@sphereon/ssi-sdk.kms-rest 0.36.1-feature.SSISDK.82.and.SSISDK.70.35 → 0.36.1-feature.SSISDK.89.metadata.persistence.103

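--- a/package/dist/index.cjs
+++ b/package/dist/index.cjs
@@ -67,7 +67,11 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
  }
  async createKey(args) {
  const { type, meta } = args;
- const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
+ const joseAlg = (0, import_ssi_sdk_ext.signatureAlgorithmFromKeyType)({
+ type,
+ algorithms: meta?.algorithms
+ });
+ const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg);
  const options = {
  use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : import_ssi_sdk.JwkUse.Sig,
  alg: signatureAlgorithm,
@@ -90,7 +94,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
  }) : await this.client.methods.kmsClientGenerateKey(options);
  const jwk = {
  ...key.keyPair.jose.publicJwk,
- alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
+ alg: key.keyPair.jose.publicJwk.alg ? (0, import_ssi_sdk_ext.signatureAlgorithmToJoseAlgorithm)(key.keyPair.jose.publicJwk.alg) : void 0
  };
  const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid;
  if (!kid) {
@@ -190,7 +194,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
  }
  });
  const restKeys = (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
- return Promise.all(restKeys.map(async (restKey) => {
+ const results = await Promise.allSettled(restKeys.map(async (restKey) => {
  const jwk = restKey.key;
  const publicKeyHex = await (0, import_ssi_sdk_ext.jwkToRawHexKey)(jwk);
  const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
@@ -217,6 +221,13 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
  }
  };
  }));
+ return results.filter((result) => {
+ if (result.status === "rejected") {
+ console.warn("Failed to process key in listKeys:", result.reason);
+ return false;
+ }
+ return true;
+ }).map((result) => result.value);
  }
  mapRestKeyTypeToTKeyType(keyType) {
  switch (keyType) {
@@ -255,7 +266,14 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
  userId: this.userId
  }
  });
- const dataToBeSigned = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
+ const keyAlg = key.keyInfo.key.alg;
+ const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
+ let dataToBeSigned;
+ if (isEdDSA) {
+ dataToBeSigned = data;
+ } else {
+ dataToBeSigned = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
+ }
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
  keyInfo: key.keyInfo,
  input: toString(dataToBeSigned, "base64"),
@@ -288,7 +306,14 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
  userId: this.userId
  }
  });
- const dataToBeVerified = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
+ const keyAlg = key.keyInfo.key.alg;
+ const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
+ let dataToBeVerified;
+ if (isEdDSA) {
+ dataToBeVerified = data;
+ } else {
+ dataToBeVerified = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
+ }
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
  keyInfo: key.keyInfo,
  input: toString(dataToBeVerified, "base64"),
@@ -315,54 +340,34 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
  throw new Error(`Key usage ${usage} is not supported by REST KMS`);
  }
  }, "mapKeyUsage");
- mapKeyTypeToSignatureAlgorithm = /* @__PURE__ */ __name((type) => {
- switch (type) {
- case "Secp256r1":
- return import_ssi_sdk.SignatureAlgorithm.EcdsaSha256;
- case "RSA":
- return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha256Mgf1;
- case "X25519":
- return import_ssi_sdk.SignatureAlgorithm.EckaDhSha256;
- default:
- throw new Error(`Key type ${type} is not supported by REST KMS`);
- }
- }, "mapKeyTypeToSignatureAlgorithm");
- mapJoseAlgorithm = /* @__PURE__ */ __name((alg) => {
+ mapJoseToRestSignatureAlgorithm = /* @__PURE__ */ __name((alg) => {
  switch (alg) {
- case "RS256":
- return import_ssi_types.JoseSignatureAlgorithm.RS256;
- case "RS384":
- return import_ssi_types.JoseSignatureAlgorithm.RS384;
- case "RS512":
- return import_ssi_types.JoseSignatureAlgorithm.RS512;
- case "ES256":
- return import_ssi_types.JoseSignatureAlgorithm.ES256;
- case "ES256K":
- return import_ssi_types.JoseSignatureAlgorithm.ES256K;
- case "ES384":
- return import_ssi_types.JoseSignatureAlgorithm.ES384;
- case "ES512":
- return import_ssi_types.JoseSignatureAlgorithm.ES512;
- case "EdDSA":
- return import_ssi_types.JoseSignatureAlgorithm.EdDSA;
- case "HS256":
- return import_ssi_types.JoseSignatureAlgorithm.HS256;
- case "HS384":
- return import_ssi_types.JoseSignatureAlgorithm.HS384;
- case "HS512":
- return import_ssi_types.JoseSignatureAlgorithm.HS512;
- case "PS256":
- return import_ssi_types.JoseSignatureAlgorithm.PS256;
- case "PS384":
- return import_ssi_types.JoseSignatureAlgorithm.PS384;
- case "PS512":
- return import_ssi_types.JoseSignatureAlgorithm.PS512;
- case "none":
- return import_ssi_types.JoseSignatureAlgorithm.none;
+ case import_ssi_types.JoseSignatureAlgorithm.RS256:
+ return import_ssi_sdk.SignatureAlgorithm.RsaSha256;
+ case import_ssi_types.JoseSignatureAlgorithm.RS384:
+ return import_ssi_sdk.SignatureAlgorithm.RsaSha384;
+ case import_ssi_types.JoseSignatureAlgorithm.RS512:
+ return import_ssi_sdk.SignatureAlgorithm.RsaSha512;
+ case import_ssi_types.JoseSignatureAlgorithm.PS256:
+ return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha256Mgf1;
+ case import_ssi_types.JoseSignatureAlgorithm.PS384:
+ return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha384Mgf1;
+ case import_ssi_types.JoseSignatureAlgorithm.PS512:
+ return import_ssi_sdk.SignatureAlgorithm.RsaSsaPssSha512Mgf1;
+ case import_ssi_types.JoseSignatureAlgorithm.ES256:
+ return import_ssi_sdk.SignatureAlgorithm.EcdsaSha256;
+ case import_ssi_types.JoseSignatureAlgorithm.ES384:
+ return import_ssi_sdk.SignatureAlgorithm.EcdsaSha384;
+ case import_ssi_types.JoseSignatureAlgorithm.ES512:
+ return import_ssi_sdk.SignatureAlgorithm.EcdsaSha512;
+ case import_ssi_types.JoseSignatureAlgorithm.ES256K:
+ return import_ssi_sdk.SignatureAlgorithm.Es256K;
+ case import_ssi_types.JoseSignatureAlgorithm.EdDSA:
+ return import_ssi_sdk.SignatureAlgorithm.Ed25519;
  default:
- throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`);
+ throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`);
  }
- }, "mapJoseAlgorithm");
+ }, "mapJoseToRestSignatureAlgorithm");
  mapKeyOperation = /* @__PURE__ */ __name((operation) => {
  switch (operation) {
  case "sign":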
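Review bot: The new `mapJoseToRestSignatureAlgorithm` switch in the last hunk has no case that yields `import_ssi_sdk.SignatureAlgorithm.EckaDhSha256`, so the X25519 branch that the removed `mapKeyTypeToSignatureAlgorithm` handled is gone; whatever `signatureAlgorithmFromKeyType` returns for an X25519 `type` in the createKey hunk, it either lands in the default throw or, worse, selects a signature algorithm for a key-agreement key. The old source embedded in the source map still shows X25519 import support (`mapImportX25519Key`), so losing X25519 generation looks unintended rather than deliberate. Either reject X25519 explicitly in createKey with a clear message, or short-circuit before the JOSE mapping: `const signatureAlgorithm = type === "X25519" ? import_ssi_sdk.SignatureAlgorithm.EckaDhSha256 : this.mapJoseToRestSignatureAlgorithm(joseAlg);`. createKey's body continues past its hunk, and the class runs past the end of this section.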
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = 
options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? 
await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? 
await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return Promise.all(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? 
await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? 
data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 
'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. 
We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? 
publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAUO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,K
AAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,mBAAeC,2CAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,UAAMwB,0CAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,mBAAeC,2CAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,UAAMwB,0CAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOC,QAAQC,IACbJ,SAASK,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAM
kB,eAAe,UAAMyB,mCAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY6B,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAU,mBAAeC,2CAAuB;YACpCX;YACAY,iBAAiB0B,QAAQ1C,IAAIP,UAAMwB,0CAAsByB,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf1B,YAAYqE,QAAQrE;UACpByE,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;EAEJ;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,qBAA6BC,iCAAaL,IAAAA,IAC5CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,eAAO2F,sCAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOrF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMe,WAAWd,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM8F,uBAA+BZ,iCAAaL,IAAAA,IAC9CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KA
AKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMiB,eAAe,MAAM,KAAKnG,OAAO8B,QAAQsE,6BAA6B;MAC1E7C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASsG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK7F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO+F,aAAaE;EACtB;EAEA,MAAMC,aAAa1F,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACqF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOnF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOoF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdvF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO4F,kCAAmBC;MAC5B,KAAK;AACH,eAAOD,kCAAmBE;MAC5B,KAAK;AACH,eAAOF,kCAAmBG;MAC5B;AACE,cAAM,IAAIpE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOuF,wCAAuBC;MAChC,KAAK;AACH,eAAOD,wCAAuBE;MAChC,KAAK;AACH,eAAOF,wCAAuBG;MAChC,KAAK;AACH,eAAOH,wCAAuBI;MAChC,KAAK;AACH,eAAOJ,wCAAuBK;MAChC,KAAK;AACH,eAAOL,wCAAuBM;MAChC,KAAK;AACH,eAAON,wCAAuBO;MAChC,KAAK;AACH,eAAOP,wCAAuBQ;MAChC,KAAK;AACH,eAAOR,wCAAuBS;MAChC,KAAK;AACH,eAAOT,wCAAuBU;MAChC,KAAK;AACH,eAAOV,wCAAuBW;MAChC,KAAK;AACH,eAAOX,wCAAuBY;MAChC,KAAK;AACH,eAAOZ,wCAAuBa;MAChC,KAAK;AACH,eAAOb,wCAAuBc;MAChC,KAAK;AACH,eAAOd,wCAAuBe;MAChC;AACE,cAAM,IAAIpF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBuG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOrG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcsG;MACvB,KAAK;AACH,eAAOtG,6BAAcuG;MACvB,KAAK;AACH,eAAOvG,6BAAcwG;MACvB,KAAK;AACH,eAAOxG,6BAAcyG;MACvB,KAAK;AACH,eAAOzG,6BAAc0G;MACvB,KAAK;AACH,eAAO1G,6BAAc2G;MACvB,KAAK;AACH,eAAO3G,6BAAc4G;MACvB;AACE,cAAM,IAAI7F,MAAM,iBAAiBsF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBtG,mBAAmB,wBAAC8G,eAAAA;AAC1B,WAAOA,WAAWhE,IAAI,CAACwD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3H,SAAAA;AACzB,UAAM4H,OAAO5H,KAAKE,MAAM0H;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7H,KAAK8H,cAAcC,SAAS,KAAA,IAAS/H,KAAK8H,oBAAgBE,8BAAShI,KAAK8H,eAAe,SAAA;AACrI,UAAMlF,mBAAeqF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAASxF,cAAc,QAAA;AA
C5C,UAAMT,mBAAekG,8BAASF,YAAAA;AAE9B,UAAMjI,OAAO,CAAC;AACd,QAAI0H,MAAM;AACR1H,WAAK0H,OAAO;QACVU,IAAIV,KAAKU,MAAMtI,KAAK2B,OAAOQ;MAC7B;AACA,UAAIoG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxI,aAAK0H,KAAKY,sBAAsBD;AAChC,cAAMxE,UAAM4E,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BhG,uBAAamB,MAAMA;QACrB;AACA7D,aAAK0H,KAAK7D,MAAMA;MAClB;AACA,UAAI6D,KAAKgB,qBAAqB;AAE5BhG,qBAAaiG,MAAMjB,KAAKgB;AACxB1I,aAAK0H,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMjH,MAAM3B,KAAK2B,OAAOzB,MAAM0H,MAAMU,MAAMnG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDzI,SAAK2I,oCAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;QACAV,WAAWrI,KAAK0H,KAAK7D;MACvB;IACF;EACF,GArD0B;EAuDlBoF,wBAAwB,wBAACnJ,SAAAA;AAC/B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMoJ,eAAerK,WAAW+I,cAAcuB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMlI,UAAUgI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMjH,eAAeb,QAAQoI,UAAU,MAAM,KAAA;AAC7C,UAAM9G,mBAAe+G,0BAAMxH,cAAc,WAAA;AACzC,UAAM+F,oBAAgByB,0BAAM7B,eAAe,aAAa;MAAE8B,cAAc;IAAK,CAAA;AAC7E,UAAMjI,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDzI,SAAK2I,oCAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC7J,SAAAA;AAC5B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMkI,oBAAgByB,0BAAM7B,eAAe,UAAU;MAAE8B,cAAc;IAAK,CAAA;AAC1E,UAAMzH,mBAAe2H,kDAA8BhC,aAAAA;AACnD,UAAMlF,mBAAe+G,0BAAMxH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDzI,SAAK2I,oCAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB1G,eAAe,wBAACvC,SAAAA;AACtB
,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0H,gBAAgB3H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKmJ,sBAAsBnJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK6J,mBAAmB7J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","Promise","all","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none
","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n 
const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? 
joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? 
await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n const results = await Promise.allSettled(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n\n return results\n .filter((result): result is PromiseFulfilledResult<ManagedKeyInfo> => {\n if (result.status === 'rejected') {\n console.warn('Failed to process key in listKeys:', result.reason)\n return false\n }\n return true\n })\n .map((result) => result.value)\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = 
this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeSigned: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are computed over the raw message (PureEdDSA)\n // The algorithm internally handles hashing with SHA-512\n dataToBeSigned = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before signing\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeSigned = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? 
await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeVerified: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are verified over the raw message (PureEdDSA)\n dataToBeVerified = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before verifying\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeVerified = isHashString(data)\n ? 
data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n 
return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? 
publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? 
publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAYO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA9C7C,OA8C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,cAAUC,kDAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,UAAMe,sDAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,I
AAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,UAAMuB,0CAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,UAAMuB,0CAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,UAAMC,UAAU,MAAMC
,QAAQC,WAC5BL,SAASM,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAMiB,eAAe,UAAM0B,mCAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM+D;QACN3B;QACAnC,MAAM;UACJG,YAAYyD,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAS,mBAAeC,2CAAuB;YACpCV;YACAW,iBAAiB2B,QAAQ1C,IAAIP,UAAMuB,0CAAsB0B,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf7B,YAAYwE,QAAQxE;UACpB4E,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;AAGF,WAAOX,QACJY,OAAO,CAAC5B,WAAAA;AACP,UAAIA,OAAO6B,WAAW,YAAY;AAChCC,gBAAQC,KAAK,sCAAsC/B,OAAOgC,MAAM;AAChE,eAAO;MACT;AACA,aAAO;IACT,CAAA,EACCb,IAAI,CAACnB,WAAWA,OAAOiC,KAAK;EACjC;EAEQV,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMY,KAAK5E,MAAiC;AAC1C,UAAM,EAAE6E,QAAQC,MAAMC,YAAY,UAAS,IAAK/E;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQ2D,wBAAwB;MAChD/B,YAAY4B,OAAO/C;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ4D,gBAAgB;MACxChC,YAAY4B,OAAO/C;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM0F,SAAS9D,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAMsE,UAAUD,WAAW,WAAWA,WAAW,aAAa9D,IAAIyB,QAAQzB,IAAIgE,QAAQ;AAEtF,QAAIC;AACJ,QAAIF,SAAS;AAGXE,uBAAiBP;IACnB,OAAO;AAGLO,2BAAiBC,iCAAaR,IAAAA,IAC1BA,WACAS,8BAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMa,gBAAgB,MAAM,KAAKxG,OAAOiC,QAAQwE,4BAA4B;MAC1EhD,SAASzB,IAAIyB;MACbiD,OAAO9G,SAASqG,gBAAgB,QAAA;MAChC,GAAI,KAAK9F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,eAAOuG,sCAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOjG,MAAoC;AAC/C,UAAM,EAAE6E,QAAQC,MAAMkB,WAAWjB,YAAY,UAAS,IAAK/E;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,K
AAKF,OAAOiC,QAAQ2D,wBAAwB;MAChD/B,YAAY4B,OAAO/C;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ4D,gBAAgB;MACxChC,YAAY4B,OAAO/C;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM0F,SAAS9D,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAMsE,UAAUD,WAAW,WAAWA,WAAW,aAAa9D,IAAIyB,QAAQzB,IAAIgE,QAAQ;AAEtF,QAAIc;AACJ,QAAIf,SAAS;AAEXe,yBAAmBpB;IACrB,OAAO;AAGLoB,6BAAmBZ,iCAAaR,IAAAA,IAC5BA,WACAS,8BAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMoB,eAAe,MAAM,KAAK/G,OAAOiC,QAAQ+E,6BAA6B;MAC1EvD,SAASzB,IAAIyB;MACbiD,OAAO9G,SAASkH,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAKzG,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO2G,aAAaE;EACtB;EAEA,MAAMC,aAAatG,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAAC8F,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAO5F,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAO6F;MAChB;AACE,cAAM,IAAIzE,MAAM,aAAawE,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdhG,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAK4F,wCAAuBC;AAC1B,eAAOC,kCAAmBC;MAC5B,KAAKH,wCAAuBI;AAC1B,eAAOF,kCAAmBG;MAC5B,KAAKL,wCAAuBM;AAC1B,eAAOJ,kCAAmBK;MAC5B,KAAKP,wCAAuBQ;AAC1B,eAAON,kCAAmBO;MAC5B,KAAKT,wCAAuBU;AAC1B,eAAOR,kCAAmBS;MAC5B,KAAKX,wCAAuBY;AAC1B,eAAOV,kCAAmBW;MAC5B,KAAKb,wCAAuBc;AAC1B,eAAOZ,kCAAmBa;MAC5B,KAAKf,wCAAuBgB;AAC1B,eAAOd,kCAAmBe;MAC5B,KAAKjB,wCAAuBkB;AAC1B,eAAOhB,kCAAmBiB;MAC5B,KAAKnB,wCAAuBoB;AAC1B,eAAOlB,kCAAmBmB;MAC5B,KAAKrB,wCAAuBsB;AAC1B,eAAOpB,kCAAmBqB;MAC5B;AACE,cAAM,IAAIjG,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlCoH,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOlH,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcmH;MACvB,KAAK;AACH,eAAOnH,6BAAcoH;MACvB,KAAK;AACH,eAAOpH,6BAAcqH;MACvB,KAAK;AACH,eAAOrH,6BAAcsH;MACvB,KAAK;AACH,eAAOtH,6BAAcuH;MACvB,KAAK;AACH,eAAOvH,6BAAcwH;MACvB,KAAK;AACH,eAAOxH,6BAAcyH;MACvB;AACE,cAAM,IAAI1G,MAAM,iBAAiBmG,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBn
H,mBAAmB,wBAAC2H,eAAAA;AAC1B,WAAOA,WAAW7E,IAAI,CAACqE,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3I,SAAAA;AACzB,UAAM4I,OAAO5I,KAAKE,MAAM0I;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7I,KAAK8I,cAAcC,SAAS,KAAA,IAAS/I,KAAK8I,oBAAgBE,8BAAShJ,KAAK8I,eAAe,SAAA;AACrI,UAAMhG,mBAAemG,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAAStG,cAAc,QAAA;AAC5C,UAAMT,mBAAegH,8BAASF,YAAAA;AAE9B,UAAMjJ,OAAO,CAAC;AACd,QAAI0I,MAAM;AACR1I,WAAK0I,OAAO;QACVU,IAAIV,KAAKU,MAAMtJ,KAAK8B,OAAOO;MAC7B;AACA,UAAIkH,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxJ,aAAK0I,KAAKY,sBAAsBD;AAChC,cAAMrF,UAAMyF,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B9G,uBAAaoB,MAAMA;QACrB;AACAhE,aAAK0I,KAAK1E,MAAMA;MAClB;AACA,UAAI0E,KAAKgB,qBAAqB;AAE5B9G,qBAAa+G,MAAMjB,KAAKgB;AACxB1J,aAAK0I,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM9H,MAAM9B,KAAK8B,OAAO5B,MAAM0I,MAAMU,MAAMjH;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,SAAKwJ,oCAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,SAAK6E,mCAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;QACAmE,WAAWrJ,KAAK0I,KAAK1E;MACvB;IACF;EACF,GArD0B;EAuDlBgG,wBAAwB,wBAAClK,SAAAA;AAC/B,UAAM,EAAE8I,cAAa,IAAK9I;AAC1B,UAAMmK,eAAepL,WAAW+J,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAM9I,UAAU4I,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9H,eAAeZ,QAAQgJ,UAAU,MAAM,KAAA;AAC7C,UAAM3H,mBAAe4H,0BAAMrI,cAAc,WAAA;AACzC,UAAM6G,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM7I,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,SAAKwJ,oCAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,SAAK6E,mCAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBwF,qBAAqB,wBAAC5K,SAAAA;AAC5B,UAAM,EAAE8I,cAAa,IAAK9I;AAC1B,UAAMkJ,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E
,UAAMtI,mBAAewI,kDAA8B/B,aAAAA;AACnD,UAAMhG,mBAAe4H,0BAAMrI,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,SAAKwJ,oCAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,SAAK6E,mCAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB3C,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0I,gBAAgB3I,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKkK,sBAAsBlK,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK4K,mBAAmB5K,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","results","Promise","allSettled","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","filter","status","console","warn","reason","value","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGe
tKey","keyAlg","isEdDSA","crv","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
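--- a/package/dist/index.d.cts
+++ b/package/dist/index.d.cts
@@ -57,9 +57,9 @@ interface KeyManagementSystemOptions {
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
  private client;
  private readonly id;
- private providerId;
- private tenantId;
- private userId;
+ private readonly providerId;
+ private readonly tenantId;
+ private readonly userId;
  constructor(options: KeyManagementSystemOptions);
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
@@ -70,8 +70,7 @@ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
  verify(args: VerifyArgs): Promise<boolean>;
  sharedSecret(args: SharedSecretArgs): Promise<string>;
  private mapKeyUsage;
- private mapKeyTypeToSignatureAlgorithm;
- private mapJoseAlgorithm;
+ private mapJoseToRestSignatureAlgorithm;
  private mapKeyOperation;
  private mapKeyOperations;
  private mapImportRsaKey;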
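--- a/package/dist/index.d.ts
+++ b/package/dist/index.d.ts
@@ -57,9 +57,9 @@ interface KeyManagementSystemOptions {
  declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
  private client;
  private readonly id;
- private providerId;
- private tenantId;
- private userId;
+ private readonly providerId;
+ private readonly tenantId;
+ private readonly userId;
  constructor(options: KeyManagementSystemOptions);
  createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo>;
  importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo>;
@@ -70,8 +70,7 @@ declare class RestKeyManagementSystem extends AbstractKeyManagementSystem {
  verify(args: VerifyArgs): Promise<boolean>;
  sharedSecret(args: SharedSecretArgs): Promise<string>;
  private mapKeyUsage;
- private mapKeyTypeToSignatureAlgorithm;
- private mapJoseAlgorithm;
+ private mapJoseToRestSignatureAlgorithm;
  private mapKeyOperation;
  private mapKeyOperations;
  private mapImportRsaKey;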
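--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -2,7 +2,7 @@ var __defProp = Object.defineProperty;
  var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 
  // src/RestKeyManagementSystem.ts
- import { base64ToBase64Url, calculateJwkThumbprint, isHashString, joseAlgorithmToDigest, jwkToRawHexKey, shaHasher, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
+ import { base64ToBase64Url, calculateJwkThumbprint, isHashString, joseAlgorithmToDigest, jwkToRawHexKey, shaHasher, signatureAlgorithmFromKeyType, signatureAlgorithmToJoseAlgorithm, toJwk, x25519PublicHexFromPrivateHex } from "@sphereon/ssi-sdk-ext.key-utils";
  import { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from "@sphereon/ssi-sdk-ext.x509-utils";
  import { CurveFromJSONTyped, JwkKeyTypeFromJSONTyped, JwkUse, JwkUseFromJSONTyped, KeyOperations, KmsRestClient, ListKeysResponseToJSONTyped, SignatureAlgorithm } from "@sphereon/ssi-sdk.kms-rest-client";
  import { JoseSignatureAlgorithm } from "@sphereon/ssi-types";
@@ -33,7 +33,11 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
  }
  async createKey(args) {
  const { type, meta } = args;
- const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
+ const joseAlg = signatureAlgorithmFromKeyType({
+ type,
+ algorithms: meta?.algorithms
+ });
+ const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg);
  const options = {
  use: meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
  alg: signatureAlgorithm,
@@ -56,7 +60,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
  }) : await this.client.methods.kmsClientGenerateKey(options);
  const jwk = {
  ...key.keyPair.jose.publicJwk,
- alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
+ alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : void 0
  };
  const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid;
  if (!kid) {
@@ -156,7 +160,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
  }
  });
  const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos;
- return Promise.all(restKeys.map(async (restKey) => {
+ const results = await Promise.allSettled(restKeys.map(async (restKey) => {
  const jwk = restKey.key;
  const publicKeyHex = await jwkToRawHexKey(jwk);
  const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
@@ -183,6 +187,13 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
  }
  };
  }));
+ return results.filter((result) => {
+ if (result.status === "rejected") {
+ console.warn("Failed to process key in listKeys:", result.reason);
+ return false;
+ }
+ return true;
+ }).map((result) => result.value);
  }
  mapRestKeyTypeToTKeyType(keyType) {
  switch (keyType) {
@@ -221,7 +232,14 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
  userId: this.userId
  }
  });
- const dataToBeSigned = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
+ const keyAlg = key.keyInfo.key.alg;
+ const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
+ let dataToBeSigned;
+ if (isEdDSA) {
+ dataToBeSigned = data;
+ } else {
+ dataToBeSigned = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
+ }
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
  keyInfo: key.keyInfo,
  input: toString(dataToBeSigned, "base64"),
@@ -254,7 +272,14 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
  userId: this.userId
  }
  });
- const dataToBeVerified = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
+ const keyAlg = key.keyInfo.key.alg;
+ const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
+ let dataToBeVerified;
+ if (isEdDSA) {
+ dataToBeVerified = data;
+ } else {
+ dataToBeVerified = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
+ }
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
  keyInfo: key.keyInfo,
  input: toString(dataToBeVerified, "base64"),
@@ -281,54 +306,34 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
  throw new Error(`Key usage ${usage} is not supported by REST KMS`);
  }
  }, "mapKeyUsage");
- mapKeyTypeToSignatureAlgorithm = /* @__PURE__ */ __name((type) => {
- switch (type) {
- case "Secp256r1":
- return SignatureAlgorithm.EcdsaSha256;
- case "RSA":
- return SignatureAlgorithm.RsaSsaPssSha256Mgf1;
- case "X25519":
- return SignatureAlgorithm.EckaDhSha256;
- default:
- throw new Error(`Key type ${type} is not supported by REST KMS`);
- }
- }, "mapKeyTypeToSignatureAlgorithm");
- mapJoseAlgorithm = /* @__PURE__ */ __name((alg) => {
+ mapJoseToRestSignatureAlgorithm = /* @__PURE__ */ __name((alg) => {
  switch (alg) {
- case "RS256":
- return JoseSignatureAlgorithm.RS256;
- case "RS384":
- return JoseSignatureAlgorithm.RS384;
- case "RS512":
- return JoseSignatureAlgorithm.RS512;
- case "ES256":
- return JoseSignatureAlgorithm.ES256;
- case "ES256K":
- return JoseSignatureAlgorithm.ES256K;
- case "ES384":
- return JoseSignatureAlgorithm.ES384;
- case "ES512":
- return JoseSignatureAlgorithm.ES512;
- case "EdDSA":
- return JoseSignatureAlgorithm.EdDSA;
- case "HS256":
- return JoseSignatureAlgorithm.HS256;
- case "HS384":
- return JoseSignatureAlgorithm.HS384;
- case "HS512":
- return JoseSignatureAlgorithm.HS512;
- case "PS256":
- return JoseSignatureAlgorithm.PS256;
- case "PS384":
- return JoseSignatureAlgorithm.PS384;
- case "PS512":
- return JoseSignatureAlgorithm.PS512;
- case "none":
- return JoseSignatureAlgorithm.none;
+ case JoseSignatureAlgorithm.RS256:
+ return SignatureAlgorithm.RsaSha256;
+ case JoseSignatureAlgorithm.RS384:
+ return SignatureAlgorithm.RsaSha384;
+ case JoseSignatureAlgorithm.RS512:
+ return SignatureAlgorithm.RsaSha512;
+ case JoseSignatureAlgorithm.PS256:
+ return SignatureAlgorithm.RsaSsaPssSha256Mgf1;
+ case JoseSignatureAlgorithm.PS384:
+ return SignatureAlgorithm.RsaSsaPssSha384Mgf1;
+ case JoseSignatureAlgorithm.PS512:
+ return SignatureAlgorithm.RsaSsaPssSha512Mgf1;
+ case JoseSignatureAlgorithm.ES256:
+ return SignatureAlgorithm.EcdsaSha256;
+ case JoseSignatureAlgorithm.ES384:
+ return SignatureAlgorithm.EcdsaSha384;
+ case JoseSignatureAlgorithm.ES512:
+ return SignatureAlgorithm.EcdsaSha512;
+ case JoseSignatureAlgorithm.ES256K:
+ return SignatureAlgorithm.Es256K;
+ case JoseSignatureAlgorithm.EdDSA:
+ return SignatureAlgorithm.Ed25519;
  default:
- throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`);
+ throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`);
  }
- }, "mapJoseAlgorithm");
+ }, "mapJoseToRestSignatureAlgorithm");
  mapKeyOperation = /* @__PURE__ */ __name((operation) => {
  switch (operation) {
  case "sign":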
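Review bot: The `listKeys` hunk (`@@ -183,6 +187,13 @@`) turns a per-key failure from a rejected promise into a `console.warn` plus a silently shorter result, so a caller can no longer distinguish an empty KMS from one whose every key failed `jwkToRawHexKey` or type mapping — for a key-inventory call in a security component that is a quiet loss of visibility. At minimum surface the total failure to the caller, e.g. before the final `.map`: `const rejected = results.filter((r) => r.status === "rejected");` / `if (rejected.length > 0 && rejected.length === results.length) throw new Error(\`listKeys: all ${results.length} keys failed to process\`, { cause: rejected[0].reason });`, and route the per-key warning through the SDK's logger rather than `console.warn`. The `isEdDSA` detection line is duplicated verbatim in the `sign` and `verify` hunks; a private `isEdDSAKey(key)` helper beside `mapKeyUsage` would keep the two from drifting apart. Note also that the removed `mapKeyTypeToSignatureAlgorithm` had an explicit `X25519` → `EckaDhSha256` case while the new `mapJoseToRestSignatureAlgorithm` has none, so whether `createKey` for `X25519` still succeeds now depends on what `signatureAlgorithmFromKeyType` returns for that type, which is outside this diff.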
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private providerId: string | undefined\n private tenantId: string | undefined\n private userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = 
options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? 
await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? 
await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return Promise.all(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? 
await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? 
data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.EcdsaSha256\n case 'RSA':\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case 'X25519':\n return SignatureAlgorithm.EckaDhSha256\n default:\n throw new Error(`Key type ${type} is not supported by REST KMS`)\n }\n }\n\n private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {\n switch (alg) {\n case 'RS256':\n return JoseSignatureAlgorithm.RS256\n case 'RS384':\n return JoseSignatureAlgorithm.RS384\n case 'RS512':\n return JoseSignatureAlgorithm.RS512\n case 'ES256':\n return JoseSignatureAlgorithm.ES256\n case 'ES256K':\n return JoseSignatureAlgorithm.ES256K\n case 'ES384':\n return JoseSignatureAlgorithm.ES384\n case 'ES512':\n return JoseSignatureAlgorithm.ES512\n case 'EdDSA':\n return JoseSignatureAlgorithm.EdDSA\n case 'HS256':\n return JoseSignatureAlgorithm.HS256\n case 'HS384':\n return JoseSignatureAlgorithm.HS384\n case 'HS512':\n return JoseSignatureAlgorithm.HS512\n case 'PS256':\n return JoseSignatureAlgorithm.PS256\n case 'PS384':\n return JoseSignatureAlgorithm.PS384\n case 'PS512':\n return JoseSignatureAlgorithm.PS512\n case 
'none':\n return JoseSignatureAlgorithm.none\n default:\n throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. 
We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? 
publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,mBACAC,wBACAC,cACAC,uBACAC,gBACAC,WACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA5C7C,OA4C6CA;;;EACnCC;EACSC;EACTC;EACAC;EACAC;EAER,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAC/D,UAAMR,UAAU;MACdY,KAAKH,QAAQ,cAAcA,OAAO,KAAKI,YAAYJ,KAAKK,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeT,QAAQA,KAAKS,gBAAgB,KAAKC,iBAAiBV,KAAKS,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIZ,QAAQ,cAAcA,QAAQA,KAAKa,WAAW;QAAEC,OAAOd,KAAKa;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAKxB,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAMyB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQC,6BAA6B;MACrD,GAAG1B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAO8B,QAAQE,qBAAqB3B,OAAAA;AAEnD,UAAM4B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAM,KAAKe,iBAAiBR,IAAIK,QAA
QC,KAAKC,UAAUd,GAAG,IAAIgB;IAChG;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOC,IAAIK,QAAQN;QACnBc,YAAY;UAACb,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CqB,eAAeC,uBAAuB;UACpCX;UACAY,iBAAiBZ,IAAIX,MAAMwB,sBAAsBb,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKpB,IAAIK,QAAQC,KAAKC,UAAUxC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMsD,UAAUtC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMsC,YAAY,KAAKC,aAAavC,IAAAA;AAEpC,UAAMwC,SAAS,KAAKlD,aAChB,MAAM,KAAKF,OAAO8B,QAAQuB,0BAA0B;MAClD,GAAGH,UAAUrB;MACb3B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQwB,kBAAkB;MAC1C,GAAGJ,UAAUrB;MACb,GAAI,KAAK1B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLmC,KAAKW,UAAUX;MACfE,KAAK,KAAKxC;MACVY;MACAC,MAAM;QACJc,OAAOsB,UAAUrB,IAAI0B,QAAQ3B;QAC7Bc,YAAY;UAACU,OAAOG,QAAQ1B,IAAIP,OAAO;;QACvCqB,eAAeC,uBAAuB;UACpCX,KAAKiB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAalC,MAAMwB,sBAAsBI,UAAUM,aAAalC,GAAG,IAAI;QACpG,CAAA;MACF;MACAyB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQ1B,IAAIjC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM6D,UAAU7C,MAAuC;AACrD,UAAM,EAAE2B,IAAG,IAAK3B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAO8B,QAAQ4B,2BAA2B;MACnDC,YAAYpB;MACZrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQ8B,mBAAmB;MAC3CD,YAAYpB;MACZ,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAMyD,WAAsC;AAC1C,UAAMC,OAAO,KAAK5D,aACd,MAAM,KAAKF,OAAO8B,QAAQiC,0BAA0B;MAClD7D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQkC,kBAAkB;MAC1C,GAAI,KAAK7D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM6D,WAAWC,
4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOC,QAAQC,IACbJ,SAASK,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAMkB,eAAe,MAAMyB,eAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAKxC;QACVY,MAAM4D;QACN1B;QACAjC,MAAM;UACJ4B,YAAY6B,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAU,eAAeC,uBAAuB;YACpCX;YACAY,iBAAiB0B,QAAQ1C,IAAIP,MAAMwB,sBAAsByB,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf1B,YAAYqE,QAAQrE;UACpByE,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;EAEJ;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKnE,MAAiC;AAC1C,UAAM,EAAEoE,QAAQC,MAAMC,YAAY,UAAS,IAAKtE;AAChD,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMiF,iBAA6BC,aAAaL,IAAAA,IAC5CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK5F,OAAO8B,QAAQ+D,4BAA4B;MAC1EtC,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASyF,gBAAgB,QAAA;MAChC,GAAI,KAAKlF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO2F,kBAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOrF,MAAoC;AAC/C,UAAM,EAAEoE,QAAQC,MAAMe,WAAWd,YAAY,UAAS,IAAKtE;AAC3D,UAAMiB,MAAM,KAAK3B,aACb,MAAM,KAAKF,OAAO8B,QAAQqD,wBAAwB;MAChDxB,YAAYqB,OAAOzC;MACnBrC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAO8B,QAAQsD,gBAAgB;MACxCzB,YAAYqB,OAAOzC;MACnB,GAAI,KAAKpC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAA
KA;MAAO;IAC3C,CAAA;AAGJ,UAAM8F,mBAA+BZ,aAAaL,IAAAA,IAC9CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMiB,eAAe,MAAM,KAAKnG,OAAO8B,QAAQsE,6BAA6B;MAC1E7C,SAAS1B,IAAI0B;MACbuC,OAAOlG,SAASsG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK7F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO+F,aAAaE;EACtB;EAEA,MAAMC,aAAa1F,MAAyC;AAC1D,UAAM,IAAI4B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACqF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOnF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOoF;MAChB;AACE,cAAM,IAAIhE,MAAM,aAAa+D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdvF,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO4F,mBAAmBC;MAC5B,KAAK;AACH,eAAOD,mBAAmBE;MAC5B,KAAK;AACH,eAAOF,mBAAmBG;MAC5B;AACE,cAAM,IAAIpE,MAAM,YAAY3B,IAAAA,+BAAmC;IACnE;EACF,GAXyC;EAajCwB,mBAAmB,wBAACf,QAAAA;AAC1B,YAAQA,KAAAA;MACN,KAAK;AACH,eAAOuF,uBAAuBC;MAChC,KAAK;AACH,eAAOD,uBAAuBE;MAChC,KAAK;AACH,eAAOF,uBAAuBG;MAChC,KAAK;AACH,eAAOH,uBAAuBI;MAChC,KAAK;AACH,eAAOJ,uBAAuBK;MAChC,KAAK;AACH,eAAOL,uBAAuBM;MAChC,KAAK;AACH,eAAON,uBAAuBO;MAChC,KAAK;AACH,eAAOP,uBAAuBQ;MAChC,KAAK;AACH,eAAOR,uBAAuBS;MAChC,KAAK;AACH,eAAOT,uBAAuBU;MAChC,KAAK;AACH,eAAOV,uBAAuBW;MAChC,KAAK;AACH,eAAOX,uBAAuBY;MAChC,KAAK;AACH,eAAOZ,uBAAuBa;MAChC,KAAK;AACH,eAAOb,uBAAuBc;MAChC,KAAK;AACH,eAAOd,uBAAuBe;MAChC;AACE,cAAM,IAAIpF,MAAM,uBAAuBlB,GAAAA,+BAAkC;IAC7E;EACF,GAnC2B;EAqCnBuG,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOrG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcsG;MACvB,KAAK;AACH,eAAOtG,cAAcuG;MACvB,KAAK;AACH,eAAOvG,cAAcwG;MACvB,KAAK;AACH,eAAOxG,cAAcyG;MACvB,KAAK;AACH,eAAOzG,cAAc0G;MACvB,KAAK;AACH,eAAO1G,cAAc2G;MACvB,KAAK;AACH,eAAO3G,cAAc4G;MACvB;AACE,cAAM,IAAI7F,MAAM,iBAAiBsF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBtG,mBAAmB,wBAAC8G,eAAAA;AAC1B,WAAOA,WAAWhE,IAAI,CAACwD,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3H,SAAAA;AACzB,UAAM4H,OAAO5H,KAAKE,MAAM0H;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7H,KAAK8H,cAAcC,SAAS,KAAA,IAAS/H,KAAK8H,gBAAgBE,SAAShI,KAAK8H,eAAe,SAAA;AACrI,UAAMlF,eAAeqF
,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAASxF,cAAc,QAAA;AAC5C,UAAMT,eAAekG,SAASF,YAAAA;AAE9B,UAAMjI,OAAO,CAAC;AACd,QAAI0H,MAAM;AACR1H,WAAK0H,OAAO;QACVU,IAAIV,KAAKU,MAAMtI,KAAK2B,OAAOQ;MAC7B;AACA,UAAIoG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxI,aAAK0H,KAAKY,sBAAsBD;AAChC,cAAMxE,MAAM4E,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BhG,uBAAamB,MAAMA;QACrB;AACA7D,aAAK0H,KAAK7D,MAAMA;MAClB;AACA,UAAI6D,KAAKgB,qBAAqB;AAE5BhG,qBAAaiG,MAAMjB,KAAKgB;AACxB1I,aAAK0H,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMjH,MAAM3B,KAAK2B,OAAOzB,MAAM0H,MAAMU,MAAMnG;AAC1C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDzI,KAAK2I,oBAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;QACAV,WAAWrI,KAAK0H,KAAK7D;MACvB;IACF;EACF,GArD0B;EAuDlBoF,wBAAwB,wBAACnJ,SAAAA;AAC/B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMoJ,eAAerK,WAAW+I,cAAcuB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMlI,UAAUgI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMjH,eAAeb,QAAQoI,UAAU,MAAM,KAAA;AAC7C,UAAM9G,eAAe+G,MAAMxH,cAAc,WAAA;AACzC,UAAM+F,gBAAgByB,MAAM7B,eAAe,aAAa;MAAE8B,cAAc;IAAK,CAAA;AAC7E,UAAMjI,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDzI,KAAK2I,oBAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAAC7J,SAAAA;AAC5B,UAAM,EAAE8H,cAAa,IAAK9H;AAC1B,UAAMkI,gBAAgByB,MAAM7B,eAAe,UAAU;MAAE8B,cAAc;IAAK,CAAA;AAC1E,UAAMzH,eAAe2H,8BAA8BhC,aAAAA;AACnD,UAAMlF,eAAe+G,MAAMxH,cAAc,QAAA;AACzC,UAAMR,MAAM3B,KAAK2B,OAAOiB,aAAajB,OAAOQ;AAE5C,WAAO;MACLR;MACAiB;MACA3B,KAAK;QACH0B,SAAS;UACP1B,KAAK;YACH,GAAGiH;YACHvG;YACAmH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDzI,KAAK2I,oBAAoBd,cAAc7H,KAAK,KAAA;YAC5C4I,KAAKC,mBAAmBhB,cAAce,KAAK,K
AAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB1G,eAAe,wBAACvC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0H,gBAAgB3H,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKmJ,sBAAsBnJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK6J,mBAAmB7J,IAAAA;MACjC;MACA;AACE,cAAM,IAAI4B,MAAM,YAAY5B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["base64ToBase64Url","calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","jwkToRawHexKey","shaHasher","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","mapJoseAlgorithm","undefined","kid","Error","kms","algorithms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","Promise","all","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","d
ataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","SignatureAlgorithm","EcdsaSha256","RsaSsaPssSha256Mgf1","EckaDhSha256","JoseSignatureAlgorithm","RS256","RS384","RS512","ES256","ES256K","ES384","ES512","EdDSA","HS256","HS384","HS512","PS256","PS384","PS512","none","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
1
+ {"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n 
this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? 
await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? 
await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n const results = await Promise.allSettled(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n\n return results\n .filter((result): result is PromiseFulfilledResult<ManagedKeyInfo> => {\n if (result.status === 'rejected') {\n console.warn('Failed to process key in listKeys:', result.reason)\n return false\n }\n return true\n })\n .map((result) => result.value)\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = 
this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeSigned: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are computed over the raw message (PureEdDSA)\n // The algorithm internally handles hashing with SHA-512\n dataToBeSigned = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before signing\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeSigned = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? 
await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeVerified: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are verified over the raw message (PureEdDSA)\n dataToBeVerified = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before verifying\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeVerified = isHashString(data)\n ? 
data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n 
return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? 
publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? 
publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,mBACAC,wBACAC,cACAC,uBACAC,gBACAC,WACAC,+BACAC,mCACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA9C7C,OA8C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,UAAUC,8BAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK
,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAMe,kCAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,eAAeC,uBAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,MAAMuB,sBAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,eAAeC,uBAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,MAAMuB,sBAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MA
AS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,UAAMC,UAAU,MAAMC,QAAQC,WAC5BL,SAASM,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAMiB,eAAe,MAAM0B,eAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM+D;QACN3B;QACAnC,MAAM;UACJG,YAAYyD,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAS,eAAeC,uBAAuB;YACpCV;YACAW,iBAAiB2B,QAAQ1C,IAAIP,MAAMuB,sBAAsB0B,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf7B,YAAYwE,QAAQxE;UACpB4E,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;AAGF,WAAOX,QACJY,OAAO,CAAC5B,WAAAA;AACP,UAAIA,OAAO6B,WAAW,YAAY;AAChCC,gBAAQC,KAAK,sCAAsC/B,OAAOgC,MAAM;AAChE,eAAO;MACT;AACA,aAAO;IACT,CAAA,EACCb,IAAI,CAACnB,WAAWA,OAAOiC,KAAK;EACjC;EAEQV,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMY,KAAK5E,MAAiC;AAC1C,UAAM,EAAE6E,QAAQC,MAAMC,YAAY,UAAS,IAAK/E;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQ2D,wBAAwB;MAChD/B,YAAY4B,OAAO/C;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ4D,gBAAgB;MACxChC,YAAY4B,OAAO/C;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM0F,SAAS9D,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAMsE,UAAUD,WAAW,WAAWA,WAAW,aAAa9D,IAAIyB,QAAQzB,IAAIgE,QAAQ;AAEtF,QAAIC;AACJ,QAAIF,SAAS;AAGXE,uBAAiBP;IACnB,OAAO;AAGLO,uBAAiBC,aAAaR,IAAAA,IAC1BA,OACAS,UAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMa,gBAAgB,MAAM,KAAKxG,OAAOiC,QAAQwE,4BAA4B;MAC1EhD,SAASzB,IAAIyB;MACbiD,OAAO9G,SAASqG,gBAAgB,QAAA;MAChC,GAAI,KAAK9F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOuG,kBAAkBH,cAAcI,SAAS;EAC
lD;EAEA,MAAMC,OAAOjG,MAAoC;AAC/C,UAAM,EAAE6E,QAAQC,MAAMkB,WAAWjB,YAAY,UAAS,IAAK/E;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQ2D,wBAAwB;MAChD/B,YAAY4B,OAAO/C;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ4D,gBAAgB;MACxChC,YAAY4B,OAAO/C;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM0F,SAAS9D,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAMsE,UAAUD,WAAW,WAAWA,WAAW,aAAa9D,IAAIyB,QAAQzB,IAAIgE,QAAQ;AAEtF,QAAIc;AACJ,QAAIf,SAAS;AAEXe,yBAAmBpB;IACrB,OAAO;AAGLoB,yBAAmBZ,aAAaR,IAAAA,IAC5BA,OACAS,UAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMoB,eAAe,MAAM,KAAK/G,OAAOiC,QAAQ+E,6BAA6B;MAC1EvD,SAASzB,IAAIyB;MACbiD,OAAO9G,SAASkH,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAKzG,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO2G,aAAaE;EACtB;EAEA,MAAMC,aAAatG,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAAC8F,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAO5F,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAO6F;MAChB;AACE,cAAM,IAAIzE,MAAM,aAAawE,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdhG,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAK4F,uBAAuBC;AAC1B,eAAOC,mBAAmBC;MAC5B,KAAKH,uBAAuBI;AAC1B,eAAOF,mBAAmBG;MAC5B,KAAKL,uBAAuBM;AAC1B,eAAOJ,mBAAmBK;MAC5B,KAAKP,uBAAuBQ;AAC1B,eAAON,mBAAmBO;MAC5B,KAAKT,uBAAuBU;AAC1B,eAAOR,mBAAmBS;MAC5B,KAAKX,uBAAuBY;AAC1B,eAAOV,mBAAmBW;MAC5B,KAAKb,uBAAuBc;AAC1B,eAAOZ,mBAAmBa;MAC5B,KAAKf,uBAAuBgB;AAC1B,eAAOd,mBAAmBe;MAC5B,KAAKjB,uBAAuBkB;AAC1B,eAAOhB,mBAAmBiB;MAC5B,KAAKnB,uBAAuBoB;AAC1B,eAAOlB,mBAAmBmB;MAC5B,KAAKrB,uBAAuBsB;AAC1B,eAAOpB,mBAAmBqB;MAC5B;AACE,cAAM,IAAIjG,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlCoH,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOlH,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcmH;MACvB,KAAK;AACH,eAAOnH,cAAcoH;MACvB,KAAK;AACH,eAAOpH,cAAcqH;MACvB,KAAK;AACH,eAAOrH,cAAcsH;MACvB,KAAK;AACH,eAAOtH,cAAcuH;MACvB,KAAK;AACH,eAAOvH,cAAcwH
;MACvB,KAAK;AACH,eAAOxH,cAAcyH;MACvB;AACE,cAAM,IAAI1G,MAAM,iBAAiBmG,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBnH,mBAAmB,wBAAC2H,eAAAA;AAC1B,WAAOA,WAAW7E,IAAI,CAACqE,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3I,SAAAA;AACzB,UAAM4I,OAAO5I,KAAKE,MAAM0I;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7I,KAAK8I,cAAcC,SAAS,KAAA,IAAS/I,KAAK8I,gBAAgBE,SAAShJ,KAAK8I,eAAe,SAAA;AACrI,UAAMhG,eAAemG,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAAStG,cAAc,QAAA;AAC5C,UAAMT,eAAegH,SAASF,YAAAA;AAE9B,UAAMjJ,OAAO,CAAC;AACd,QAAI0I,MAAM;AACR1I,WAAK0I,OAAO;QACVU,IAAIV,KAAKU,MAAMtJ,KAAK8B,OAAOO;MAC7B;AACA,UAAIkH,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxJ,aAAK0I,KAAKY,sBAAsBD;AAChC,cAAMrF,MAAMyF,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B9G,uBAAaoB,MAAMA;QACrB;AACAhE,aAAK0I,KAAK1E,MAAMA;MAClB;AACA,UAAI0E,KAAKgB,qBAAqB;AAE5B9G,qBAAa+G,MAAMjB,KAAKgB;AACxB1J,aAAK0I,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM9H,MAAM9B,KAAK8B,OAAO5B,MAAM0I,MAAMU,MAAMjH;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,KAAKwJ,oBAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,KAAK6E,mBAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;QACAmE,WAAWrJ,KAAK0I,KAAK1E;MACvB;IACF;EACF,GArD0B;EAuDlBgG,wBAAwB,wBAAClK,SAAAA;AAC/B,UAAM,EAAE8I,cAAa,IAAK9I;AAC1B,UAAMmK,eAAepL,WAAW+J,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAM9I,UAAU4I,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9H,eAAeZ,QAAQgJ,UAAU,MAAM,KAAA;AAC7C,UAAM3H,eAAe4H,MAAMrI,cAAc,WAAA;AACzC,UAAM6G,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM7I,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,KAAKwJ,oBAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,KAAK6E,mBAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBwF,qBAAqB,wBAAC5K,SAAAA;AAC5B,UAA
M,EAAE8I,cAAa,IAAK9I;AAC1B,UAAMkJ,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMtI,eAAewI,8BAA8B/B,aAAAA;AACnD,UAAMhG,eAAe4H,MAAMrI,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,KAAKwJ,oBAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,KAAK6E,mBAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB3C,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0I,gBAAgB3I,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKkK,sBAAsBlK,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK4K,mBAAmB5K,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["base64ToBase64Url","calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","jwkToRawHexKey","shaHasher","signatureAlgorithmFromKeyType","signatureAlgorithmToJoseAlgorithm","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer"
,"from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","results","Promise","allSettled","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","filter","status","console","warn","reason","value","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","keyAlg","isEdDSA","crv","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
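--- a/package/package.json
+++ b/package/package.json
@@ -1,7 +1,7 @@
 {
   "name": "@sphereon/ssi-sdk.kms-rest",
   "description": "Sphereon SSI-SDK plugin for REST Key Management System.",
-  "version": "0.36.1-feature.SSISDK.82.and.SSISDK.70.35+b3c0abff",
+  "version": "0.36.1-feature.SSISDK.89.metadata.persistence.103+7d41f865",
   "source": "./src/index.ts",
   "type": "module",
   "main": "./dist/index.cjs",
@@ -22,10 +22,10 @@
     "build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
   },
   "dependencies": {
-    "@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feature.SSISDK.82.and.SSISDK.70.35+b3c0abff",
-    "@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feature.SSISDK.82.and.SSISDK.70.35+b3c0abff",
-    "@sphereon/ssi-sdk.kms-rest-client": "0.36.1-feature.SSISDK.82.and.SSISDK.70.35+b3c0abff",
-    "@sphereon/ssi-types": "0.36.1-feature.SSISDK.82.and.SSISDK.70.35+b3c0abff",
+    "@sphereon/ssi-sdk-ext.key-utils": "0.36.1-feature.SSISDK.89.metadata.persistence.103+7d41f865",
+    "@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-feature.SSISDK.89.metadata.persistence.103+7d41f865",
+    "@sphereon/ssi-sdk.kms-rest-client": "0.36.1-feature.SSISDK.89.metadata.persistence.103+7d41f865",
+    "@sphereon/ssi-types": "0.36.1-feature.SSISDK.89.metadata.persistence.103+7d41f865",
     "@veramo/core": "4.2.0",
     "@veramo/key-manager": "4.2.0",
     "elliptic": "^6.5.4",
@@ -54,5 +54,5 @@
     "key-management",
     "Veramo"
   ],
-  "gitHead": "b3c0abff5a63fc40d620b95888ce8fdd006b5d00"
+  "gitHead": "7d41f86553fed321199e36cb6aacca36cb99032f"
 }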
@@ -5,6 +5,8 @@ import {
5
5
  joseAlgorithmToDigest,
6
6
  jwkToRawHexKey,
7
7
  shaHasher,
8
+ signatureAlgorithmFromKeyType,
9
+ signatureAlgorithmToJoseAlgorithm,
8
10
  toJwk,
9
11
  x25519PublicHexFromPrivateHex,
10
12
  type X509Opts,
@@ -45,9 +47,9 @@ interface KeyManagementSystemOptions {
45
47
  export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
46
48
  private client: KmsRestClient
47
49
  private readonly id: string
48
- private providerId: string | undefined
49
- private tenantId: string | undefined
50
- private userId: string | undefined
50
+ private readonly providerId: string | undefined
51
+ private readonly tenantId: string | undefined
52
+ private readonly userId: string | undefined
51
53
 
52
54
  constructor(options: KeyManagementSystemOptions) {
53
55
  super()
@@ -67,7 +69,11 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
67
69
  async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {
68
70
  const { type, meta } = args
69
71
 
70
- const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)
72
+ const joseAlg = signatureAlgorithmFromKeyType({
73
+ type,
74
+ algorithms: meta?.algorithms as string[] | undefined,
75
+ })
76
+ const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)
71
77
  const options = {
72
78
  use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,
73
79
  alg: signatureAlgorithm,
@@ -86,7 +92,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
86
92
 
87
93
  const jwk = {
88
94
  ...key.keyPair.jose.publicJwk,
89
- alg: key.keyPair.jose.publicJwk.alg ? this.mapJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,
95
+ alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,
90
96
  } satisfies JWK
91
97
 
92
98
  const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid
@@ -174,7 +180,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
174
180
 
175
181
  const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos
176
182
 
177
- return Promise.all(
183
+ const results = await Promise.allSettled(
178
184
  restKeys.map(async (restKey: RestManagedKeyInfo) => {
179
185
  const jwk = restKey.key
180
186
  const publicKeyHex = await jwkToRawHexKey(jwk as JWK)
@@ -202,6 +208,16 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
202
208
  } satisfies ManagedKeyInfo
203
209
  }),
204
210
  )
211
+
212
+ return results
213
+ .filter((result): result is PromiseFulfilledResult<ManagedKeyInfo> => {
214
+ if (result.status === 'rejected') {
215
+ console.warn('Failed to process key in listKeys:', result.reason)
216
+ return false
217
+ }
218
+ return true
219
+ })
220
+ .map((result) => result.value)
205
221
  }
206
222
 
207
223
  private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {
@@ -237,10 +253,23 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
237
253
  ...(this.userId && { userId: this.userId }),
238
254
  })
239
255
 
240
- // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash
241
- const dataToBeSigned: Uint8Array = isHashString(data)
242
- ? data
243
- : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
256
+ // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash
257
+ const keyAlg = key.keyInfo.key.alg
258
+ const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'
259
+
260
+ let dataToBeSigned: Uint8Array
261
+ if (isEdDSA) {
262
+ // EdDSA signatures are computed over the raw message (PureEdDSA)
263
+ // The algorithm internally handles hashing with SHA-512
264
+ dataToBeSigned = data
265
+ } else {
266
+ // For other algorithms (RSA, ECDSA), hash the data before signing
267
+ // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)
268
+ dataToBeSigned = isHashString(data)
269
+ ? data
270
+ : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
271
+ }
272
+
244
273
  const signingResult = await this.client.methods.kmsClientCreateRawSignature({
245
274
  keyInfo: key.keyInfo,
246
275
  input: toString(dataToBeSigned, 'base64'),
@@ -266,10 +295,22 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
266
295
  ...(this.userId && { userId: this.userId }),
267
296
  })
268
297
 
269
- // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash
270
- const dataToBeVerified: Uint8Array = isHashString(data)
271
- ? data
272
- : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
298
+ // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash
299
+ const keyAlg = key.keyInfo.key.alg
300
+ const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'
301
+
302
+ let dataToBeVerified: Uint8Array
303
+ if (isEdDSA) {
304
+ // EdDSA signatures are verified over the raw message (PureEdDSA)
305
+ dataToBeVerified = data
306
+ } else {
307
+ // For other algorithms (RSA, ECDSA), hash the data before verifying
308
+ // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)
309
+ dataToBeVerified = isHashString(data)
310
+ ? data
311
+ : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
312
+ }
313
+
273
314
  const verification = await this.client.methods.kmsClientIsValidRawSignature({
274
315
  keyInfo: key.keyInfo,
275
316
  input: toString(dataToBeVerified, 'base64'),
@@ -296,53 +337,32 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
296
337
  }
297
338
  }
298
339
 
299
- private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {
300
- switch (type) {
301
- case 'Secp256r1':
302
- return SignatureAlgorithm.EcdsaSha256
303
- case 'RSA':
304
- return SignatureAlgorithm.RsaSsaPssSha256Mgf1
305
- case 'X25519':
306
- return SignatureAlgorithm.EckaDhSha256
307
- default:
308
- throw new Error(`Key type ${type} is not supported by REST KMS`)
309
- }
310
- }
311
-
312
- private mapJoseAlgorithm = (alg: string): JoseSignatureAlgorithm => {
340
+ private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {
313
341
  switch (alg) {
314
- case 'RS256':
315
- return JoseSignatureAlgorithm.RS256
316
- case 'RS384':
317
- return JoseSignatureAlgorithm.RS384
318
- case 'RS512':
319
- return JoseSignatureAlgorithm.RS512
320
- case 'ES256':
321
- return JoseSignatureAlgorithm.ES256
322
- case 'ES256K':
323
- return JoseSignatureAlgorithm.ES256K
324
- case 'ES384':
325
- return JoseSignatureAlgorithm.ES384
326
- case 'ES512':
327
- return JoseSignatureAlgorithm.ES512
328
- case 'EdDSA':
329
- return JoseSignatureAlgorithm.EdDSA
330
- case 'HS256':
331
- return JoseSignatureAlgorithm.HS256
332
- case 'HS384':
333
- return JoseSignatureAlgorithm.HS384
334
- case 'HS512':
335
- return JoseSignatureAlgorithm.HS512
336
- case 'PS256':
337
- return JoseSignatureAlgorithm.PS256
338
- case 'PS384':
339
- return JoseSignatureAlgorithm.PS384
340
- case 'PS512':
341
- return JoseSignatureAlgorithm.PS512
342
- case 'none':
343
- return JoseSignatureAlgorithm.none
342
+ case JoseSignatureAlgorithm.RS256:
343
+ return SignatureAlgorithm.RsaSha256
344
+ case JoseSignatureAlgorithm.RS384:
345
+ return SignatureAlgorithm.RsaSha384
346
+ case JoseSignatureAlgorithm.RS512:
347
+ return SignatureAlgorithm.RsaSha512
348
+ case JoseSignatureAlgorithm.PS256:
349
+ return SignatureAlgorithm.RsaSsaPssSha256Mgf1
350
+ case JoseSignatureAlgorithm.PS384:
351
+ return SignatureAlgorithm.RsaSsaPssSha384Mgf1
352
+ case JoseSignatureAlgorithm.PS512:
353
+ return SignatureAlgorithm.RsaSsaPssSha512Mgf1
354
+ case JoseSignatureAlgorithm.ES256:
355
+ return SignatureAlgorithm.EcdsaSha256
356
+ case JoseSignatureAlgorithm.ES384:
357
+ return SignatureAlgorithm.EcdsaSha384
358
+ case JoseSignatureAlgorithm.ES512:
359
+ return SignatureAlgorithm.EcdsaSha512
360
+ case JoseSignatureAlgorithm.ES256K:
361
+ return SignatureAlgorithm.Es256K
362
+ case JoseSignatureAlgorithm.EdDSA:
363
+ return SignatureAlgorithm.Ed25519
344
364
  default:
345
- throw new Error(`Signature algorithm ${alg} is not supported by REST KMS`)
365
+ throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)
346
366
  }
347
367
  }
348
368