@sphereon/ssi-sdk.kms-rest 0.36.1-feat.SSISDK.83.6 → 0.36.1-feature.SSISDK.82.and.SSISDK.70.37
- package/dist/index.cjs +110 -47
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +6 -1
- package/dist/index.d.ts +6 -1
- package/dist/index.js +111 -48
- package/dist/index.js.map +1 -1
- package/package.json +6 -6
- package/src/RestKeyManagementSystem.ts +103 -68
- package/src/types/index.ts +2 -0
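--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -51,6 +51,8 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 client;
 id;
 providerId;
+tenantId;
+userId;
 constructor(options) {
 super();
 const config = {
@@ -59,6 +61,8 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 };
 this.id = options.applicationId;
 this.providerId = options.providerId;
+this.tenantId = options.tenantId;
+this.userId = options.userId;
 this.client = new import_ssi_sdk.KmsRestClient(config);
 }
 async createKey(args) {
@@ -72,7 +76,13 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 ],
 ...meta && "keyAlias" in meta && meta.keyAlias ? {
 alias: meta.keyAlias
-} : {}
+} : {},
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 };
 const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
 ...options,
@@ -97,7 +107,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 ],
 jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
 jwk,
-digestAlgorithm:
+digestAlgorithm: jwk.alg ? (0, import_ssi_sdk_ext.joseAlgorithmToDigest)(jwk.alg) : "sha256"
 })
 },
 publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), "utf8").toString("base64")
@@ -105,12 +115,25 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 }
 async importKey(args) {
 const { type } = args;
-const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
 const importKey = this.mapImportKey(args);
 const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
 ...importKey.key,
-providerId: this.providerId
-
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
+}) : await this.client.methods.kmsClientStoreKey({
+...importKey.key,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
+});
 return {
 kid: importKey.kid,
 kms: this.id,
@@ -122,7 +145,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 ],
 jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
 jwk: importKey.publicKeyJwk,
-digestAlgorithm:
+digestAlgorithm: importKey.publicKeyJwk.alg ? (0, import_ssi_sdk_ext.joseAlgorithmToDigest)(importKey.publicKeyJwk.alg) : "sha256"
 })
 },
 publicKeyHex: Buffer.from(result.keyInfo.key.toString(), "utf8").toString("base64")
@@ -132,26 +155,44 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 const { kid } = args;
 return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
 aliasOrKid: kid,
-providerId: this.providerId
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 }) : await this.client.methods.kmsClientDeleteKey({
-aliasOrKid: kid
+aliasOrKid: kid,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
 }
 async listKeys() {
 const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
-providerId: this.providerId
-
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
+}) : await this.client.methods.kmsClientListKeys({
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
+});
 const restKeys = (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
-return restKeys.map((restKey) => {
+return Promise.all(restKeys.map(async (restKey) => {
 const jwk = restKey.key;
-
-if (jwk.kty === "EC") {
-publicKeyHex = jwk.x || "";
-} else if (jwk.kty === "RSA") {
-publicKeyHex = jwk.n || "";
-} else if (jwk.kty === "OKP") {
-publicKeyHex = jwk.x || "";
-}
+const publicKeyHex = await (0, import_ssi_sdk_ext.jwkToRawHexKey)(jwk);
 const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
 return {
 kid: restKey.kid || restKey.alias,
@@ -165,7 +206,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 jwk,
 jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
 jwk,
-digestAlgorithm: restKey.
+digestAlgorithm: restKey.key.alg ? (0, import_ssi_sdk_ext.joseAlgorithmToDigest)(restKey.key.alg) : "sha256"
 }),
 alias: restKey.alias,
 providerId: restKey.providerId,
@@ -175,7 +216,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 ...restKey.opts
 }
 };
-});
+}));
 }
 mapRestKeyTypeToTKeyType(keyType) {
 switch (keyType) {
@@ -195,53 +236,75 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
 }
 }
 async sign(args) {
-const { keyRef, data } = args;
+const { keyRef, data, algorithm = "SHA-256" } = args;
 const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
 aliasOrKid: keyRef.kid,
-providerId: this.providerId
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 }) : await this.client.methods.kmsClientGetKey({
-aliasOrKid: keyRef.kid
+aliasOrKid: keyRef.kid,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
+const dataToBeSigned = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
 const signingResult = await this.client.methods.kmsClientCreateRawSignature({
 keyInfo: key.keyInfo,
-input: toString(
+input: toString(dataToBeSigned, "base64"),
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
-return signingResult.signature;
+return (0, import_ssi_sdk_ext.base64ToBase64Url)(signingResult.signature);
 }
 async verify(args) {
-const { keyRef, data, signature } = args;
+const { keyRef, data, signature, algorithm = "SHA-256" } = args;
 const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
 aliasOrKid: keyRef.kid,
-providerId: this.providerId
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 }) : await this.client.methods.kmsClientGetKey({
-aliasOrKid: keyRef.kid
+aliasOrKid: keyRef.kid,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
+const dataToBeVerified = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
 const verification = await this.client.methods.kmsClientIsValidRawSignature({
 keyInfo: key.keyInfo,
-input: toString(
-signature
+input: toString(dataToBeVerified, "base64"),
+signature,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
 return verification.isValid;
 }
 async sharedSecret(args) {
 throw new Error("sharedSecret is not implemented for REST KMS.");
 }
-signatureAlgorithmToDigestAlgorithm = /* @__PURE__ */ __name((signatureAlgorithm) => {
-switch (signatureAlgorithm) {
-case import_ssi_sdk.SignatureAlgorithm.EcdsaSha256:
-case import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha256Mgf1:
-case import_ssi_sdk.SignatureAlgorithm.EckaDhSha256:
-case import_ssi_sdk.SignatureAlgorithm.HmacSha256:
-case import_ssi_sdk.SignatureAlgorithm.Es256K:
-return "sha256";
-case import_ssi_sdk.SignatureAlgorithm.EcdsaSha512:
-case import_ssi_sdk.SignatureAlgorithm.HmacSha512:
-case import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha512Mgf1:
-return "sha512";
-default:
-throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`);
-}
-}, "signatureAlgorithmToDigestAlgorithm");
 mapKeyUsage = /* @__PURE__ */ __name((usage) => {
 switch (usage) {
 case "sig":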
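Review bot: In `sign` and `verify`, the new `isHashString(data) ? data : shaHasher(..., algorithm)` line decides from the bytes alone whether the input is already a digest, so any payload that happens to satisfy `isHashString` (its definition is not visible here) goes to the KMS unhashed, and the resulting signature is equally valid for whatever message hashes to those bytes. Whether the input is pre-hashed should be stated by the caller rather than inferred, e.g. `const dataToBeSigned = args.prehashed ? data : shaHasher(bytes, algorithm)`, where `prehashed` is a hypothetical new option, with the same switch in `verify`. The digest also defaults to `"SHA-256"` whatever key was fetched, while the thumbprint code in this same section derives it with `joseAlgorithmToDigest(jwk.alg)`; if the KMS expects a digest sized for the key's algorithm, `sign` should derive it the same way, which cannot be confirmed from this bundle. This file looks like build output, so the change presumably belongs in `package/src/RestKeyManagementSystem.ts`.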
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const 
signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 
'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? 
this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? 
await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 
'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? 
args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? 
publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? 
publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAA4F;AAC5F,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAhC7C,OAgC6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;IAChF;AAEA,UAAME,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKtC;MACVU;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC
,UAAUd,OAAO;;QAC/CqB,mBAAeC,2CAAuB;UACpCX;UACAY,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUtC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMoD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMqC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKhD,aAChB,MAAM,KAAKF,OAAO4B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACbzB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQwB,kBAAkBJ,UAAUrB,GAAG;AAE7D,WAAO;MACLU,KAAKW,UAAUX;MACfE,KAAK,KAAKtC;MACVU;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,mBAAeC,2CAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAI/B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM2D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO4B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQ8B,mBAAmB;MAAED,YAAYpB;IAAI,CAAA;EACrE;EAEA,MAAMsB,WAAsC;AAC1C,UAAMC,OAAO,KAAK1D,aACd,MAAM,KAAKF,OAAO4B,QAAQiC,0BAA0B;MAAE3D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO4B,QAAQkC,kBAAiB;AAE/C,UAAMC,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKtC;QACVU,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,mBAAeC,2CAAuB;YACpCX;YACAY,iBAAiBwB,QAAQtD,qBAAqB,KAAK+B,oCAAoCuB,QAAQtD,kBAAkB,IAAI;UACvH,CAAA;UACAa,OAAOyC,QAAQzC;UACfxB,YAAYiE,QAAQjE;UACpBuE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,e
AAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,KAAI,IAAKrE;AACzB,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAM6C,gBAAgB,MAAM,KAAKlF,OAAO4B,QAAQuD,4BAA4B;MAC1E9B,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO5E,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMM,UAAS,IAAK3E;AACpC,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAMkD,eAAe,MAAM,KAAKvF,OAAO4B,QAAQ4D,6BAA6B;MAC1EnC,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAahF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQM,sCAAsC,wBAAC/B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK8E,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI7D,MAAM,uBAAuBzB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAOgF,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIxD,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOkF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCA
AuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAI/E,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBkG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOhG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAciG;MACvB,KAAK;AACH,eAAOjG,6BAAckG;MACvB,KAAK;AACH,eAAOlG,6BAAcmG;MACvB,KAAK;AACH,eAAOnG,6BAAcoG;MACvB,KAAK;AACH,eAAOpG,6BAAcqG;MACvB,KAAK;AACH,eAAOrG,6BAAcsG;MACvB,KAAK;AACH,eAAOtG,6BAAcuG;MACvB;AACE,cAAM,IAAIxF,MAAM,iBAAiBiF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBjG,mBAAmB,wBAACyG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACtH,SAAAA;AACzB,UAAMuH,OAAOvH,KAAKE,MAAMqH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBxH,KAAKyH,cAAcC,SAAS,KAAA,IAAS1H,KAAKyH,oBAAgBE,8BAAS3H,KAAKyH,eAAe,SAAA;AACrI,UAAM7E,mBAAegF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASnF,cAAc,QAAA;AAC5C,UAAMT,mBAAe6F,8BAASF,YAAAA;AAE9B,UAAM5H,OAAO,CAAC;AACd,QAAIqH,MAAM;AACRrH,WAAKqH,OAAO;QACVU,IAAIV,KAAKU,MAAMjI,KAAK2B,OAAOQ;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBnI,aAAKqH,KAAKY,sBAAsBD;AAChC,cAAMnE,UAAMuE,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKqH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBrI,aAAKqH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM5G,MAAM3B,KAAK2B,OAAOzB,MAAMqH,MAAMU,MAAM9F;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWhI,KAAKqH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC7I,SAAAA;AAC/B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM8I,eAAe7J,WAAWwI,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAM5H,UAAU0H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAA
eb,QAAQ8H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,mBAAeyG,0BAAMlH,cAAc,WAAA;AACzC,UAAM0F,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM3H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACvJ,SAAAA;AAC5B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM6H,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,mBAAeqH,kDAA8B/B,aAAAA;AACnD,UAAM7E,mBAAeyG,0BAAMlH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKqH,gBAAgBtH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK6I,sBAAsB7I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKuJ,mBAAmBvJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","d
eleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = 
options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? 
await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? 
await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return Promise.all(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? 
await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? 
data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 
'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. 
We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? 
publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAUO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,K
AAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,mBAAeC,2CAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,UAAMwB,0CAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,mBAAeC,2CAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,UAAMwB,0CAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOC,QAAQC,IACbJ,SAASK,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAM
kB,eAAe,UAAMyB,mCAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY6B,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAU,mBAAeC,2CAAuB;YACpCX;YACAY,iBAAiB0B,QAAQ1C,IAAIP,UAAMwB,0CAAsByB,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf1B,YAAYqE,QAAQrE;UACpByE,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;EAEJ;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,qBAA6BC,iCAAaL,IAAAA,IAC5CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,eAAO2F,sCAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOrF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMe,WAAWd,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM8F,uBAA+BZ,iCAAaL,IAAAA,IAC9CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KA
AKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMiB,eAAe,MAAM,KAAKnG,OAAO8B,QAAQsE,6BAA6B;MAC1E7C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASsG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK7F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO+F,aAAaE;EACtB;EAEA,MAAMC,aAAa1F,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACqF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOnF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOoF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdvF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO4F,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIpE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOuF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAIpF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBuG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOrG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcsG;MACvB,KAAK;AACH,eAAOtG,6BAAcuG;MACvB,KAAK;AACH,eAAOvG,6BAAcwG;MACvB,KAAK;AACH,eAAOxG,6BAAcyG;MACvB,KAAK;AACH,eAAOzG,6BAAc0G;MACvB,KAAK;AACH,eAAO1G,6BAAc2G;MACvB,KAAK;AACH,eAAO3G,6BAAc4G;MACvB;AACE,cAAM,IAAI7F,MAAM,iBAAiBsF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBtG,mBAAmB,wBAAC8G,eAAAA;AAC1B,WAAOA,WAAWhE,IAAI,CAACwD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3H,SAAAA;AACzB,UAAM4H,OAAO5H,KAAKE,MAAM0H;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7H,KAAK8H,cAAcC,SAAS,KAAA,IAAS/H,KAAK8H,oBAAgBE,8BAAShI,KAAK8H,eAAe,SAAA;AACrI,UAAMlF,mBAAeqF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASxF,cAAc,QAAA;AA
C5C,UAAMT,mBAAekG,8BAASF,YAAAA;AAE9B,UAAMjI,OAAO,CAAC;AACd,QAAI0H,MAAM;AACR1H,WAAK0H,OAAO;QACVU,IAAIV,KAAKU,MAAMtI,KAAK2B,OAAOQ;MAC7B;AACA,UAAIoG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxI,aAAK0H,KAAKY,sBAAsBD;AAChC,cAAMxE,UAAM4E,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BhG,uBAAamB,MAAMA;QACrB;AACA7D,aAAK0H,KAAK7D,MAAMA;MAClB;AACA,UAAI6D,KAAKgB,qBAAqB;AAE5BhG,qBAAaiG,MAAMjB,KAAKgB;AACxB1I,aAAK0H,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMjH,MAAM3B,KAAK2B,OAAOzB,MAAM0H,MAAMU,MAAMnG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDzI,SAAK2I,oCAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;QACAV,WAAWrI,KAAK0H,KAAK7D;MACvB;IACF;EACF,GArD0B;EAuDlBoF,wBAAwB,wBAACnJ,SAAAA;AAC/B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMoJ,eAAerK,WAAW+I,cAAcuB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMlI,UAAUgI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMjH,eAAeb,QAAQoI,UAAU,MAAM,KAAA;AAC7C,UAAM9G,mBAAe+G,0BAAMxH,cAAc,WAAA;AACzC,UAAM+F,oBAAgByB,0BAAM7B,eAAe,aAAa;MAAE8B,cAAc;IAAK,CAAA;AAC7E,UAAMjI,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDzI,SAAK2I,oCAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC7J,SAAAA;AAC5B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMkI,oBAAgByB,0BAAM7B,eAAe,UAAU;MAAE8B,cAAc;IAAK,CAAA;AAC1E,UAAMzH,mBAAe2H,kDAA8BhC,aAAAA;AACnD,UAAMlF,mBAAe+G,0BAAMxH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDzI,SAAK2I,oCAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB1G,eAAe,wBAACvC,SAAAA;AACtB
,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0H,gBAAgB3H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKmJ,sBAAsBnJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK6J,mBAAmB7J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","Promise","all","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none
","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
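--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -14,12 +14,14 @@ type CreateKeyArgs = {
 type SignArgs = {
 keyRef: Pick<IKey, 'kid'>;
 data: Uint8Array;
+algorithm?: string;
 [x: string]: any;
 };
 type VerifyArgs = {
 keyRef: Pick<IKey, 'kid'>;
 data: Uint8Array;
 signature: string;
+algorithm?: string;
 [x: string]: any;
 };
 type SharedSecretArgs = {
@@ -48,12 +50,16 @@ interface KeyManagementSystemOptions {
 applicationId: string;
 baseUrl: string;
 providerId?: string;
+tenantId?: string;
+userId?: string;
 authOpts?: RestClientAuthenticationOpts;
 }
 declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
 private client;
 private readonly id;
 private providerId;
+private tenantId;
+private userId;
 constructor(options: KeyManagementSystemOptions);
 createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
 importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
@@ -63,7 +69,6 @@ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
 sign(args: SignArgs): Promise<string>;
 verify(args: VerifyArgs): Promise<boolean>;
 sharedSecret(args: SharedSecretArgs): Promise<string>;
-private signatureAlgorithmToDigestAlgorithm;
 private mapKeyUsage;
 private mapKeyTypeToSignatureAlgorithm;
 private mapJoseAlgorithm;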
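--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -14,12 +14,14 @@ type CreateKeyArgs = {
 type SignArgs = {
 keyRef: Pick<IKey, 'kid'>;
 data: Uint8Array;
+algorithm?: string;
 [x: string]: any;
 };
 type VerifyArgs = {
 keyRef: Pick<IKey, 'kid'>;
 data: Uint8Array;
 signature: string;
+algorithm?: string;
 [x: string]: any;
 };
 type SharedSecretArgs = {
@@ -48,12 +50,16 @@ interface KeyManagementSystemOptions {
 applicationId: string;
 baseUrl: string;
 providerId?: string;
+tenantId?: string;
+userId?: string;
 authOpts?: RestClientAuthenticationOpts;
 }
 declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
 private client;
 private readonly id;
 private providerId;
+private tenantId;
+private userId;
 constructor(options: KeyManagementSystemOptions);
 createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
 importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
@@ -63,7 +69,6 @@ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
 sign(args: SignArgs): Promise<string>;
 verify(args: VerifyArgs): Promise<boolean>;
 sharedSecret(args: SharedSecretArgs): Promise<string>;
-private signatureAlgorithmToDigestAlgorithm;
 private mapKeyUsage;
 private mapKeyTypeToSignatureAlgorithm;
 private mapJoseAlgorithm;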
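--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -2,7 +2,7 @@ var __defProp = Object.defineProperty;
 var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 
 // src/RestKeyManagementSystem.ts
-import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
+import { base64ToBase64Url, calculateJwkThumbprint, isHashString, joseAlgorithmToDigest, jwkToRawHexKey, shaHasher, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
 import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
 import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
 import { JoseSignatureAlgorithm } from "@sphereon/ssi-types";
@@ -17,6 +17,8 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 client;
 id;
 providerId;
+tenantId;
+userId;
 constructor(options) {
 super();
 const config = {
@@ -25,6 +27,8 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 };
 this.id = options.applicationId;
 this.providerId = options.providerId;
+this.tenantId = options.tenantId;
+this.userId = options.userId;
 this.client = new KmsRestClient(config);
 }
 async createKey(args) {
@@ -38,7 +42,13 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 ],
 ...meta && "keyAlias" in meta && meta.keyAlias ? {
 alias: meta.keyAlias
-} : {}
+} : {},
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 };
 const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
 ...options,
@@ -63,7 +73,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 ],
 jwkThumbprint: calculateJwkThumbprint({
 jwk,
-digestAlgorithm:
+digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : "sha256"
 })
 },
 publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), "utf8").toString("base64")
@@ -71,12 +81,25 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 }
 async importKey(args) {
 const { type } = args;
-const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
 const importKey = this.mapImportKey(args);
 const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
 ...importKey.key,
-providerId: this.providerId
-
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
+}) : await this.client.methods.kmsClientStoreKey({
+...importKey.key,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
+});
 return {
 kid: importKey.kid,
 kms: this.id,
@@ -88,7 +111,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 ],
 jwkThumbprint: calculateJwkThumbprint({
 jwk: importKey.publicKeyJwk,
-digestAlgorithm:
+digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : "sha256"
 })
 },
 publicKeyHex: Buffer.from(result.keyInfo.key.toString(), "utf8").toString("base64")
@@ -98,26 +121,44 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 const { kid } = args;
 return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
 aliasOrKid: kid,
-providerId: this.providerId
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 }) : await this.client.methods.kmsClientDeleteKey({
-aliasOrKid: kid
+aliasOrKid: kid,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
 }
 async listKeys() {
 const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
-providerId: this.providerId
-
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
+}) : await this.client.methods.kmsClientListKeys({
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
+});
 const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos;
-return restKeys.map((restKey) => {
+return Promise.all(restKeys.map(async (restKey) => {
 const jwk = restKey.key;
-
-if (jwk.kty === "EC") {
-publicKeyHex = jwk.x || "";
-} else if (jwk.kty === "RSA") {
-publicKeyHex = jwk.n || "";
-} else if (jwk.kty === "OKP") {
-publicKeyHex = jwk.x || "";
-}
+const publicKeyHex = await jwkToRawHexKey(jwk);
 const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
 return {
 kid: restKey.kid || restKey.alias,
@@ -131,7 +172,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 jwk,
 jwkThumbprint: calculateJwkThumbprint({
 jwk,
-digestAlgorithm: restKey.
+digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : "sha256"
 }),
 alias: restKey.alias,
 providerId: restKey.providerId,
@@ -141,7 +182,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 ...restKey.opts
 }
 };
-});
+}));
 }
 mapRestKeyTypeToTKeyType(keyType) {
 switch (keyType) {
@@ -161,53 +202,75 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
 }
 }
 async sign(args) {
-const { keyRef, data } = args;
+const { keyRef, data, algorithm = "SHA-256" } = args;
 const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
 aliasOrKid: keyRef.kid,
-providerId: this.providerId
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 }) : await this.client.methods.kmsClientGetKey({
-aliasOrKid: keyRef.kid
+aliasOrKid: keyRef.kid,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
+const dataToBeSigned = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
 const signingResult = await this.client.methods.kmsClientCreateRawSignature({
 keyInfo: key.keyInfo,
-input: toString(
+input: toString(dataToBeSigned, "base64"),
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
-return signingResult.signature;
+return base64ToBase64Url(signingResult.signature);
 }
 async verify(args) {
-const { keyRef, data, signature } = args;
+const { keyRef, data, signature, algorithm = "SHA-256" } = args;
 const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
 aliasOrKid: keyRef.kid,
-providerId: this.providerId
+providerId: this.providerId,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 }) : await this.client.methods.kmsClientGetKey({
-aliasOrKid: keyRef.kid
+aliasOrKid: keyRef.kid,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
+const dataToBeVerified = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
 const verification = await this.client.methods.kmsClientIsValidRawSignature({
 keyInfo: key.keyInfo,
-input: toString(
-signature
+input: toString(dataToBeVerified, "base64"),
+signature,
+...this.tenantId && {
+tenantId: this.tenantId
+},
+...this.userId && {
+userId: this.userId
+}
 });
 return verification.isValid;
 }
 async sharedSecret(args) {
 throw new Error("sharedSecret is not implemented for REST KMS.");
 }
-signatureAlgorithmToDigestAlgorithm = /* @__PURE__ */ __name((signatureAlgorithm) => {
-switch (signatureAlgorithm) {
-case SignatureAlgorithm.EcdsaSha256:
-case SignatureAlgorithm.RsaSsaPssSha256Mgf1:
-case SignatureAlgorithm.EckaDhSha256:
-case SignatureAlgorithm.HmacSha256:
-case SignatureAlgorithm.Es256K:
-return "sha256";
-case SignatureAlgorithm.EcdsaSha512:
-case SignatureAlgorithm.HmacSha512:
-case SignatureAlgorithm.RsaSsaPssSha512Mgf1:
-return "sha512";
-default:
-throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`);
-}
-}, "signatureAlgorithmToDigestAlgorithm");
 mapKeyUsage = /* @__PURE__ */ __name((usage) => {
 switch (usage) {
 case "sig":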
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? 
this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 
'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? 
this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? 
await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 
'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? 
args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? 
publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? 
publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SAASA,wBAAwBC,OAAOC,qCAAoD;AAC5F,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EAhC7C,OAgC6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;IAChF;AAEA,UAAME,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKt
C;MACVU;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,eAAeC,uBAAuB;UACpCX;UACAY,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUtC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMoD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMqC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKhD,aAChB,MAAM,KAAKF,OAAO4B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACbzB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQwB,kBAAkBJ,UAAUrB,GAAG;AAE7D,WAAO;MACLU,KAAKW,UAAUX;MACfE,KAAK,KAAKtC;MACVU;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,eAAeC,uBAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAI/B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM2D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO4B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQ8B,mBAAmB;MAAED,YAAYpB;IAAI,CAAA;EACrE;EAEA,MAAMsB,WAAsC;AAC1C,UAAMC,OAAO,KAAK1D,aACd,MAAM,KAAKF,OAAO4B,QAAQiC,0BAA0B;MAAE3D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO4B,QAAQkC,kBAAiB;AAE/C,UAAMC,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKtC;QACVU,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,eAAeC,uBAAuB;YACpCX;YACAY,iBAAiBwB,QAAQtD,qBAAqB,KAAK+B,oCAAoCuB,QAAQtD,kBAAkB,IAAI;UACvH,CAAA;UACAa,OAAOyC,QAAQzC;UACfxB,YAAYiE,QAAQjE;UACpBuE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAA
QA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,KAAI,IAAKrE;AACzB,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAM6C,gBAAgB,MAAM,KAAKlF,OAAO4B,QAAQuD,4BAA4B;MAC1E9B,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO5E,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMM,UAAS,IAAK3E;AACpC,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAMkD,eAAe,MAAM,KAAKvF,OAAO4B,QAAQ4D,6BAA6B;MAC1EnC,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAahF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQM,sCAAsC,wBAAC/B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK8E,mBAAmBC;MACxB,KAAKD,mBAAmBE;MACxB,KAAKF,mBAAmBG;MACxB,KAAKH,mBAAmBI;MACxB,KAAKJ,mBAAmBK;AACtB,eAAO;MACT,KAAKL,mBAAmBM;MACxB,KAAKN,mBAAmBO;MACxB,KAAKP,mBAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI7D,MAAM,uBAAuBzB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAOgF,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIxD,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOkF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;A
ACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAI/E,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBkG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOhG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAciG;MACvB,KAAK;AACH,eAAOjG,cAAckG;MACvB,KAAK;AACH,eAAOlG,cAAcmG;MACvB,KAAK;AACH,eAAOnG,cAAcoG;MACvB,KAAK;AACH,eAAOpG,cAAcqG;MACvB,KAAK;AACH,eAAOrG,cAAcsG;MACvB,KAAK;AACH,eAAOtG,cAAcuG;MACvB;AACE,cAAM,IAAIxF,MAAM,iBAAiBiF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBjG,mBAAmB,wBAACyG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACtH,SAAAA;AACzB,UAAMuH,OAAOvH,KAAKE,MAAMqH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBxH,KAAKyH,cAAcC,SAAS,KAAA,IAAS1H,KAAKyH,gBAAgBE,SAAS3H,KAAKyH,eAAe,SAAA;AACrI,UAAM7E,eAAegF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASnF,cAAc,QAAA;AAC5C,UAAMT,eAAe6F,SAASF,YAAAA;AAE9B,UAAM5H,OAAO,CAAC;AACd,QAAIqH,MAAM;AACRrH,WAAKqH,OAAO;QACVU,IAAIV,KAAKU,MAAMjI,KAAK2B,OAAOQ;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBnI,aAAKqH,KAAKY,sBAAsBD;AAChC,cAAMnE,MAAMuE,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKqH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBrI,aAAKqH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM5G,MAAM3B,KAAK2B,OAAOzB,MAAMqH,MAAMU,MAAM9F;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,KAAKqI,oBAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWhI,KAAKqH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC7I,SAAAA;AAC/B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM8I,eAAe7J,WAAWwI,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UA
AM5H,UAAU0H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAeb,QAAQ8H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,eAAeyG,MAAMlH,cAAc,WAAA;AACzC,UAAM0F,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM3H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,KAAKqI,oBAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACvJ,SAAAA;AAC5B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM6H,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,eAAeqH,8BAA8B/B,aAAAA;AACnD,UAAM7E,eAAeyG,MAAMlH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,KAAK+E,wBAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,KAAKqI,oBAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKqH,gBAAgBtH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK6I,sBAAsB7I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKuJ,mBAAmBvJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClie
ntProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = 
options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? 
await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? 
await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return Promise.all(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? 
await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? 
data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 
'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. 
We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? 
publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,mBACAC,wBACAC,cACAC,uBACAC,gBACAC,WACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAA
QC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,eAAeC,uBAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,MAAMwB,sBAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,eAAeC,uBAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,MAAMwB,sBAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,WAAWC,
4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOC,QAAQC,IACbJ,SAASK,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAMkB,eAAe,MAAMyB,eAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY6B,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAU,eAAeC,uBAAuB;YACpCX;YACAY,iBAAiB0B,QAAQ1C,IAAIP,MAAMwB,sBAAsByB,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf1B,YAAYqE,QAAQrE;UACpByE,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;EAEJ;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,iBAA6BC,aAAaL,IAAAA,IAC5CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO2F,kBAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOrF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMe,WAAWd,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAA
KA;MAAO;IAC3C,CAAA;AAGJ,UAAM8F,mBAA+BZ,aAAaL,IAAAA,IAC9CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMiB,eAAe,MAAM,KAAKnG,OAAO8B,QAAQsE,6BAA6B;MAC1E7C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASsG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK7F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO+F,aAAaE;EACtB;EAEA,MAAMC,aAAa1F,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACqF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOnF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOoF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdvF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO4F,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIpE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOuF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAIpF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBuG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOrG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcsG;MACvB,KAAK;AACH,eAAOtG,cAAcuG;MACvB,KAAK;AACH,eAAOvG,cAAcwG;MACvB,KAAK;AACH,eAAOxG,cAAcyG;MACvB,KAAK;AACH,eAAOzG,cAAc0G;MACvB,KAAK;AACH,eAAO1G,cAAc2G;MACvB,KAAK;AACH,eAAO3G,cAAc4G;MACvB;AACE,cAAM,IAAI7F,MAAM,iBAAiBsF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBtG,mBAAmB,wBAAC8G,eAAAA;AAC1B,WAAOA,WAAWhE,IAAI,CAACwD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3H,SAAAA;AACzB,UAAM4H,OAAO5H,KAAKE,MAAM0H;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7H,KAAK8H,cAAcC,SAAS,KAAA,IAAS/H,KAAK8H,gBAAgBE,SAAShI,KAAK8H,eAAe,SAAA;AACrI,UAAMlF,eAAeqF
,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASxF,cAAc,QAAA;AAC5C,UAAMT,eAAekG,SAASF,YAAAA;AAE9B,UAAMjI,OAAO,CAAC;AACd,QAAI0H,MAAM;AACR1H,WAAK0H,OAAO;QACVU,IAAIV,KAAKU,MAAMtI,KAAK2B,OAAOQ;MAC7B;AACA,UAAIoG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxI,aAAK0H,KAAKY,sBAAsBD;AAChC,cAAMxE,MAAM4E,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BhG,uBAAamB,MAAMA;QACrB;AACA7D,aAAK0H,KAAK7D,MAAMA;MAClB;AACA,UAAI6D,KAAKgB,qBAAqB;AAE5BhG,qBAAaiG,MAAMjB,KAAKgB;AACxB1I,aAAK0H,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMjH,MAAM3B,KAAK2B,OAAOzB,MAAM0H,MAAMU,MAAMnG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDzI,KAAK2I,oBAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;QACAV,WAAWrI,KAAK0H,KAAK7D;MACvB;IACF;EACF,GArD0B;EAuDlBoF,wBAAwB,wBAACnJ,SAAAA;AAC/B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMoJ,eAAerK,WAAW+I,cAAcuB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMlI,UAAUgI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMjH,eAAeb,QAAQoI,UAAU,MAAM,KAAA;AAC7C,UAAM9G,eAAe+G,MAAMxH,cAAc,WAAA;AACzC,UAAM+F,gBAAgByB,MAAM7B,eAAe,aAAa;MAAE8B,cAAc;IAAK,CAAA;AAC7E,UAAMjI,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDzI,KAAK2I,oBAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC7J,SAAAA;AAC5B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMkI,gBAAgByB,MAAM7B,eAAe,UAAU;MAAE8B,cAAc;IAAK,CAAA;AAC1E,UAAMzH,eAAe2H,8BAA8BhC,aAAAA;AACnD,UAAMlF,eAAe+G,MAAMxH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDzI,KAAK2I,oBAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,KAAKC,mBAAmBhB,cAAce,KAAK,K
AAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB1G,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0H,gBAAgB3H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKmJ,sBAAsBnJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK6J,mBAAmB7J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["base64ToBase64Url","calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","jwkToRawHexKey","shaHasher","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","Promise","all","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","d
ataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
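--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
 "name": "@sphereon/ssi-sdk.kms-rest",
 "description": "Sphereon SSI-SDK plugin for REST Key Management System.",
-"version": "0.36.1-
+"version": "0.36.1-feature.SSISDK.82.and.SSISDK.70.37+4f1096f2",
 "source": "./src/index.ts",
 "type": "module",
 "main": "./dist/index.cjs",
@@ -22,10 +22,10 @@
 "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
 },
 "dependencies": {
-"@sphereon/ssi-sdk-ext.key-utils": "0.36.1-
-"@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-
-"@sphereon/ssi-sdk.kms-rest-client": "0.36.1-
-"@sphereon/ssi-types": "0.36.1-
+"@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feature.SSISDK.82.and.SSISDK.70.37+4f1096f2",
+"@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feature.SSISDK.82.and.SSISDK.70.37+4f1096f2",
+"@sphereon/ssi-sdk.kms-rest-client": "0.36.1-feature.SSISDK.82.and.SSISDK.70.37+4f1096f2",
+"@sphereon/ssi-types": "0.36.1-feature.SSISDK.82.and.SSISDK.70.37+4f1096f2",
 "@veramo/core": "4.2.0",
 "@veramo/key-manager": "4.2.0",
 "elliptic": "^6.5.4",
@@ -54,5 +54,5 @@
 "key-management",
 "Veramo"
 ],
-"gitHead": "
+"gitHead": "4f1096f2d7ce22bdc20319a780386979393bc2ef"
 }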
|
@@ -1,4 +1,14 @@
|
|
|
1
|
-
import {
|
|
1
|
+
import {
|
|
2
|
+
base64ToBase64Url,
|
|
3
|
+
calculateJwkThumbprint,
|
|
4
|
+
isHashString,
|
|
5
|
+
joseAlgorithmToDigest,
|
|
6
|
+
jwkToRawHexKey,
|
|
7
|
+
shaHasher,
|
|
8
|
+
toJwk,
|
|
9
|
+
x25519PublicHexFromPrivateHex,
|
|
10
|
+
type X509Opts,
|
|
11
|
+
} from '@sphereon/ssi-sdk-ext.key-utils'
|
|
2
12
|
import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'
|
|
3
13
|
import type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'
|
|
4
14
|
import {
|
|
@@ -27,6 +37,8 @@ interface KeyManagementSystemOptions {
|
|
|
27
37
|
applicationId: string
|
|
28
38
|
baseUrl: string
|
|
29
39
|
providerId?: string
|
|
40
|
+
tenantId?: string
|
|
41
|
+
userId?: string
|
|
30
42
|
authOpts?: RestClientAuthenticationOpts
|
|
31
43
|
}
|
|
32
44
|
|
|
@@ -34,6 +46,8 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
34
46
|
private client: KmsRestClient
|
|
35
47
|
private readonly id: string
|
|
36
48
|
private providerId: string | undefined
|
|
49
|
+
private tenantId: string | undefined
|
|
50
|
+
private userId: string | undefined
|
|
37
51
|
|
|
38
52
|
constructor(options: KeyManagementSystemOptions) {
|
|
39
53
|
super()
|
|
@@ -45,6 +59,8 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
45
59
|
|
|
46
60
|
this.id = options.applicationId
|
|
47
61
|
this.providerId = options.providerId
|
|
62
|
+
this.tenantId = options.tenantId
|
|
63
|
+
this.userId = options.userId
|
|
48
64
|
this.client = new KmsRestClient(config)
|
|
49
65
|
}
|
|
50
66
|
|
|
@@ -57,6 +73,8 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
57
73
|
alg: signatureAlgorithm,
|
|
58
74
|
keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],
|
|
59
75
|
...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),
|
|
76
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
77
|
+
...(this.userId && { userId: this.userId }),
|
|
60
78
|
}
|
|
61
79
|
|
|
62
80
|
const key = this.providerId
|
|
@@ -85,7 +103,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
85
103
|
algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],
|
|
86
104
|
jwkThumbprint: calculateJwkThumbprint({
|
|
87
105
|
jwk,
|
|
88
|
-
digestAlgorithm:
|
|
106
|
+
digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',
|
|
89
107
|
}),
|
|
90
108
|
},
|
|
91
109
|
publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),
|
|
@@ -94,15 +112,20 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
94
112
|
|
|
95
113
|
async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {
|
|
96
114
|
const { type } = args
|
|
97
|
-
const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
|
|
98
115
|
const importKey = this.mapImportKey(args)
|
|
99
116
|
|
|
100
117
|
const result = this.providerId
|
|
101
118
|
? await this.client.methods.kmsClientProviderStoreKey({
|
|
102
119
|
...importKey.key,
|
|
103
120
|
providerId: this.providerId,
|
|
121
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
122
|
+
...(this.userId && { userId: this.userId }),
|
|
123
|
+
})
|
|
124
|
+
: await this.client.methods.kmsClientStoreKey({
|
|
125
|
+
...importKey.key,
|
|
126
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
127
|
+
...(this.userId && { userId: this.userId }),
|
|
104
128
|
})
|
|
105
|
-
: await this.client.methods.kmsClientStoreKey(importKey.key)
|
|
106
129
|
|
|
107
130
|
return {
|
|
108
131
|
kid: importKey.kid,
|
|
@@ -113,7 +136,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
113
136
|
algorithms: [result.keyInfo.key.alg ?? 'PS256'],
|
|
114
137
|
jwkThumbprint: calculateJwkThumbprint({
|
|
115
138
|
jwk: importKey.publicKeyJwk,
|
|
116
|
-
digestAlgorithm:
|
|
139
|
+
digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',
|
|
117
140
|
}),
|
|
118
141
|
},
|
|
119
142
|
publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),
|
|
@@ -127,53 +150,58 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
127
150
|
? await this.client.methods.kmsClientProviderDeleteKey({
|
|
128
151
|
aliasOrKid: kid,
|
|
129
152
|
providerId: this.providerId,
|
|
153
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
154
|
+
...(this.userId && { userId: this.userId }),
|
|
155
|
+
})
|
|
156
|
+
: await this.client.methods.kmsClientDeleteKey({
|
|
157
|
+
aliasOrKid: kid,
|
|
158
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
159
|
+
...(this.userId && { userId: this.userId }),
|
|
130
160
|
})
|
|
131
|
-
: await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
|
|
132
161
|
}
|
|
133
162
|
|
|
134
163
|
async listKeys(): Promise<ManagedKeyInfo[]> {
|
|
135
164
|
const keys = this.providerId
|
|
136
|
-
? await this.client.methods.kmsClientProviderListKeys({
|
|
137
|
-
|
|
165
|
+
? await this.client.methods.kmsClientProviderListKeys({
|
|
166
|
+
providerId: this.providerId,
|
|
167
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
168
|
+
...(this.userId && { userId: this.userId }),
|
|
169
|
+
})
|
|
170
|
+
: await this.client.methods.kmsClientListKeys({
|
|
171
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
172
|
+
...(this.userId && { userId: this.userId }),
|
|
173
|
+
})
|
|
138
174
|
|
|
139
175
|
const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos
|
|
140
176
|
|
|
141
|
-
return
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
providerId: restKey.providerId,
|
|
170
|
-
x5c: restKey.x5c,
|
|
171
|
-
keyVisibility: restKey.keyVisibility,
|
|
172
|
-
keyEncoding: restKey.keyEncoding,
|
|
173
|
-
...restKey.opts,
|
|
174
|
-
},
|
|
175
|
-
} satisfies ManagedKeyInfo
|
|
176
|
-
})
|
|
177
|
+
return Promise.all(
|
|
178
|
+
restKeys.map(async (restKey: RestManagedKeyInfo) => {
|
|
179
|
+
const jwk = restKey.key
|
|
180
|
+
const publicKeyHex = await jwkToRawHexKey(jwk as JWK)
|
|
181
|
+
const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)
|
|
182
|
+
|
|
183
|
+
return {
|
|
184
|
+
kid: restKey.kid || restKey.alias,
|
|
185
|
+
kms: this.id,
|
|
186
|
+
type: keyType,
|
|
187
|
+
publicKeyHex,
|
|
188
|
+
meta: {
|
|
189
|
+
algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,
|
|
190
|
+
jwk,
|
|
191
|
+
jwkThumbprint: calculateJwkThumbprint({
|
|
192
|
+
jwk: jwk as JWK,
|
|
193
|
+
digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',
|
|
194
|
+
}),
|
|
195
|
+
alias: restKey.alias,
|
|
196
|
+
providerId: restKey.providerId,
|
|
197
|
+
x5c: restKey.x5c,
|
|
198
|
+
keyVisibility: restKey.keyVisibility,
|
|
199
|
+
keyEncoding: restKey.keyEncoding,
|
|
200
|
+
...restKey.opts,
|
|
201
|
+
},
|
|
202
|
+
} satisfies ManagedKeyInfo
|
|
203
|
+
}),
|
|
204
|
+
)
|
|
177
205
|
}
|
|
178
206
|
|
|
179
207
|
private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {
|
|
@@ -195,35 +223,59 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
195
223
|
}
|
|
196
224
|
|
|
197
225
|
async sign(args: SignArgs): Promise<string> {
|
|
198
|
-
const { keyRef, data } = args
|
|
226
|
+
const { keyRef, data, algorithm = 'SHA-256' } = args
|
|
199
227
|
const key = this.providerId
|
|
200
228
|
? await this.client.methods.kmsClientProviderGetKey({
|
|
201
229
|
aliasOrKid: keyRef.kid,
|
|
202
230
|
providerId: this.providerId,
|
|
231
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
232
|
+
...(this.userId && { userId: this.userId }),
|
|
233
|
+
})
|
|
234
|
+
: await this.client.methods.kmsClientGetKey({
|
|
235
|
+
aliasOrKid: keyRef.kid,
|
|
236
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
237
|
+
...(this.userId && { userId: this.userId }),
|
|
203
238
|
})
|
|
204
|
-
: await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
|
|
205
239
|
|
|
240
|
+
// with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash
|
|
241
|
+
const dataToBeSigned: Uint8Array = isHashString(data)
|
|
242
|
+
? data
|
|
243
|
+
: shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
|
|
206
244
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
207
245
|
keyInfo: key.keyInfo,
|
|
208
|
-
input: toString(
|
|
246
|
+
input: toString(dataToBeSigned, 'base64'),
|
|
247
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
248
|
+
...(this.userId && { userId: this.userId }),
|
|
209
249
|
})
|
|
210
250
|
|
|
211
|
-
return signingResult.signature
|
|
251
|
+
return base64ToBase64Url(signingResult.signature)
|
|
212
252
|
}
|
|
213
253
|
|
|
214
254
|
async verify(args: VerifyArgs): Promise<boolean> {
|
|
215
|
-
const { keyRef, data, signature } = args
|
|
255
|
+
const { keyRef, data, signature, algorithm = 'SHA-256' } = args
|
|
216
256
|
const key = this.providerId
|
|
217
257
|
? await this.client.methods.kmsClientProviderGetKey({
|
|
218
258
|
aliasOrKid: keyRef.kid,
|
|
219
259
|
providerId: this.providerId,
|
|
260
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
261
|
+
...(this.userId && { userId: this.userId }),
|
|
262
|
+
})
|
|
263
|
+
: await this.client.methods.kmsClientGetKey({
|
|
264
|
+
aliasOrKid: keyRef.kid,
|
|
265
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
266
|
+
...(this.userId && { userId: this.userId }),
|
|
220
267
|
})
|
|
221
|
-
: await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
|
|
222
268
|
|
|
269
|
+
// with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash
|
|
270
|
+
const dataToBeVerified: Uint8Array = isHashString(data)
|
|
271
|
+
? data
|
|
272
|
+
: shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
|
|
223
273
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
|
224
274
|
keyInfo: key.keyInfo,
|
|
225
|
-
input: toString(
|
|
275
|
+
input: toString(dataToBeVerified, 'base64'),
|
|
226
276
|
signature,
|
|
277
|
+
...(this.tenantId && { tenantId: this.tenantId }),
|
|
278
|
+
...(this.userId && { userId: this.userId }),
|
|
227
279
|
})
|
|
228
280
|
|
|
229
281
|
return verification.isValid
|
|
@@ -233,23 +285,6 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
233
285
|
throw new Error('sharedSecret is not implemented for REST KMS.')
|
|
234
286
|
}
|
|
235
287
|
|
|
236
|
-
private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {
|
|
237
|
-
switch (signatureAlgorithm) {
|
|
238
|
-
case SignatureAlgorithm.EcdsaSha256:
|
|
239
|
-
case SignatureAlgorithm.RsaSsaPssSha256Mgf1:
|
|
240
|
-
case SignatureAlgorithm.EckaDhSha256:
|
|
241
|
-
case SignatureAlgorithm.HmacSha256:
|
|
242
|
-
case SignatureAlgorithm.Es256K:
|
|
243
|
-
return 'sha256'
|
|
244
|
-
case SignatureAlgorithm.EcdsaSha512:
|
|
245
|
-
case SignatureAlgorithm.HmacSha512:
|
|
246
|
-
case SignatureAlgorithm.RsaSsaPssSha512Mgf1:
|
|
247
|
-
return 'sha512'
|
|
248
|
-
default:
|
|
249
|
-
throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)
|
|
250
|
-
}
|
|
251
|
-
}
|
|
252
|
-
|
|
253
288
|
private mapKeyUsage = (usage: string): JwkUse => {
|
|
254
289
|
switch (usage) {
|
|
255
290
|
case 'sig':
|
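--- a/package/src/types/index.ts
+++ b/package/src/types/index.ts
@@ -15,6 +15,7 @@ export type CreateKeyArgs = {
 export type SignArgs = {
 keyRef: Pick<IKey, 'kid'>
 data: Uint8Array
+algorithm?: string
 [x: string]: any
 }
 
@@ -22,6 +23,7 @@ export type VerifyArgs = {
 keyRef: Pick<IKey, 'kid'>
 data: Uint8Array
 signature: string
+algorithm?: string
 [x: string]: any
 }
 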
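Review bot: `algorithm?: string` in `SignArgs` (and the identical field added to `VerifyArgs` in the second hunk) accepts any string, and since both types also carry `[x: string]: any`, the compiler will not catch a misspelled or unsupported digest name. In the `sign()`/`verify()` changes shown earlier on this page the value defaults to `'SHA-256'` and is handed to `shaHasher` unchanged, so the digest is chosen by the caller instead of being derived from the key. A key intended for a SHA-512 scheme would therefore presumably be used with a SHA-256 digest unless every caller overrides the default on both the signing and the verifying side. I would narrow the field to a union of the digest names the hasher actually supports and document it on both types, e.g. `/** Digest applied to data before remote signing; defaults to 'SHA-256' and is skipped when data is already a hash. */`. `VerifyArgs` opens above its hunk, so any documentation already on that type is not visible here.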