@sphereon/ssi-sdk.kms-rest 0.36.1-feature.SSISDK.70.integrate.digidentity.55 → 0.36.1-feature.SSISDK.70.integrate.digidentity.57
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +16 -2
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +16 -2
- package/dist/index.js.map +1 -1
- package/package.json +6 -6
- package/src/RestKeyManagementSystem.ts +33 -8
package/dist/index.cjs
CHANGED
|
@@ -266,7 +266,14 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
266
266
|
userId: this.userId
|
|
267
267
|
}
|
|
268
268
|
});
|
|
269
|
-
const
|
|
269
|
+
const keyAlg = key.keyInfo.key.alg;
|
|
270
|
+
const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
|
|
271
|
+
let dataToBeSigned;
|
|
272
|
+
if (isEdDSA) {
|
|
273
|
+
dataToBeSigned = data;
|
|
274
|
+
} else {
|
|
275
|
+
dataToBeSigned = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
|
|
276
|
+
}
|
|
270
277
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
271
278
|
keyInfo: key.keyInfo,
|
|
272
279
|
input: toString(dataToBeSigned, "base64"),
|
|
@@ -299,7 +306,14 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
299
306
|
userId: this.userId
|
|
300
307
|
}
|
|
301
308
|
});
|
|
302
|
-
const
|
|
309
|
+
const keyAlg = key.keyInfo.key.alg;
|
|
310
|
+
const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
|
|
311
|
+
let dataToBeVerified;
|
|
312
|
+
if (isEdDSA) {
|
|
313
|
+
dataToBeVerified = data;
|
|
314
|
+
} else {
|
|
315
|
+
dataToBeVerified = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
|
|
316
|
+
}
|
|
303
317
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
|
304
318
|
keyInfo: key.keyInfo,
|
|
305
319
|
input: toString(dataToBeVerified, "base64"),
|
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAUO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,cAAUC,kDAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,UAAMe,sDAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,UAAMuB,0CAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,UAAMuB,0CAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMnC,MAAMmC,QAAQvC;AACpB,UAAIiB,eAAe;AAGnB,UAAIb,IAAIoC,QAAQ,MAAM;AACpBvB,uBAAeb,IAAIqC,KAAK;MAC1B,WAAWrC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIqC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLjC,KAAK6B,QAAQ7B,OAAO6B,QAAQxC;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM8D;QACN1B;QACAnC,MAAM;UACJG,YAAYsD,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBuB;UACxEL;UACAS,mBAAeC,2CAAuB;YACpCV;YACAW,iBAAiBwB,QAAQvC,IAAIP,UAAMuB,0CAAsBuB,QAAQvC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOwC,QAAQxC;UACf7B,YAAYqE,QAAQrE;UACpB2E,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIhC,MAAM,qBAAqBgC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKrE,MAAiC;AAC1C,UAAM,EAAEsE,QAAQC,MAAMC,YAAY,UAAS,IAAKxE;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,qBAA6BC,iCAAaL,IAAAA,IAC5CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK9F,OAAOiC,QAAQ8D,4BAA4B;MAC1EtC,SAASzB,IAAIyB;MACbuC,OAAOpG,SAAS2F,gBAAgB,QAAA;MAChC,GAAI,KAAKpF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO0F,cAAcG;EACvB;EAEA,MAAMC,OAAOtF,MAAoC;AAC/C,UAAM,EAAEsE,QAAQC,MAAMc,WAAWb,YAAY,UAAS,IAAKxE;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM+F,uBAA+BX,iCAAaL,IAAAA,IAC9CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMgB,eAAe,MAAM,KAAKpG,OAAOiC,QAAQoE,6BAA6B;MAC1E5C,SAASzB,IAAIyB;MACbuC,OAAOpG,SAASuG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK9F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOgG,aAAaE;EACtB;EAEA,MAAMC,aAAa3F,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACmF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOjF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOkF;MAChB;AACE,cAAM,IAAI9D,MAAM,aAAa6D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdrF,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAKiF,wCAAuBC;AAC1B,eAAOC,kCAAmBC;MAC5B,KAAKH,wCAAuBI;AAC1B,eAAOF,kCAAmBG;MAC5B,KAAKL,wCAAuBM;AAC1B,eAAOJ,kCAAmBK;MAC5B,KAAKP,wCAAuBQ;AAC1B,eAAON,kCAAmBO;MAC5B,KAAKT,wCAAuBU;AAC1B,eAAOR,kCAAmBS;MAC5B,KAAKX,wCAAuBY;AAC1B,eAAOV,kCAAmBW;MAC5B,KAAKb,wCAAuBc;AAC1B,eAAOZ,kCAAmBa;MAC5B,KAAKf,wCAAuBgB;AAC1B,eAAOd,kCAAmBe;MAC5B,KAAKjB,wCAAuBkB;AAC1B,eAAOhB,kCAAmBiB;MAC5B,KAAKnB,wCAAuBoB;AAC1B,eAAOlB,kCAAmBmB;MAC5B,KAAKrB,wCAAuBsB;AAC1B,eAAOpB,kCAAmBqB;MAC5B;AACE,cAAM,IAAItF,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlCyG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOvG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcwG;MACvB,KAAK;AACH,eAAOxG,6BAAcyG;MACvB,KAAK;AACH,eAAOzG,6BAAc0G;MACvB,KAAK;AACH,eAAO1G,6BAAc2G;MACvB,KAAK;AACH,eAAO3G,6BAAc4G;MACvB,KAAK;AACH,eAAO5G,6BAAc6G;MACvB,KAAK;AACH,eAAO7G,6BAAc8G;MACvB;AACE,cAAM,IAAI/F,MAAM,iBAAiBwF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBxG,mBAAmB,wBAACgH,eAAAA;AAC1B,WAAOA,WAAWrE,IAAI,CAAC6D,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAChI,SAAAA;AACzB,UAAMiI,OAAOjI,KAAKE,MAAM+H;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBlI,KAAKmI,cAAcC,SAAS,KAAA,IAASpI,KAAKmI,oBAAgBE,8BAASrI,KAAKmI,eAAe,SAAA;AACrI,UAAMrF,mBAAewF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAAS3F,cAAc,QAAA;AAC5C,UAAMT,mBAAeqG,8BAASF,YAAAA;AAE9B,UAAMtI,OAAO,CAAC;AACd,QAAI+H,MAAM;AACR/H,WAAK+H,OAAO;QACVU,IAAIV,KAAKU,MAAM3I,KAAK8B,OAAOO;MAC7B;AACA,UAAIuG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxB7I,aAAK+H,KAAKY,sBAAsBD;AAChC,cAAM3E,UAAM+E,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BnG,uBAAamB,MAAMA;QACrB;AACA/D,aAAK+H,KAAKhE,MAAMA;MAClB;AACA,UAAIgE,KAAKgB,qBAAqB;AAE5BnG,qBAAaoG,MAAMjB,KAAKgB;AACxB/I,aAAK+H,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMnH,MAAM9B,KAAK8B,OAAO5B,MAAM+H,MAAMU,MAAMtG;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGmH;YACHzG;YACA8B,SAAKuF,wCAAwBZ,cAAc3E,KAAK,KAAA;YAChDpD,SAAK4I,oCAAoBb,cAAc/H,KAAK,KAAA;YAC5C6I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAW1I,KAAK+H,KAAKhE;MACvB;IACF;EACF,GArD0B;EAuDlBsF,wBAAwB,wBAACvJ,SAAAA;AAC/B,UAAM,EAAEmI,cAAa,IAAKnI;AAC1B,UAAMwJ,eAAezK,WAAWoJ,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMnI,UAAUiI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMnH,eAAeZ,QAAQqI,UAAU,MAAM,KAAA;AAC7C,UAAMhH,mBAAeiH,0BAAM1H,cAAc,WAAA;AACzC,UAAMkG,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAMlI,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGmH;YACHzG;YACA8B,SAAKuF,wCAAwBZ,cAAc3E,KAAK,KAAA;YAChDpD,SAAK4I,oCAAoBb,cAAc/H,KAAK,KAAA;YAC5C6I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACjK,SAAAA;AAC5B,UAAM,EAAEmI,cAAa,IAAKnI;AAC1B,UAAMuI,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAM3H,mBAAe6H,kDAA8B/B,aAAAA;AACnD,UAAMrF,mBAAeiH,0BAAM1H,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGmH;YACHzG;YACA8B,SAAKuF,wCAAwBZ,cAAc3E,KAAK,KAAA;YAChDpD,SAAK4I,oCAAoBb,cAAc/H,KAAK,KAAA;YAC5C6I,SAAKC,mCAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB5G,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK+H,gBAAgBhI,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKuJ,sBAAsBvJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKiK,mBAAmBjK,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeSigned: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are computed over the raw message (PureEdDSA)\n // The algorithm internally handles hashing with SHA-512\n dataToBeSigned = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before signing\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeSigned = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeVerified: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are verified over the raw message (PureEdDSA)\n dataToBeVerified = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before verifying\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeVerified = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAUO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,cAAUC,kDAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,UAAMe,sDAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,UAAMuB,0CAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,UAAMuB,0CAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMnC,MAAMmC,QAAQvC;AACpB,UAAIiB,eAAe;AAGnB,UAAIb,IAAIoC,QAAQ,MAAM;AACpBvB,uBAAeb,IAAIqC,KAAK;MAC1B,WAAWrC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIqC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLjC,KAAK6B,QAAQ7B,OAAO6B,QAAQxC;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM8D;QACN1B;QACAnC,MAAM;UACJG,YAAYsD,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBuB;UACxEL;UACAS,mBAAeC,2CAAuB;YACpCV;YACAW,iBAAiBwB,QAAQvC,IAAIP,UAAMuB,0CAAsBuB,QAAQvC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOwC,QAAQxC;UACf7B,YAAYqE,QAAQrE;UACpB2E,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIhC,MAAM,qBAAqBgC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKrE,MAAiC;AAC1C,UAAM,EAAEsE,QAAQC,MAAMC,YAAY,UAAS,IAAKxE;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,SAASvD,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAM+D,UAAUD,WAAW,WAAWA,WAAW,aAAavD,IAAIyB,QAAQzB,IAAIyD,QAAQ;AAEtF,QAAIC;AACJ,QAAIF,SAAS;AAGXE,uBAAiBP;IACnB,OAAO;AAGLO,2BAAiBC,iCAAaR,IAAAA,IAC1BA,WACAS,8BAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMa,gBAAgB,MAAM,KAAKjG,OAAOiC,QAAQiE,4BAA4B;MAC1EzC,SAASzB,IAAIyB;MACb0C,OAAOvG,SAAS8F,gBAAgB,QAAA;MAChC,GAAI,KAAKvF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO6F,cAAcG;EACvB;EAEA,MAAMC,OAAOzF,MAAoC;AAC/C,UAAM,EAAEsE,QAAQC,MAAMiB,WAAWhB,YAAY,UAAS,IAAKxE;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,SAASvD,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAM+D,UAAUD,WAAW,WAAWA,WAAW,aAAavD,IAAIyB,QAAQzB,IAAIyD,QAAQ;AAEtF,QAAIa;AACJ,QAAId,SAAS;AAEXc,yBAAmBnB;IACrB,OAAO;AAGLmB,6BAAmBX,iCAAaR,IAAAA,IAC5BA,WACAS,8BAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMmB,eAAe,MAAM,KAAKvG,OAAOiC,QAAQuE,6BAA6B;MAC1E/C,SAASzB,IAAIyB;MACb0C,OAAOvG,SAAS0G,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAKjG,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOmG,aAAaE;EACtB;EAEA,MAAMC,aAAa9F,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACsF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOpF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOqF;MAChB;AACE,cAAM,IAAIjE,MAAM,aAAagE,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdxF,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAKoF,wCAAuBC;AAC1B,eAAOC,kCAAmBC;MAC5B,KAAKH,wCAAuBI;AAC1B,eAAOF,kCAAmBG;MAC5B,KAAKL,wCAAuBM;AAC1B,eAAOJ,kCAAmBK;MAC5B,KAAKP,wCAAuBQ;AAC1B,eAAON,kCAAmBO;MAC5B,KAAKT,wCAAuBU;AAC1B,eAAOR,kCAAmBS;MAC5B,KAAKX,wCAAuBY;AAC1B,eAAOV,kCAAmBW;MAC5B,KAAKb,wCAAuBc;AAC1B,eAAOZ,kCAAmBa;MAC5B,KAAKf,wCAAuBgB;AAC1B,eAAOd,kCAAmBe;MAC5B,KAAKjB,wCAAuBkB;AAC1B,eAAOhB,kCAAmBiB;MAC5B,KAAKnB,wCAAuBoB;AAC1B,eAAOlB,kCAAmBmB;MAC5B,KAAKrB,wCAAuBsB;AAC1B,eAAOpB,kCAAmBqB;MAC5B;AACE,cAAM,IAAIzF,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlC4G,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO1G,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAc2G;MACvB,KAAK;AACH,eAAO3G,6BAAc4G;MACvB,KAAK;AACH,eAAO5G,6BAAc6G;MACvB,KAAK;AACH,eAAO7G,6BAAc8G;MACvB,KAAK;AACH,eAAO9G,6BAAc+G;MACvB,KAAK;AACH,eAAO/G,6BAAcgH;MACvB,KAAK;AACH,eAAOhH,6BAAciH;MACvB;AACE,cAAM,IAAIlG,MAAM,iBAAiB2F,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB3G,mBAAmB,wBAACmH,eAAAA;AAC1B,WAAOA,WAAWxE,IAAI,CAACgE,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACnI,SAAAA;AACzB,UAAMoI,OAAOpI,KAAKE,MAAMkI;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBrI,KAAKsI,cAAcC,SAAS,KAAA,IAASvI,KAAKsI,oBAAgBE,8BAASxI,KAAKsI,eAAe,SAAA;AACrI,UAAMxF,mBAAe2F,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAAS9F,cAAc,QAAA;AAC5C,UAAMT,mBAAewG,8BAASF,YAAAA;AAE9B,UAAMzI,OAAO,CAAC;AACd,QAAIkI,MAAM;AACRlI,WAAKkI,OAAO;QACVU,IAAIV,KAAKU,MAAM9I,KAAK8B,OAAOO;MAC7B;AACA,UAAI0G,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBhJ,aAAKkI,KAAKY,sBAAsBD;AAChC,cAAM9E,UAAMkF,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BtG,uBAAamB,MAAMA;QACrB;AACA/D,aAAKkI,KAAKnE,MAAMA;MAClB;AACA,UAAImE,KAAKgB,qBAAqB;AAE5BtG,qBAAauG,MAAMjB,KAAKgB;AACxBlJ,aAAKkI,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMtH,MAAM9B,KAAK8B,OAAO5B,MAAMkI,MAAMU,MAAMzG;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,SAAK0F,wCAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,SAAK+I,oCAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,SAAK2E,mCAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;QACAkE,WAAW7I,KAAKkI,KAAKnE;MACvB;IACF;EACF,GArD0B;EAuDlBwF,wBAAwB,wBAACzJ,SAAAA;AAC/B,UAAM,EAAEsI,cAAa,IAAKtI;AAC1B,UAAM0J,eAAe3K,WAAWuJ,cAAcqB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMrI,UAAUmI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMrH,eAAeZ,QAAQuI,UAAU,MAAM,KAAA;AAC7C,UAAMlH,mBAAemH,0BAAM5H,cAAc,WAAA;AACzC,UAAMqG,oBAAgBuB,0BAAM3B,eAAe,aAAa;MAAE4B,cAAc;IAAK,CAAA;AAC7E,UAAMpI,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,SAAK0F,wCAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,SAAK+I,oCAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,SAAK2E,mCAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBsF,qBAAqB,wBAACnK,SAAAA;AAC5B,UAAM,EAAEsI,cAAa,IAAKtI;AAC1B,UAAM0I,oBAAgBuB,0BAAM3B,eAAe,UAAU;MAAE4B,cAAc;IAAK,CAAA;AAC1E,UAAM7H,mBAAe+H,kDAA8B9B,aAAAA;AACnD,UAAMxF,mBAAemH,0BAAM5H,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,SAAK0F,wCAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,SAAK+I,oCAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,SAAK2E,mCAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpC,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKkI,gBAAgBnI,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKyJ,sBAAsBzJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKmK,mBAAmBnK,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","keyAlg","isEdDSA","crv","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
package/dist/index.js
CHANGED
|
@@ -232,7 +232,14 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
232
232
|
userId: this.userId
|
|
233
233
|
}
|
|
234
234
|
});
|
|
235
|
-
const
|
|
235
|
+
const keyAlg = key.keyInfo.key.alg;
|
|
236
|
+
const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
|
|
237
|
+
let dataToBeSigned;
|
|
238
|
+
if (isEdDSA) {
|
|
239
|
+
dataToBeSigned = data;
|
|
240
|
+
} else {
|
|
241
|
+
dataToBeSigned = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
|
|
242
|
+
}
|
|
236
243
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
237
244
|
keyInfo: key.keyInfo,
|
|
238
245
|
input: toString(dataToBeSigned, "base64"),
|
|
@@ -265,7 +272,14 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
265
272
|
userId: this.userId
|
|
266
273
|
}
|
|
267
274
|
});
|
|
268
|
-
const
|
|
275
|
+
const keyAlg = key.keyInfo.key.alg;
|
|
276
|
+
const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
|
|
277
|
+
let dataToBeVerified;
|
|
278
|
+
if (isEdDSA) {
|
|
279
|
+
dataToBeVerified = data;
|
|
280
|
+
} else {
|
|
281
|
+
dataToBeVerified = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
|
|
282
|
+
}
|
|
269
283
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
|
270
284
|
keyInfo: key.keyInfo,
|
|
271
285
|
input: toString(dataToBeVerified, "base64"),
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,wBACAC,cACAC,uBACAC,WACAC,+BACAC,mCACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,UAAUC,8BAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAMe,kCAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,eAAeC,uBAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,MAAMuB,sBAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,eAAeC,uBAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,MAAMuB,sBAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMnC,MAAMmC,QAAQvC;AACpB,UAAIiB,eAAe;AAGnB,UAAIb,IAAIoC,QAAQ,MAAM;AACpBvB,uBAAeb,IAAIqC,KAAK;MAC1B,WAAWrC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIqC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLjC,KAAK6B,QAAQ7B,OAAO6B,QAAQxC;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM8D;QACN1B;QACAnC,MAAM;UACJG,YAAYsD,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBuB;UACxEL;UACAS,eAAeC,uBAAuB;YACpCV;YACAW,iBAAiBwB,QAAQvC,IAAIP,MAAMuB,sBAAsBuB,QAAQvC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOwC,QAAQxC;UACf7B,YAAYqE,QAAQrE;UACpB2E,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIhC,MAAM,qBAAqBgC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKrE,MAAiC;AAC1C,UAAM,EAAEsE,QAAQC,MAAMC,YAAY,UAAS,IAAKxE;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,iBAA6BC,aAAaL,IAAAA,IAC5CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK9F,OAAOiC,QAAQ8D,4BAA4B;MAC1EtC,SAASzB,IAAIyB;MACbuC,OAAOpG,SAAS2F,gBAAgB,QAAA;MAChC,GAAI,KAAKpF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO0F,cAAcG;EACvB;EAEA,MAAMC,OAAOtF,MAAoC;AAC/C,UAAM,EAAEsE,QAAQC,MAAMc,WAAWb,YAAY,UAAS,IAAKxE;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM+F,mBAA+BX,aAAaL,IAAAA,IAC9CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMgB,eAAe,MAAM,KAAKpG,OAAOiC,QAAQoE,6BAA6B;MAC1E5C,SAASzB,IAAIyB;MACbuC,OAAOpG,SAASuG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK9F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOgG,aAAaE;EACtB;EAEA,MAAMC,aAAa3F,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACmF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOjF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOkF;MAChB;AACE,cAAM,IAAI9D,MAAM,aAAa6D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdrF,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAKiF,uBAAuBC;AAC1B,eAAOC,mBAAmBC;MAC5B,KAAKH,uBAAuBI;AAC1B,eAAOF,mBAAmBG;MAC5B,KAAKL,uBAAuBM;AAC1B,eAAOJ,mBAAmBK;MAC5B,KAAKP,uBAAuBQ;AAC1B,eAAON,mBAAmBO;MAC5B,KAAKT,uBAAuBU;AAC1B,eAAOR,mBAAmBS;MAC5B,KAAKX,uBAAuBY;AAC1B,eAAOV,mBAAmBW;MAC5B,KAAKb,uBAAuBc;AAC1B,eAAOZ,mBAAmBa;MAC5B,KAAKf,uBAAuBgB;AAC1B,eAAOd,mBAAmBe;MAC5B,KAAKjB,uBAAuBkB;AAC1B,eAAOhB,mBAAmBiB;MAC5B,KAAKnB,uBAAuBoB;AAC1B,eAAOlB,mBAAmBmB;MAC5B,KAAKrB,uBAAuBsB;AAC1B,eAAOpB,mBAAmBqB;MAC5B;AACE,cAAM,IAAItF,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlCyG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOvG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcwG;MACvB,KAAK;AACH,eAAOxG,cAAcyG;MACvB,KAAK;AACH,eAAOzG,cAAc0G;MACvB,KAAK;AACH,eAAO1G,cAAc2G;MACvB,KAAK;AACH,eAAO3G,cAAc4G;MACvB,KAAK;AACH,eAAO5G,cAAc6G;MACvB,KAAK;AACH,eAAO7G,cAAc8G;MACvB;AACE,cAAM,IAAI/F,MAAM,iBAAiBwF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBxG,mBAAmB,wBAACgH,eAAAA;AAC1B,WAAOA,WAAWrE,IAAI,CAAC6D,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAChI,SAAAA;AACzB,UAAMiI,OAAOjI,KAAKE,MAAM+H;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBlI,KAAKmI,cAAcC,SAAS,KAAA,IAASpI,KAAKmI,gBAAgBE,SAASrI,KAAKmI,eAAe,SAAA;AACrI,UAAMrF,eAAewF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAAS3F,cAAc,QAAA;AAC5C,UAAMT,eAAeqG,SAASF,YAAAA;AAE9B,UAAMtI,OAAO,CAAC;AACd,QAAI+H,MAAM;AACR/H,WAAK+H,OAAO;QACVU,IAAIV,KAAKU,MAAM3I,KAAK8B,OAAOO;MAC7B;AACA,UAAIuG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxB7I,aAAK+H,KAAKY,sBAAsBD;AAChC,cAAM3E,MAAM+E,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BnG,uBAAamB,MAAMA;QACrB;AACA/D,aAAK+H,KAAKhE,MAAMA;MAClB;AACA,UAAIgE,KAAKgB,qBAAqB;AAE5BnG,qBAAaoG,MAAMjB,KAAKgB;AACxB/I,aAAK+H,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMnH,MAAM9B,KAAK8B,OAAO5B,MAAM+H,MAAMU,MAAMtG;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGmH;YACHzG;YACA8B,KAAKuF,wBAAwBZ,cAAc3E,KAAK,KAAA;YAChDpD,KAAK4I,oBAAoBb,cAAc/H,KAAK,KAAA;YAC5C6I,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;QACAT,WAAW1I,KAAK+H,KAAKhE;MACvB;IACF;EACF,GArD0B;EAuDlBsF,wBAAwB,wBAACvJ,SAAAA;AAC/B,UAAM,EAAEmI,cAAa,IAAKnI;AAC1B,UAAMwJ,eAAezK,WAAWoJ,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMnI,UAAUiI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMnH,eAAeZ,QAAQqI,UAAU,MAAM,KAAA;AAC7C,UAAMhH,eAAeiH,MAAM1H,cAAc,WAAA;AACzC,UAAMkG,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAMlI,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGmH;YACHzG;YACA8B,KAAKuF,wBAAwBZ,cAAc3E,KAAK,KAAA;YAChDpD,KAAK4I,oBAAoBb,cAAc/H,KAAK,KAAA;YAC5C6I,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACjK,SAAAA;AAC5B,UAAM,EAAEmI,cAAa,IAAKnI;AAC1B,UAAMuI,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAM3H,eAAe6H,8BAA8B/B,aAAAA;AACnD,UAAMrF,eAAeiH,MAAM1H,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGmH;YACHzG;YACA8B,KAAKuF,wBAAwBZ,cAAc3E,KAAK,KAAA;YAChDpD,KAAK4I,oBAAoBb,cAAc/H,KAAK,KAAA;YAC5C6I,KAAKC,mBAAmBf,cAAcc,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB5G,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK+H,gBAAgBhI,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKuJ,sBAAsBvJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKiK,mBAAmBjK,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","shaHasher","signatureAlgorithmFromKeyType","signatureAlgorithmToJoseAlgorithm","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return restKeys.map((restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n let publicKeyHex = ''\n\n // Derive publicKeyHex from JWK based on key type\n if (jwk.kty === 'EC') {\n publicKeyHex = jwk.x || ''\n } else if (jwk.kty === 'RSA') {\n publicKeyHex = jwk.n || ''\n } else if (jwk.kty === 'OKP') {\n publicKeyHex = jwk.x || ''\n }\n\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n })\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeSigned: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are computed over the raw message (PureEdDSA)\n // The algorithm internally handles hashing with SHA-512\n dataToBeSigned = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before signing\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeSigned = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return signingResult.signature\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeVerified: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are verified over the raw message (PureEdDSA)\n dataToBeVerified = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before verifying\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeVerified = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,wBACAC,cACAC,uBACAC,WACAC,+BACAC,mCACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,UAAUC,8BAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAMe,kCAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,eAAeC,uBAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,MAAMuB,sBAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,eAAeC,uBAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,MAAMuB,sBAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOF,SAASG,IAAI,CAACC,YAAAA;AACnB,YAAMnC,MAAMmC,QAAQvC;AACpB,UAAIiB,eAAe;AAGnB,UAAIb,IAAIoC,QAAQ,MAAM;AACpBvB,uBAAeb,IAAIqC,KAAK;MAC1B,WAAWrC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIsC,KAAK;MAC1B,WAAWtC,IAAIoC,QAAQ,OAAO;AAC5BvB,uBAAeb,IAAIqC,KAAK;MAC1B;AAEA,YAAME,UAAU,KAAKC,yBAAyBL,QAAQI,OAAO;AAE7D,aAAO;QACLjC,KAAK6B,QAAQ7B,OAAO6B,QAAQxC;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM8D;QACN1B;QACAnC,MAAM;UACJG,YAAYsD,QAAQrD,qBAAqB;YAACqD,QAAQrD;cAAsBuB;UACxEL;UACAS,eAAeC,uBAAuB;YACpCV;YACAW,iBAAiBwB,QAAQvC,IAAIP,MAAMuB,sBAAsBuB,QAAQvC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAOwC,QAAQxC;UACf7B,YAAYqE,QAAQrE;UACpB2E,KAAKN,QAAQM;UACbC,eAAeP,QAAQO;UACvBC,aAAaR,QAAQQ;UACrB,GAAGR,QAAQS;QACb;MACF;IACF,CAAA;EACF;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIhC,MAAM,qBAAqBgC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKrE,MAAiC;AAC1C,UAAM,EAAEsE,QAAQC,MAAMC,YAAY,UAAS,IAAKxE;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,SAASvD,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAM+D,UAAUD,WAAW,WAAWA,WAAW,aAAavD,IAAIyB,QAAQzB,IAAIyD,QAAQ;AAEtF,QAAIC;AACJ,QAAIF,SAAS;AAGXE,uBAAiBP;IACnB,OAAO;AAGLO,uBAAiBC,aAAaR,IAAAA,IAC1BA,OACAS,UAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMa,gBAAgB,MAAM,KAAKjG,OAAOiC,QAAQiE,4BAA4B;MAC1EzC,SAASzB,IAAIyB;MACb0C,OAAOvG,SAAS8F,gBAAgB,QAAA;MAChC,GAAI,KAAKvF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO6F,cAAcG;EACvB;EAEA,MAAMC,OAAOzF,MAAoC;AAC/C,UAAM,EAAEsE,QAAQC,MAAMiB,WAAWhB,YAAY,UAAS,IAAKxE;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,SAASvD,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAM+D,UAAUD,WAAW,WAAWA,WAAW,aAAavD,IAAIyB,QAAQzB,IAAIyD,QAAQ;AAEtF,QAAIa;AACJ,QAAId,SAAS;AAEXc,yBAAmBnB;IACrB,OAAO;AAGLmB,yBAAmBX,aAAaR,IAAAA,IAC5BA,OACAS,UAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMmB,eAAe,MAAM,KAAKvG,OAAOiC,QAAQuE,6BAA6B;MAC1E/C,SAASzB,IAAIyB;MACb0C,OAAOvG,SAAS0G,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAKjG,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOmG,aAAaE;EACtB;EAEA,MAAMC,aAAa9F,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACsF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOpF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOqF;MAChB;AACE,cAAM,IAAIjE,MAAM,aAAagE,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdxF,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAKoF,uBAAuBC;AAC1B,eAAOC,mBAAmBC;MAC5B,KAAKH,uBAAuBI;AAC1B,eAAOF,mBAAmBG;MAC5B,KAAKL,uBAAuBM;AAC1B,eAAOJ,mBAAmBK;MAC5B,KAAKP,uBAAuBQ;AAC1B,eAAON,mBAAmBO;MAC5B,KAAKT,uBAAuBU;AAC1B,eAAOR,mBAAmBS;MAC5B,KAAKX,uBAAuBY;AAC1B,eAAOV,mBAAmBW;MAC5B,KAAKb,uBAAuBc;AAC1B,eAAOZ,mBAAmBa;MAC5B,KAAKf,uBAAuBgB;AAC1B,eAAOd,mBAAmBe;MAC5B,KAAKjB,uBAAuBkB;AAC1B,eAAOhB,mBAAmBiB;MAC5B,KAAKnB,uBAAuBoB;AAC1B,eAAOlB,mBAAmBmB;MAC5B,KAAKrB,uBAAuBsB;AAC1B,eAAOpB,mBAAmBqB;MAC5B;AACE,cAAM,IAAIzF,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlC4G,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAO1G,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAc2G;MACvB,KAAK;AACH,eAAO3G,cAAc4G;MACvB,KAAK;AACH,eAAO5G,cAAc6G;MACvB,KAAK;AACH,eAAO7G,cAAc8G;MACvB,KAAK;AACH,eAAO9G,cAAc+G;MACvB,KAAK;AACH,eAAO/G,cAAcgH;MACvB,KAAK;AACH,eAAOhH,cAAciH;MACvB;AACE,cAAM,IAAIlG,MAAM,iBAAiB2F,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlB3G,mBAAmB,wBAACmH,eAAAA;AAC1B,WAAOA,WAAWxE,IAAI,CAACgE,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACnI,SAAAA;AACzB,UAAMoI,OAAOpI,KAAKE,MAAMkI;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBrI,KAAKsI,cAAcC,SAAS,KAAA,IAASvI,KAAKsI,gBAAgBE,SAASxI,KAAKsI,eAAe,SAAA;AACrI,UAAMxF,eAAe2F,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAAS9F,cAAc,QAAA;AAC5C,UAAMT,eAAewG,SAASF,YAAAA;AAE9B,UAAMzI,OAAO,CAAC;AACd,QAAIkI,MAAM;AACRlI,WAAKkI,OAAO;QACVU,IAAIV,KAAKU,MAAM9I,KAAK8B,OAAOO;MAC7B;AACA,UAAI0G,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBhJ,aAAKkI,KAAKY,sBAAsBD;AAChC,cAAM9E,MAAMkF,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BtG,uBAAamB,MAAMA;QACrB;AACA/D,aAAKkI,KAAKnE,MAAMA;MAClB;AACA,UAAImE,KAAKgB,qBAAqB;AAE5BtG,qBAAauG,MAAMjB,KAAKgB;AACxBlJ,aAAKkI,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMtH,MAAM9B,KAAK8B,OAAO5B,MAAMkI,MAAMU,MAAMzG;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,KAAK0F,wBAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,KAAK+I,oBAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,KAAK2E,mBAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;QACAkE,WAAW7I,KAAKkI,KAAKnE;MACvB;IACF;EACF,GArD0B;EAuDlBwF,wBAAwB,wBAACzJ,SAAAA;AAC/B,UAAM,EAAEsI,cAAa,IAAKtI;AAC1B,UAAM0J,eAAe3K,WAAWuJ,cAAcqB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMrI,UAAUmI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMrH,eAAeZ,QAAQuI,UAAU,MAAM,KAAA;AAC7C,UAAMlH,eAAemH,MAAM5H,cAAc,WAAA;AACzC,UAAMqG,gBAAgBuB,MAAM3B,eAAe,aAAa;MAAE4B,cAAc;IAAK,CAAA;AAC7E,UAAMpI,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,KAAK0F,wBAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,KAAK+I,oBAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,KAAK2E,mBAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBsF,qBAAqB,wBAACnK,SAAAA;AAC5B,UAAM,EAAEsI,cAAa,IAAKtI;AAC1B,UAAM0I,gBAAgBuB,MAAM3B,eAAe,UAAU;MAAE4B,cAAc;IAAK,CAAA;AAC1E,UAAM7H,eAAe+H,8BAA8B9B,aAAAA;AACnD,UAAMxF,eAAemH,MAAM5H,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGsH;YACH5G;YACA8B,KAAK0F,wBAAwBZ,cAAc9E,KAAK,KAAA;YAChDpD,KAAK+I,oBAAoBb,cAAclI,KAAK,KAAA;YAC5CqE,KAAK2E,mBAAmBd,cAAc7D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrBpC,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKkI,gBAAgBnI,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKyJ,sBAAsBzJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKmK,mBAAmBnK,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","shaHasher","signatureAlgorithmFromKeyType","signatureAlgorithmToJoseAlgorithm","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","map","restKey","kty","x","n","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","keyAlg","isEdDSA","crv","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sphereon/ssi-sdk.kms-rest",
|
|
3
3
|
"description": "Sphereon SSI-SDK plugin for REST Key Management System.",
|
|
4
|
-
"version": "0.36.1-feature.SSISDK.70.integrate.digidentity.
|
|
4
|
+
"version": "0.36.1-feature.SSISDK.70.integrate.digidentity.57+64fec028",
|
|
5
5
|
"source": "./src/index.ts",
|
|
6
6
|
"type": "module",
|
|
7
7
|
"main": "./dist/index.cjs",
|
|
@@ -22,10 +22,10 @@
|
|
|
22
22
|
"build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
|
|
23
23
|
},
|
|
24
24
|
"dependencies": {
|
|
25
|
-
"@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feature.SSISDK.70.integrate.digidentity.
|
|
26
|
-
"@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feature.SSISDK.70.integrate.digidentity.
|
|
27
|
-
"@sphereon/ssi-sdk.kms-rest-client": "0.36.1-feature.SSISDK.70.integrate.digidentity.
|
|
28
|
-
"@sphereon/ssi-types": "0.36.1-feature.SSISDK.70.integrate.digidentity.
|
|
25
|
+
"@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feature.SSISDK.70.integrate.digidentity.57+64fec028",
|
|
26
|
+
"@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feature.SSISDK.70.integrate.digidentity.57+64fec028",
|
|
27
|
+
"@sphereon/ssi-sdk.kms-rest-client": "0.36.1-feature.SSISDK.70.integrate.digidentity.57+64fec028",
|
|
28
|
+
"@sphereon/ssi-types": "0.36.1-feature.SSISDK.70.integrate.digidentity.57+64fec028",
|
|
29
29
|
"@veramo/core": "4.2.0",
|
|
30
30
|
"@veramo/key-manager": "4.2.0",
|
|
31
31
|
"elliptic": "^6.5.4",
|
|
@@ -54,5 +54,5 @@
|
|
|
54
54
|
"key-management",
|
|
55
55
|
"Veramo"
|
|
56
56
|
],
|
|
57
|
-
"gitHead": "
|
|
57
|
+
"gitHead": "64fec028cf7a45b16dcb4c0e82869c443bd27c40"
|
|
58
58
|
}
|
|
@@ -249,10 +249,23 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
249
249
|
...(this.userId && { userId: this.userId }),
|
|
250
250
|
})
|
|
251
251
|
|
|
252
|
-
//
|
|
253
|
-
const
|
|
254
|
-
|
|
255
|
-
|
|
252
|
+
// Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash
|
|
253
|
+
const keyAlg = key.keyInfo.key.alg
|
|
254
|
+
const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'
|
|
255
|
+
|
|
256
|
+
let dataToBeSigned: Uint8Array
|
|
257
|
+
if (isEdDSA) {
|
|
258
|
+
// EdDSA signatures are computed over the raw message (PureEdDSA)
|
|
259
|
+
// The algorithm internally handles hashing with SHA-512
|
|
260
|
+
dataToBeSigned = data
|
|
261
|
+
} else {
|
|
262
|
+
// For other algorithms (RSA, ECDSA), hash the data before signing
|
|
263
|
+
// with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)
|
|
264
|
+
dataToBeSigned = isHashString(data)
|
|
265
|
+
? data
|
|
266
|
+
: shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
|
|
267
|
+
}
|
|
268
|
+
|
|
256
269
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
257
270
|
keyInfo: key.keyInfo,
|
|
258
271
|
input: toString(dataToBeSigned, 'base64'),
|
|
@@ -278,10 +291,22 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
278
291
|
...(this.userId && { userId: this.userId }),
|
|
279
292
|
})
|
|
280
293
|
|
|
281
|
-
//
|
|
282
|
-
const
|
|
283
|
-
|
|
284
|
-
|
|
294
|
+
// Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash
|
|
295
|
+
const keyAlg = key.keyInfo.key.alg
|
|
296
|
+
const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'
|
|
297
|
+
|
|
298
|
+
let dataToBeVerified: Uint8Array
|
|
299
|
+
if (isEdDSA) {
|
|
300
|
+
// EdDSA signatures are verified over the raw message (PureEdDSA)
|
|
301
|
+
dataToBeVerified = data
|
|
302
|
+
} else {
|
|
303
|
+
// For other algorithms (RSA, ECDSA), hash the data before verifying
|
|
304
|
+
// with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)
|
|
305
|
+
dataToBeVerified = isHashString(data)
|
|
306
|
+
? data
|
|
307
|
+
: shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
|
|
308
|
+
}
|
|
309
|
+
|
|
285
310
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
|
286
311
|
keyInfo: key.keyInfo,
|
|
287
312
|
input: toString(dataToBeVerified, 'base64'),
|