@sphereon/ssi-sdk.kms-rest 0.36.1-feature.SSISDK.44.finish.dcql.1 → 0.36.1-feature.SSISDK.70.integrate.digidentity.55

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/index.cjs +137 -83
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +8 -4
  4. package/dist/index.d.ts +8 -4
  5. package/dist/index.js +138 -84
  6. package/dist/index.js.map +1 -1
  7. package/package.json +6 -6
  8. package/src/RestKeyManagementSystem.ts +106 -80
  9. package/src/types/index.ts +2 -0
package/dist/index.cjs CHANGED
@@ -51,6 +51,8 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
51
51
  client;
52
52
  id;
53
53
  providerId;
54
+ tenantId;
55
+ userId;
54
56
  constructor(options) {
55
57
  super();
56
58
  const config = {
@@ -59,11 +61,17 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
59
61
  };
60
62
  this.id = options.applicationId;
61
63
  this.providerId = options.providerId;
64
+ this.tenantId = options.tenantId;
65
+ this.userId = options.userId;
62
66
  this.client = new import_ssi_sdk.KmsRestClient(config);
63
67
  }
64
68
  async createKey(args) {
65
69
  const { type, meta } = args;
66
- const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
70
+ const joseAlg = (0, import_ssi_sdk_ext.signatureAlgorithmFromKeyType)({
71
+ type,
72
+ algorithms: meta?.algorithms
73
+ });
74
+ const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg);
67
75
  const options = {
68
76
  use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : import_ssi_sdk.JwkUse.Sig,
69
77
  alg: signatureAlgorithm,
@@ -72,7 +80,13 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
72
80
  ],
73
81
  ...meta && "keyAlias" in meta && meta.keyAlias ? {
74
82
  alias: meta.keyAlias
75
- } : {}
83
+ } : {},
84
+ ...this.tenantId && {
85
+ tenantId: this.tenantId
86
+ },
87
+ ...this.userId && {
88
+ userId: this.userId
89
+ }
76
90
  };
77
91
  const key = this.providerId ? await this.client.methods.kmsClientProviderGenerateKey({
78
92
  ...options,
@@ -80,7 +94,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
80
94
  }) : await this.client.methods.kmsClientGenerateKey(options);
81
95
  const jwk = {
82
96
  ...key.keyPair.jose.publicJwk,
83
- alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
97
+ alg: key.keyPair.jose.publicJwk.alg ? (0, import_ssi_sdk_ext.signatureAlgorithmToJoseAlgorithm)(key.keyPair.jose.publicJwk.alg) : void 0
84
98
  };
85
99
  const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid;
86
100
  if (!kid) {
@@ -97,7 +111,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
97
111
  ],
98
112
  jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
99
113
  jwk,
100
- digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm)
114
+ digestAlgorithm: jwk.alg ? (0, import_ssi_sdk_ext.joseAlgorithmToDigest)(jwk.alg) : "sha256"
101
115
  })
102
116
  },
103
117
  publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), "utf8").toString("base64")
@@ -105,12 +119,25 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
105
119
  }
106
120
  async importKey(args) {
107
121
  const { type } = args;
108
- const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
109
122
  const importKey = this.mapImportKey(args);
110
123
  const result = this.providerId ? await this.client.methods.kmsClientProviderStoreKey({
111
124
  ...importKey.key,
112
- providerId: this.providerId
113
- }) : await this.client.methods.kmsClientStoreKey(importKey.key);
125
+ providerId: this.providerId,
126
+ ...this.tenantId && {
127
+ tenantId: this.tenantId
128
+ },
129
+ ...this.userId && {
130
+ userId: this.userId
131
+ }
132
+ }) : await this.client.methods.kmsClientStoreKey({
133
+ ...importKey.key,
134
+ ...this.tenantId && {
135
+ tenantId: this.tenantId
136
+ },
137
+ ...this.userId && {
138
+ userId: this.userId
139
+ }
140
+ });
114
141
  return {
115
142
  kid: importKey.kid,
116
143
  kms: this.id,
@@ -122,7 +149,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
122
149
  ],
123
150
  jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
124
151
  jwk: importKey.publicKeyJwk,
125
- digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm)
152
+ digestAlgorithm: importKey.publicKeyJwk.alg ? (0, import_ssi_sdk_ext.joseAlgorithmToDigest)(importKey.publicKeyJwk.alg) : "sha256"
126
153
  })
127
154
  },
128
155
  publicKeyHex: Buffer.from(result.keyInfo.key.toString(), "utf8").toString("base64")
@@ -132,15 +159,40 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
132
159
  const { kid } = args;
133
160
  return this.providerId ? await this.client.methods.kmsClientProviderDeleteKey({
134
161
  aliasOrKid: kid,
135
- providerId: this.providerId
162
+ providerId: this.providerId,
163
+ ...this.tenantId && {
164
+ tenantId: this.tenantId
165
+ },
166
+ ...this.userId && {
167
+ userId: this.userId
168
+ }
136
169
  }) : await this.client.methods.kmsClientDeleteKey({
137
- aliasOrKid: kid
170
+ aliasOrKid: kid,
171
+ ...this.tenantId && {
172
+ tenantId: this.tenantId
173
+ },
174
+ ...this.userId && {
175
+ userId: this.userId
176
+ }
138
177
  });
139
178
  }
140
179
  async listKeys() {
141
180
  const keys = this.providerId ? await this.client.methods.kmsClientProviderListKeys({
142
- providerId: this.providerId
143
- }) : await this.client.methods.kmsClientListKeys();
181
+ providerId: this.providerId,
182
+ ...this.tenantId && {
183
+ tenantId: this.tenantId
184
+ },
185
+ ...this.userId && {
186
+ userId: this.userId
187
+ }
188
+ }) : await this.client.methods.kmsClientListKeys({
189
+ ...this.tenantId && {
190
+ tenantId: this.tenantId
191
+ },
192
+ ...this.userId && {
193
+ userId: this.userId
194
+ }
195
+ });
144
196
  const restKeys = (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
145
197
  return restKeys.map((restKey) => {
146
198
  const jwk = restKey.key;
@@ -165,7 +217,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
165
217
  jwk,
166
218
  jwkThumbprint: (0, import_ssi_sdk_ext.calculateJwkThumbprint)({
167
219
  jwk,
168
- digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : "sha256"
220
+ digestAlgorithm: restKey.key.alg ? (0, import_ssi_sdk_ext.joseAlgorithmToDigest)(restKey.key.alg) : "sha256"
169
221
  }),
170
222
  alias: restKey.alias,
171
223
  providerId: restKey.providerId,
@@ -195,53 +247,75 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
195
247
  }
196
248
  }
197
249
  async sign(args) {
198
- const { keyRef, data } = args;
250
+ const { keyRef, data, algorithm = "SHA-256" } = args;
199
251
  const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
200
252
  aliasOrKid: keyRef.kid,
201
- providerId: this.providerId
253
+ providerId: this.providerId,
254
+ ...this.tenantId && {
255
+ tenantId: this.tenantId
256
+ },
257
+ ...this.userId && {
258
+ userId: this.userId
259
+ }
202
260
  }) : await this.client.methods.kmsClientGetKey({
203
- aliasOrKid: keyRef.kid
261
+ aliasOrKid: keyRef.kid,
262
+ ...this.tenantId && {
263
+ tenantId: this.tenantId
264
+ },
265
+ ...this.userId && {
266
+ userId: this.userId
267
+ }
204
268
  });
269
+ const dataToBeSigned = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
205
270
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
206
271
  keyInfo: key.keyInfo,
207
- input: toString(data, "base64")
272
+ input: toString(dataToBeSigned, "base64"),
273
+ ...this.tenantId && {
274
+ tenantId: this.tenantId
275
+ },
276
+ ...this.userId && {
277
+ userId: this.userId
278
+ }
208
279
  });
209
280
  return signingResult.signature;
210
281
  }
211
282
  async verify(args) {
212
- const { keyRef, data, signature } = args;
283
+ const { keyRef, data, signature, algorithm = "SHA-256" } = args;
213
284
  const key = this.providerId ? await this.client.methods.kmsClientProviderGetKey({
214
285
  aliasOrKid: keyRef.kid,
215
- providerId: this.providerId
286
+ providerId: this.providerId,
287
+ ...this.tenantId && {
288
+ tenantId: this.tenantId
289
+ },
290
+ ...this.userId && {
291
+ userId: this.userId
292
+ }
216
293
  }) : await this.client.methods.kmsClientGetKey({
217
- aliasOrKid: keyRef.kid
294
+ aliasOrKid: keyRef.kid,
295
+ ...this.tenantId && {
296
+ tenantId: this.tenantId
297
+ },
298
+ ...this.userId && {
299
+ userId: this.userId
300
+ }
218
301
  });
302
+ const dataToBeVerified = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
219
303
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
220
304
  keyInfo: key.keyInfo,
221
- input: toString(data, "base64"),
222
- signature
305
+ input: toString(dataToBeVerified, "base64"),
306
+ signature,
307
+ ...this.tenantId && {
308
+ tenantId: this.tenantId
309
+ },
310
+ ...this.userId && {
311
+ userId: this.userId
312
+ }
223
313
  });
224
314
  return verification.isValid;
225
315
  }
226
316
  async sharedSecret(args) {
227
317
  throw new Error("sharedSecret is not implemented for REST KMS.");
228
318
  }
229
- signatureAlgorithmToDigestAlgorithm = /* @__PURE__ */ __name((signatureAlgorithm) => {
230
- switch (signatureAlgorithm) {
231
- case import_ssi_sdk.SignatureAlgorithm.EcdsaSha256:
232
- case import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha256Mgf1:
233
- case import_ssi_sdk.SignatureAlgorithm.EckaDhSha256:
234
- case import_ssi_sdk.SignatureAlgorithm.HmacSha256:
235
- case import_ssi_sdk.SignatureAlgorithm.Es256K:
236
- return "sha256";
237
- case import_ssi_sdk.SignatureAlgorithm.EcdsaSha512:
238
- case import_ssi_sdk.SignatureAlgorithm.HmacSha512:
239
- case import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha512Mgf1:
240
- return "sha512";
241
- default:
242
- throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`);
243
- }
244
- }, "signatureAlgorithmToDigestAlgorithm");
245
319
  mapKeyUsage = /* @__PURE__ */ __name((usage) => {
246
320
  switch (usage) {
247
321
  case "sig":
@@ -252,54 +326,34 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
252
326
  throw new Error(`Key usage ${usage} is not supported by REST KMS`);
253
327
  }
254
328
  }, "mapKeyUsage");
255
- mapKeyTypeToSignatureAlgorithm = /* @__PURE__ */ __name((type) => {
256
- switch (type) {
257
- case "Secp256r1":
258
- return import_ssi_sdk.SignatureAlgorithm.EcdsaSha256;
259
- case "RSA":
260
- return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha256Mgf1;
261
- case "X25519":
262
- return import_ssi_sdk.SignatureAlgorithm.EckaDhSha256;
263
- default:
264
- throw new Error(`Key type ${type} is not supported by REST KMS`);
265
- }
266
- }, "mapKeyTypeToSignatureAlgorithm");
267
- mapJoseAlgorithm = /* @__PURE__ */ __name((alg) => {
329
+ mapJoseToRestSignatureAlgorithm = /* @__PURE__ */ __name((alg) => {
268
330
  switch (alg) {
269
- case "RS256":
270
- return import_ssi_types.JoseSignatureAlgorithm.RS256;
271
- case "RS384":
272
- return import_ssi_types.JoseSignatureAlgorithm.RS384;
273
- case "RS512":
274
- return import_ssi_types.JoseSignatureAlgorithm.RS512;
275
- case "ES256":
276
- return import_ssi_types.JoseSignatureAlgorithm.ES256;
277
- case "ES256K":
278
- return import_ssi_types.JoseSignatureAlgorithm.ES256K;
279
- case "ES384":
280
- return import_ssi_types.JoseSignatureAlgorithm.ES384;
281
- case "ES512":
282
- return import_ssi_types.JoseSignatureAlgorithm.ES512;
283
- case "EdDSA":
284
- return import_ssi_types.JoseSignatureAlgorithm.EdDSA;
285
- case "HS256":
286
- return import_ssi_types.JoseSignatureAlgorithm.HS256;
287
- case "HS384":
288
- return import_ssi_types.JoseSignatureAlgorithm.HS384;
289
- case "HS512":
290
- return import_ssi_types.JoseSignatureAlgorithm.HS512;
291
- case "PS256":
292
- return import_ssi_types.JoseSignatureAlgorithm.PS256;
293
- case "PS384":
294
- return import_ssi_types.JoseSignatureAlgorithm.PS384;
295
- case "PS512":
296
- return import_ssi_types.JoseSignatureAlgorithm.PS512;
297
- case "none":
298
- return import_ssi_types.JoseSignatureAlgorithm.none;
331
+ case import_ssi_types.JoseSignatureAlgorithm.RS256:
332
+ return import_ssi_sdk.SignatureAlgorithm.RsaSha256;
333
+ case import_ssi_types.JoseSignatureAlgorithm.RS384:
334
+ return import_ssi_sdk.SignatureAlgorithm.RsaSha384;
335
+ case import_ssi_types.JoseSignatureAlgorithm.RS512:
336
+ return import_ssi_sdk.SignatureAlgorithm.RsaSha512;
337
+ case import_ssi_types.JoseSignatureAlgorithm.PS256:
338
+ return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha256Mgf1;
339
+ case import_ssi_types.JoseSignatureAlgorithm.PS384:
340
+ return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha384Mgf1;
341
+ case import_ssi_types.JoseSignatureAlgorithm.PS512:
342
+ return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha512Mgf1;
343
+ case import_ssi_types.JoseSignatureAlgorithm.ES256:
344
+ return import_ssi_sdk.SignatureAlgorithm.EcdsaSha256;
345
+ case import_ssi_types.JoseSignatureAlgorithm.ES384:
346
+ return import_ssi_sdk.SignatureAlgorithm.EcdsaSha384;
347
+ case import_ssi_types.JoseSignatureAlgorithm.ES512:
348
+ return import_ssi_sdk.SignatureAlgorithm.EcdsaSha512;
349
+ case import_ssi_types.JoseSignatureAlgorithm.ES256K:
350
+ return import_ssi_sdk.SignatureAlgorithm.Es256K;
351
+ case import_ssi_types.JoseSignatureAlgorithm.EdDSA:
352
+ return import_ssi_sdk.SignatureAlgorithm.Ed25519;
299
353
  default:
300
- throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`);
354
+ throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`);
301
355
  }
302
- }, "mapJoseAlgorithm");
356
+ }, "mapJoseToRestSignatureAlgorithm");
303
357
  mapKeyOperation = /* @__PURE__ */ __name((operation) => {
304
358
  switch (operation) {
305
359
  case "sign":
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientStoreKey(importKey.key)\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })\n : await this.client.methods.kmsClientListKeys()\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(data, 'base64'),\n signature,\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.EcdsaSha256:\n case SignatureAlgorithm.RsaSsaPssSha256Mgf1:\n case SignatureAlgorithm.EckaDhSha256:\n case SignatureAlgorithm.HmacSha256:\n case SignatureAlgorithm.Es256K:\n return 'sha256'\n case SignatureAlgorithm.EcdsaSha512:\n case SignatureAlgorithm.HmacSha512:\n case SignatureAlgorithm.RsaSsaPssSha512Mgf1:\n return 'sha512'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAA4F;AAC5F,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAS1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EAhC7C,OAgC6CA;;;EACnCC;EACSC;EACTC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKL,KAAKE,QAAQI;AAClB,SAAKL,aAAaC,QAAQD;AAC1B,SAAKF,SAAS,IAAIQ,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;IAChF;AAEA,UAAME,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHD,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKtC;MACVU;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,mBAAeC,2CAAuB;UACpCX;UACAY,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUtC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMoD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMqC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKhD,aAChB,MAAM,KAAKF,OAAO4B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACbzB,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQwB,kBAAkBJ,UAAUrB,GAAG;AAE7D,WAAO;MACLU,KAAKW,UAAUX;MACfE,KAAK,KAAKtC;MACVU;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,mBAAeC,2CAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAI/B,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM2D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKR,aACR,MAAM,KAAKF,OAAO4B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQ8B,mBAAmB;MAAED,YAAYpB;IAAI,CAAA;EACrE;EAEA,MAAMsB,WAAsC;AAC1C,UAAMC,OAAO,KAAK1D,aACd,MAAM,KAAKF,OAAO4B,QAAQiC,0BAA0B;MAAE3D,YAAY,KAAKA;IAAW,CAAA,IAClF,MAAM,KAAKF,OAAO4B,QAAQkC,kBAAiB;AAE/C,UAAMC,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKtC;QACVU,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,mBAAeC,2CAAuB;YACpCX;YACAY,iBAAiBwB,QAAQtD,qBAAqB,KAAK+B,oCAAoCuB,QAAQtD,kBAAkB,IAAI;UACvH,CAAA;UACAa,OAAOyC,QAAQzC;UACfxB,YAAYiE,QAAQjE;UACpBuE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,KAAI,IAAKrE;AACzB,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAM6C,gBAAgB,MAAM,KAAKlF,OAAO4B,QAAQuD,4BAA4B;MAC1E9B,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;IACxB,CAAA;AAEA,WAAOG,cAAcG;EACvB;EAEA,MAAMC,OAAO5E,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMM,UAAS,IAAK3E;AACpC,UAAMiB,MAAM,KAAKzB,aACb,MAAM,KAAKF,OAAO4B,QAAQoD,wBAAwB;MAChDvB,YAAYqB,OAAOzC;MACnBnC,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO4B,QAAQqD,gBAAgB;MAAExB,YAAYqB,OAAOzC;IAAI,CAAA;AAEvE,UAAMkD,eAAe,MAAM,KAAKvF,OAAO4B,QAAQ4D,6BAA6B;MAC1EnC,SAAS1B,IAAI0B;MACb+B,OAAOxF,SAASmF,MAAM,QAAA;MACtBM;IACF,CAAA;AAEA,WAAOE,aAAaE;EACtB;EAEA,MAAMC,aAAahF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQM,sCAAsC,wBAAC/B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK8E,kCAAmBC;MACxB,KAAKD,kCAAmBE;MACxB,KAAKF,kCAAmBG;MACxB,KAAKH,kCAAmBI;MACxB,KAAKJ,kCAAmBK;AACtB,eAAO;MACT,KAAKL,kCAAmBM;MACxB,KAAKN,kCAAmBO;MACxB,KAAKP,kCAAmBQ;AACtB,eAAO;MACT;AACE,cAAM,IAAI7D,MAAM,uBAAuBzB,kBAAAA,+BAAiD;IAC5F;EACF,GAf8C;EAiBtCG,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAOgF,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIxD,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOkF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAI/E,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBkG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOhG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAciG;MACvB,KAAK;AACH,eAAOjG,6BAAckG;MACvB,KAAK;AACH,eAAOlG,6BAAcmG;MACvB,KAAK;AACH,eAAOnG,6BAAcoG;MACvB,KAAK;AACH,eAAOpG,6BAAcqG;MACvB,KAAK;AACH,eAAOrG,6BAAcsG;MACvB,KAAK;AACH,eAAOtG,6BAAcuG;MACvB;AACE,cAAM,IAAIxF,MAAM,iBAAiBiF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBjG,mBAAmB,wBAACyG,eAAAA;AAC1B,WAAOA,WAAW7D,IAAI,CAACqD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACtH,SAAAA;AACzB,UAAMuH,OAAOvH,KAAKE,MAAMqH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBxH,KAAKyH,cAAcC,SAAS,KAAA,IAAS1H,KAAKyH,oBAAgBE,8BAAS3H,KAAKyH,eAAe,SAAA;AACrI,UAAM7E,mBAAegF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASnF,cAAc,QAAA;AAC5C,UAAMT,mBAAe6F,8BAASF,YAAAA;AAE9B,UAAM5H,OAAO,CAAC;AACd,QAAIqH,MAAM;AACRrH,WAAKqH,OAAO;QACVU,IAAIV,KAAKU,MAAMjI,KAAK2B,OAAOQ;MAC7B;AACA,UAAI+F,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBnI,aAAKqH,KAAKY,sBAAsBD;AAChC,cAAMnE,UAAMuE,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B3F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKqH,KAAKxD,MAAMA;MAClB;AACA,UAAIwD,KAAKgB,qBAAqB;AAE5B3F,qBAAa4F,MAAMjB,KAAKgB;AACxBrI,aAAKqH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM5G,MAAM3B,KAAK2B,OAAOzB,MAAMqH,MAAMU,MAAM9F;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWhI,KAAKqH,KAAKxD;MACvB;IACF;EACF,GArD0B;EAuDlB8E,wBAAwB,wBAAC7I,SAAAA;AAC/B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM8I,eAAe7J,WAAWwI,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAM5H,UAAU0H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM3G,eAAeb,QAAQ8H,UAAU,MAAM,KAAA;AAC7C,UAAMxG,mBAAeyG,0BAAMlH,cAAc,WAAA;AACzC,UAAM0F,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM3H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACvJ,SAAAA;AAC5B,UAAM,EAAEyH,cAAa,IAAKzH;AAC1B,UAAM6H,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMnH,mBAAeqH,kDAA8B/B,aAAAA;AACnD,UAAM7E,mBAAeyG,0BAAMlH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAG4G;YACHlG;YACA+B,SAAK+E,wCAAwBZ,cAAcnE,KAAK,KAAA;YAChDrD,SAAKqI,oCAAoBb,cAAcxH,KAAK,KAAA;YAC5CsI,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKqH,gBAAgBtH,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAK6I,sBAAsB7I,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKuJ,mBAAmBvJ,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","kmsClientProviderGetKey","kmsClientGetKey","signingResult","kmsClientCreateRawSignature","input","signature","verify","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","HmacSha256","Es256K","EcdsaSha512","HmacSha512","RsaSsaPssSha512Mgf1","usage","Enc","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAUO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,cAAUC,kDAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,UAAMe,sDAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,UAAMuB,0CAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,UAAMuB,0CAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMnC,MAAMmC,QAAQvC;AACpB,UAAIiB,eAAe;AAGnB,UAAIb,IAAIoC,QAAQ,MAAM;AACpBvB,uBAAeb,IAAIqC,KAAK;MAC1B,WAAWrC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIqC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLjC,KAAK6B,QAAQ7B,OAAO6B,QAAQxC;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM8D;QACN1B;QACAnC,MAAM;UACJG,YAAYsD,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBuB;UACxEL;UACAS,mBAAeC,2CAAuB;YACpCV;YACAW,iBAAiBwB,QAAQvC,IAAIP,UAAMuB,0CAAsBuB,QAAQvC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOwC,QAAQxC;UACf7B,YAAYqE,QAAQrE;UACpB2E,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIhC,MAAM,qBAAqBgC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKrE,MAAiC;AAC1C,UAAM,EAAEsE,QAAQC,MAAMC,YAAY,UAAS,IAAKxE;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,qBAA6BC,iCAAaL,IAAAA,IAC5CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK9F,OAAOiC,QAAQ8D,4BAA4B;MAC1EtC,SAASzB,IAAIyB;MACbuC,OAAOpG,SAAS2F,gBAAgB,QAAA;MAChC,GAAI,KAAKpF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO0F,cAAcG;EACvB;EAEA,MAAMC,OAAOtF,MAAoC;AAC/C,UAAM,EAAEsE,QAAQC,MAAMc,WAAWb,YAAY,UAAS,IAAKxE;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM+F,uBAA+BX,iCAAaL,IAAAA,IAC9CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMgB,eAAe,MAAM,KAAKpG,OAAOiC,QAAQoE,6BAA6B;MAC1E5C,SAASzB,IAAIyB;MACbuC,OAAOpG,SAASuG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK9F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOgG,aAAaE;EACtB;EAEA,MAAMC,aAAa3F,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACmF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOjF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOkF;MAChB;AACE,cAAM,IAAI9D,MAAM,aAAa6D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdrF,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAKiF,wCAAuBC;AAC1B,eAAOC,kCAAmBC;MAC5B,KAAKH,wCAAuBI;AAC1B,eAAOF,kCAAmBG;MAC5B,KAAKL,wCAAuBM;AAC1B,eAAOJ,kCAAmBK;MAC5B,KAAKP,wCAAuBQ;AAC1B,eAAON,kCAAmBO;MAC5B,KAAKT,wCAAuBU;AAC1B,eAAOR,kCAAmBS;MAC5B,KAAKX,wCAAuBY;AAC1B,eAAOV,kCAAmBW;MAC5B,KAAKb,wCAAuBc;AAC1B,eAAOZ,kCAAmBa;MAC5B,KAAKf,wCAAuBgB;AAC1B,eAAOd,kCAAmBe;MAC5B,KAAKjB,wCAAuBkB;AAC1B,eAAOhB,kCAAmBiB;MAC5B,KAAKnB,wCAAuBoB;AAC1B,eAAOlB,kCAAmBmB;MAC5B,KAAKrB,wCAAuBsB;AAC1B,eAAOpB,kCAAmBqB;MAC5B;AACE,cAAM,IAAItF,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlCyG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOvG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcwG;MACvB,KAAK;AACH,eAAOxG,6BAAcyG;MACvB,KAAK;AACH,eAAOzG,6BAAc0G;MACvB,KAAK;AACH,eAAO1G,6BAAc2G;MACvB,KAAK;AACH,eAAO3G,6BAAc4G;MACvB,KAAK;AACH,eAAO5G,6BAAc6G;MACvB,KAAK;AACH,eAAO7G,6BAAc8G;MACvB;AACE,cAAM,IAAI/F,MAAM,iBAAiBwF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBxG,mBAAmB,wBAACgH,eAAAA;AAC1B,WAAOA,WAAWrE,IAAI,CAAC6D,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAChI,SAAAA;AACzB,UAAMiI,OAAOjI,KAAKE,MAAM+H;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBlI,KAAKmI,cAAcC,SAAS,KAAA,IAASpI,KAAKmI,oBAAgBE,8BAASrI,KAAKmI,eAAe,SAAA;AACrI,UAAMrF,mBAAewF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAAS3F,cAAc,QAAA;AAC5C,UAAMT,mBAAeqG,8BAASF,YAAAA;AAE9B,UAAMtI,OAAO,CAAC;AACd,QAAI+H,MAAM;AACR/H,WAAK+H,OAAO;QACVU,IAAIV,KAAKU,MAAM3I,KAAK8B,OAAOO;MAC7B;AACA,UAAIuG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxB7I,aAAK+H,KAAKY,sBAAsBD;AAChC,cAAM3E,UAAM+E,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BnG,uBAAamB,MAAMA;QACrB;AACA/D,aAAK+H,KAAKhE,MAAMA;MAClB;AACA,UAAIgE,KAAKgB,qBAAqB;AAE5BnG,qBAAaoG,MAAMjB,KAAKgB;AACxB/I,aAAK+H,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMnH,MAAM9B,KAAK8B,OAAO5B,MAAM+H,MAAMU,MAAMtG;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGmH;YACHzG;YACA8B,SAAKuF,wCAAwBZ,cAAc3E,KAAK,KAAA;YAChDpD,SAAK4I,oCAAoBb,cAAc/H,KAAK,KAAA;YAC5C6I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAW1I,KAAK+H,KAAKhE;MACvB;IACF;EACF,GArD0B;EAuDlBsF,wBAAwB,wBAACvJ,SAAAA;AAC/B,UAAM,EAAEmI,cAAa,IAAKnI;AAC1B,UAAMwJ,eAAezK,WAAWoJ,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMnI,UAAUiI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMnH,eAAeZ,QAAQqI,UAAU,MAAM,KAAA;AAC7C,UAAMhH,mBAAeiH,0BAAM1H,cAAc,WAAA;AACzC,UAAMkG,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAMlI,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGmH;YACHzG;YACA8B,SAAKuF,wCAAwBZ,cAAc3E,KAAK,KAAA;YAChDpD,SAAK4I,oCAAoBb,cAAc/H,KAAK,KAAA;YAC5C6I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACjK,SAAAA;AAC5B,UAAM,EAAEmI,cAAa,IAAKnI;AAC1B,UAAMuI,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAM3H,mBAAe6H,kDAA8B/B,aAAAA;AACnD,UAAMrF,mBAAeiH,0BAAM1H,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGmH;YACHzG;YACA8B,SAAKuF,wCAAwBZ,cAAc3E,KAAK,KAAA;YAChDpD,SAAK4I,oCAAoBb,cAAc/H,KAAK,KAAA;YAC5C6I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB5G,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK+H,gBAAgBhI,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKuJ,sBAAsBvJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKiK,mBAAmBjK,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/dist/index.d.cts CHANGED
@@ -14,12 +14,14 @@ type CreateKeyArgs = {
14
14
  type SignArgs = {
15
15
  keyRef: Pick<IKey, 'kid'>;
16
16
  data: Uint8Array;
17
+ algorithm?: string;
17
18
  [x: string]: any;
18
19
  };
19
20
  type VerifyArgs = {
20
21
  keyRef: Pick<IKey, 'kid'>;
21
22
  data: Uint8Array;
22
23
  signature: string;
24
+ algorithm?: string;
23
25
  [x: string]: any;
24
26
  };
25
27
  type SharedSecretArgs = {
@@ -48,12 +50,16 @@ interface KeyManagementSystemOptions {
48
50
  applicationId: string;
49
51
  baseUrl: string;
50
52
  providerId?: string;
53
+ tenantId?: string;
54
+ userId?: string;
51
55
  authOpts?: RestClientAuthenticationOpts;
52
56
  }
53
57
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
54
58
  private client;
55
59
  private readonly id;
56
- private providerId;
60
+ private readonly providerId;
61
+ private readonly tenantId;
62
+ private readonly userId;
57
63
  constructor(options: KeyManagementSystemOptions);
58
64
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
59
65
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
@@ -63,10 +69,8 @@ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
63
69
  sign(args: SignArgs): Promise<string>;
64
70
  verify(args: VerifyArgs): Promise<boolean>;
65
71
  sharedSecret(args: SharedSecretArgs): Promise<string>;
66
- private signatureAlgorithmToDigestAlgorithm;
67
72
  private mapKeyUsage;
68
- private mapKeyTypeToSignatureAlgorithm;
69
- private mapJoseAlgorithm;
73
+ private mapJoseToRestSignatureAlgorithm;
70
74
  private mapKeyOperation;
71
75
  private mapKeyOperations;
72
76
  private mapImportRsaKey;
package/dist/index.d.ts CHANGED
@@ -14,12 +14,14 @@ type CreateKeyArgs = {
14
14
  type SignArgs = {
15
15
  keyRef: Pick<IKey, 'kid'>;
16
16
  data: Uint8Array;
17
+ algorithm?: string;
17
18
  [x: string]: any;
18
19
  };
19
20
  type VerifyArgs = {
20
21
  keyRef: Pick<IKey, 'kid'>;
21
22
  data: Uint8Array;
22
23
  signature: string;
24
+ algorithm?: string;
23
25
  [x: string]: any;
24
26
  };
25
27
  type SharedSecretArgs = {
@@ -48,12 +50,16 @@ interface KeyManagementSystemOptions {
48
50
  applicationId: string;
49
51
  baseUrl: string;
50
52
  providerId?: string;
53
+ tenantId?: string;
54
+ userId?: string;
51
55
  authOpts?: RestClientAuthenticationOpts;
52
56
  }
53
57
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
54
58
  private client;
55
59
  private readonly id;
56
- private providerId;
60
+ private readonly providerId;
61
+ private readonly tenantId;
62
+ private readonly userId;
57
63
  constructor(options: KeyManagementSystemOptions);
58
64
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
59
65
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
@@ -63,10 +69,8 @@ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
63
69
  sign(args: SignArgs): Promise<string>;
64
70
  verify(args: VerifyArgs): Promise<boolean>;
65
71
  sharedSecret(args: SharedSecretArgs): Promise<string>;
66
- private signatureAlgorithmToDigestAlgorithm;
67
72
  private mapKeyUsage;
68
- private mapKeyTypeToSignatureAlgorithm;
69
- private mapJoseAlgorithm;
73
+ private mapJoseToRestSignatureAlgorithm;
70
74
  private mapKeyOperation;
71
75
  private mapKeyOperations;
72
76
  private mapImportRsaKey;