34.1-feature.SSISDK.82.and.SSISDK.70.345+e5abbf1a",
29
29
  "@veramo/core": "4.2.0",
30
30
  "@veramo/key-manager": "4.2.0",
31
31
  "elliptic": "^6.5.4",
@@ -54,5 +54,5 @@
54
54
  "key-management",
55
55
  "Veramo"
56
56
  ],
57
- "gitHead": "9aff176afa613d6f69fb1ff33d4f6c8c7b811ffd"
57
+ "gitHead": "e5abbf1a0404fbc2aeb350a248183f70598ffbc0"
58
58
  }
package/src/RestKeyManagementSystem.ts CHANGED
@@ -1,11 +1,6 @@
1
- import type { ManagedKeyInfo, TKeyType } from '@veramo/core'
2
- import { AbstractKeyManagementSystem } from '@veramo/key-manager'
3
- import {
4
- calculateJwkThumbprint,
5
- toJwk,
6
- x25519PublicHexFromPrivateHex,
7
- type X509Opts
8
- } from '@sphereon/ssi-sdk-ext.key-utils'
1
+ import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
2
+ import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'
3
+ import type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'
9
4
  import {
10
5
  CurveFromJSONTyped,
11
6
  JwkKeyTypeFromJSONTyped,
@@ -16,51 +11,46 @@ import {
16
11
  ListKeysResponseToJSONTyped,
17
12
  type RestClientAuthenticationOpts,
18
13
  SignatureAlgorithm,
19
- type StoreKey
14
+ type StoreKey,
20
15
  } from '@sphereon/ssi-sdk.kms-rest-client'
21
- import {
22
- hexToPEM,
23
- jwkToPEM,
24
- pemCertChainTox5c,
25
- PEMToHex,
26
- PEMToJwk
27
- } from '@sphereon/ssi-sdk-ext.x509-utils'
28
16
  import { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'
17
+ import type { ManagedKeyInfo, TKeyType } from '@veramo/core'
18
+ import { AbstractKeyManagementSystem } from '@veramo/key-manager'
29
19
  import elliptic from 'elliptic'
30
20
  // @ts-ignore
31
21
  import * as u8a from 'uint8arrays'
32
- import type {
33
- CreateKeyArgs,
34
- DeleteKeyArgs,
35
- ImportKeyArgs,
36
- MapImportKeyArgs,
37
- MappedImportKey,
38
- SharedSecretArgs,
39
- SignArgs,
40
- VerifyArgs
41
- } from './types'
22
+ import type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'
42
23
 
43
24
  const { fromString, toString } = u8a
44
25
 
45
- interface AbstractKeyManagementSystemOptions {
26
+ interface KeyManagementSystemOptions {
46
27
  applicationId: string
47
28
  baseUrl: string
29
+ providerId?: string
30
+ tenantId?: string
31
+ userId?: string
48
32
  authOpts?: RestClientAuthenticationOpts
49
33
  }
50
34
 
51
35
  export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
52
36
  private client: KmsRestClient
53
37
  private readonly id: string
38
+ private providerId: string | undefined
39
+ private tenantId: string | undefined
40
+ private userId: string | undefined
54
41
 
55
- constructor(options: AbstractKeyManagementSystemOptions) {
42
+ constructor(options: KeyManagementSystemOptions) {
56
43
  super()
57
44
 
58
45
  const config = {
59
46
  baseUrl: options.baseUrl,
60
- authOpts: options.authOpts
47
+ authOpts: options.authOpts,
61
48
  }
62
49
 
63
50
  this.id = options.applicationId
51
+ this.providerId = options.providerId
52
+ this.tenantId = options.tenantId
53
+ this.userId = options.userId
64
54
  this.client = new KmsRestClient(config)
65
55
  }
66
56
 
@@ -68,13 +58,21 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
68
58
  const { type, meta } = args
69
59
 
70
60
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
71
- const options = {
61
+ const options = {
72
62
  use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
73
63
  alg: signatureAlgorithm,
74
- keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]
64
+ keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],
65
+ ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),
66
+ ...(this.tenantId && { tenantId: this.tenantId }),
67
+ ...(this.userId && { userId: this.userId }),
75
68
  }
76
69
 
77
- const key = await this.client.methods.kmsClientGenerateKey(options)
70
+ const key = this.providerId
71
+ ? await this.client.methods.kmsClientProviderGenerateKey({
72
+ ...options,
73
+ providerId: this.providerId,
74
+ })
75
+ : await this.client.methods.kmsClientGenerateKey(options)
78
76
 
79
77
  const jwk = {
80
78
  ...key.keyPair.jose.publicJwk,
@@ -107,7 +105,18 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
107
105
  const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
108
106
  const importKey = this.mapImportKey(args)
109
107
 
110
- const result = await this.client.methods.kmsClientStoreKey(importKey.key)
108
+ const result = this.providerId
109
+ ? await this.client.methods.kmsClientProviderStoreKey({
110
+ ...importKey.key,
111
+ providerId: this.providerId,
112
+ ...(this.tenantId && { tenantId: this.tenantId }),
113
+ ...(this.userId && { userId: this.userId }),
114
+ })
115
+ : await this.client.methods.kmsClientStoreKey({
116
+ ...importKey.key,
117
+ ...(this.tenantId && { tenantId: this.tenantId }),
118
+ ...(this.userId && { userId: this.userId }),
119
+ })
111
120
 
112
121
  return {
113
122
  kid: importKey.kid,
@@ -128,21 +137,110 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
128
137
  async deleteKey(args: DeleteKeyArgs): Promise<boolean> {
129
138
  const { kid } = args
130
139
 
131
- return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
140
+ return this.providerId
141
+ ? await this.client.methods.kmsClientProviderDeleteKey({
142
+ aliasOrKid: kid,
143
+ providerId: this.providerId,
144
+ ...(this.tenantId && { tenantId: this.tenantId }),
145
+ ...(this.userId && { userId: this.userId }),
146
+ })
147
+ : await this.client.methods.kmsClientDeleteKey({
148
+ aliasOrKid: kid,
149
+ ...(this.tenantId && { tenantId: this.tenantId }),
150
+ ...(this.userId && { userId: this.userId }),
151
+ })
132
152
  }
133
153
 
134
154
  async listKeys(): Promise<ManagedKeyInfo[]> {
135
- const keys = await this.client.methods.kmsClientListKeys()
155
+ const keys = this.providerId
156
+ ? await this.client.methods.kmsClientProviderListKeys({
157
+ providerId: this.providerId,
158
+ ...(this.tenantId && { tenantId: this.tenantId }),
159
+ ...(this.userId && { userId: this.userId }),
160
+ })
161
+ : await this.client.methods.kmsClientListKeys({
162
+ ...(this.tenantId && { tenantId: this.tenantId }),
163
+ ...(this.userId && { userId: this.userId }),
164
+ })
165
+
166
+ const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos
167
+
168
+ return restKeys.map((restKey: RestManagedKeyInfo) => {
169
+ const jwk = restKey.key
170
+ let publicKeyHex = ''
171
+
172
+ // Derive publicKeyHex from JWK based on key type
173
+ if (jwk.kty === 'EC') {
174
+ publicKeyHex = jwk.x || ''
175
+ } else if (jwk.kty === 'RSA') {
176
+ publicKeyHex = jwk.n || ''
177
+ } else if (jwk.kty === 'OKP') {
178
+ publicKeyHex = jwk.x || ''
179
+ }
136
180
 
137
- return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped
181
+ const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)
182
+
183
+ return {
184
+ kid: restKey.kid || restKey.alias,
185
+ kms: this.id,
186
+ type: keyType,
187
+ publicKeyHex,
188
+ meta: {
189
+ algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,
190
+ jwk,
191
+ jwkThumbprint: calculateJwkThumbprint({
192
+ jwk: jwk as JWK,
193
+ digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',
194
+ }),
195
+ alias: restKey.alias,
196
+ providerId: restKey.providerId,
197
+ x5c: restKey.x5c,
198
+ keyVisibility: restKey.keyVisibility,
199
+ keyEncoding: restKey.keyEncoding,
200
+ ...restKey.opts,
201
+ },
202
+ } satisfies ManagedKeyInfo
203
+ })
204
+ }
205
+
206
+ private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {
207
+ switch (keyType) {
208
+ case 'RSA':
209
+ return 'RSA'
210
+ case 'EC':
211
+ case 'P256':
212
+ return 'Secp256r1'
213
+ case 'X25519':
214
+ return 'X25519'
215
+ case 'Ed25519':
216
+ return 'Ed25519'
217
+ case 'secp256k1':
218
+ return 'Secp256k1'
219
+ default:
220
+ throw new Error(`Unknown key type: ${keyType}`)
221
+ }
138
222
  }
139
223
 
140
224
  async sign(args: SignArgs): Promise<string> {
141
225
  const { keyRef, data } = args
142
- const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
226
+ const key = this.providerId
227
+ ? await this.client.methods.kmsClientProviderGetKey({
228
+ aliasOrKid: keyRef.kid,
229
+ providerId: this.providerId,
230
+ ...(this.tenantId && { tenantId: this.tenantId }),
231
+ ...(this.userId && { userId: this.userId }),
232
+ })
233
+ : await this.client.methods.kmsClientGetKey({
234
+ aliasOrKid: keyRef.kid,
235
+ ...(this.tenantId && { tenantId: this.tenantId }),
236
+ ...(this.userId && { userId: this.userId }),
237
+ })
238
+
143
239
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
144
240
  keyInfo: key.keyInfo,
145
- input: toString(data, 'base64')
241
+ input: toString(data, 'base64'),
242
+ ...(this.tenantId && { tenantId: this.tenantId }),
243
+ ...(this.userId && { userId: this.userId }),
146
244
  })
147
245
 
148
246
  return signingResult.signature
@@ -150,11 +248,25 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
150
248
 
151
249
  async verify(args: VerifyArgs): Promise<boolean> {
152
250
  const { keyRef, data, signature } = args
153
- const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
251
+ const key = this.providerId
252
+ ? await this.client.methods.kmsClientProviderGetKey({
253
+ aliasOrKid: keyRef.kid,
254
+ providerId: this.providerId,
255
+ ...(this.tenantId && { tenantId: this.tenantId }),
256
+ ...(this.userId && { userId: this.userId }),
257
+ })
258
+ : await this.client.methods.kmsClientGetKey({
259
+ aliasOrKid: keyRef.kid,
260
+ ...(this.tenantId && { tenantId: this.tenantId }),
261
+ ...(this.userId && { userId: this.userId }),
262
+ })
263
+
154
264
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
155
265
  keyInfo: key.keyInfo,
156
266
  input: toString(data, 'base64'),
157
- signature
267
+ signature,
268
+ ...(this.tenantId && { tenantId: this.tenantId }),
269
+ ...(this.userId && { userId: this.userId }),
158
270
  })
159
271
 
160
272
  return verification.isValid
@@ -207,21 +319,36 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
207
319
 
208
320
  private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {
209
321
  switch (alg) {
210
- case 'RS256': return JoseSignatureAlgorithm.RS256;
211
- case 'RS384': return JoseSignatureAlgorithm.RS384;
212
- case 'RS512': return JoseSignatureAlgorithm.RS512;
213
- case 'ES256': return JoseSignatureAlgorithm.ES256;
214
- case 'ES256K': return JoseSignatureAlgorithm.ES256K;
215
- case 'ES384': return JoseSignatureAlgorithm.ES384;
216
- case 'ES512': return JoseSignatureAlgorithm.ES512;
217
- case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;
218
- case 'HS256': return JoseSignatureAlgorithm.HS256;
219
- case 'HS384': return JoseSignatureAlgorithm.HS384;
220
- case 'HS512': return JoseSignatureAlgorithm.HS512;
221
- case 'PS256': return JoseSignatureAlgorithm.PS256;
222
- case 'PS384': return JoseSignatureAlgorithm.PS384;
223
- case 'PS512': return JoseSignatureAlgorithm.PS512;
224
- case 'none': return JoseSignatureAlgorithm.none;
322
+ case 'RS256':
323
+ return JoseSignatureAlgorithm.RS256
324
+ case 'RS384':
325
+ return JoseSignatureAlgorithm.RS384
326
+ case 'RS512':
327
+ return JoseSignatureAlgorithm.RS512
328
+ case 'ES256':
329
+ return JoseSignatureAlgorithm.ES256
330
+ case 'ES256K':
331
+ return JoseSignatureAlgorithm.ES256K
332
+ case 'ES384':
333
+ return JoseSignatureAlgorithm.ES384
334
+ case 'ES512':
335
+ return JoseSignatureAlgorithm.ES512
336
+ case 'EdDSA':
337
+ return JoseSignatureAlgorithm.EdDSA
338
+ case 'HS256':
339
+ return JoseSignatureAlgorithm.HS256
340
+ case 'HS384':
341
+ return JoseSignatureAlgorithm.HS384
342
+ case 'HS512':
343
+ return JoseSignatureAlgorithm.HS512
344
+ case 'PS256':
345
+ return JoseSignatureAlgorithm.PS256
346
+ case 'PS384':
347
+ return JoseSignatureAlgorithm.PS384
348
+ case 'PS512':
349
+ return JoseSignatureAlgorithm.PS512
350
+ case 'none':
351
+ return JoseSignatureAlgorithm.none
225
352
  default:
226
353
  throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)
227
354
  }
@@ -256,10 +383,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
256
383
 
257
384
  private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {
258
385
  const x509 = args.meta?.x509 as X509Opts
259
- const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')
260
- ? args.privateKeyHex
261
- : hexToPEM(args.privateKeyHex, 'private')
262
- ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)
386
+ const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)
263
387
  const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')
264
388
  const privateKeyJwk = PEMToJwk(privateKeyPEM)
265
389
  const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')
@@ -307,8 +431,8 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
307
431
  crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
308
432
  },
309
433
  },
310
- certChain: meta.x509.x5c
311
- } satisfies StoreKey
434
+ certChain: meta.x509.x5c,
435
+ } satisfies StoreKey,
312
436
  }
313
437
  }
314
438
 
@@ -333,9 +457,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
333
457
  kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
334
458
  use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
335
459
  crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
336
- }
337
- }
338
- } satisfies StoreKey
460
+ },
461
+ },
462
+ } satisfies StoreKey,
339
463
  }
340
464
  }
341
465
 
@@ -357,9 +481,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
357
481
  kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
358
482
  use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
359
483
  crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
360
- }
361
- }
362
- } satisfies StoreKey
484
+ },
485
+ },
486
+ } satisfies StoreKey,
363
487
  }
364
488
  }
365
489
 
@@ -378,5 +502,4 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
378
502
  throw new Error(`Key type ${args.type} is not supported by REST KMS`)
379
503
  }
380
504
  }
381
-
382
505
  }
package/src/types/index.ts CHANGED
@@ -21,7 +21,7 @@ export type SignArgs = {
21
21
  export type VerifyArgs = {
22
22
  keyRef: Pick<IKey, 'kid'>
23
23
  data: Uint8Array
24
- signature: string;
24
+ signature: string
25
25
  [x: string]: any
26
26
  }
27
27
 
@@ -44,7 +44,7 @@ export type MapImportKeyArgs = {
44
44
  }
45
45
 
46
46
  export type MappedImportKey = {
47
- key: StoreKey,
48
- kid: string,
47
+ key: StoreKey
48
+ kid: string
49
49
  publicKeyJwk: JWK
50
50
  }