@sphereon/ssi-sdk.kms-rest 0.36.1-feature.SSISDK.70.integrate.digidentity.10 → 0.36.1-feature.SSISDK.70.integrate.digidentity.56

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (8) hide show
  1. package/dist/index.cjs +47 -49
  2. package/dist/index.cjs.map +1 -1
  3. package/dist/index.d.cts +4 -5
  4. package/dist/index.d.ts +4 -5
  5. package/dist/index.js +48 -50
  6. package/dist/index.js.map +1 -1
  7. package/package.json +6 -6
  8. package/src/RestKeyManagementSystem.ts +68 -58
package/dist/index.cjs CHANGED
@@ -67,7 +67,11 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
67
67
  }
68
68
  async createKey(args) {
69
69
  const { type, meta } = args;
70
- const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
70
+ const joseAlg = (0, import_ssi_sdk_ext.signatureAlgorithmFromKeyType)({
71
+ type,
72
+ algorithms: meta?.algorithms
73
+ });
74
+ const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg);
71
75
  const options = {
72
76
  use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : import_ssi_sdk.JwkUse.Sig,
73
77
  alg: signatureAlgorithm,
@@ -90,7 +94,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
90
94
  }) : await this.client.methods.kmsClientGenerateKey(options);
91
95
  const jwk = {
92
96
  ...key.keyPair.jose.publicJwk,
93
- alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
97
+ alg: key.keyPair.jose.publicJwk.alg ? (0, import_ssi_sdk_ext.signatureAlgorithmToJoseAlgorithm)(key.keyPair.jose.publicJwk.alg) : void 0
94
98
  };
95
99
  const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid;
96
100
  if (!kid) {
@@ -262,7 +266,14 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
262
266
  userId: this.userId
263
267
  }
264
268
  });
265
- const dataToBeSigned = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
269
+ const keyAlg = key.keyInfo.key.alg;
270
+ const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
271
+ let dataToBeSigned;
272
+ if (isEdDSA) {
273
+ dataToBeSigned = data;
274
+ } else {
275
+ dataToBeSigned = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
276
+ }
266
277
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
267
278
  keyInfo: key.keyInfo,
268
279
  input: toString(dataToBeSigned, "base64"),
@@ -295,7 +306,14 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
295
306
  userId: this.userId
296
307
  }
297
308
  });
298
- const dataToBeVerified = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
309
+ const keyAlg = key.keyInfo.key.alg;
310
+ const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
311
+ let dataToBeVerified;
312
+ if (isEdDSA) {
313
+ dataToBeVerified = data;
314
+ } else {
315
+ dataToBeVerified = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
316
+ }
299
317
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
300
318
  keyInfo: key.keyInfo,
301
319
  input: toString(dataToBeVerified, "base64"),
@@ -322,54 +340,34 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
322
340
  throw new Error(`Key usage ${usage} is not supported by REST KMS`);
323
341
  }
324
342
  }, "mapKeyUsage");
325
- mapKeyTypeToSignatureAlgorithm = /* @__PURE__ */ __name((type) => {
326
- switch (type) {
327
- case "Secp256r1":
328
- return import_ssi_sdk.SignatureAlgorithm.EcdsaSha256;
329
- case "RSA":
330
- return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha256Mgf1;
331
- case "X25519":
332
- return import_ssi_sdk.SignatureAlgorithm.EckaDhSha256;
333
- default:
334
- throw new Error(`Key type ${type} is not supported by REST KMS`);
335
- }
336
- }, "mapKeyTypeToSignatureAlgorithm");
337
- mapJoseAlgorithm = /* @__PURE__ */ __name((alg) => {
343
+ mapJoseToRestSignatureAlgorithm = /* @__PURE__ */ __name((alg) => {
338
344
  switch (alg) {
339
- case "RS256":
340
- return import_ssi_types.JoseSignatureAlgorithm.RS256;
341
- case "RS384":
342
- return import_ssi_types.JoseSignatureAlgorithm.RS384;
343
- case "RS512":
344
- return import_ssi_types.JoseSignatureAlgorithm.RS512;
345
- case "ES256":
346
- return import_ssi_types.JoseSignatureAlgorithm.ES256;
347
- case "ES256K":
348
- return import_ssi_types.JoseSignatureAlgorithm.ES256K;
349
- case "ES384":
350
- return import_ssi_types.JoseSignatureAlgorithm.ES384;
351
- case "ES512":
352
- return import_ssi_types.JoseSignatureAlgorithm.ES512;
353
- case "EdDSA":
354
- return import_ssi_types.JoseSignatureAlgorithm.EdDSA;
355
- case "HS256":
356
- return import_ssi_types.JoseSignatureAlgorithm.HS256;
357
- case "HS384":
358
- return import_ssi_types.JoseSignatureAlgorithm.HS384;
359
- case "HS512":
360
- return import_ssi_types.JoseSignatureAlgorithm.HS512;
361
- case "PS256":
362
- return import_ssi_types.JoseSignatureAlgorithm.PS256;
363
- case "PS384":
364
- return import_ssi_types.JoseSignatureAlgorithm.PS384;
365
- case "PS512":
366
- return import_ssi_types.JoseSignatureAlgorithm.PS512;
367
- case "none":
368
- return import_ssi_types.JoseSignatureAlgorithm.none;
345
+ case import_ssi_types.JoseSignatureAlgorithm.RS256:
346
+ return import_ssi_sdk.SignatureAlgorithm.RsaSha256;
347
+ case import_ssi_types.JoseSignatureAlgorithm.RS384:
348
+ return import_ssi_sdk.SignatureAlgorithm.RsaSha384;
349
+ case import_ssi_types.JoseSignatureAlgorithm.RS512:
350
+ return import_ssi_sdk.SignatureAlgorithm.RsaSha512;
351
+ case import_ssi_types.JoseSignatureAlgorithm.PS256:
352
+ return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha256Mgf1;
353
+ case import_ssi_types.JoseSignatureAlgorithm.PS384:
354
+ return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha384Mgf1;
355
+ case import_ssi_types.JoseSignatureAlgorithm.PS512:
356
+ return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha512Mgf1;
357
+ case import_ssi_types.JoseSignatureAlgorithm.ES256:
358
+ return import_ssi_sdk.SignatureAlgorithm.EcdsaSha256;
359
+ case import_ssi_types.JoseSignatureAlgorithm.ES384:
360
+ return import_ssi_sdk.SignatureAlgorithm.EcdsaSha384;
361
+ case import_ssi_types.JoseSignatureAlgorithm.ES512:
362
+ return import_ssi_sdk.SignatureAlgorithm.EcdsaSha512;
363
+ case import_ssi_types.JoseSignatureAlgorithm.ES256K:
364
+ return import_ssi_sdk.SignatureAlgorithm.Es256K;
365
+ case import_ssi_types.JoseSignatureAlgorithm.EdDSA:
366
+ return import_ssi_sdk.SignatureAlgorithm.Ed25519;
369
367
  default:
370
- throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`);
368
+ throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`);
371
369
  }
372
- }, "mapJoseAlgorithm");
370
+ }, "mapJoseToRestSignatureAlgorithm");
373
371
  mapKeyOperation = /* @__PURE__ */ __name((operation) => {
374
372
  switch (operation) {
375
373
  case "sign":
package/dist/index.cjs.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAQO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA1C7C,OA0C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,mBAAeC,2CAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,UAAMwB,0CAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,mBAAeC,2CAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,UAAMwB,0CAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,mBAAeC,2CAAuB;YACpCX;YACAY,iBAAiBwB,QAAQxC,IAAIP,UAAMwB,0CAAsBuB,QAAQxC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOyC,QAAQzC;UACf1B,YAAYmE,QAAQnE;UACpByE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,qBAA6BC,iCAAaL,IAAAA,IAC5CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOwF,cAAcG;EACvB;EAEA,MAAMC,OAAOpF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMc,WAAWb,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM6F,uBAA+BX,iCAAaL,IAAAA,IAC9CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMgB,eAAe,MAAM,KAAKlG,OAAO8B,QAAQqE,6BAA6B;MAC1E5C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASqG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK5F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO8F,aAAaE;EACtB;EAEA,MAAMC,aAAazF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO2F,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAInE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOsF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAInF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBsG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOpG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcqG;MACvB,KAAK;AACH,eAAOrG,6BAAcsG;MACvB,KAAK;AACH,eAAOtG,6BAAcuG;MACvB,KAAK;AACH,eAAOvG,6BAAcwG;MACvB,KAAK;AACH,eAAOxG,6BAAcyG;MACvB,KAAK;AACH,eAAOzG,6BAAc0G;MACvB,KAAK;AACH,eAAO1G,6BAAc2G;MACvB;AACE,cAAM,IAAI5F,MAAM,iBAAiBqF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBrG,mBAAmB,wBAAC6G,eAAAA;AAC1B,WAAOA,WAAWjE,IAAI,CAACyD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC1H,SAAAA;AACzB,UAAM2H,OAAO3H,KAAKE,MAAMyH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB5H,KAAK6H,cAAcC,SAAS,KAAA,IAAS9H,KAAK6H,oBAAgBE,8BAAS/H,KAAK6H,eAAe,SAAA;AACrI,UAAMjF,mBAAeoF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASvF,cAAc,QAAA;AAC5C,UAAMT,mBAAeiG,8BAASF,YAAAA;AAE9B,UAAMhI,OAAO,CAAC;AACd,QAAIyH,MAAM;AACRzH,WAAKyH,OAAO;QACVU,IAAIV,KAAKU,MAAMrI,KAAK2B,OAAOQ;MAC7B;AACA,UAAImG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBvI,aAAKyH,KAAKY,sBAAsBD;AAChC,cAAMvE,UAAM2E,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B/F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKyH,KAAK5D,MAAMA;MAClB;AACA,UAAI4D,KAAKgB,qBAAqB;AAE5B/F,qBAAagG,MAAMjB,KAAKgB;AACxBzI,aAAKyH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMhH,MAAM3B,KAAK2B,OAAOzB,MAAMyH,MAAMU,MAAMlG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,SAAKmF,wCAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,SAAKyI,oCAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWpI,KAAKyH,KAAK5D;MACvB;IACF;EACF,GArD0B;EAuDlBkF,wBAAwB,wBAACjJ,SAAAA;AAC/B,UAAM,EAAE6H,cAAa,IAAK7H;AAC1B,UAAMkJ,eAAenK,WAAW8I,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMhI,UAAU8H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM/G,eAAeb,QAAQkI,UAAU,MAAM,KAAA;AAC7C,UAAM5G,mBAAe6G,0BAAMtH,cAAc,WAAA;AACzC,UAAM8F,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM/H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,SAAKmF,wCAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,SAAKyI,oCAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC3J,SAAAA;AAC5B,UAAM,EAAE6H,cAAa,IAAK7H;AAC1B,UAAMiI,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMvH,mBAAeyH,kDAA8B/B,aAAAA;AACnD,UAAMjF,mBAAe6G,0BAAMtH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,SAAKmF,wCAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,SAAKyI,oCAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBxG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKyH,gBAAgB1H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKiJ,sBAAsBjJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK2J,mBAAmB3J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeSigned: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are computed over the raw message (PureEdDSA)\n // The algorithm internally handles hashing with SHA-512\n dataToBeSigned = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before signing\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeSigned = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeVerified: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are verified over the raw message (PureEdDSA)\n dataToBeVerified = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before verifying\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeVerified = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAUO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,cAAUC,kDAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,UAAMe,sDAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,UAAMuB,0CAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,UAAMuB,0CAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMnC,MAAMmC,QAAQvC;AACpB,UAAIiB,eAAe;AAGnB,UAAIb,IAAIoC,QAAQ,MAAM;AACpBvB,uBAAeb,IAAIqC,KAAK;MAC1B,WAAWrC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIqC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLjC,KAAK6B,QAAQ7B,OAAO6B,QAAQxC;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM8D;QACN1B;QACAnC,MAAM;UACJG,YAAYsD,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBuB;UACxEL;UACAS,mBAAeC,2CAAuB;YACpCV;YACAW,iBAAiBwB,QAAQvC,IAAIP,UAAMuB,0CAAsBuB,QAAQvC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOwC,QAAQxC;UACf7B,YAAYqE,QAAQrE;UACpB2E,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIhC,MAAM,qBAAqBgC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKrE,MAAiC;AAC1C,UAAM,EAAEsE,QAAQC,MAAMC,YAAY,UAAS,IAAKxE;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,SAASvD,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAM+D,UAAUD,WAAW,WAAWA,WAAW,aAAavD,IAAIyB,QAAQzB,IAAIyD,QAAQ;AAEtF,QAAIC;AACJ,QAAIF,SAAS;AAGXE,uBAAiBP;IACnB,OAAO;AAGLO,2BAAiBC,iCAAaR,IAAAA,IAC1BA,WACAS,8BAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMa,gBAAgB,MAAM,KAAKjG,OAAOiC,QAAQiE,4BAA4B;MAC1EzC,SAASzB,IAAIyB;MACb0C,OAAOvG,SAAS8F,gBAAgB,QAAA;MAChC,GAAI,KAAKvF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO6F,cAAcG;EACvB;EAEA,MAAMC,OAAOzF,MAAoC;AAC/C,UAAM,EAAEsE,QAAQC,MAAMiB,WAAWhB,YAAY,UAAS,IAAKxE;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,SAASvD,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAM+D,UAAUD,WAAW,WAAWA,WAAW,aAAavD,IAAIyB,QAAQzB,IAAIyD,QAAQ;AAEtF,QAAIa;AACJ,QAAId,SAAS;AAEXc,yBAAmBnB;IACrB,OAAO;AAGLmB,6BAAmBX,iCAAaR,IAAAA,IAC5BA,WACAS,8BAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMmB,eAAe,MAAM,KAAKvG,OAAOiC,QAAQuE,6BAA6B;MAC1E/C,SAASzB,IAAIyB;MACb0C,OAAOvG,SAAS0G,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAKjG,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOmG,aAAaE;EACtB;EAEA,MAAMC,aAAa9F,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACsF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOpF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOqF;MAChB;AACE,cAAM,IAAIjE,MAAM,aAAagE,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdxF,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAKoF,wCAAuBC;AAC1B,eAAOC,kCAAmBC;MAC5B,KAAKH,wCAAuBI;AAC1B,eAAOF,kCAAmBG;MAC5B,KAAKL,wCAAuBM;AAC1B,eAAOJ,kCAAmBK;MAC5B,KAAKP,wCAAuBQ;AAC1B,eAAON,kCAAmBO;MAC5B,KAAKT,wCAAuBU;AAC1B,eAAOR,kCAAmBS;MAC5B,KAAKX,wCAAuBY;AAC1B,eAAOV,kCAAmBW;MAC5B,KAAKb,wCAAuBc;AAC1B,eAAOZ,kCAAmBa;MAC5B,KAAKf,wCAAuBgB;AAC1B,eAAOd,kCAAmBe;MAC5B,KAAKjB,wCAAuBkB;AAC1B,eAAOhB,kCAAmBiB;MAC5B,KAAKnB,wCAAuBoB;AAC1B,eAAOlB,kCAAmBmB;MAC5B,KAAKrB,wCAAuBsB;AAC1B,eAAOpB,kCAAmBqB;MAC5B;AACE,cAAM,IAAIzF,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlC4G,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO1G,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAc2G;MACvB,KAAK;AACH,eAAO3G,6BAAc4G;MACvB,KAAK;AACH,eAAO5G,6BAAc6G;MACvB,KAAK;AACH,eAAO7G,6BAAc8G;MACvB,KAAK;AACH,eAAO9G,6BAAc+G;MACvB,KAAK;AACH,eAAO/G,6BAAcgH;MACvB,KAAK;AACH,eAAOhH,6BAAciH;MACvB;AACE,cAAM,IAAIlG,MAAM,iBAAiB2F,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB3G,mBAAmB,wBAACmH,eAAAA;AAC1B,WAAOA,WAAWxE,IAAI,CAACgE,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACnI,SAAAA;AACzB,UAAMoI,OAAOpI,KAAKE,MAAMkI;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBrI,KAAKsI,cAAcC,SAAS,KAAA,IAASvI,KAAKsI,oBAAgBE,8BAASxI,KAAKsI,eAAe,SAAA;AACrI,UAAMxF,mBAAe2F,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAAS9F,cAAc,QAAA;AAC5C,UAAMT,mBAAewG,8BAASF,YAAAA;AAE9B,UAAMzI,OAAO,CAAC;AACd,QAAIkI,MAAM;AACRlI,WAAKkI,OAAO;QACVU,IAAIV,KAAKU,MAAM9I,KAAK8B,OAAOO;MAC7B;AACA,UAAI0G,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBhJ,aAAKkI,KAAKY,sBAAsBD;AAChC,cAAM9E,UAAMkF,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BtG,uBAAamB,MAAMA;QACrB;AACA/D,aAAKkI,KAAKnE,MAAMA;MAClB;AACA,UAAImE,KAAKgB,qBAAqB;AAE5BtG,qBAAauG,MAAMjB,KAAKgB;AACxBlJ,aAAKkI,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMtH,MAAM9B,KAAK8B,OAAO5B,MAAMkI,MAAMU,MAAMzG;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,SAAK0F,wCAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,SAAK+I,oCAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,SAAK2E,mCAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;QACAkE,WAAW7I,KAAKkI,KAAKnE;MACvB;IACF;EACF,GArD0B;EAuDlBwF,wBAAwB,wBAACzJ,SAAAA;AAC/B,UAAM,EAAEsI,cAAa,IAAKtI;AAC1B,UAAM0J,eAAe3K,WAAWuJ,cAAcqB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMrI,UAAUmI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMrH,eAAeZ,QAAQuI,UAAU,MAAM,KAAA;AAC7C,UAAMlH,mBAAemH,0BAAM5H,cAAc,WAAA;AACzC,UAAMqG,oBAAgBuB,0BAAM3B,eAAe,aAAa;MAAE4B,cAAc;IAAK,CAAA;AAC7E,UAAMpI,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,SAAK0F,wCAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,SAAK+I,oCAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,SAAK2E,mCAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBsF,qBAAqB,wBAACnK,SAAAA;AAC5B,UAAM,EAAEsI,cAAa,IAAKtI;AAC1B,UAAM0I,oBAAgBuB,0BAAM3B,eAAe,UAAU;MAAE4B,cAAc;IAAK,CAAA;AAC1E,UAAM7H,mBAAe+H,kDAA8B9B,aAAAA;AACnD,UAAMxF,mBAAemH,0BAAM5H,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,SAAK0F,wCAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,SAAK+I,oCAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,SAAK2E,mCAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpC,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKkI,gBAAgBnI,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKyJ,sBAAsBzJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKmK,mBAAmBnK,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","keyAlg","isEdDSA","crv","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/dist/index.d.cts CHANGED
@@ -57,9 +57,9 @@ interface KeyManagementSystemOptions {
57
57
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
58
58
  private client;
59
59
  private readonly id;
60
- private providerId;
61
- private tenantId;
62
- private userId;
60
+ private readonly providerId;
61
+ private readonly tenantId;
62
+ private readonly userId;
63
63
  constructor(options: KeyManagementSystemOptions);
64
64
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
65
65
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
@@ -70,8 +70,7 @@ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
70
70
  verify(args: VerifyArgs): Promise<boolean>;
71
71
  sharedSecret(args: SharedSecretArgs): Promise<string>;
72
72
  private mapKeyUsage;
73
- private mapKeyTypeToSignatureAlgorithm;
74
- private mapJoseAlgorithm;
73
+ private mapJoseToRestSignatureAlgorithm;
75
74
  private mapKeyOperation;
76
75
  private mapKeyOperations;
77
76
  private mapImportRsaKey;
package/dist/index.d.ts CHANGED
@@ -57,9 +57,9 @@ interface KeyManagementSystemOptions {
57
57
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
58
58
  private client;
59
59
  private readonly id;
60
- private providerId;
61
- private tenantId;
62
- private userId;
60
+ private readonly providerId;
61
+ private readonly tenantId;
62
+ private readonly userId;
63
63
  constructor(options: KeyManagementSystemOptions);
64
64
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
65
65
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
@@ -70,8 +70,7 @@ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
70
70
  verify(args: VerifyArgs): Promise<boolean>;
71
71
  sharedSecret(args: SharedSecretArgs): Promise<string>;
72
72
  private mapKeyUsage;
73
- private mapKeyTypeToSignatureAlgorithm;
74
- private mapJoseAlgorithm;
73
+ private mapJoseToRestSignatureAlgorithm;
75
74
  private mapKeyOperation;
76
75
  private mapKeyOperations;
77
76
  private mapImportRsaKey;
package/dist/index.js CHANGED
@@ -2,7 +2,7 @@ var __defProp = Object.defineProperty;
2
2
  var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
3
3
 
4
4
  // src/RestKeyManagementSystem.ts
5
- import { calculateJwkThumbprint, isHashString, joseAlgorithmToDigest, shaHasher, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
5
+ import { calculateJwkThumbprint, isHashString, joseAlgorithmToDigest, shaHasher, signatureAlgorithmFromKeyType, signatureAlgorithmToJoseAlgorithm, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
6
6
  import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
7
7
  import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
8
8
  import { JoseSignatureAlgorithm } from "@sphereon/ssi-types";
@@ -33,7 +33,11 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
33
33
  }
34
34
  async createKey(args) {
35
35
  const { type, meta } = args;
36
- const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
36
+ const joseAlg = signatureAlgorithmFromKeyType({
37
+ type,
38
+ algorithms: meta?.algorithms
39
+ });
40
+ const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg);
37
41
  const options = {
38
42
  use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
39
43
  alg: signatureAlgorithm,
@@ -56,7 +60,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
56
60
  }) : await this.client.methods.kmsClientGenerateKey(options);
57
61
  const jwk = {
58
62
  ...key.keyPair.jose.publicJwk,
59
- alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
63
+ alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
60
64
  };
61
65
  const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid;
62
66
  if (!kid) {
@@ -228,7 +232,14 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
228
232
  userId: this.userId
229
233
  }
230
234
  });
231
- const dataToBeSigned = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
235
+ const keyAlg = key.keyInfo.key.alg;
236
+ const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
237
+ let dataToBeSigned;
238
+ if (isEdDSA) {
239
+ dataToBeSigned = data;
240
+ } else {
241
+ dataToBeSigned = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
242
+ }
232
243
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
233
244
  keyInfo: key.keyInfo,
234
245
  input: toString(dataToBeSigned, "base64"),
@@ -261,7 +272,14 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
261
272
  userId: this.userId
262
273
  }
263
274
  });
264
- const dataToBeVerified = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
275
+ const keyAlg = key.keyInfo.key.alg;
276
+ const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
277
+ let dataToBeVerified;
278
+ if (isEdDSA) {
279
+ dataToBeVerified = data;
280
+ } else {
281
+ dataToBeVerified = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
282
+ }
265
283
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
266
284
  keyInfo: key.keyInfo,
267
285
  input: toString(dataToBeVerified, "base64"),
@@ -288,54 +306,34 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
288
306
  throw new Error(`Key usage ${usage} is not supported by REST KMS`);
289
307
  }
290
308
  }, "mapKeyUsage");
291
- mapKeyTypeToSignatureAlgorithm = /* @__PURE__ */ __name((type) => {
292
- switch (type) {
293
- case "Secp256r1":
294
- return SignatureAlgorithm.EcdsaSha256;
295
- case "RSA":
296
- return SignatureAlgorithm.RsaSsaPssSha256Mgf1;
297
- case "X25519":
298
- return SignatureAlgorithm.EckaDhSha256;
299
- default:
300
- throw new Error(`Key type ${type} is not supported by REST KMS`);
301
- }
302
- }, "mapKeyTypeToSignatureAlgorithm");
303
- mapJoseAlgorithm = /* @__PURE__ */ __name((alg) => {
309
+ mapJoseToRestSignatureAlgorithm = /* @__PURE__ */ __name((alg) => {
304
310
  switch (alg) {
305
- case "RS256":
306
- return JoseSignatureAlgorithm.RS256;
307
- case "RS384":
308
- return JoseSignatureAlgorithm.RS384;
309
- case "RS512":
310
- return JoseSignatureAlgorithm.RS512;
311
- case "ES256":
312
- return JoseSignatureAlgorithm.ES256;
313
- case "ES256K":
314
- return JoseSignatureAlgorithm.ES256K;
315
- case "ES384":
316
- return JoseSignatureAlgorithm.ES384;
317
- case "ES512":
318
- return JoseSignatureAlgorithm.ES512;
319
- case "EdDSA":
320
- return JoseSignatureAlgorithm.EdDSA;
321
- case "HS256":
322
- return JoseSignatureAlgorithm.HS256;
323
- case "HS384":
324
- return JoseSignatureAlgorithm.HS384;
325
- case "HS512":
326
- return JoseSignatureAlgorithm.HS512;
327
- case "PS256":
328
- return JoseSignatureAlgorithm.PS256;
329
- case "PS384":
330
- return JoseSignatureAlgorithm.PS384;
331
- case "PS512":
332
- return JoseSignatureAlgorithm.PS512;
333
- case "none":
334
- return JoseSignatureAlgorithm.none;
311
+ case JoseSignatureAlgorithm.RS256:
312
+ return SignatureAlgorithm.RsaSha256;
313
+ case JoseSignatureAlgorithm.RS384:
314
+ return SignatureAlgorithm.RsaSha384;
315
+ case JoseSignatureAlgorithm.RS512:
316
+ return SignatureAlgorithm.RsaSha512;
317
+ case JoseSignatureAlgorithm.PS256:
318
+ return SignatureAlgorithm.RsaSsaPssSha256Mgf1;
319
+ case JoseSignatureAlgorithm.PS384:
320
+ return SignatureAlgorithm.RsaSsaPssSha384Mgf1;
321
+ case JoseSignatureAlgorithm.PS512:
322
+ return SignatureAlgorithm.RsaSsaPssSha512Mgf1;
323
+ case JoseSignatureAlgorithm.ES256:
324
+ return SignatureAlgorithm.EcdsaSha256;
325
+ case JoseSignatureAlgorithm.ES384:
326
+ return SignatureAlgorithm.EcdsaSha384;
327
+ case JoseSignatureAlgorithm.ES512:
328
+ return SignatureAlgorithm.EcdsaSha512;
329
+ case JoseSignatureAlgorithm.ES256K:
330
+ return SignatureAlgorithm.Es256K;
331
+ case JoseSignatureAlgorithm.EdDSA:
332
+ return SignatureAlgorithm.Ed25519;
335
333
  default:
336
- throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`);
334
+ throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`);
337
335
  }
338
- }, "mapJoseAlgorithm");
336
+ }, "mapJoseToRestSignatureAlgorithm");
339
337
  mapKeyOperation = /* @__PURE__ */ __name((operation) => {
340
338
  switch (operation) {
341
339
  case "sign":
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,wBACAC,cACAC,uBACAC,WACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA1C7C,OA0C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,eAAeC,uBAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,MAAMwB,sBAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,eAAeC,uBAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,MAAMwB,sBAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMpC,MAAMoC,QAAQxC;AACpB,UAAIkB,eAAe;AAGnB,UAAId,IAAIqC,QAAQ,MAAM;AACpBvB,uBAAed,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIuC,KAAK;MAC1B,WAAWvC,IAAIqC,QAAQ,OAAO;AAC5BvB,uBAAed,IAAIsC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLlC,KAAK8B,QAAQ9B,OAAO8B,QAAQzC;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY2B,QAAQtD,qBAAqB;YAACsD,QAAQtD;cAAsBuB;UACxEL;UACAU,eAAeC,uBAAuB;YACpCX;YACAY,iBAAiBwB,QAAQxC,IAAIP,MAAMwB,sBAAsBuB,QAAQxC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOyC,QAAQzC;UACf1B,YAAYmE,QAAQnE;UACpByE,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,iBAA6BC,aAAaL,IAAAA,IAC5CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOwF,cAAcG;EACvB;EAEA,MAAMC,OAAOpF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMc,WAAWb,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM6F,mBAA+BX,aAAaL,IAAAA,IAC9CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMgB,eAAe,MAAM,KAAKlG,OAAO8B,QAAQqE,6BAA6B;MAC1E5C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASqG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK5F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO8F,aAAaE;EACtB;EAEA,MAAMC,aAAazF,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO2F,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAInE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOsF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAInF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBsG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOpG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcqG;MACvB,KAAK;AACH,eAAOrG,cAAcsG;MACvB,KAAK;AACH,eAAOtG,cAAcuG;MACvB,KAAK;AACH,eAAOvG,cAAcwG;MACvB,KAAK;AACH,eAAOxG,cAAcyG;MACvB,KAAK;AACH,eAAOzG,cAAc0G;MACvB,KAAK;AACH,eAAO1G,cAAc2G;MACvB;AACE,cAAM,IAAI5F,MAAM,iBAAiBqF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBrG,mBAAmB,wBAAC6G,eAAAA;AAC1B,WAAOA,WAAWjE,IAAI,CAACyD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC1H,SAAAA;AACzB,UAAM2H,OAAO3H,KAAKE,MAAMyH;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB5H,KAAK6H,cAAcC,SAAS,KAAA,IAAS9H,KAAK6H,gBAAgBE,SAAS/H,KAAK6H,eAAe,SAAA;AACrI,UAAMjF,eAAeoF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASvF,cAAc,QAAA;AAC5C,UAAMT,eAAeiG,SAASF,YAAAA;AAE9B,UAAMhI,OAAO,CAAC;AACd,QAAIyH,MAAM;AACRzH,WAAKyH,OAAO;QACVU,IAAIV,KAAKU,MAAMrI,KAAK2B,OAAOQ;MAC7B;AACA,UAAImG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBvI,aAAKyH,KAAKY,sBAAsBD;AAChC,cAAMvE,MAAM2E,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B/F,uBAAamB,MAAMA;QACrB;AACA7D,aAAKyH,KAAK5D,MAAMA;MAClB;AACA,UAAI4D,KAAKgB,qBAAqB;AAE5B/F,qBAAagG,MAAMjB,KAAKgB;AACxBzI,aAAKyH,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMhH,MAAM3B,KAAK2B,OAAOzB,MAAMyH,MAAMU,MAAMlG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,KAAKmF,wBAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,KAAKyI,oBAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAWpI,KAAKyH,KAAK5D;MACvB;IACF;EACF,GArD0B;EAuDlBkF,wBAAwB,wBAACjJ,SAAAA;AAC/B,UAAM,EAAE6H,cAAa,IAAK7H;AAC1B,UAAMkJ,eAAenK,WAAW8I,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMhI,UAAU8H,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM/G,eAAeb,QAAQkI,UAAU,MAAM,KAAA;AAC7C,UAAM5G,eAAe6G,MAAMtH,cAAc,WAAA;AACzC,UAAM8F,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM/H,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,KAAKmF,wBAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,KAAKyI,oBAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC3J,SAAAA;AAC5B,UAAM,EAAE6H,cAAa,IAAK7H;AAC1B,UAAMiI,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMvH,eAAeyH,8BAA8B/B,aAAAA;AACnD,UAAMjF,eAAe6G,MAAMtH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGgH;YACHtG;YACA+B,KAAKmF,wBAAwBZ,cAAcvE,KAAK,KAAA;YAChDrD,KAAKyI,oBAAoBb,cAAc5H,KAAK,KAAA;YAC5C0I,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBxG,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKyH,gBAAgB1H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKiJ,sBAAsBjJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK2J,mBAAmB3J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","shaHasher","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeSigned: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are computed over the raw message (PureEdDSA)\n // The algorithm internally handles hashing with SHA-512\n dataToBeSigned = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before signing\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeSigned = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeVerified: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are verified over the raw message (PureEdDSA)\n dataToBeVerified = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before verifying\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeVerified = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,wBACAC,cACAC,uBACAC,WACAC,+BACAC,mCACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,UAAUC,8BAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAMe,kCAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,eAAeC,uBAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,MAAMuB,sBAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,eAAeC,uBAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,MAAMuB,sBAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMnC,MAAMmC,QAAQvC;AACpB,UAAIiB,eAAe;AAGnB,UAAIb,IAAIoC,QAAQ,MAAM;AACpBvB,uBAAeb,IAAIqC,KAAK;MAC1B,WAAWrC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIqC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLjC,KAAK6B,QAAQ7B,OAAO6B,QAAQxC;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM8D;QACN1B;QACAnC,MAAM;UACJG,YAAYsD,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBuB;UACxEL;UACAS,eAAeC,uBAAuB;YACpCV;YACAW,iBAAiBwB,QAAQvC,IAAIP,MAAMuB,sBAAsBuB,QAAQvC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOwC,QAAQxC;UACf7B,YAAYqE,QAAQrE;UACpB2E,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIhC,MAAM,qBAAqBgC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKrE,MAAiC;AAC1C,UAAM,EAAEsE,QAAQC,MAAMC,YAAY,UAAS,IAAKxE;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,SAASvD,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAM+D,UAAUD,WAAW,WAAWA,WAAW,aAAavD,IAAIyB,QAAQzB,IAAIyD,QAAQ;AAEtF,QAAIC;AACJ,QAAIF,SAAS;AAGXE,uBAAiBP;IACnB,OAAO;AAGLO,uBAAiBC,aAAaR,IAAAA,IAC1BA,OACAS,UAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMa,gBAAgB,MAAM,KAAKjG,OAAOiC,QAAQiE,4BAA4B;MAC1EzC,SAASzB,IAAIyB;MACb0C,OAAOvG,SAAS8F,gBAAgB,QAAA;MAChC,GAAI,KAAKvF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO6F,cAAcG;EACvB;EAEA,MAAMC,OAAOzF,MAAoC;AAC/C,UAAM,EAAEsE,QAAQC,MAAMiB,WAAWhB,YAAY,UAAS,IAAKxE;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,SAASvD,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAM+D,UAAUD,WAAW,WAAWA,WAAW,aAAavD,IAAIyB,QAAQzB,IAAIyD,QAAQ;AAEtF,QAAIa;AACJ,QAAId,SAAS;AAEXc,yBAAmBnB;IACrB,OAAO;AAGLmB,yBAAmBX,aAAaR,IAAAA,IAC5BA,OACAS,UAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMmB,eAAe,MAAM,KAAKvG,OAAOiC,QAAQuE,6BAA6B;MAC1E/C,SAASzB,IAAIyB;MACb0C,OAAOvG,SAAS0G,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAKjG,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOmG,aAAaE;EACtB;EAEA,MAAMC,aAAa9F,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACsF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOpF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOqF;MAChB;AACE,cAAM,IAAIjE,MAAM,aAAagE,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdxF,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAKoF,uBAAuBC;AAC1B,eAAOC,mBAAmBC;MAC5B,KAAKH,uBAAuBI;AAC1B,eAAOF,mBAAmBG;MAC5B,KAAKL,uBAAuBM;AAC1B,eAAOJ,mBAAmBK;MAC5B,KAAKP,uBAAuBQ;AAC1B,eAAON,mBAAmBO;MAC5B,KAAKT,uBAAuBU;AAC1B,eAAOR,mBAAmBS;MAC5B,KAAKX,uBAAuBY;AAC1B,eAAOV,mBAAmBW;MAC5B,KAAKb,uBAAuBc;AAC1B,eAAOZ,mBAAmBa;MAC5B,KAAKf,uBAAuBgB;AAC1B,eAAOd,mBAAmBe;MAC5B,KAAKjB,uBAAuBkB;AAC1B,eAAOhB,mBAAmBiB;MAC5B,KAAKnB,uBAAuBoB;AAC1B,eAAOlB,mBAAmBmB;MAC5B,KAAKrB,uBAAuBsB;AAC1B,eAAOpB,mBAAmBqB;MAC5B;AACE,cAAM,IAAIzF,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlC4G,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO1G,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAc2G;MACvB,KAAK;AACH,eAAO3G,cAAc4G;MACvB,KAAK;AACH,eAAO5G,cAAc6G;MACvB,KAAK;AACH,eAAO7G,cAAc8G;MACvB,KAAK;AACH,eAAO9G,cAAc+G;MACvB,KAAK;AACH,eAAO/G,cAAcgH;MACvB,KAAK;AACH,eAAOhH,cAAciH;MACvB;AACE,cAAM,IAAIlG,MAAM,iBAAiB2F,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB3G,mBAAmB,wBAACmH,eAAAA;AAC1B,WAAOA,WAAWxE,IAAI,CAACgE,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACnI,SAAAA;AACzB,UAAMoI,OAAOpI,KAAKE,MAAMkI;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBrI,KAAKsI,cAAcC,SAAS,KAAA,IAASvI,KAAKsI,gBAAgBE,SAASxI,KAAKsI,eAAe,SAAA;AACrI,UAAMxF,eAAe2F,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAAS9F,cAAc,QAAA;AAC5C,UAAMT,eAAewG,SAASF,YAAAA;AAE9B,UAAMzI,OAAO,CAAC;AACd,QAAIkI,MAAM;AACRlI,WAAKkI,OAAO;QACVU,IAAIV,KAAKU,MAAM9I,KAAK8B,OAAOO;MAC7B;AACA,UAAI0G,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBhJ,aAAKkI,KAAKY,sBAAsBD;AAChC,cAAM9E,MAAMkF,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BtG,uBAAamB,MAAMA;QACrB;AACA/D,aAAKkI,KAAKnE,MAAMA;MAClB;AACA,UAAImE,KAAKgB,qBAAqB;AAE5BtG,qBAAauG,MAAMjB,KAAKgB;AACxBlJ,aAAKkI,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMtH,MAAM9B,KAAK8B,OAAO5B,MAAMkI,MAAMU,MAAMzG;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,KAAK0F,wBAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,KAAK+I,oBAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,KAAK2E,mBAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;QACAkE,WAAW7I,KAAKkI,KAAKnE;MACvB;IACF;EACF,GArD0B;EAuDlBwF,wBAAwB,wBAACzJ,SAAAA;AAC/B,UAAM,EAAEsI,cAAa,IAAKtI;AAC1B,UAAM0J,eAAe3K,WAAWuJ,cAAcqB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMrI,UAAUmI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMrH,eAAeZ,QAAQuI,UAAU,MAAM,KAAA;AAC7C,UAAMlH,eAAemH,MAAM5H,cAAc,WAAA;AACzC,UAAMqG,gBAAgBuB,MAAM3B,eAAe,aAAa;MAAE4B,cAAc;IAAK,CAAA;AAC7E,UAAMpI,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,KAAK0F,wBAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,KAAK+I,oBAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,KAAK2E,mBAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBsF,qBAAqB,wBAACnK,SAAAA;AAC5B,UAAM,EAAEsI,cAAa,IAAKtI;AAC1B,UAAM0I,gBAAgBuB,MAAM3B,eAAe,UAAU;MAAE4B,cAAc;IAAK,CAAA;AAC1E,UAAM7H,eAAe+H,8BAA8B9B,aAAAA;AACnD,UAAMxF,eAAemH,MAAM5H,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,KAAK0F,wBAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,KAAK+I,oBAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,KAAK2E,mBAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpC,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKkI,gBAAgBnI,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKyJ,sBAAsBzJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKmK,mBAAmBnK,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","shaHasher","signatureAlgorithmFromKeyType","signatureAlgorithmToJoseAlgorithm","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","keyAlg","isEdDSA","crv","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@sphereon/ssi-sdk.kms-rest",
3
3
  "description": "Sphereon SSI-SDK plugin for REST Key Management System.",
4
- "version": "0.36.1-feature.SSISDK.70.integrate.digidentity.10+45caa2eb",
4
+ "version": "0.36.1-feature.SSISDK.70.integrate.digidentity.56+a91ccbf4",
5
5
  "source": "./src/index.ts",
6
6
  "type": "module",
7
7
  "main": "./dist/index.cjs",
@@ -22,10 +22,10 @@
22
22
  "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
23
23
  },
24
24
  "dependencies": {
25
- "@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feature.SSISDK.70.integrate.digidentity.10+45caa2eb",
26
- "@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feature.SSISDK.70.integrate.digidentity.10+45caa2eb",
27
- "@sphereon/ssi-sdk.kms-rest-client": "0.36.1-feature.SSISDK.70.integrate.digidentity.10+45caa2eb",
28
- "@sphereon/ssi-types": "0.36.1-feature.SSISDK.70.integrate.digidentity.10+45caa2eb",
25
+ "@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feature.SSISDK.70.integrate.digidentity.56+a91ccbf4",
26
+ "@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feature.SSISDK.70.integrate.digidentity.56+a91ccbf4",
27
+ "@sphereon/ssi-sdk.kms-rest-client": "0.36.1-feature.SSISDK.70.integrate.digidentity.56+a91ccbf4",
28
+ "@sphereon/ssi-types": "0.36.1-feature.SSISDK.70.integrate.digidentity.56+a91ccbf4",
29
29
  "@veramo/core": "4.2.0",
30
30
  "@veramo/key-manager": "4.2.0",
31
31
  "elliptic": "^6.5.4",
@@ -54,5 +54,5 @@
54
54
  "key-management",
55
55
  "Veramo"
56
56
  ],
57
- "gitHead": "45caa2eb0bde996f012fc2570051828588a7f71f"
57
+ "gitHead": "a91ccbf4bacb6f2b99dd713942be0a1521128e13"
58
58
  }
package/src/RestKeyManagementSystem.ts CHANGED
@@ -3,6 +3,8 @@ import {
3
3
  isHashString,
4
4
  joseAlgorithmToDigest,
5
5
  shaHasher,
6
+ signatureAlgorithmFromKeyType,
7
+ signatureAlgorithmToJoseAlgorithm,
6
8
  toJwk,
7
9
  x25519PublicHexFromPrivateHex,
8
10
  type X509Opts,
@@ -43,9 +45,9 @@ interface KeyManagementSystemOptions {
43
45
  export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
44
46
  private client: KmsRestClient
45
47
  private readonly id: string
46
- private providerId: string | undefined
47
- private tenantId: string | undefined
48
- private userId: string | undefined
48
+ private readonly providerId: string | undefined
49
+ private readonly tenantId: string | undefined
50
+ private readonly userId: string | undefined
49
51
 
50
52
  constructor(options: KeyManagementSystemOptions) {
51
53
  super()
@@ -65,7 +67,11 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
65
67
  async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {
66
68
  const { type, meta } = args
67
69
 
68
- const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
70
+ const joseAlg = signatureAlgorithmFromKeyType({
71
+ type,
72
+ algorithms: meta?.algorithms as string[] | undefined,
73
+ })
74
+ const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)
69
75
  const options = {
70
76
  use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
71
77
  alg: signatureAlgorithm,
@@ -84,7 +90,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
84
90
 
85
91
  const jwk = {
86
92
  ...key.keyPair.jose.publicJwk,
87
- alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,
93
+ alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,
88
94
  } satisfies JWK
89
95
 
90
96
  const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid
@@ -243,10 +249,23 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
243
249
  ...(this.userId && { userId: this.userId }),
244
250
  })
245
251
 
246
- // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash
247
- const dataToBeSigned: Uint8Array = isHashString(data)
248
- ? data
249
- : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
252
+ // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash
253
+ const keyAlg = key.keyInfo.key.alg
254
+ const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'
255
+
256
+ let dataToBeSigned: Uint8Array
257
+ if (isEdDSA) {
258
+ // EdDSA signatures are computed over the raw message (PureEdDSA)
259
+ // The algorithm internally handles hashing with SHA-512
260
+ dataToBeSigned = data
261
+ } else {
262
+ // For other algorithms (RSA, ECDSA), hash the data before signing
263
+ // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)
264
+ dataToBeSigned = isHashString(data)
265
+ ? data
266
+ : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
267
+ }
268
+
250
269
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
251
270
  keyInfo: key.keyInfo,
252
271
  input: toString(dataToBeSigned, 'base64'),
@@ -272,10 +291,22 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
272
291
  ...(this.userId && { userId: this.userId }),
273
292
  })
274
293
 
275
- // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash
276
- const dataToBeVerified: Uint8Array = isHashString(data)
277
- ? data
278
- : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
294
+ // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash
295
+ const keyAlg = key.keyInfo.key.alg
296
+ const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'
297
+
298
+ let dataToBeVerified: Uint8Array
299
+ if (isEdDSA) {
300
+ // EdDSA signatures are verified over the raw message (PureEdDSA)
301
+ dataToBeVerified = data
302
+ } else {
303
+ // For other algorithms (RSA, ECDSA), hash the data before verifying
304
+ // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)
305
+ dataToBeVerified = isHashString(data)
306
+ ? data
307
+ : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
308
+ }
309
+
279
310
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
280
311
  keyInfo: key.keyInfo,
281
312
  input: toString(dataToBeVerified, 'base64'),
@@ -302,53 +333,32 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
302
333
  }
303
334
  }
304
335
 
305
- private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {
306
- switch (type) {
307
- case 'Secp256r1':
308
- return SignatureAlgorithm.EcdsaSha256
309
- case 'RSA':
310
- return SignatureAlgorithm.RsaSsaPssSha256Mgf1
311
- case 'X25519':
312
- return SignatureAlgorithm.EckaDhSha256
313
- default:
314
- throw new Error(`Key type ${type} is not supported by REST KMS`)
315
- }
316
- }
317
-
318
- private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {
336
+ private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {
319
337
  switch (alg) {
320
- case 'RS256':
321
- return JoseSignatureAlgorithm.RS256
322
- case 'RS384':
323
- return JoseSignatureAlgorithm.RS384
324
- case 'RS512':
325
- return JoseSignatureAlgorithm.RS512
326
- case 'ES256':
327
- return JoseSignatureAlgorithm.ES256
328
- case 'ES256K':
329
- return JoseSignatureAlgorithm.ES256K
330
- case 'ES384':
331
- return JoseSignatureAlgorithm.ES384
332
- case 'ES512':
333
- return JoseSignatureAlgorithm.ES512
334
- case 'EdDSA':
335
- return JoseSignatureAlgorithm.EdDSA
336
- case 'HS256':
337
- return JoseSignatureAlgorithm.HS256
338
- case 'HS384':
339
- return JoseSignatureAlgorithm.HS384
340
- case 'HS512':
341
- return JoseSignatureAlgorithm.HS512
342
- case 'PS256':
343
- return JoseSignatureAlgorithm.PS256
344
- case 'PS384':
345
- return JoseSignatureAlgorithm.PS384
346
- case 'PS512':
347
- return JoseSignatureAlgorithm.PS512
348
- case 'none':
349
- return JoseSignatureAlgorithm.none
338
+ case JoseSignatureAlgorithm.RS256:
339
+ return SignatureAlgorithm.RsaSha256
340
+ case JoseSignatureAlgorithm.RS384:
341
+ return SignatureAlgorithm.RsaSha384
342
+ case JoseSignatureAlgorithm.RS512:
343
+ return SignatureAlgorithm.RsaSha512
344
+ case JoseSignatureAlgorithm.PS256:
345
+ return SignatureAlgorithm.RsaSsaPssSha256Mgf1
346
+ case JoseSignatureAlgorithm.PS384:
347
+ return SignatureAlgorithm.RsaSsaPssSha384Mgf1
348
+ case JoseSignatureAlgorithm.PS512:
349
+ return SignatureAlgorithm.RsaSsaPssSha512Mgf1
350
+ case JoseSignatureAlgorithm.ES256:
351
+ return SignatureAlgorithm.EcdsaSha256
352
+ case JoseSignatureAlgorithm.ES384:
353
+ return SignatureAlgorithm.EcdsaSha384
354
+ case JoseSignatureAlgorithm.ES512:
355
+ return SignatureAlgorithm.EcdsaSha512
356
+ case JoseSignatureAlgorithm.ES256K:
357
+ return SignatureAlgorithm.Es256K
358
+ case JoseSignatureAlgorithm.EdDSA:
359
+ return SignatureAlgorithm.Ed25519
350
360
  default:
351
- throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)
361
+ throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)
352
362
  }
353
363
  }
354
364