@sphereon/ssi-sdk.kms-rest 0.34.1-feature.SSISDK.82.and.SSISDK.70.349 → 0.34.1-feature.SSISDK.82.and.SSISDK.70.353

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (6) hide show
  1. package/dist/index.cjs +4 -11
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.js +5 -12
  4. package/dist/index.js.map +1 -1
  5. package/package.json +6 -6
  6. package/src/RestKeyManagementSystem.ts +31 -37
package/dist/index.cjs CHANGED
@@ -190,16 +190,9 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
190
190
  }
191
191
  });
192
192
  const restKeys = (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
193
- return restKeys.map((restKey) => {
193
+ return Promise.all(restKeys.map(async (restKey) => {
194
194
  const jwk = restKey.key;
195
- let publicKeyHex = "";
196
- if (jwk.kty === "EC") {
197
- publicKeyHex = jwk.x || "";
198
- } else if (jwk.kty === "RSA") {
199
- publicKeyHex = jwk.n || "";
200
- } else if (jwk.kty === "OKP") {
201
- publicKeyHex = jwk.x || "";
202
- }
195
+ const publicKeyHex = await (0, import_ssi_sdk_ext.jwkToRawHexKey)(jwk);
203
196
  const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
204
197
  return {
205
198
  kid: restKey.kid || restKey.alias,
@@ -223,7 +216,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
223
216
  ...restKey.opts
224
217
  }
225
218
  };
226
- });
219
+ }));
227
220
  }
228
221
  mapRestKeyTypeToTKeyType(keyType) {
229
222
  switch (keyType) {
@@ -273,7 +266,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
273
266
  userId: this.userId
274
267
  }
275
268
  });
276
- return signingResult.signature;
269
+ return (0, import_ssi_sdk_ext.base64ToBase64Url)(signingResult.signature);
277
270
  }
278
271
  async verify(args) {
279
272
  const { keyRef, data, signature, algorithm = "SHA-256" } = args;
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAQO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA1C7C,OA0C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,mBAAeC,2CAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,UAAMwB,0CAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,mBAAeC,2CAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,UAAMwB,0CAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,mBAAeC,2CAAuB;YACpCX;YACAY,iBAAiBwB,QAAQxC,IAAIP,UAAMwB,0CAAsBuB,QAAQxC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOyC,QAAQzC;UACf1B,YAAYmE,QAAQnE;UACpByE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,qBAA6BC,iCAAaL,IAAAA,IAC5CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOwF,cAAcG;EACvB;EAEA,MAAMC,OAAOpF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMc,WAAWb,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM6F,uBAA+BX,iCAAaL,IAAAA,IAC9CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMgB,eAAe,MAAM,KAAKlG,OAAO8B,QAAQqE,6BAA6B;MAC1E5C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASqG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK5F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO8F,aAAaE;EACtB;EAEA,MAAMC,aAAazF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO2F,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAInE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOsF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAInF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBsG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOpG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcqG;MACvB,KAAK;AACH,eAAOrG,6BAAcsG;MACvB,KAAK;AACH,eAAOtG,6BAAcuG;MACvB,KAAK;AACH,eAAOvG,6BAAcwG;MACvB,KAAK;AACH,eAAOxG,6BAAcyG;MACvB,KAAK;AACH,eAAOzG,6BAAc0G;MACvB,KAAK;AACH,eAAO1G,6BAAc2G;MACvB;AACE,cAAM,IAAI5F,MAAM,iBAAiBqF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBrG,mBAAmB,wBAAC6G,eAAAA;AAC1B,WAAOA,WAAWjE,IAAI,CAACyD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC1H,SAAAA;AACzB,UAAM2H,OAAO3H,KAAKE,MAAMyH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB5H,KAAK6H,cAAcC,SAAS,KAAA,IAAS9H,KAAK6H,oBAAgBE,8BAAS/H,KAAK6H,eAAe,SAAA;AACrI,UAAMjF,mBAAeoF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASvF,cAAc,QAAA;AAC5C,UAAMT,mBAAeiG,8BAASF,YAAAA;AAE9B,UAAMhI,OAAO,CAAC;AACd,QAAIyH,MAAM;AACRzH,WAAKyH,OAAO;QACVU,IAAIV,KAAKU,MAAMrI,KAAK2B,OAAOQ;MAC7B;AACA,UAAImG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBvI,aAAKyH,KAAKY,sBAAsBD;AAChC,cAAMvE,UAAM2E,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B/F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKyH,KAAK5D,MAAMA;MAClB;AACA,UAAI4D,KAAKgB,qBAAqB;AAE5B/F,qBAAagG,MAAMjB,KAAKgB;AACxBzI,aAAKyH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMhH,MAAM3B,KAAK2B,OAAOzB,MAAMyH,MAAMU,MAAMlG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,SAAKmF,wCAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,SAAKyI,oCAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWpI,KAAKyH,KAAK5D;MACvB;IACF;EACF,GArD0B;EAuDlBkF,wBAAwB,wBAACjJ,SAAAA;AAC/B,UAAM,EAAE6H,cAAa,IAAK7H;AAC1B,UAAMkJ,eAAenK,WAAW8I,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMhI,UAAU8H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM/G,eAAeb,QAAQkI,UAAU,MAAM,KAAA;AAC7C,UAAM5G,mBAAe6G,0BAAMtH,cAAc,WAAA;AACzC,UAAM8F,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM/H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,SAAKmF,wCAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,SAAKyI,oCAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC3J,SAAAA;AAC5B,UAAM,EAAE6H,cAAa,IAAK7H;AAC1B,UAAMiI,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMvH,mBAAeyH,kDAA8B/B,aAAAA;AACnD,UAAMjF,mBAAe6G,0BAAMtH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,SAAKmF,wCAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,SAAKyI,oCAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBxG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKyH,gBAAgB1H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKiJ,sBAAsBjJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK2J,mBAAmB3J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return Promise.all(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAUO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,mBAAeC,2CAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,UAAMwB,0CAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,mBAAeC,2CAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,UAAMwB,0CAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOC,QAAQC,IACbJ,SAASK,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAMkB,eAAe,UAAMyB,mCAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY6B,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAU,mBAAeC,2CAAuB;YACpCX;YACAY,iBAAiB0B,QAAQ1C,IAAIP,UAAMwB,0CAAsByB,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf1B,YAAYqE,QAAQrE;UACpByE,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;EAEJ;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,qBAA6BC,iCAAaL,IAAAA,IAC5CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,eAAO2F,sCAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOrF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMe,WAAWd,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM8F,uBAA+BZ,iCAAaL,IAAAA,IAC9CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMiB,eAAe,MAAM,KAAKnG,OAAO8B,QAAQsE,6BAA6B;MAC1E7C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASsG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK7F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO+F,aAAaE;EACtB;EAEA,MAAMC,aAAa1F,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACqF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOnF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOoF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdvF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO4F,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIpE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOuF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAIpF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBuG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOrG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcsG;MACvB,KAAK;AACH,eAAOtG,6BAAcuG;MACvB,KAAK;AACH,eAAOvG,6BAAcwG;MACvB,KAAK;AACH,eAAOxG,6BAAcyG;MACvB,KAAK;AACH,eAAOzG,6BAAc0G;MACvB,KAAK;AACH,eAAO1G,6BAAc2G;MACvB,KAAK;AACH,eAAO3G,6BAAc4G;MACvB;AACE,cAAM,IAAI7F,MAAM,iBAAiBsF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBtG,mBAAmB,wBAAC8G,eAAAA;AAC1B,WAAOA,WAAWhE,IAAI,CAACwD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3H,SAAAA;AACzB,UAAM4H,OAAO5H,KAAKE,MAAM0H;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7H,KAAK8H,cAAcC,SAAS,KAAA,IAAS/H,KAAK8H,oBAAgBE,8BAAShI,KAAK8H,eAAe,SAAA;AACrI,UAAMlF,mBAAeqF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASxF,cAAc,QAAA;AAC5C,UAAMT,mBAAekG,8BAASF,YAAAA;AAE9B,UAAMjI,OAAO,CAAC;AACd,QAAI0H,MAAM;AACR1H,WAAK0H,OAAO;QACVU,IAAIV,KAAKU,MAAMtI,KAAK2B,OAAOQ;MAC7B;AACA,UAAIoG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxI,aAAK0H,KAAKY,sBAAsBD;AAChC,cAAMxE,UAAM4E,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BhG,uBAAamB,MAAMA;QACrB;AACA7D,aAAK0H,KAAK7D,MAAMA;MAClB;AACA,UAAI6D,KAAKgB,qBAAqB;AAE5BhG,qBAAaiG,MAAMjB,KAAKgB;AACxB1I,aAAK0H,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMjH,MAAM3B,KAAK2B,OAAOzB,MAAM0H,MAAMU,MAAMnG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDzI,SAAK2I,oCAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;QACAV,WAAWrI,KAAK0H,KAAK7D;MACvB;IACF;EACF,GArD0B;EAuDlBoF,wBAAwB,wBAACnJ,SAAAA;AAC/B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMoJ,eAAerK,WAAW+I,cAAcuB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMlI,UAAUgI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMjH,eAAeb,QAAQoI,UAAU,MAAM,KAAA;AAC7C,UAAM9G,mBAAe+G,0BAAMxH,cAAc,WAAA;AACzC,UAAM+F,oBAAgByB,0BAAM7B,eAAe,aAAa;MAAE8B,cAAc;IAAK,CAAA;AAC7E,UAAMjI,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDzI,SAAK2I,oCAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC7J,SAAAA;AAC5B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMkI,oBAAgByB,0BAAM7B,eAAe,UAAU;MAAE8B,cAAc;IAAK,CAAA;AAC1E,UAAMzH,mBAAe2H,kDAA8BhC,aAAAA;AACnD,UAAMlF,mBAAe+G,0BAAMxH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDzI,SAAK2I,oCAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB1G,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0H,gBAAgB3H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKmJ,sBAAsBnJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK6J,mBAAmB7J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","Promise","all","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/dist/index.js CHANGED
@@ -2,7 +2,7 @@ var __defProp = Object.defineProperty;
2
2
  var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
3
3
 
4
4
  // src/RestKeyManagementSystem.ts
5
- import { calculateJwkThumbprint, isHashString, joseAlgorithmToDigest, shaHasher, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
5
+ import { base64ToBase64Url, calculateJwkThumbprint, isHashString, joseAlgorithmToDigest, jwkToRawHexKey, shaHasher, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
6
6
  import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
7
7
  import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
8
8
  import { JoseSignatureAlgorithm } from "@sphereon/ssi-types";
@@ -156,16 +156,9 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
156
156
  }
157
157
  });
158
158
  const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos;
159
- return restKeys.map((restKey) => {
159
+ return Promise.all(restKeys.map(async (restKey) => {
160
160
  const jwk = restKey.key;
161
- let publicKeyHex = "";
162
- if (jwk.kty === "EC") {
163
- publicKeyHex = jwk.x || "";
164
- } else if (jwk.kty === "RSA") {
165
- publicKeyHex = jwk.n || "";
166
- } else if (jwk.kty === "OKP") {
167
- publicKeyHex = jwk.x || "";
168
- }
161
+ const publicKeyHex = await jwkToRawHexKey(jwk);
169
162
  const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
170
163
  return {
171
164
  kid: restKey.kid || restKey.alias,
@@ -189,7 +182,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
189
182
  ...restKey.opts
190
183
  }
191
184
  };
192
- });
185
+ }));
193
186
  }
194
187
  mapRestKeyTypeToTKeyType(keyType) {
195
188
  switch (keyType) {
@@ -239,7 +232,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
239
232
  userId: this.userId
240
233
  }
241
234
  });
242
- return signingResult.signature;
235
+ return base64ToBase64Url(signingResult.signature);
243
236
  }
244
237
  async verify(args) {
245
238
  const { keyRef, data, signature, algorithm = "SHA-256" } = args;
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,wBACAC,cACAC,uBACAC,WACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA1C7C,OA0C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,eAAeC,uBAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,MAAMwB,sBAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,eAAeC,uBAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,MAAMwB,sBAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,eAAeC,uBAAuB;YACpCX;YACAY,iBAAiBwB,QAAQxC,IAAIP,MAAMwB,sBAAsBuB,QAAQxC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOyC,QAAQzC;UACf1B,YAAYmE,QAAQnE;UACpByE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,iBAA6BC,aAAaL,IAAAA,IAC5CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOwF,cAAcG;EACvB;EAEA,MAAMC,OAAOpF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMc,WAAWb,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM6F,mBAA+BX,aAAaL,IAAAA,IAC9CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMgB,eAAe,MAAM,KAAKlG,OAAO8B,QAAQqE,6BAA6B;MAC1E5C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASqG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK5F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO8F,aAAaE;EACtB;EAEA,MAAMC,aAAazF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO2F,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAInE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOsF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAInF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBsG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOpG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcqG;MACvB,KAAK;AACH,eAAOrG,cAAcsG;MACvB,KAAK;AACH,eAAOtG,cAAcuG;MACvB,KAAK;AACH,eAAOvG,cAAcwG;MACvB,KAAK;AACH,eAAOxG,cAAcyG;MACvB,KAAK;AACH,eAAOzG,cAAc0G;MACvB,KAAK;AACH,eAAO1G,cAAc2G;MACvB;AACE,cAAM,IAAI5F,MAAM,iBAAiBqF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBrG,mBAAmB,wBAAC6G,eAAAA;AAC1B,WAAOA,WAAWjE,IAAI,CAACyD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC1H,SAAAA;AACzB,UAAM2H,OAAO3H,KAAKE,MAAMyH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB5H,KAAK6H,cAAcC,SAAS,KAAA,IAAS9H,KAAK6H,gBAAgBE,SAAS/H,KAAK6H,eAAe,SAAA;AACrI,UAAMjF,eAAeoF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASvF,cAAc,QAAA;AAC5C,UAAMT,eAAeiG,SAASF,YAAAA;AAE9B,UAAMhI,OAAO,CAAC;AACd,QAAIyH,MAAM;AACRzH,WAAKyH,OAAO;QACVU,IAAIV,KAAKU,MAAMrI,KAAK2B,OAAOQ;MAC7B;AACA,UAAImG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBvI,aAAKyH,KAAKY,sBAAsBD;AAChC,cAAMvE,MAAM2E,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B/F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKyH,KAAK5D,MAAMA;MAClB;AACA,UAAI4D,KAAKgB,qBAAqB;AAE5B/F,qBAAagG,MAAMjB,KAAKgB;AACxBzI,aAAKyH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMhH,MAAM3B,KAAK2B,OAAOzB,MAAMyH,MAAMU,MAAMlG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,KAAKmF,wBAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,KAAKyI,oBAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWpI,KAAKyH,KAAK5D;MACvB;IACF;EACF,GArD0B;EAuDlBkF,wBAAwB,wBAACjJ,SAAAA;AAC/B,UAAM,EAAE6H,cAAa,IAAK7H;AAC1B,UAAMkJ,eAAenK,WAAW8I,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMhI,UAAU8H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM/G,eAAeb,QAAQkI,UAAU,MAAM,KAAA;AAC7C,UAAM5G,eAAe6G,MAAMtH,cAAc,WAAA;AACzC,UAAM8F,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM/H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,KAAKmF,wBAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,KAAKyI,oBAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC3J,SAAAA;AAC5B,UAAM,EAAE6H,cAAa,IAAK7H;AAC1B,UAAMiI,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMvH,eAAeyH,8BAA8B/B,aAAAA;AACnD,UAAMjF,eAAe6G,MAAMtH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,KAAKmF,wBAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,KAAKyI,oBAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBxG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKyH,gBAAgB1H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKiJ,sBAAsBjJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK2J,mBAAmB3J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","shaHasher","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return Promise.all(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,mBACAC,wBACAC,cACAC,uBACAC,gBACAC,WACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,eAAeC,uBAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,MAAMwB,sBAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,eAAeC,uBAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,MAAMwB,sBAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOC,QAAQC,IACbJ,SAASK,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAMkB,eAAe,MAAMyB,eAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY6B,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAU,eAAeC,uBAAuB;YACpCX;YACAY,iBAAiB0B,QAAQ1C,IAAIP,MAAMwB,sBAAsByB,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf1B,YAAYqE,QAAQrE;UACpByE,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;EAEJ;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,iBAA6BC,aAAaL,IAAAA,IAC5CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO2F,kBAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOrF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMe,WAAWd,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM8F,mBAA+BZ,aAAaL,IAAAA,IAC9CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMiB,eAAe,MAAM,KAAKnG,OAAO8B,QAAQsE,6BAA6B;MAC1E7C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASsG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK7F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO+F,aAAaE;EACtB;EAEA,MAAMC,aAAa1F,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACqF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOnF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOoF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdvF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO4F,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIpE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOuF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAIpF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBuG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOrG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcsG;MACvB,KAAK;AACH,eAAOtG,cAAcuG;MACvB,KAAK;AACH,eAAOvG,cAAcwG;MACvB,KAAK;AACH,eAAOxG,cAAcyG;MACvB,KAAK;AACH,eAAOzG,cAAc0G;MACvB,KAAK;AACH,eAAO1G,cAAc2G;MACvB,KAAK;AACH,eAAO3G,cAAc4G;MACvB;AACE,cAAM,IAAI7F,MAAM,iBAAiBsF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBtG,mBAAmB,wBAAC8G,eAAAA;AAC1B,WAAOA,WAAWhE,IAAI,CAACwD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3H,SAAAA;AACzB,UAAM4H,OAAO5H,KAAKE,MAAM0H;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7H,KAAK8H,cAAcC,SAAS,KAAA,IAAS/H,KAAK8H,gBAAgBE,SAAShI,KAAK8H,eAAe,SAAA;AACrI,UAAMlF,eAAeqF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASxF,cAAc,QAAA;AAC5C,UAAMT,eAAekG,SAASF,YAAAA;AAE9B,UAAMjI,OAAO,CAAC;AACd,QAAI0H,MAAM;AACR1H,WAAK0H,OAAO;QACVU,IAAIV,KAAKU,MAAMtI,KAAK2B,OAAOQ;MAC7B;AACA,UAAIoG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxI,aAAK0H,KAAKY,sBAAsBD;AAChC,cAAMxE,MAAM4E,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BhG,uBAAamB,MAAMA;QACrB;AACA7D,aAAK0H,KAAK7D,MAAMA;MAClB;AACA,UAAI6D,KAAKgB,qBAAqB;AAE5BhG,qBAAaiG,MAAMjB,KAAKgB;AACxB1I,aAAK0H,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMjH,MAAM3B,KAAK2B,OAAOzB,MAAM0H,MAAMU,MAAMnG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDzI,KAAK2I,oBAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;QACAV,WAAWrI,KAAK0H,KAAK7D;MACvB;IACF;EACF,GArD0B;EAuDlBoF,wBAAwB,wBAACnJ,SAAAA;AAC/B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMoJ,eAAerK,WAAW+I,cAAcuB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMlI,UAAUgI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMjH,eAAeb,QAAQoI,UAAU,MAAM,KAAA;AAC7C,UAAM9G,eAAe+G,MAAMxH,cAAc,WAAA;AACzC,UAAM+F,gBAAgByB,MAAM7B,eAAe,aAAa;MAAE8B,cAAc;IAAK,CAAA;AAC7E,UAAMjI,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDzI,KAAK2I,oBAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC7J,SAAAA;AAC5B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMkI,gBAAgByB,MAAM7B,eAAe,UAAU;MAAE8B,cAAc;IAAK,CAAA;AAC1E,UAAMzH,eAAe2H,8BAA8BhC,aAAAA;AACnD,UAAMlF,eAAe+G,MAAMxH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDzI,KAAK2I,oBAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB1G,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0H,gBAAgB3H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKmJ,sBAAsBnJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK6J,mBAAmB7J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["base64ToBase64Url","calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","jwkToRawHexKey","shaHasher","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","Promise","all","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk.kms-rest",
3
3
  "description": "Sphereon SSI-SDK plugin for REST Key Management System.",
4
- "version": "0.34.1-feature.SSISDK.82.and.SSISDK.70.349+8423ec8c",
4
+ "version": "0.34.1-feature.SSISDK.82.and.SSISDK.70.353+0b848d11",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
@@ -22,10 +22,10 @@
22
22
  "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
23
23
  },
24
24
  "dependencies": {
25
- "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.82.and.SSISDK.70.349+8423ec8c",
26
- "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.82.and.SSISDK.70.349+8423ec8c",
27
- "@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.SSISDK.82.and.SSISDK.70.349+8423ec8c",
28
- "@sphereon/ssi-types": "0.34.1-feature.SSISDK.82.and.SSISDK.70.349+8423ec8c",
25
+ "@sphereon/ssi-sdk-ext.key-utils": "0.34.1-feature.SSISDK.82.and.SSISDK.70.353+0b848d11",
26
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-feature.SSISDK.82.and.SSISDK.70.353+0b848d11",
27
+ "@sphereon/ssi-sdk.kms-rest-client": "0.34.1-feature.SSISDK.82.and.SSISDK.70.353+0b848d11",
28
+ "@sphereon/ssi-types": "0.34.1-feature.SSISDK.82.and.SSISDK.70.353+0b848d11",
29
29
  "@veramo/core": "4.2.0",
30
30
  "@veramo/key-manager": "4.2.0",
31
31
  "elliptic": "^6.5.4",
@@ -54,5 +54,5 @@
54
54
  "key-management",
55
55
  "Veramo"
56
56
  ],
57
- "gitHead": "8423ec8c4953d573753106202593191705c9ce23"
57
+ "gitHead": "0b848d117120a7fb846717082ce55fd2e80838e2"
58
58
  }
package/src/RestKeyManagementSystem.ts CHANGED
@@ -1,7 +1,9 @@
1
1
  import {
2
+ base64ToBase64Url,
2
3
  calculateJwkThumbprint,
3
4
  isHashString,
4
5
  joseAlgorithmToDigest,
6
+ jwkToRawHexKey,
5
7
  shaHasher,
6
8
  toJwk,
7
9
  x25519PublicHexFromPrivateHex,
@@ -172,42 +174,34 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
172
174
 
173
175
  const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos
174
176
 
175
- return restKeys.map((restKey: RestManagedKeyInfo) => {
176
- const jwk = restKey.key
177
- let publicKeyHex = ''
178
-
179
- // Derive publicKeyHex from JWK based on key type
180
- if (jwk.kty === 'EC') {
181
- publicKeyHex = jwk.x || ''
182
- } else if (jwk.kty === 'RSA') {
183
- publicKeyHex = jwk.n || ''
184
- } else if (jwk.kty === 'OKP') {
185
- publicKeyHex = jwk.x || ''
186
- }
187
-
188
- const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)
189
-
190
- return {
191
- kid: restKey.kid || restKey.alias,
192
- kms: this.id,
193
- type: keyType,
194
- publicKeyHex,
195
- meta: {
196
- algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,
197
- jwk,
198
- jwkThumbprint: calculateJwkThumbprint({
199
- jwk: jwk as JWK,
200
- digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',
201
- }),
202
- alias: restKey.alias,
203
- providerId: restKey.providerId,
204
- x5c: restKey.x5c,
205
- keyVisibility: restKey.keyVisibility,
206
- keyEncoding: restKey.keyEncoding,
207
- ...restKey.opts,
208
- },
209
- } satisfies ManagedKeyInfo
210
- })
177
+ return Promise.all(
178
+ restKeys.map(async (restKey: RestManagedKeyInfo) => {
179
+ const jwk = restKey.key
180
+ const publicKeyHex = await jwkToRawHexKey(jwk as JWK)
181
+ const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)
182
+
183
+ return {
184
+ kid: restKey.kid || restKey.alias,
185
+ kms: this.id,
186
+ type: keyType,
187
+ publicKeyHex,
188
+ meta: {
189
+ algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,
190
+ jwk,
191
+ jwkThumbprint: calculateJwkThumbprint({
192
+ jwk: jwk as JWK,
193
+ digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',
194
+ }),
195
+ alias: restKey.alias,
196
+ providerId: restKey.providerId,
197
+ x5c: restKey.x5c,
198
+ keyVisibility: restKey.keyVisibility,
199
+ keyEncoding: restKey.keyEncoding,
200
+ ...restKey.opts,
201
+ },
202
+ } satisfies ManagedKeyInfo
203
+ }),
204
+ )
211
205
  }
212
206
 
213
207
  private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {
@@ -254,7 +248,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
254
248
  ...(this.userId && { userId: this.userId }),
255
249
  })
256
250
 
257
- return signingResult.signature
251
+ return base64ToBase64Url(signingResult.signature)
258
252
  }
259
253
 
260
254
  async verify(args: VerifyArgs): Promise<boolean> {