@sphereon/ssi-sdk.kms-rest 0.34.1-next.299 → 0.34.1-next.322
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +4 -4
- package/dist/index.cjs +84 -11
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +6 -3
- package/dist/index.d.ts +6 -3
- package/dist/index.js +84 -11
- package/dist/index.js.map +1 -1
- package/package.json +6 -6
- package/src/RestKeyManagementSystem.ts +148 -68
- package/src/types/index.ts +3 -3
package/README.md
CHANGED
|
@@ -45,13 +45,13 @@ const key = await kms.createKey({ type: 'Secp256r1' })
|
|
|
45
45
|
|
|
46
46
|
```typescript
|
|
47
47
|
const privateKeyHex = '7dd923e40f4615ac496119f7e793cc2899e99b64b88ca8603db986700089532b'
|
|
48
|
-
const key = await kms.importKey({ kid: 'kid', privateKeyHex, type: 'Secp256r1'})
|
|
48
|
+
const key = await kms.importKey({ kid: 'kid', privateKeyHex, type: 'Secp256r1' })
|
|
49
49
|
```
|
|
50
50
|
|
|
51
51
|
### Delete key
|
|
52
52
|
|
|
53
53
|
```typescript
|
|
54
|
-
const result = await kms.deleteKey({ kid: '00-qTBov6GxjPSuMNxnk876cMP0JKjbwl4ZyN_sY2tE'})
|
|
54
|
+
const result = await kms.deleteKey({ kid: '00-qTBov6GxjPSuMNxnk876cMP0JKjbwl4ZyN_sY2tE' })
|
|
55
55
|
```
|
|
56
56
|
|
|
57
57
|
### List keys
|
|
@@ -65,7 +65,7 @@ const keys = await kms.listKeys()
|
|
|
65
65
|
```typescript
|
|
66
66
|
const signature = await kms.sign({
|
|
67
67
|
keyRef: { kid: '00-qTBov6GxjPSuMNxnk876cMP0JKjbwl4ZyN_sY2tE' },
|
|
68
|
-
data: u8a.fromString('input', 'base64')
|
|
68
|
+
data: u8a.fromString('input', 'base64'),
|
|
69
69
|
})
|
|
70
70
|
```
|
|
71
71
|
|
|
@@ -75,7 +75,7 @@ const signature = await kms.sign({
|
|
|
75
75
|
const verification = await kms.verify({
|
|
76
76
|
keyRef: { kid: '00-qTBov6GxjPSuMNxnk876cMP0JKjbwl4ZyN_sY2tE' },
|
|
77
77
|
data: u8a.fromString('input', 'base64'),
|
|
78
|
-
signature:
|
|
78
|
+
signature: 'jSgVmRcmWwxHtAohgYHUNk9uKdaRj4gi04pjdxgwRaQyXJJJ6bMH50VyWMFvN9a6ZKjpdOahE2nJ+BWjr85nhQ==',
|
|
79
79
|
})
|
|
80
80
|
```
|
|
81
81
|
|
package/dist/index.cjs
CHANGED
|
@@ -36,11 +36,11 @@ __export(index_exports, {
|
|
|
36
36
|
module.exports = __toCommonJS(index_exports);
|
|
37
37
|
|
|
38
38
|
// src/RestKeyManagementSystem.ts
|
|
39
|
-
var import_key_manager = require("@veramo/key-manager");
|
|
40
39
|
var import_ssi_sdk_ext = require("@sphereon/ssi-sdk-ext.key-utils");
|
|
41
|
-
var import_ssi_sdk = require("@sphereon/ssi-sdk.kms-rest-client");
|
|
42
40
|
var import_ssi_sdk_ext2 = require("@sphereon/ssi-sdk-ext.x509-utils");
|
|
41
|
+
var import_ssi_sdk = require("@sphereon/ssi-sdk.kms-rest-client");
|
|
43
42
|
var import_ssi_types = require("@sphereon/ssi-types");
|
|
43
|
+
var import_key_manager = require("@veramo/key-manager");
|
|
44
44
|
var import_elliptic = __toESM(require("elliptic"), 1);
|
|
45
45
|
var u8a = __toESM(require("uint8arrays"), 1);
|
|
46
46
|
var { fromString, toString } = u8a;
|
|
@@ -50,6 +50,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
50
50
|
}
|
|
51
51
|
client;
|
|
52
52
|
id;
|
|
53
|
+
providerId;
|
|
53
54
|
constructor(options) {
|
|
54
55
|
super();
|
|
55
56
|
const config = {
|
|
@@ -57,6 +58,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
57
58
|
authOpts: options.authOpts
|
|
58
59
|
};
|
|
59
60
|
this.id = options.applicationId;
|
|
61
|
+
this.providerId = options.providerId;
|
|
60
62
|
this.client = new import_ssi_sdk.KmsRestClient(config);
|
|
61
63
|
}
|
|
62
64
|
async createKey(args) {
|
|
@@ -65,11 +67,17 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
65
67
|
const options = {
|
|
66
68
|
use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : import_ssi_sdk.JwkUse.Sig,
|
|
67
69
|
alg: signatureAlgorithm,
|
|
68
|
-
keyOperations: meta ? this.mapKeyOperations(meta.keyOperations) : [
|
|
70
|
+
keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations) : [
|
|
69
71
|
import_ssi_sdk.KeyOperations.Sign
|
|
70
|
-
]
|
|
72
|
+
],
|
|
73
|
+
...meta && "keyAlias" in meta && meta.keyAlias ? {
|
|
74
|
+
alias: meta.keyAlias
|
|
75
|
+
} : {}
|
|
71
76
|
};
|
|
72
|
-
const key = await this.client.methods.
|
|
77
|
+
const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
|
|
78
|
+
...options,
|
|
79
|
+
providerId: this.providerId
|
|
80
|
+
}) : await this.client.methods.kmsClientGenerateKey(options);
|
|
73
81
|
const jwk = {
|
|
74
82
|
...key.keyPair.jose.publicJwk,
|
|
75
83
|
alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
|
|
@@ -99,7 +107,10 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
99
107
|
const { type } = args;
|
|
100
108
|
const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
|
|
101
109
|
const importKey = this.mapImportKey(args);
|
|
102
|
-
const result = await this.client.methods.
|
|
110
|
+
const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
|
|
111
|
+
...importKey.key,
|
|
112
|
+
providerId: this.providerId
|
|
113
|
+
}) : await this.client.methods.kmsClientStoreKey(importKey.key);
|
|
103
114
|
return {
|
|
104
115
|
kid: importKey.kid,
|
|
105
116
|
kms: this.id,
|
|
@@ -119,17 +130,76 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
119
130
|
}
|
|
120
131
|
async deleteKey(args) {
|
|
121
132
|
const { kid } = args;
|
|
122
|
-
return await this.client.methods.
|
|
133
|
+
return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
|
|
134
|
+
aliasOrKid: kid,
|
|
135
|
+
providerId: this.providerId
|
|
136
|
+
}) : await this.client.methods.kmsClientDeleteKey({
|
|
123
137
|
aliasOrKid: kid
|
|
124
138
|
});
|
|
125
139
|
}
|
|
126
140
|
async listKeys() {
|
|
127
|
-
const keys = await this.client.methods.
|
|
128
|
-
|
|
141
|
+
const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
|
|
142
|
+
providerId: this.providerId
|
|
143
|
+
}) : await this.client.methods.kmsClientListKeys();
|
|
144
|
+
const restKeys = (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
|
|
145
|
+
return restKeys.map((restKey) => {
|
|
146
|
+
const jwk = restKey.key;
|
|
147
|
+
let publicKeyHex = "";
|
|
148
|
+
if (jwk.kty === "EC") {
|
|
149
|
+
publicKeyHex = jwk.x || "";
|
|
150
|
+
} else if (jwk.kty === "RSA") {
|
|
151
|
+
publicKeyHex = jwk.n || "";
|
|
152
|
+
} else if (jwk.kty === "OKP") {
|
|
153
|
+
publicKeyHex = jwk.x || "";
|
|
154
|
+
}
|
|
155
|
+
const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
|
|
156
|
+
return {
|
|
157
|
+
kid: restKey.kid || restKey.alias,
|
|
158
|
+
kms: this.id,
|
|
159
|
+
type: keyType,
|
|
160
|
+
publicKeyHex,
|
|
161
|
+
meta: {
|
|
162
|
+
algorithms: restKey.signatureAlgorithm ? [
|
|
163
|
+
restKey.signatureAlgorithm
|
|
164
|
+
] : void 0,
|
|
165
|
+
jwk,
|
|
166
|
+
jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
|
|
167
|
+
jwk,
|
|
168
|
+
digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : "sha256"
|
|
169
|
+
}),
|
|
170
|
+
alias: restKey.alias,
|
|
171
|
+
providerId: restKey.providerId,
|
|
172
|
+
x5c: restKey.x5c,
|
|
173
|
+
keyVisibility: restKey.keyVisibility,
|
|
174
|
+
keyEncoding: restKey.keyEncoding,
|
|
175
|
+
...restKey.opts
|
|
176
|
+
}
|
|
177
|
+
};
|
|
178
|
+
});
|
|
179
|
+
}
|
|
180
|
+
mapRestKeyTypeToTKeyType(keyType) {
|
|
181
|
+
switch (keyType) {
|
|
182
|
+
case "RSA":
|
|
183
|
+
return "RSA";
|
|
184
|
+
case "EC":
|
|
185
|
+
case "P256":
|
|
186
|
+
return "Secp256r1";
|
|
187
|
+
case "X25519":
|
|
188
|
+
return "X25519";
|
|
189
|
+
case "Ed25519":
|
|
190
|
+
return "Ed25519";
|
|
191
|
+
case "secp256k1":
|
|
192
|
+
return "Secp256k1";
|
|
193
|
+
default:
|
|
194
|
+
throw new Error(`Unknown key type: ${keyType}`);
|
|
195
|
+
}
|
|
129
196
|
}
|
|
130
197
|
async sign(args) {
|
|
131
198
|
const { keyRef, data } = args;
|
|
132
|
-
const key = await this.client.methods.
|
|
199
|
+
const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
|
|
200
|
+
aliasOrKid: keyRef.kid,
|
|
201
|
+
providerId: this.providerId
|
|
202
|
+
}) : await this.client.methods.kmsClientGetKey({
|
|
133
203
|
aliasOrKid: keyRef.kid
|
|
134
204
|
});
|
|
135
205
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
@@ -140,7 +210,10 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
140
210
|
}
|
|
141
211
|
async verify(args) {
|
|
142
212
|
const { keyRef, data, signature } = args;
|
|
143
|
-
const key = await this.client.methods.
|
|
213
|
+
const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
|
|
214
|
+
aliasOrKid: keyRef.kid,
|
|
215
|
+
providerId: this.providerId
|
|
216
|
+
}) : await this.client.methods.kmsClientGetKey({
|
|
144
217
|
aliasOrKid: keyRef.kid
|
|
145
218
|
});
|
|
146
219
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACCA,yBAA4C;AAC5C,yBAKO;AACP,qBAWO;AACP,IAAAA,sBAMO;AACP,uBAAiD;AACjD,sBAAqB;AAErB,UAAqB;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQQ;QACnBC,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,mBAAeC,2CAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUrB,IAAIyB,QAAQb;QAC7BC,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,mBAAeC,2CAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,eAAOC,4CAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,wCAAuBC;MAC5C,KAAK;AAAS,eAAOD,wCAAuBE;MAC5C,KAAK;AAAS,eAAOF,wCAAuBG;MAC5C,KAAK;AAAS,eAAOH,wCAAuBI;MAC5C,KAAK;AAAU,eAAOJ,wCAAuBK;MAC7C,KAAK;AAAS,eAAOL,wCAAuBM;MAC5C,KAAK;AAAS,eAAON,wCAAuBO;MAC5C,KAAK;AAAS,eAAOP,wCAAuBQ;MAC5C,KAAK;AAAS,eAAOR,wCAAuBS;MAC5C,KAAK;AAAS,eAAOT,wCAAuBU;MAC5C,KAAK;AAAS,eAAOV,wCAAuBW;MAC5C,KAAK;AAAS,eAAOX,wCAAuBY;MAC5C,KAAK;AAAS,eAAOZ,wCAAuBa;MAC5C,KAAK;AAAS,eAAOb,wCAAuBc;MAC5C,KAAK;AAAS,eAAOd,wCAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAc+E;MACvB,KAAK;AACH,eAAO/E,6BAAcgF;MACvB,KAAK;AACH,eAAOhF,6BAAciF;MACvB,KAAK;AACH,eAAOjF,6BAAckF;MACvB,KAAK;AACH,eAAOlF,6BAAcmF;MACvB,KAAK;AACH,eAAOnF,6BAAcoF;MACvB,KAAK;AACH,eAAOpF,6BAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,oBACLE,8BAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,mBAAekE,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASrE,cAAc,QAAA;AAC5C,UAAMR,mBAAe8E,8BAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,UAAMC,uCAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,mBAAe6F,0BAAMrG,cAAc,WAAA;AACzC,UAAM2E,oBAAgB0B,0BAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,oBAAgB0B,0BAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,mBAAewG,kDAA8BjC,aAAAA;AACnD,UAAM/D,mBAAe6F,0BAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,SAAKC,wCAAwBd,cAAca,KAAK,KAAA;YAChDpH,SAAKsH,oCAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,SAAKC,mCAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAA4F;AAC5F,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAhC7C,OAgC6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;IAChF;AAEA,UAAME,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKtC;MACVU;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,mBAAeC,2CAAuB;UACpCX;UACAY,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUtC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMoD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMqC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKhD,aAChB,MAAM,KAAKF,OAAO4B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACbzB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQwB,kBAAkBJ,UAAUrB,GAAG;AAE7D,WAAO;MACLU,KAAKW,UAAUX;MACfE,KAAK,KAAKtC;MACVU;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,mBAAeC,2CAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAI/B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM2D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO4B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQ8B,mBAAmB;MAAED,YAAYpB;IAAI,CAAA;EACrE;EAEA,MAAMsB,WAAsC;AAC1C,UAAMC,OAAO,KAAK1D,aACd,MAAM,KAAKF,OAAO4B,QAAQiC,0BAA0B;MAAE3D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO4B,QAAQkC,kBAAiB;AAE/C,UAAMC,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKtC;QACVU,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,mBAAeC,2CAAuB;YACpCX;YACAY,iBAAiBwB,QAAQtD,qBAAqB,KAAK+B,oCAAoCuB,QAAQtD,kBAAkB,IAAI;UACvH,CAAA;UACAa,OAAOyC,QAAQzC;UACfxB,YAAYiE,QAAQjE;UACpBuE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,KAAI,IAAKrE;AACzB,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAM6C,gBAAgB,MAAM,KAAKlF,OAAO4B,QAAQuD,4BAA4B;MAC1E9B,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO5E,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMM,UAAS,IAAK3E;AACpC,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAMkD,eAAe,MAAM,KAAKvF,OAAO4B,QAAQ4D,6BAA6B;MAC1EnC,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAahF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQM,sCAAsC,wBAAC/B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK8E,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI7D,MAAM,uBAAuBzB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAOgF,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIxD,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOkF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAI/E,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBkG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOhG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAciG;MACvB,KAAK;AACH,eAAOjG,6BAAckG;MACvB,KAAK;AACH,eAAOlG,6BAAcmG;MACvB,KAAK;AACH,eAAOnG,6BAAcoG;MACvB,KAAK;AACH,eAAOpG,6BAAcqG;MACvB,KAAK;AACH,eAAOrG,6BAAcsG;MACvB,KAAK;AACH,eAAOtG,6BAAcuG;MACvB;AACE,cAAM,IAAIxF,MAAM,iBAAiBiF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBjG,mBAAmB,wBAACyG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACtH,SAAAA;AACzB,UAAMuH,OAAOvH,KAAKE,MAAMqH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBxH,KAAKyH,cAAcC,SAAS,KAAA,IAAS1H,KAAKyH,oBAAgBE,8BAAS3H,KAAKyH,eAAe,SAAA;AACrI,UAAM7E,mBAAegF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASnF,cAAc,QAAA;AAC5C,UAAMT,mBAAe6F,8BAASF,YAAAA;AAE9B,UAAM5H,OAAO,CAAC;AACd,QAAIqH,MAAM;AACRrH,WAAKqH,OAAO;QACVU,IAAIV,KAAKU,MAAMjI,KAAK2B,OAAOQ;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBnI,aAAKqH,KAAKY,sBAAsBD;AAChC,cAAMnE,UAAMuE,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKqH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBrI,aAAKqH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM5G,MAAM3B,KAAK2B,OAAOzB,MAAMqH,MAAMU,MAAM9F;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWhI,KAAKqH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC7I,SAAAA;AAC/B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM8I,eAAe7J,WAAWwI,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAM5H,UAAU0H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAeb,QAAQ8H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,mBAAeyG,0BAAMlH,cAAc,WAAA;AACzC,UAAM0F,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM3H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACvJ,SAAAA;AAC5B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM6H,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,mBAAeqH,kDAA8B/B,aAAAA;AACnD,UAAM7E,mBAAeyG,0BAAMlH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKqH,gBAAgBtH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK6I,sBAAsB7I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKuJ,mBAAmBvJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
package/dist/index.d.cts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
|
+
import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
|
|
1
2
|
import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
|
|
2
3
|
import { AbstractKeyManagementSystem } from '@veramo/key-manager';
|
|
3
|
-
import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
|
|
4
4
|
import { JWK } from '@sphereon/ssi-types';
|
|
5
5
|
|
|
6
6
|
type KeyMetadata = {
|
|
@@ -44,19 +44,22 @@ type MappedImportKey = {
|
|
|
44
44
|
publicKeyJwk: JWK;
|
|
45
45
|
};
|
|
46
46
|
|
|
47
|
-
interface
|
|
47
|
+
interface KeyManagementSystemOptions {
|
|
48
48
|
applicationId: string;
|
|
49
49
|
baseUrl: string;
|
|
50
|
+
providerId?: string;
|
|
50
51
|
authOpts?: RestClientAuthenticationOpts;
|
|
51
52
|
}
|
|
52
53
|
declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
53
54
|
private client;
|
|
54
55
|
private readonly id;
|
|
55
|
-
|
|
56
|
+
private providerId;
|
|
57
|
+
constructor(options: KeyManagementSystemOptions);
|
|
56
58
|
createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
|
|
57
59
|
importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
|
|
58
60
|
deleteKey(args: DeleteKeyArgs): Promise<boolean>;
|
|
59
61
|
listKeys(): Promise<ManagedKeyInfo[]>;
|
|
62
|
+
private mapRestKeyTypeToTKeyType;
|
|
60
63
|
sign(args: SignArgs): Promise<string>;
|
|
61
64
|
verify(args: VerifyArgs): Promise<boolean>;
|
|
62
65
|
sharedSecret(args: SharedSecretArgs): Promise<string>;
|
package/dist/index.d.ts
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
|
+
import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
|
|
1
2
|
import { TKeyType, MinimalImportableKey, IKey, ManagedKeyInfo } from '@veramo/core';
|
|
2
3
|
import { AbstractKeyManagementSystem } from '@veramo/key-manager';
|
|
3
|
-
import { StoreKey, RestClientAuthenticationOpts } from '@sphereon/ssi-sdk.kms-rest-client';
|
|
4
4
|
import { JWK } from '@sphereon/ssi-types';
|
|
5
5
|
|
|
6
6
|
type KeyMetadata = {
|
|
@@ -44,19 +44,22 @@ type MappedImportKey = {
|
|
|
44
44
|
publicKeyJwk: JWK;
|
|
45
45
|
};
|
|
46
46
|
|
|
47
|
-
interface
|
|
47
|
+
interface KeyManagementSystemOptions {
|
|
48
48
|
applicationId: string;
|
|
49
49
|
baseUrl: string;
|
|
50
|
+
providerId?: string;
|
|
50
51
|
authOpts?: RestClientAuthenticationOpts;
|
|
51
52
|
}
|
|
52
53
|
declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
53
54
|
private client;
|
|
54
55
|
private readonly id;
|
|
55
|
-
|
|
56
|
+
private providerId;
|
|
57
|
+
constructor(options: KeyManagementSystemOptions);
|
|
56
58
|
createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
|
|
57
59
|
importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
|
|
58
60
|
deleteKey(args: DeleteKeyArgs): Promise<boolean>;
|
|
59
61
|
listKeys(): Promise<ManagedKeyInfo[]>;
|
|
62
|
+
private mapRestKeyTypeToTKeyType;
|
|
60
63
|
sign(args: SignArgs): Promise<string>;
|
|
61
64
|
verify(args: VerifyArgs): Promise<boolean>;
|
|
62
65
|
sharedSecret(args: SharedSecretArgs): Promise<string>;
|
package/dist/index.js
CHANGED
|
@@ -2,11 +2,11 @@ var __defProp = Object.defineProperty;
|
|
|
2
2
|
var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
|
|
3
3
|
|
|
4
4
|
// src/RestKeyManagementSystem.ts
|
|
5
|
-
import { AbstractKeyManagementSystem } from "@veramo/key-manager";
|
|
6
5
|
import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
|
|
7
|
-
import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
|
|
8
6
|
import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
|
|
7
|
+
import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
|
|
9
8
|
import { JoseSignatureAlgorithm } from "@sphereon/ssi-types";
|
|
9
|
+
import { AbstractKeyManagementSystem } from "@veramo/key-manager";
|
|
10
10
|
import elliptic from "elliptic";
|
|
11
11
|
import * as u8a from "uint8arrays";
|
|
12
12
|
var { fromString, toString } = u8a;
|
|
@@ -16,6 +16,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
16
16
|
}
|
|
17
17
|
client;
|
|
18
18
|
id;
|
|
19
|
+
providerId;
|
|
19
20
|
constructor(options) {
|
|
20
21
|
super();
|
|
21
22
|
const config = {
|
|
@@ -23,6 +24,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
23
24
|
authOpts: options.authOpts
|
|
24
25
|
};
|
|
25
26
|
this.id = options.applicationId;
|
|
27
|
+
this.providerId = options.providerId;
|
|
26
28
|
this.client = new KmsRestClient(config);
|
|
27
29
|
}
|
|
28
30
|
async createKey(args) {
|
|
@@ -31,11 +33,17 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
31
33
|
const options = {
|
|
32
34
|
use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
|
|
33
35
|
alg: signatureAlgorithm,
|
|
34
|
-
keyOperations: meta ? this.mapKeyOperations(meta.keyOperations) : [
|
|
36
|
+
keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations) : [
|
|
35
37
|
KeyOperations.Sign
|
|
36
|
-
]
|
|
38
|
+
],
|
|
39
|
+
...meta && "keyAlias" in meta && meta.keyAlias ? {
|
|
40
|
+
alias: meta.keyAlias
|
|
41
|
+
} : {}
|
|
37
42
|
};
|
|
38
|
-
const key = await this.client.methods.
|
|
43
|
+
const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
|
|
44
|
+
...options,
|
|
45
|
+
providerId: this.providerId
|
|
46
|
+
}) : await this.client.methods.kmsClientGenerateKey(options);
|
|
39
47
|
const jwk = {
|
|
40
48
|
...key.keyPair.jose.publicJwk,
|
|
41
49
|
alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
|
|
@@ -65,7 +73,10 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
65
73
|
const { type } = args;
|
|
66
74
|
const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
|
|
67
75
|
const importKey = this.mapImportKey(args);
|
|
68
|
-
const result = await this.client.methods.
|
|
76
|
+
const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
|
|
77
|
+
...importKey.key,
|
|
78
|
+
providerId: this.providerId
|
|
79
|
+
}) : await this.client.methods.kmsClientStoreKey(importKey.key);
|
|
69
80
|
return {
|
|
70
81
|
kid: importKey.kid,
|
|
71
82
|
kms: this.id,
|
|
@@ -85,17 +96,76 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
85
96
|
}
|
|
86
97
|
async deleteKey(args) {
|
|
87
98
|
const { kid } = args;
|
|
88
|
-
return await this.client.methods.
|
|
99
|
+
return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
|
|
100
|
+
aliasOrKid: kid,
|
|
101
|
+
providerId: this.providerId
|
|
102
|
+
}) : await this.client.methods.kmsClientDeleteKey({
|
|
89
103
|
aliasOrKid: kid
|
|
90
104
|
});
|
|
91
105
|
}
|
|
92
106
|
async listKeys() {
|
|
93
|
-
const keys = await this.client.methods.
|
|
94
|
-
|
|
107
|
+
const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
|
|
108
|
+
providerId: this.providerId
|
|
109
|
+
}) : await this.client.methods.kmsClientListKeys();
|
|
110
|
+
const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos;
|
|
111
|
+
return restKeys.map((restKey) => {
|
|
112
|
+
const jwk = restKey.key;
|
|
113
|
+
let publicKeyHex = "";
|
|
114
|
+
if (jwk.kty === "EC") {
|
|
115
|
+
publicKeyHex = jwk.x || "";
|
|
116
|
+
} else if (jwk.kty === "RSA") {
|
|
117
|
+
publicKeyHex = jwk.n || "";
|
|
118
|
+
} else if (jwk.kty === "OKP") {
|
|
119
|
+
publicKeyHex = jwk.x || "";
|
|
120
|
+
}
|
|
121
|
+
const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
|
|
122
|
+
return {
|
|
123
|
+
kid: restKey.kid || restKey.alias,
|
|
124
|
+
kms: this.id,
|
|
125
|
+
type: keyType,
|
|
126
|
+
publicKeyHex,
|
|
127
|
+
meta: {
|
|
128
|
+
algorithms: restKey.signatureAlgorithm ? [
|
|
129
|
+
restKey.signatureAlgorithm
|
|
130
|
+
] : void 0,
|
|
131
|
+
jwk,
|
|
132
|
+
jwkThumbprint: calculateJwkThumbprint({
|
|
133
|
+
jwk,
|
|
134
|
+
digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : "sha256"
|
|
135
|
+
}),
|
|
136
|
+
alias: restKey.alias,
|
|
137
|
+
providerId: restKey.providerId,
|
|
138
|
+
x5c: restKey.x5c,
|
|
139
|
+
keyVisibility: restKey.keyVisibility,
|
|
140
|
+
keyEncoding: restKey.keyEncoding,
|
|
141
|
+
...restKey.opts
|
|
142
|
+
}
|
|
143
|
+
};
|
|
144
|
+
});
|
|
145
|
+
}
|
|
146
|
+
mapRestKeyTypeToTKeyType(keyType) {
|
|
147
|
+
switch (keyType) {
|
|
148
|
+
case "RSA":
|
|
149
|
+
return "RSA";
|
|
150
|
+
case "EC":
|
|
151
|
+
case "P256":
|
|
152
|
+
return "Secp256r1";
|
|
153
|
+
case "X25519":
|
|
154
|
+
return "X25519";
|
|
155
|
+
case "Ed25519":
|
|
156
|
+
return "Ed25519";
|
|
157
|
+
case "secp256k1":
|
|
158
|
+
return "Secp256k1";
|
|
159
|
+
default:
|
|
160
|
+
throw new Error(`Unknown key type: ${keyType}`);
|
|
161
|
+
}
|
|
95
162
|
}
|
|
96
163
|
async sign(args) {
|
|
97
164
|
const { keyRef, data } = args;
|
|
98
|
-
const key = await this.client.methods.
|
|
165
|
+
const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
|
|
166
|
+
aliasOrKid: keyRef.kid,
|
|
167
|
+
providerId: this.providerId
|
|
168
|
+
}) : await this.client.methods.kmsClientGetKey({
|
|
99
169
|
aliasOrKid: keyRef.kid
|
|
100
170
|
});
|
|
101
171
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
@@ -106,7 +176,10 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
106
176
|
}
|
|
107
177
|
async verify(args) {
|
|
108
178
|
const { keyRef, data, signature } = args;
|
|
109
|
-
const key = await this.client.methods.
|
|
179
|
+
const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
|
|
180
|
+
aliasOrKid: keyRef.kid,
|
|
181
|
+
providerId: this.providerId
|
|
182
|
+
}) : await this.client.methods.kmsClientGetKey({
|
|
110
183
|
aliasOrKid: keyRef.kid
|
|
111
184
|
});
|
|
112
185
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport {\n calculateJwkThumbprint,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n hexToPEM,\n jwkToPEM,\n pemCertChainTox5c,\n PEMToHex,\n PEMToJwk\n} from '@sphereon/ssi-sdk-ext.x509-utils'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type {\n CreateKeyArgs,\n DeleteKeyArgs,\n ImportKeyArgs,\n MapImportKeyArgs,\n MappedImportKey,\n SharedSecretArgs,\n SignArgs,\n VerifyArgs\n} from './types'\n\nconst { fromString, toString } = u8a\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts\n }\n\n this.id = options.applicationId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]\n }\n\n const key = await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = await this.client.methods.kmsClientListKeys()\n\n return ListKeysResponseToJSONTyped(keys, false).keyInfos //ListKeysResponseFromJSONTyped\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64')\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256': return JoseSignatureAlgorithm.RS256;\n case 'RS384': return JoseSignatureAlgorithm.RS384;\n case 'RS512': return JoseSignatureAlgorithm.RS512;\n case 'ES256': return JoseSignatureAlgorithm.ES256;\n case 'ES256K': return JoseSignatureAlgorithm.ES256K;\n case 'ES384': return JoseSignatureAlgorithm.ES384;\n case 'ES512': return JoseSignatureAlgorithm.ES512;\n case 'EdDSA': return JoseSignatureAlgorithm.EdDSA;\n case 'HS256': return JoseSignatureAlgorithm.HS256;\n case 'HS384': return JoseSignatureAlgorithm.HS384;\n case 'HS512': return JoseSignatureAlgorithm.HS512;\n case 'PS256': return JoseSignatureAlgorithm.PS256;\n case 'PS384': return JoseSignatureAlgorithm.PS384;\n case 'PS512': return JoseSignatureAlgorithm.PS512;\n case 'none': return JoseSignatureAlgorithm.none;\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')\n ? args.privateKeyHex\n : hexToPEM(args.privateKeyHex, 'private')\n ) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c\n } satisfies StoreKey\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n }\n }\n } satisfies StoreKey\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n\n}\n"],"mappings":";;;;AACA,SAASA,mCAAmC;AAC5C,SACEC,wBACAC,OACAC,qCAEK;AACP,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SACEC,UACAC,UACAC,mBACAC,UACAC,gBACK;AACP,SAASC,8BAAwC;AACjD,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAYrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAQ1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAjD7C,OAiD6CA;;;EACnCC;EACSC;EAEjB,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKJ,KAAKC,QAAQI;AAClB,SAAKN,SAAS,IAAIO,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAW;MACfY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,OAAO,KAAKU,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;IAC/F;AAEA,UAAMC,MAAM,MAAM,KAAKxB,OAAOyB,QAAQC,qBAAqBxB,OAAAA;AAE3D,UAAMyB,MAAM;MACV,GAAGH,IAAII,QAAQC,KAAKC;MACpBX,KAAKK,IAAII,QAAQC,KAAKC,UAAUX,MAAM,KAAKY,iBAAiBP,IAAII,QAAQC,KAAKC,UAAUX,GAAG,IAAIa;IAChG;AAEA,UAAMC,MAAMT,IAAII,QAAQK,OAAOT,IAAII,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOZ,IAAII,QAAQQ;QACnBC,YAAY;UAACb,IAAII,QAAQC,KAAKC,UAAUX,OAAO;;QAC/CmB,eAAeC,uBAAuB;UACpCZ;UACAa,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKpB,IAAII,QAAQC,KAAKC,UAAUlC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMiD,UAAUpC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMmC,YAAY,KAAKC,aAAarC,IAAAA;AAEpC,UAAMsC,SAAS,MAAM,KAAK/C,OAAOyB,QAAQuB,kBAAkBH,UAAUrB,GAAG;AAExE,WAAO;MACLS,KAAKY,UAAUZ;MACfE,KAAK,KAAKlC;MACVS;MACAC,MAAM;QACJyB,OAAOS,UAAUrB,IAAIyB,QAAQb;QAC7BC,YAAY;UAACU,OAAOE,QAAQzB,IAAIL,OAAO;;QACvCmB,eAAeC,uBAAuB;UACpCZ,KAAKkB,UAAUK;UACfV,iBAAiB,KAAKC,oCAAoC7B,kBAAAA;QAC5D,CAAA;MACF;MACA8B,cAAcC,OAAOC,KAAKG,OAAOE,QAAQzB,IAAI5B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAMuD,UAAU1C,MAAuC;AACrD,UAAM,EAAEwB,IAAG,IAAKxB;AAEhB,WAAO,MAAM,KAAKT,OAAOyB,QAAQ2B,mBAAmB;MAAEC,YAAYpB;IAAI,CAAA;EACxE;EAEA,MAAMqB,WAAsC;AAC1C,UAAMC,OAAO,MAAM,KAAKvD,OAAOyB,QAAQ+B,kBAAiB;AAExD,WAAOC,4BAA4BF,MAAM,KAAA,EAAOG;EAClD;EAEA,MAAMC,KAAKlD,MAAiC;AAC1C,UAAM,EAAEmD,QAAQC,KAAI,IAAKpD;AACzB,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAM8B,gBAAgB,MAAM,KAAK/D,OAAOyB,QAAQuC,4BAA4B;MAC1Ef,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOE,cAAcG;EACvB;EAEA,MAAMC,OAAO1D,MAAoC;AAC/C,UAAM,EAAEmD,QAAQC,MAAMK,UAAS,IAAKzD;AACpC,UAAMe,MAAM,MAAM,KAAKxB,OAAOyB,QAAQqC,gBAAgB;MAAET,YAAYO,OAAO3B;IAAI,CAAA;AAC/E,UAAMmC,eAAe,MAAM,KAAKpE,OAAOyB,QAAQ4C,6BAA6B;MAC1EpB,SAASzB,IAAIyB;MACbgB,OAAOrE,SAASiE,MAAM,QAAA;MACtBK;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAa9D,MAAyC;AAC1D,UAAM,IAAIyB,MAAM,+CAAA;EAClB;EAEQO,sCAAsC,wBAAC7B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK4D,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI9C,MAAM,uBAAuBtB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACkE,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOhE,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOiE;MAChB;AACE,cAAM,IAAIhD,MAAM,aAAa+C,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdpE,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO8D,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIzC,MAAM,YAAYxB,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCqB,mBAAmB,wBAACZ,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AAAS,eAAOgE,uBAAuBC;MAC5C,KAAK;AAAS,eAAOD,uBAAuBE;MAC5C,KAAK;AAAS,eAAOF,uBAAuBG;MAC5C,KAAK;AAAS,eAAOH,uBAAuBI;MAC5C,KAAK;AAAU,eAAOJ,uBAAuBK;MAC7C,KAAK;AAAS,eAAOL,uBAAuBM;MAC5C,KAAK;AAAS,eAAON,uBAAuBO;MAC5C,KAAK;AAAS,eAAOP,uBAAuBQ;MAC5C,KAAK;AAAS,eAAOR,uBAAuBS;MAC5C,KAAK;AAAS,eAAOT,uBAAuBU;MAC5C,KAAK;AAAS,eAAOV,uBAAuBW;MAC5C,KAAK;AAAS,eAAOX,uBAAuBY;MAC5C,KAAK;AAAS,eAAOZ,uBAAuBa;MAC5C,KAAK;AAAS,eAAOb,uBAAuBc;MAC5C,KAAK;AAAS,eAAOd,uBAAuBe;MAC5C;AACE,cAAM,IAAIhE,MAAM,uBAAuBf,GAAAA,+BAAkC;IAC7E;EACF,GApB2B;EAsBnBgF,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO9E,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAc+E;MACvB,KAAK;AACH,eAAO/E,cAAcgF;MACvB,KAAK;AACH,eAAOhF,cAAciF;MACvB,KAAK;AACH,eAAOjF,cAAckF;MACvB,KAAK;AACH,eAAOlF,cAAcmF;MACvB,KAAK;AACH,eAAOnF,cAAcoF;MACvB,KAAK;AACH,eAAOpF,cAAcqF;MACvB;AACE,cAAM,IAAIzE,MAAM,iBAAiBkE,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB/E,mBAAmB,wBAACuF,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACT,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBU,kBAAkB,wBAACrG,SAAAA;AACzB,UAAMsG,OAAOtG,KAAKE,MAAMoG;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBvG,KAAKwG,cAAcC,SAAS,KAAA,IACtEzG,KAAKwG,gBACLE,SAAS1G,KAAKwG,eAAe,SAAA;AAEjC,UAAM/D,eAAekE,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASrE,cAAc,QAAA;AAC5C,UAAMR,eAAe8E,SAASF,YAAAA;AAE9B,UAAM3G,OAAO,CAAC;AACd,QAAIoG,MAAM;AACRpG,WAAKoG,OAAO;QACVU,IAAIV,KAAKU,MAAMhH,KAAKwB,OAAOS;MAC7B;AACA,UAAIgF,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBlH,aAAKoG,KAAKY,sBAAsBD;AAChC,cAAMI,MAAMC,kBAAkBL,SAAAA;AAC9B,YAAI,CAACX,KAAKiB,qBAAqB;AAG7B9E,uBAAa4E,MAAMA;QACrB;AACAnH,aAAKoG,KAAKe,MAAMA;MAClB;AACA,UAAIf,KAAKiB,qBAAqB;AAE5B9E,qBAAa+E,MAAMlB,KAAKiB;AACxBrH,aAAKoG,KAAKkB,MAAMlB,KAAKiB;MACvB;IACF;AAEA,UAAM/F,MAAMxB,KAAKwB,OAAOtB,MAAMoG,MAAMU,MAAM/E;AAC1C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;QACAX,WAAW/G,KAAKoG,KAAKe;MACvB;IACF;EACF,GAxD0B;EA0DlBS,wBAAwB,wBAAC9H,SAAAA;AAC/B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM+H,eAAe7I,WAAWsH,cAAcwB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMhH,UAAU8G,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9F,eAAed,QAAQkH,UAAU,MAAM,KAAA;AAC7C,UAAM5F,eAAe6F,MAAMrG,cAAc,WAAA;AACzC,UAAM2E,gBAAgB0B,MAAM9B,eAAe,aAAa;MAAE+B,cAAc;IAAK,CAAA;AAC7E,UAAM/G,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACxI,SAAAA;AAC5B,UAAM,EAAEwG,cAAa,IAAKxG;AAC1B,UAAM4G,gBAAgB0B,MAAM9B,eAAe,UAAU;MAAE+B,cAAc;IAAK,CAAA;AAC1E,UAAMtG,eAAewG,8BAA8BjC,aAAAA;AACnD,UAAM/D,eAAe6F,MAAMrG,cAAc,QAAA;AACzC,UAAMT,MAAMxB,KAAKwB,OAAOiB,aAAajB,OAAOS;AAE5C,WAAO;MACLT;MACAiB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG6F;YACHpF;YACAiG,KAAKC,wBAAwBd,cAAca,KAAK,KAAA;YAChDpH,KAAKsH,oBAAoBf,cAAcvG,KAAK,KAAA;YAC5CuH,KAAKC,mBAAmBjB,cAAcgB,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBvF,eAAe,wBAACrC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKoG,gBAAgBrG,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK8H,sBAAsB9H,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKwI,mBAAmBxI,IAAAA;MACjC;MACA;AACE,cAAM,IAAIyB,MAAM,YAAYzB,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAgBzB;","names":["AbstractKeyManagementSystem","calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","JoseSignatureAlgorithm","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","key","methods","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","alias","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientDeleteKey","aliasOrKid","listKeys","keys","kmsClientListKeys","ListKeysResponseToJSONTyped","keyInfos","sign","keyRef","data","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","map","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","x5c","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,OAAOC,qCAAoD;AAC5F,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAhC7C,OAgC6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;IAChF;AAEA,UAAME,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKtC;MACVU;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,eAAeC,uBAAuB;UACpCX;UACAY,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUtC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMoD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMqC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKhD,aAChB,MAAM,KAAKF,OAAO4B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACbzB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQwB,kBAAkBJ,UAAUrB,GAAG;AAE7D,WAAO;MACLU,KAAKW,UAAUX;MACfE,KAAK,KAAKtC;MACVU;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,eAAeC,uBAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAI/B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM2D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO4B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQ8B,mBAAmB;MAAED,YAAYpB;IAAI,CAAA;EACrE;EAEA,MAAMsB,WAAsC;AAC1C,UAAMC,OAAO,KAAK1D,aACd,MAAM,KAAKF,OAAO4B,QAAQiC,0BAA0B;MAAE3D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO4B,QAAQkC,kBAAiB;AAE/C,UAAMC,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKtC;QACVU,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,eAAeC,uBAAuB;YACpCX;YACAY,iBAAiBwB,QAAQtD,qBAAqB,KAAK+B,oCAAoCuB,QAAQtD,kBAAkB,IAAI;UACvH,CAAA;UACAa,OAAOyC,QAAQzC;UACfxB,YAAYiE,QAAQjE;UACpBuE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,KAAI,IAAKrE;AACzB,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAM6C,gBAAgB,MAAM,KAAKlF,OAAO4B,QAAQuD,4BAA4B;MAC1E9B,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO5E,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMM,UAAS,IAAK3E;AACpC,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAMkD,eAAe,MAAM,KAAKvF,OAAO4B,QAAQ4D,6BAA6B;MAC1EnC,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAahF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQM,sCAAsC,wBAAC/B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK8E,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI7D,MAAM,uBAAuBzB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAOgF,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIxD,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOkF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAI/E,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBkG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOhG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAciG;MACvB,KAAK;AACH,eAAOjG,cAAckG;MACvB,KAAK;AACH,eAAOlG,cAAcmG;MACvB,KAAK;AACH,eAAOnG,cAAcoG;MACvB,KAAK;AACH,eAAOpG,cAAcqG;MACvB,KAAK;AACH,eAAOrG,cAAcsG;MACvB,KAAK;AACH,eAAOtG,cAAcuG;MACvB;AACE,cAAM,IAAIxF,MAAM,iBAAiBiF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBjG,mBAAmB,wBAACyG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACtH,SAAAA;AACzB,UAAMuH,OAAOvH,KAAKE,MAAMqH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBxH,KAAKyH,cAAcC,SAAS,KAAA,IAAS1H,KAAKyH,gBAAgBE,SAAS3H,KAAKyH,eAAe,SAAA;AACrI,UAAM7E,eAAegF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASnF,cAAc,QAAA;AAC5C,UAAMT,eAAe6F,SAASF,YAAAA;AAE9B,UAAM5H,OAAO,CAAC;AACd,QAAIqH,MAAM;AACRrH,WAAKqH,OAAO;QACVU,IAAIV,KAAKU,MAAMjI,KAAK2B,OAAOQ;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBnI,aAAKqH,KAAKY,sBAAsBD;AAChC,cAAMnE,MAAMuE,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKqH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBrI,aAAKqH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM5G,MAAM3B,KAAK2B,OAAOzB,MAAMqH,MAAMU,MAAM9F;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,KAAKqI,oBAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWhI,KAAKqH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC7I,SAAAA;AAC/B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM8I,eAAe7J,WAAWwI,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAM5H,UAAU0H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAeb,QAAQ8H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,eAAeyG,MAAMlH,cAAc,WAAA;AACzC,UAAM0F,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM3H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,KAAKqI,oBAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACvJ,SAAAA;AAC5B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM6H,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,eAAeqH,8BAA8B/B,aAAAA;AACnD,UAAM7E,eAAeyG,MAAMlH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,KAAKqI,oBAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKqH,gBAAgBtH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK6I,sBAAsB7I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKuJ,mBAAmBvJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sphereon/ssi-sdk.kms-rest",
|
|
3
3
|
"description": "Sphereon SSI-SDK plugin for REST Key Management System.",
|
|
4
|
-
"version": "0.34.1-next.
|
|
4
|
+
"version": "0.34.1-next.322+78f8dd31",
|
|
5
5
|
"source": "./src/index.ts",
|
|
6
6
|
"type": "module",
|
|
7
7
|
"main": "./dist/index.cjs",
|
|
@@ -22,10 +22,10 @@
|
|
|
22
22
|
"build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
|
|
23
23
|
},
|
|
24
24
|
"dependencies": {
|
|
25
|
-
"@sphereon/ssi-sdk-ext.key-utils": "0.34.1-next.
|
|
26
|
-
"@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-next.
|
|
27
|
-
"@sphereon/ssi-sdk.kms-rest-client": "0.34.1-next.
|
|
28
|
-
"@sphereon/ssi-types": "0.34.1-next.
|
|
25
|
+
"@sphereon/ssi-sdk-ext.key-utils": "0.34.1-next.322+78f8dd31",
|
|
26
|
+
"@sphereon/ssi-sdk-ext.x509-utils": "0.34.1-next.322+78f8dd31",
|
|
27
|
+
"@sphereon/ssi-sdk.kms-rest-client": "0.34.1-next.322+78f8dd31",
|
|
28
|
+
"@sphereon/ssi-types": "0.34.1-next.322+78f8dd31",
|
|
29
29
|
"@veramo/core": "4.2.0",
|
|
30
30
|
"@veramo/key-manager": "4.2.0",
|
|
31
31
|
"elliptic": "^6.5.4",
|
|
@@ -54,5 +54,5 @@
|
|
|
54
54
|
"key-management",
|
|
55
55
|
"Veramo"
|
|
56
56
|
],
|
|
57
|
-
"gitHead": "
|
|
57
|
+
"gitHead": "78f8dd3157066ae8cf11d2ae50c8c3d8f43b8ed0"
|
|
58
58
|
}
|
|
@@ -1,11 +1,6 @@
|
|
|
1
|
-
import
|
|
2
|
-
import {
|
|
3
|
-
import {
|
|
4
|
-
calculateJwkThumbprint,
|
|
5
|
-
toJwk,
|
|
6
|
-
x25519PublicHexFromPrivateHex,
|
|
7
|
-
type X509Opts
|
|
8
|
-
} from '@sphereon/ssi-sdk-ext.key-utils'
|
|
1
|
+
import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
|
|
2
|
+
import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'
|
|
3
|
+
import type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'
|
|
9
4
|
import {
|
|
10
5
|
CurveFromJSONTyped,
|
|
11
6
|
JwkKeyTypeFromJSONTyped,
|
|
@@ -16,51 +11,40 @@ import {
|
|
|
16
11
|
ListKeysResponseToJSONTyped,
|
|
17
12
|
type RestClientAuthenticationOpts,
|
|
18
13
|
SignatureAlgorithm,
|
|
19
|
-
type StoreKey
|
|
14
|
+
type StoreKey,
|
|
20
15
|
} from '@sphereon/ssi-sdk.kms-rest-client'
|
|
21
|
-
import {
|
|
22
|
-
hexToPEM,
|
|
23
|
-
jwkToPEM,
|
|
24
|
-
pemCertChainTox5c,
|
|
25
|
-
PEMToHex,
|
|
26
|
-
PEMToJwk
|
|
27
|
-
} from '@sphereon/ssi-sdk-ext.x509-utils'
|
|
28
16
|
import { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'
|
|
17
|
+
import type { ManagedKeyInfo, TKeyType } from '@veramo/core'
|
|
18
|
+
import { AbstractKeyManagementSystem } from '@veramo/key-manager'
|
|
29
19
|
import elliptic from 'elliptic'
|
|
30
20
|
// @ts-ignore
|
|
31
21
|
import * as u8a from 'uint8arrays'
|
|
32
|
-
import type {
|
|
33
|
-
CreateKeyArgs,
|
|
34
|
-
DeleteKeyArgs,
|
|
35
|
-
ImportKeyArgs,
|
|
36
|
-
MapImportKeyArgs,
|
|
37
|
-
MappedImportKey,
|
|
38
|
-
SharedSecretArgs,
|
|
39
|
-
SignArgs,
|
|
40
|
-
VerifyArgs
|
|
41
|
-
} from './types'
|
|
22
|
+
import type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'
|
|
42
23
|
|
|
43
24
|
const { fromString, toString } = u8a
|
|
44
25
|
|
|
45
|
-
interface
|
|
26
|
+
interface KeyManagementSystemOptions {
|
|
46
27
|
applicationId: string
|
|
47
28
|
baseUrl: string
|
|
29
|
+
providerId?: string
|
|
48
30
|
authOpts?: RestClientAuthenticationOpts
|
|
49
31
|
}
|
|
50
32
|
|
|
51
33
|
export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
52
34
|
private client: KmsRestClient
|
|
53
35
|
private readonly id: string
|
|
36
|
+
private providerId: string | undefined
|
|
54
37
|
|
|
55
|
-
constructor(options:
|
|
38
|
+
constructor(options: KeyManagementSystemOptions) {
|
|
56
39
|
super()
|
|
57
40
|
|
|
58
41
|
const config = {
|
|
59
42
|
baseUrl: options.baseUrl,
|
|
60
|
-
authOpts: options.authOpts
|
|
43
|
+
authOpts: options.authOpts,
|
|
61
44
|
}
|
|
62
45
|
|
|
63
46
|
this.id = options.applicationId
|
|
47
|
+
this.providerId = options.providerId
|
|
64
48
|
this.client = new KmsRestClient(config)
|
|
65
49
|
}
|
|
66
50
|
|
|
@@ -68,13 +52,19 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
68
52
|
const { type, meta } = args
|
|
69
53
|
|
|
70
54
|
const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
|
|
71
|
-
const options
|
|
55
|
+
const options = {
|
|
72
56
|
use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
|
|
73
57
|
alg: signatureAlgorithm,
|
|
74
|
-
keyOperations: meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign]
|
|
58
|
+
keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],
|
|
59
|
+
...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),
|
|
75
60
|
}
|
|
76
61
|
|
|
77
|
-
const key =
|
|
62
|
+
const key = this.providerId
|
|
63
|
+
? await this.client.methods.kmsClientProviderGenerateKey({
|
|
64
|
+
...options,
|
|
65
|
+
providerId: this.providerId,
|
|
66
|
+
})
|
|
67
|
+
: await this.client.methods.kmsClientGenerateKey(options)
|
|
78
68
|
|
|
79
69
|
const jwk = {
|
|
80
70
|
...key.keyPair.jose.publicJwk,
|
|
@@ -107,7 +97,12 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
107
97
|
const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
|
|
108
98
|
const importKey = this.mapImportKey(args)
|
|
109
99
|
|
|
110
|
-
const result =
|
|
100
|
+
const result = this.providerId
|
|
101
|
+
? await this.client.methods.kmsClientProviderStoreKey({
|
|
102
|
+
...importKey.key,
|
|
103
|
+
providerId: this.providerId,
|
|
104
|
+
})
|
|
105
|
+
: await this.client.methods.kmsClientStoreKey(importKey.key)
|
|
111
106
|
|
|
112
107
|
return {
|
|
113
108
|
kid: importKey.kid,
|
|
@@ -128,21 +123,89 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
128
123
|
async deleteKey(args: DeleteKeyArgs): Promise<boolean> {
|
|
129
124
|
const { kid } = args
|
|
130
125
|
|
|
131
|
-
return
|
|
126
|
+
return this.providerId
|
|
127
|
+
? await this.client.methods.kmsClientProviderDeleteKey({
|
|
128
|
+
aliasOrKid: kid,
|
|
129
|
+
providerId: this.providerId,
|
|
130
|
+
})
|
|
131
|
+
: await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
|
|
132
132
|
}
|
|
133
133
|
|
|
134
134
|
async listKeys(): Promise<ManagedKeyInfo[]> {
|
|
135
|
-
const keys =
|
|
135
|
+
const keys = this.providerId
|
|
136
|
+
? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })
|
|
137
|
+
: await this.client.methods.kmsClientListKeys()
|
|
138
|
+
|
|
139
|
+
const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos
|
|
140
|
+
|
|
141
|
+
return restKeys.map((restKey: RestManagedKeyInfo) => {
|
|
142
|
+
const jwk = restKey.key
|
|
143
|
+
let publicKeyHex = ''
|
|
144
|
+
|
|
145
|
+
// Derive publicKeyHex from JWK based on key type
|
|
146
|
+
if (jwk.kty === 'EC') {
|
|
147
|
+
publicKeyHex = jwk.x || ''
|
|
148
|
+
} else if (jwk.kty === 'RSA') {
|
|
149
|
+
publicKeyHex = jwk.n || ''
|
|
150
|
+
} else if (jwk.kty === 'OKP') {
|
|
151
|
+
publicKeyHex = jwk.x || ''
|
|
152
|
+
}
|
|
136
153
|
|
|
137
|
-
|
|
154
|
+
const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)
|
|
155
|
+
|
|
156
|
+
return {
|
|
157
|
+
kid: restKey.kid || restKey.alias,
|
|
158
|
+
kms: this.id,
|
|
159
|
+
type: keyType,
|
|
160
|
+
publicKeyHex,
|
|
161
|
+
meta: {
|
|
162
|
+
algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,
|
|
163
|
+
jwk,
|
|
164
|
+
jwkThumbprint: calculateJwkThumbprint({
|
|
165
|
+
jwk: jwk as JWK,
|
|
166
|
+
digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',
|
|
167
|
+
}),
|
|
168
|
+
alias: restKey.alias,
|
|
169
|
+
providerId: restKey.providerId,
|
|
170
|
+
x5c: restKey.x5c,
|
|
171
|
+
keyVisibility: restKey.keyVisibility,
|
|
172
|
+
keyEncoding: restKey.keyEncoding,
|
|
173
|
+
...restKey.opts,
|
|
174
|
+
},
|
|
175
|
+
} satisfies ManagedKeyInfo
|
|
176
|
+
})
|
|
177
|
+
}
|
|
178
|
+
|
|
179
|
+
private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {
|
|
180
|
+
switch (keyType) {
|
|
181
|
+
case 'RSA':
|
|
182
|
+
return 'RSA'
|
|
183
|
+
case 'EC':
|
|
184
|
+
case 'P256':
|
|
185
|
+
return 'Secp256r1'
|
|
186
|
+
case 'X25519':
|
|
187
|
+
return 'X25519'
|
|
188
|
+
case 'Ed25519':
|
|
189
|
+
return 'Ed25519'
|
|
190
|
+
case 'secp256k1':
|
|
191
|
+
return 'Secp256k1'
|
|
192
|
+
default:
|
|
193
|
+
throw new Error(`Unknown key type: ${keyType}`)
|
|
194
|
+
}
|
|
138
195
|
}
|
|
139
196
|
|
|
140
197
|
async sign(args: SignArgs): Promise<string> {
|
|
141
198
|
const { keyRef, data } = args
|
|
142
|
-
const key =
|
|
199
|
+
const key = this.providerId
|
|
200
|
+
? await this.client.methods.kmsClientProviderGetKey({
|
|
201
|
+
aliasOrKid: keyRef.kid,
|
|
202
|
+
providerId: this.providerId,
|
|
203
|
+
})
|
|
204
|
+
: await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
|
|
205
|
+
|
|
143
206
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
144
207
|
keyInfo: key.keyInfo,
|
|
145
|
-
input: toString(data, 'base64')
|
|
208
|
+
input: toString(data, 'base64'),
|
|
146
209
|
})
|
|
147
210
|
|
|
148
211
|
return signingResult.signature
|
|
@@ -150,11 +213,17 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
150
213
|
|
|
151
214
|
async verify(args: VerifyArgs): Promise<boolean> {
|
|
152
215
|
const { keyRef, data, signature } = args
|
|
153
|
-
const key =
|
|
216
|
+
const key = this.providerId
|
|
217
|
+
? await this.client.methods.kmsClientProviderGetKey({
|
|
218
|
+
aliasOrKid: keyRef.kid,
|
|
219
|
+
providerId: this.providerId,
|
|
220
|
+
})
|
|
221
|
+
: await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
|
|
222
|
+
|
|
154
223
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
|
155
224
|
keyInfo: key.keyInfo,
|
|
156
225
|
input: toString(data, 'base64'),
|
|
157
|
-
signature
|
|
226
|
+
signature,
|
|
158
227
|
})
|
|
159
228
|
|
|
160
229
|
return verification.isValid
|
|
@@ -207,21 +276,36 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
207
276
|
|
|
208
277
|
private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {
|
|
209
278
|
switch (alg) {
|
|
210
|
-
case 'RS256':
|
|
211
|
-
|
|
212
|
-
case '
|
|
213
|
-
|
|
214
|
-
case '
|
|
215
|
-
|
|
216
|
-
case '
|
|
217
|
-
|
|
218
|
-
case '
|
|
219
|
-
|
|
220
|
-
case '
|
|
221
|
-
|
|
222
|
-
case '
|
|
223
|
-
|
|
224
|
-
case '
|
|
279
|
+
case 'RS256':
|
|
280
|
+
return JoseSignatureAlgorithm.RS256
|
|
281
|
+
case 'RS384':
|
|
282
|
+
return JoseSignatureAlgorithm.RS384
|
|
283
|
+
case 'RS512':
|
|
284
|
+
return JoseSignatureAlgorithm.RS512
|
|
285
|
+
case 'ES256':
|
|
286
|
+
return JoseSignatureAlgorithm.ES256
|
|
287
|
+
case 'ES256K':
|
|
288
|
+
return JoseSignatureAlgorithm.ES256K
|
|
289
|
+
case 'ES384':
|
|
290
|
+
return JoseSignatureAlgorithm.ES384
|
|
291
|
+
case 'ES512':
|
|
292
|
+
return JoseSignatureAlgorithm.ES512
|
|
293
|
+
case 'EdDSA':
|
|
294
|
+
return JoseSignatureAlgorithm.EdDSA
|
|
295
|
+
case 'HS256':
|
|
296
|
+
return JoseSignatureAlgorithm.HS256
|
|
297
|
+
case 'HS384':
|
|
298
|
+
return JoseSignatureAlgorithm.HS384
|
|
299
|
+
case 'HS512':
|
|
300
|
+
return JoseSignatureAlgorithm.HS512
|
|
301
|
+
case 'PS256':
|
|
302
|
+
return JoseSignatureAlgorithm.PS256
|
|
303
|
+
case 'PS384':
|
|
304
|
+
return JoseSignatureAlgorithm.PS384
|
|
305
|
+
case 'PS512':
|
|
306
|
+
return JoseSignatureAlgorithm.PS512
|
|
307
|
+
case 'none':
|
|
308
|
+
return JoseSignatureAlgorithm.none
|
|
225
309
|
default:
|
|
226
310
|
throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)
|
|
227
311
|
}
|
|
@@ -256,10 +340,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
256
340
|
|
|
257
341
|
private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {
|
|
258
342
|
const x509 = args.meta?.x509 as X509Opts
|
|
259
|
-
const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---')
|
|
260
|
-
? args.privateKeyHex
|
|
261
|
-
: hexToPEM(args.privateKeyHex, 'private')
|
|
262
|
-
) // In case we have x509 opts, the private key hex really was a PEM already (yuck)
|
|
343
|
+
const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)
|
|
263
344
|
const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')
|
|
264
345
|
const privateKeyJwk = PEMToJwk(privateKeyPEM)
|
|
265
346
|
const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')
|
|
@@ -307,8 +388,8 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
307
388
|
crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
|
|
308
389
|
},
|
|
309
390
|
},
|
|
310
|
-
certChain: meta.x509.x5c
|
|
311
|
-
} satisfies StoreKey
|
|
391
|
+
certChain: meta.x509.x5c,
|
|
392
|
+
} satisfies StoreKey,
|
|
312
393
|
}
|
|
313
394
|
}
|
|
314
395
|
|
|
@@ -333,9 +414,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
333
414
|
kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
|
|
334
415
|
use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
|
|
335
416
|
crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
|
|
336
|
-
}
|
|
337
|
-
}
|
|
338
|
-
} satisfies StoreKey
|
|
417
|
+
},
|
|
418
|
+
},
|
|
419
|
+
} satisfies StoreKey,
|
|
339
420
|
}
|
|
340
421
|
}
|
|
341
422
|
|
|
@@ -357,9 +438,9 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
357
438
|
kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),
|
|
358
439
|
use: JwkUseFromJSONTyped(privateKeyJwk.use, false),
|
|
359
440
|
crv: CurveFromJSONTyped(privateKeyJwk.crv, false),
|
|
360
|
-
}
|
|
361
|
-
}
|
|
362
|
-
} satisfies StoreKey
|
|
441
|
+
},
|
|
442
|
+
},
|
|
443
|
+
} satisfies StoreKey,
|
|
363
444
|
}
|
|
364
445
|
}
|
|
365
446
|
|
|
@@ -378,5 +459,4 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
378
459
|
throw new Error(`Key type ${args.type} is not supported by REST KMS`)
|
|
379
460
|
}
|
|
380
461
|
}
|
|
381
|
-
|
|
382
462
|
}
|
package/src/types/index.ts
CHANGED
|
@@ -21,7 +21,7 @@ export type SignArgs = {
|
|
|
21
21
|
export type VerifyArgs = {
|
|
22
22
|
keyRef: Pick<IKey, 'kid'>
|
|
23
23
|
data: Uint8Array
|
|
24
|
-
signature: string
|
|
24
|
+
signature: string
|
|
25
25
|
[x: string]: any
|
|
26
26
|
}
|
|
27
27
|
|
|
@@ -44,7 +44,7 @@ export type MapImportKeyArgs = {
|
|
|
44
44
|
}
|
|
45
45
|
|
|
46
46
|
export type MappedImportKey = {
|
|
47
|
-
key: StoreKey
|
|
48
|
-
kid: string
|
|
47
|
+
key: StoreKey
|
|
48
|
+
kid: string
|
|
49
49
|
publicKeyJwk: JWK
|
|
50
50
|
}
|