@sphereon/ssi-sdk.kms-rest 0.36.1-feature.SSISDK.44.finish.dcql.1 → 0.36.1-feature.SSISDK.70.integrate.digidentity.55

package/src/RestKeyManagementSystem.ts

@@ -1,4 +1,14 @@
-import { calculateJwkThumbprint, toJwk, x25519PublicHexFromPrivateHex, type X509Opts } from '@sphereon/ssi-sdk-ext.key-utils'
+import {
+  calculateJwkThumbprint,
+  isHashString,
+  joseAlgorithmToDigest,
+  shaHasher,
+  signatureAlgorithmFromKeyType,
+  signatureAlgorithmToJoseAlgorithm,
+  toJwk,
+  x25519PublicHexFromPrivateHex,
+  type X509Opts,
+} from '@sphereon/ssi-sdk-ext.key-utils'
 import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'
 import type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'
 import {
@@ -27,13 +37,17 @@ interface KeyManagementSystemOptions {
   applicationId: string
   baseUrl: string
   providerId?: string
+  tenantId?: string
+  userId?: string
   authOpts?: RestClientAuthenticationOpts
 }
 
 export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
   private client: KmsRestClient
   private readonly id: string
-  private providerId: string | undefined
+  private readonly providerId: string | undefined
+  private readonly tenantId: string | undefined
+  private readonly userId: string | undefined
 
   constructor(options: KeyManagementSystemOptions) {
     super()
@@ -45,18 +59,26 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
 
     this.id = options.applicationId
     this.providerId = options.providerId
+    this.tenantId = options.tenantId
+    this.userId = options.userId
     this.client = new KmsRestClient(config)
   }
 
   async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {
     const { type, meta } = args
 
-    const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
+    const joseAlg = signatureAlgorithmFromKeyType({
+      type,
+      algorithms: meta?.algorithms as string[] | undefined,
+    })
+    const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)
     const options = {
       use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
       alg: signatureAlgorithm,
       keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],
       ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),
+      ...(this.tenantId && { tenantId: this.tenantId }),
+      ...(this.userId && { userId: this.userId }),
     }
 
     const key = this.providerId
@@ -68,7 +90,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
 
     const jwk = {
       ...key.keyPair.jose.publicJwk,
-      alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,
+      alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,
     } satisfies JWK
 
     const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid
@@ -85,7 +107,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
         algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],
         jwkThumbprint: calculateJwkThumbprint({
           jwk,
-          digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),
+          digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',
         }),
       },
       publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),
@@ -94,15 +116,20 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
 
   async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {
     const { type } = args
-    const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
     const importKey = this.mapImportKey(args)
 
     const result = this.providerId
       ? await this.client.methods.kmsClientProviderStoreKey({
           ...importKey.key,
           providerId: this.providerId,
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
+        })
+      : await this.client.methods.kmsClientStoreKey({
+          ...importKey.key,
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
         })
-      : await this.client.methods.kmsClientStoreKey(importKey.key)
 
     return {
       kid: importKey.kid,
@@ -113,7 +140,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
         algorithms: [result.keyInfo.key.alg ?? 'PS256'],
         jwkThumbprint: calculateJwkThumbprint({
           jwk: importKey.publicKeyJwk,
-          digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),
+          digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',
         }),
       },
       publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),
@@ -127,14 +154,27 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
       ? await this.client.methods.kmsClientProviderDeleteKey({
           aliasOrKid: kid,
           providerId: this.providerId,
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
+        })
+      : await this.client.methods.kmsClientDeleteKey({
+          aliasOrKid: kid,
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
         })
-      : await this.client.methods.kmsClientDeleteKey({ aliasOrKid: kid })
   }
 
   async listKeys(): Promise<ManagedKeyInfo[]> {
     const keys = this.providerId
-      ? await this.client.methods.kmsClientProviderListKeys({ providerId: this.providerId })
-      : await this.client.methods.kmsClientListKeys()
+      ? await this.client.methods.kmsClientProviderListKeys({
+          providerId: this.providerId,
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
+        })
+      : await this.client.methods.kmsClientListKeys({
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
+        })
 
     const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos
 
@@ -163,7 +203,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
           jwk,
           jwkThumbprint: calculateJwkThumbprint({
             jwk: jwk as JWK,
-            digestAlgorithm: restKey.signatureAlgorithm ? this.signatureAlgorithmToDigestAlgorithm(restKey.signatureAlgorithm) : 'sha256',
+            digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',
           }),
           alias: restKey.alias,
           providerId: restKey.providerId,
@@ -195,35 +235,59 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
   }
 
   async sign(args: SignArgs): Promise<string> {
-    const { keyRef, data } = args
+    const { keyRef, data, algorithm = 'SHA-256' } = args
     const key = this.providerId
       ? await this.client.methods.kmsClientProviderGetKey({
           aliasOrKid: keyRef.kid,
           providerId: this.providerId,
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
+        })
+      : await this.client.methods.kmsClientGetKey({
+          aliasOrKid: keyRef.kid,
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
         })
-      : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
 
+    // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash
+    const dataToBeSigned: Uint8Array = isHashString(data)
+      ? data
+      : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
     const signingResult = await this.client.methods.kmsClientCreateRawSignature({
       keyInfo: key.keyInfo,
-      input: toString(data, 'base64'),
+      input: toString(dataToBeSigned, 'base64'),
+      ...(this.tenantId && { tenantId: this.tenantId }),
+      ...(this.userId && { userId: this.userId }),
     })
 
     return signingResult.signature
   }
 
   async verify(args: VerifyArgs): Promise<boolean> {
-    const { keyRef, data, signature } = args
+    const { keyRef, data, signature, algorithm = 'SHA-256' } = args
     const key = this.providerId
       ? await this.client.methods.kmsClientProviderGetKey({
           aliasOrKid: keyRef.kid,
           providerId: this.providerId,
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
+        })
+      : await this.client.methods.kmsClientGetKey({
+          aliasOrKid: keyRef.kid,
+          ...(this.tenantId && { tenantId: this.tenantId }),
+          ...(this.userId && { userId: this.userId }),
         })
-      : await this.client.methods.kmsClientGetKey({ aliasOrKid: keyRef.kid })
 
+    // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash
+    const dataToBeVerified: Uint8Array = isHashString(data)
+      ? data
+      : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
     const verification = await this.client.methods.kmsClientIsValidRawSignature({
       keyInfo: key.keyInfo,
-      input: toString(data, 'base64'),
+      input: toString(dataToBeVerified, 'base64'),
       signature,
+      ...(this.tenantId && { tenantId: this.tenantId }),
+      ...(this.userId && { userId: this.userId }),
     })
 
     return verification.isValid
@@ -233,23 +297,6 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
     throw new Error('sharedSecret is not implemented for REST KMS.')
   }
 
-  private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {
-    switch (signatureAlgorithm) {
-      case SignatureAlgorithm.EcdsaSha256:
-      case SignatureAlgorithm.RsaSsaPssSha256Mgf1:
-      case SignatureAlgorithm.EckaDhSha256:
-      case SignatureAlgorithm.HmacSha256:
-      case SignatureAlgorithm.Es256K:
-        return 'sha256'
-      case SignatureAlgorithm.EcdsaSha512:
-      case SignatureAlgorithm.HmacSha512:
-      case SignatureAlgorithm.RsaSsaPssSha512Mgf1:
-        return 'sha512'
-      default:
-        throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by REST KMS`)
-    }
-  }
-
   private mapKeyUsage = (usage: string): JwkUse => {
     switch (usage) {
       case 'sig':
@@ -261,53 +308,32 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
     }
   }
 
-  private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {
-    switch (type) {
-      case 'Secp256r1':
-        return SignatureAlgorithm.EcdsaSha256
-      case 'RSA':
-        return SignatureAlgorithm.RsaSsaPssSha256Mgf1
-      case 'X25519':
-        return SignatureAlgorithm.EckaDhSha256
-      default:
-        throw new Error(`Key type ${type} is not supported by REST KMS`)
-    }
-  }
-
-  private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {
+  private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {
     switch (alg) {
-      case 'RS256':
-        return JoseSignatureAlgorithm.RS256
-      case 'RS384':
-        return JoseSignatureAlgorithm.RS384
-      case 'RS512':
-        return JoseSignatureAlgorithm.RS512
-      case 'ES256':
-        return JoseSignatureAlgorithm.ES256
-      case 'ES256K':
-        return JoseSignatureAlgorithm.ES256K
-      case 'ES384':
-        return JoseSignatureAlgorithm.ES384
-      case 'ES512':
-        return JoseSignatureAlgorithm.ES512
-      case 'EdDSA':
-        return JoseSignatureAlgorithm.EdDSA
-      case 'HS256':
-        return JoseSignatureAlgorithm.HS256
-      case 'HS384':
-        return JoseSignatureAlgorithm.HS384
-      case 'HS512':
-        return JoseSignatureAlgorithm.HS512
-      case 'PS256':
-        return JoseSignatureAlgorithm.PS256
-      case 'PS384':
-        return JoseSignatureAlgorithm.PS384
-      case 'PS512':
-        return JoseSignatureAlgorithm.PS512
-      case 'none':
-        return JoseSignatureAlgorithm.none
+      case JoseSignatureAlgorithm.RS256:
+        return SignatureAlgorithm.RsaSha256
+      case JoseSignatureAlgorithm.RS384:
+        return SignatureAlgorithm.RsaSha384
+      case JoseSignatureAlgorithm.RS512:
+        return SignatureAlgorithm.RsaSha512
+      case JoseSignatureAlgorithm.PS256:
+        return SignatureAlgorithm.RsaSsaPssSha256Mgf1
+      case JoseSignatureAlgorithm.PS384:
+        return SignatureAlgorithm.RsaSsaPssSha384Mgf1
+      case JoseSignatureAlgorithm.PS512:
+        return SignatureAlgorithm.RsaSsaPssSha512Mgf1
+      case JoseSignatureAlgorithm.ES256:
+        return SignatureAlgorithm.EcdsaSha256
+      case JoseSignatureAlgorithm.ES384:
+        return SignatureAlgorithm.EcdsaSha384
+      case JoseSignatureAlgorithm.ES512:
+        return SignatureAlgorithm.EcdsaSha512
+      case JoseSignatureAlgorithm.ES256K:
+        return SignatureAlgorithm.Es256K
+      case JoseSignatureAlgorithm.EdDSA:
+        return SignatureAlgorithm.Ed25519
       default:
-        throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)
+        throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)
     }
   }
 

package/src/types/index.ts

@@ -15,6 +15,7 @@ export type CreateKeyArgs = {
 export type SignArgs = {
   keyRef: Pick<IKey, 'kid'>
   data: Uint8Array
+  algorithm?: string
   [x: string]: any
 }
 
@@ -22,6 +23,7 @@ export type VerifyArgs = {
   keyRef: Pick<IKey, 'kid'>
   data: Uint8Array
   signature: string
+  algorithm?: string
   [x: string]: any
 }