@sphereon/ssi-sdk.kms-rest 0.36.1-feature.integration.fides.88 → 0.36.1-next.102
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.cjs +24 -3
- package/dist/index.cjs.map +1 -1
- package/dist/index.js +24 -3
- package/dist/index.js.map +1 -1
- package/package.json +6 -6
- package/src/RestKeyManagementSystem.ts +44 -9
package/dist/index.cjs
CHANGED
|
@@ -194,7 +194,7 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
194
194
|
}
|
|
195
195
|
});
|
|
196
196
|
const restKeys = (0, import_ssi_sdk.ListKeysResponseToJSONTyped)(keys, false).keyInfos;
|
|
197
|
-
|
|
197
|
+
const results = await Promise.allSettled(restKeys.map(async (restKey) => {
|
|
198
198
|
const jwk = restKey.key;
|
|
199
199
|
const publicKeyHex = await (0, import_ssi_sdk_ext.jwkToRawHexKey)(jwk);
|
|
200
200
|
const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
|
|
@@ -221,6 +221,13 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
221
221
|
}
|
|
222
222
|
};
|
|
223
223
|
}));
|
|
224
|
+
return results.filter((result) => {
|
|
225
|
+
if (result.status === "rejected") {
|
|
226
|
+
console.warn("Failed to process key in listKeys:", result.reason);
|
|
227
|
+
return false;
|
|
228
|
+
}
|
|
229
|
+
return true;
|
|
230
|
+
}).map((result) => result.value);
|
|
224
231
|
}
|
|
225
232
|
mapRestKeyTypeToTKeyType(keyType) {
|
|
226
233
|
switch (keyType) {
|
|
@@ -259,7 +266,14 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
259
266
|
userId: this.userId
|
|
260
267
|
}
|
|
261
268
|
});
|
|
262
|
-
const
|
|
269
|
+
const keyAlg = key.keyInfo.key.alg;
|
|
270
|
+
const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
|
|
271
|
+
let dataToBeSigned;
|
|
272
|
+
if (isEdDSA) {
|
|
273
|
+
dataToBeSigned = data;
|
|
274
|
+
} else {
|
|
275
|
+
dataToBeSigned = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
|
|
276
|
+
}
|
|
263
277
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
264
278
|
keyInfo: key.keyInfo,
|
|
265
279
|
input: toString(dataToBeSigned, "base64"),
|
|
@@ -292,7 +306,14 @@ var RestKeyManagementSystem = class extends import_key_manager.AbstractKeyManage
|
|
|
292
306
|
userId: this.userId
|
|
293
307
|
}
|
|
294
308
|
});
|
|
295
|
-
const
|
|
309
|
+
const keyAlg = key.keyInfo.key.alg;
|
|
310
|
+
const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
|
|
311
|
+
let dataToBeVerified;
|
|
312
|
+
if (isEdDSA) {
|
|
313
|
+
dataToBeVerified = data;
|
|
314
|
+
} else {
|
|
315
|
+
dataToBeVerified = (0, import_ssi_sdk_ext.isHashString)(data) ? data : (0, import_ssi_sdk_ext.shaHasher)(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
|
|
316
|
+
}
|
|
296
317
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
|
297
318
|
keyInfo: key.keyInfo,
|
|
298
319
|
input: toString(dataToBeVerified, "base64"),
|
package/dist/index.cjs.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return Promise.all(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAYO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA9C7C,OA8C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,cAAUC,kDAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,UAAMe,sDAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,UAAMuB,0CAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,UAAMuB,0CAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOC,QAAQC,IACbJ,SAASK,IAAI,OAAOC,YAAAA;AAClB,YAAMrC,MAAMqC,QAAQzC;AACpB,YAAMiB,eAAe,UAAMyB,mCAAetC,GAAAA;AAC1C,YAAMuC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLjC,KAAK+B,QAAQ/B,OAAO+B,QAAQ1C;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM8D;QACN1B;QACAnC,MAAM;UACJG,YAAYwD,QAAQvD,qBAAqB;YAACuD,QAAQvD;cAAsBuB;UACxEL;UACAS,mBAAeC,2CAAuB;YACpCV;YACAW,iBAAiB0B,QAAQzC,IAAIP,UAAMuB,0CAAsByB,QAAQzC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO0C,QAAQ1C;UACf7B,YAAYuE,QAAQvE;UACpB2E,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;EAEJ;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIhC,MAAM,qBAAqBgC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKrE,MAAiC;AAC1C,UAAM,EAAEsE,QAAQC,MAAMC,YAAY,UAAS,IAAKxE;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,qBAA6BC,iCAAaL,IAAAA,IAC5CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK9F,OAAOiC,QAAQ8D,4BAA4B;MAC1EtC,SAASzB,IAAIyB;MACbuC,OAAOpG,SAAS2F,gBAAgB,QAAA;MAChC,GAAI,KAAKpF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,eAAO6F,sCAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOvF,MAAoC;AAC/C,UAAM,EAAEsE,QAAQC,MAAMe,WAAWd,YAAY,UAAS,IAAKxE;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMgG,uBAA+BZ,iCAAaL,IAAAA,IAC9CA,WACAM,8BAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMiB,eAAe,MAAM,KAAKrG,OAAOiC,QAAQqE,6BAA6B;MAC1E7C,SAASzB,IAAIyB;MACbuC,OAAOpG,SAASwG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK/F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOiG,aAAaE;EACtB;EAEA,MAAMC,aAAa5F,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAKkF,wCAAuBC;AAC1B,eAAOC,kCAAmBC;MAC5B,KAAKH,wCAAuBI;AAC1B,eAAOF,kCAAmBG;MAC5B,KAAKL,wCAAuBM;AAC1B,eAAOJ,kCAAmBK;MAC5B,KAAKP,wCAAuBQ;AAC1B,eAAON,kCAAmBO;MAC5B,KAAKT,wCAAuBU;AAC1B,eAAOR,kCAAmBS;MAC5B,KAAKX,wCAAuBY;AAC1B,eAAOV,kCAAmBW;MAC5B,KAAKb,wCAAuBc;AAC1B,eAAOZ,kCAAmBa;MAC5B,KAAKf,wCAAuBgB;AAC1B,eAAOd,kCAAmBe;MAC5B,KAAKjB,wCAAuBkB;AAC1B,eAAOhB,kCAAmBiB;MAC5B,KAAKnB,wCAAuBoB;AAC1B,eAAOlB,kCAAmBmB;MAC5B,KAAKrB,wCAAuBsB;AAC1B,eAAOpB,kCAAmBqB;MAC5B;AACE,cAAM,IAAIvF,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlC0G,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOxG,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcyG;MACvB,KAAK;AACH,eAAOzG,6BAAc0G;MACvB,KAAK;AACH,eAAO1G,6BAAc2G;MACvB,KAAK;AACH,eAAO3G,6BAAc4G;MACvB,KAAK;AACH,eAAO5G,6BAAc6G;MACvB,KAAK;AACH,eAAO7G,6BAAc8G;MACvB,KAAK;AACH,eAAO9G,6BAAc+G;MACvB;AACE,cAAM,IAAIhG,MAAM,iBAAiByF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBzG,mBAAmB,wBAACiH,eAAAA;AAC1B,WAAOA,WAAWpE,IAAI,CAAC4D,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACjI,SAAAA;AACzB,UAAMkI,OAAOlI,KAAKE,MAAMgI;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBnI,KAAKoI,cAAcC,SAAS,KAAA,IAASrI,KAAKoI,oBAAgBE,8BAAStI,KAAKoI,eAAe,SAAA;AACrI,UAAMtF,mBAAeyF,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAAS5F,cAAc,QAAA;AAC5C,UAAMT,mBAAesG,8BAASF,YAAAA;AAE9B,UAAMvI,OAAO,CAAC;AACd,QAAIgI,MAAM;AACRhI,WAAKgI,OAAO;QACVU,IAAIV,KAAKU,MAAM5I,KAAK8B,OAAOO;MAC7B;AACA,UAAIwG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxB9I,aAAKgI,KAAKY,sBAAsBD;AAChC,cAAM5E,UAAMgF,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BpG,uBAAamB,MAAMA;QACrB;AACA/D,aAAKgI,KAAKjE,MAAMA;MAClB;AACA,UAAIiE,KAAKgB,qBAAqB;AAE5BpG,qBAAaqG,MAAMjB,KAAKgB;AACxBhJ,aAAKgI,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMpH,MAAM9B,KAAK8B,OAAO5B,MAAMgI,MAAMU,MAAMvG;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGoH;YACH1G;YACAsH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChD5I,SAAK8I,oCAAoBd,cAAchI,KAAK,KAAA;YAC5C+I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;QACAV,WAAW3I,KAAKgI,KAAKjE;MACvB;IACF;EACF,GArD0B;EAuDlBwF,wBAAwB,wBAACzJ,SAAAA;AAC/B,UAAM,EAAEoI,cAAa,IAAKpI;AAC1B,UAAM0J,eAAe3K,WAAWqJ,cAAcuB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAMrI,UAAUmI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMrH,eAAeZ,QAAQuI,UAAU,MAAM,KAAA;AAC7C,UAAMlH,mBAAemH,0BAAM5H,cAAc,WAAA;AACzC,UAAMmG,oBAAgByB,0BAAM7B,eAAe,aAAa;MAAE8B,cAAc;IAAK,CAAA;AAC7E,UAAMpI,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGoH;YACH1G;YACAsH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChD5I,SAAK8I,oCAAoBd,cAAchI,KAAK,KAAA;YAC5C+I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACnK,SAAAA;AAC5B,UAAM,EAAEoI,cAAa,IAAKpI;AAC1B,UAAMwI,oBAAgByB,0BAAM7B,eAAe,UAAU;MAAE8B,cAAc;IAAK,CAAA;AAC1E,UAAM7H,mBAAe+H,kDAA8BhC,aAAAA;AACnD,UAAMtF,mBAAemH,0BAAM5H,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGoH;YACH1G;YACAsH,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChD5I,SAAK8I,oCAAoBd,cAAchI,KAAK,KAAA;YAC5C+I,SAAKC,mCAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB9G,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKgI,gBAAgBjI,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKyJ,sBAAsBzJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKmK,mBAAmBnK,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","Promise","all","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/index.ts","../src/RestKeyManagementSystem.ts"],"sourcesContent":["export { RestKeyManagementSystem } from './RestKeyManagementSystem'\nexport * from './types'\n","import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n const results = await Promise.allSettled(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n\n return results\n .filter((result): result is PromiseFulfilledResult<ManagedKeyInfo> => {\n if (result.status === 'rejected') {\n console.warn('Failed to process key in listKeys:', result.reason)\n return false\n }\n return true\n })\n .map((result) => result.value)\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeSigned: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are computed over the raw message (PureEdDSA)\n // The algorithm internally handles hashing with SHA-512\n dataToBeSigned = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before signing\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeSigned = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeVerified: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are verified over the raw message (PureEdDSA)\n dataToBeVerified = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before verifying\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeVerified = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,yBAYO;AACP,IAAAA,sBAA0E;AAE1E,qBAWO;AACP,uBAAiD;AAEjD,yBAA4C;AAC5C,sBAAqB;AAErB,UAAqB;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,+CAAAA;EA9C7C,OA8C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,6BAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,cAAUC,kDAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,sBAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,6BAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,UAAMe,sDAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,mBAAeC,2CAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,UAAMuB,0CAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,mBAAeC,2CAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,UAAMuB,0CAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,eAAWC,4CAA4BJ,MAAM,KAAA,EAAOK;AAE1D,UAAMC,UAAU,MAAMC,QAAQC,WAC5BL,SAASM,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAMiB,eAAe,UAAM0B,mCAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM+D;QACN3B;QACAnC,MAAM;UACJG,YAAYyD,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAS,mBAAeC,2CAAuB;YACpCV;YACAW,iBAAiB2B,QAAQ1C,IAAIP,UAAMuB,0CAAsB0B,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf7B,YAAYwE,QAAQxE;UACpB4E,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;AAGF,WAAOX,QACJY,OAAO,CAAC5B,WAAAA;AACP,UAAIA,OAAO6B,WAAW,YAAY;AAChCC,gBAAQC,KAAK,sCAAsC/B,OAAOgC,MAAM;AAChE,eAAO;MACT;AACA,aAAO;IACT,CAAA,EACCb,IAAI,CAACnB,WAAWA,OAAOiC,KAAK;EACjC;EAEQV,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMY,KAAK5E,MAAiC;AAC1C,UAAM,EAAE6E,QAAQC,MAAMC,YAAY,UAAS,IAAK/E;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQ2D,wBAAwB;MAChD/B,YAAY4B,OAAO/C;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ4D,gBAAgB;MACxChC,YAAY4B,OAAO/C;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM0F,SAAS9D,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAMsE,UAAUD,WAAW,WAAWA,WAAW,aAAa9D,IAAIyB,QAAQzB,IAAIgE,QAAQ;AAEtF,QAAIC;AACJ,QAAIF,SAAS;AAGXE,uBAAiBP;IACnB,OAAO;AAGLO,2BAAiBC,iCAAaR,IAAAA,IAC1BA,WACAS,8BAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMa,gBAAgB,MAAM,KAAKxG,OAAOiC,QAAQwE,4BAA4B;MAC1EhD,SAASzB,IAAIyB;MACbiD,OAAO9G,SAASqG,gBAAgB,QAAA;MAChC,GAAI,KAAK9F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,eAAOuG,sCAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOjG,MAAoC;AAC/C,UAAM,EAAE6E,QAAQC,MAAMkB,WAAWjB,YAAY,UAAS,IAAK/E;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQ2D,wBAAwB;MAChD/B,YAAY4B,OAAO/C;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ4D,gBAAgB;MACxChC,YAAY4B,OAAO/C;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM0F,SAAS9D,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAMsE,UAAUD,WAAW,WAAWA,WAAW,aAAa9D,IAAIyB,QAAQzB,IAAIgE,QAAQ;AAEtF,QAAIc;AACJ,QAAIf,SAAS;AAEXe,yBAAmBpB;IACrB,OAAO;AAGLoB,6BAAmBZ,iCAAaR,IAAAA,IAC5BA,WACAS,8BAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMoB,eAAe,MAAM,KAAK/G,OAAOiC,QAAQ+E,6BAA6B;MAC1EvD,SAASzB,IAAIyB;MACbiD,OAAO9G,SAASkH,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAKzG,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO2G,aAAaE;EACtB;EAEA,MAAMC,aAAatG,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAAC8F,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAO5F,sBAAOC;MAChB,KAAK;AACH,eAAOD,sBAAO6F;MAChB;AACE,cAAM,IAAIzE,MAAM,aAAawE,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdhG,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAK4F,wCAAuBC;AAC1B,eAAOC,kCAAmBC;MAC5B,KAAKH,wCAAuBI;AAC1B,eAAOF,kCAAmBG;MAC5B,KAAKL,wCAAuBM;AAC1B,eAAOJ,kCAAmBK;MAC5B,KAAKP,wCAAuBQ;AAC1B,eAAON,kCAAmBO;MAC5B,KAAKT,wCAAuBU;AAC1B,eAAOR,kCAAmBS;MAC5B,KAAKX,wCAAuBY;AAC1B,eAAOV,kCAAmBW;MAC5B,KAAKb,wCAAuBc;AAC1B,eAAOZ,kCAAmBa;MAC5B,KAAKf,wCAAuBgB;AAC1B,eAAOd,kCAAmBe;MAC5B,KAAKjB,wCAAuBkB;AAC1B,eAAOhB,kCAAmBiB;MAC5B,KAAKnB,wCAAuBoB;AAC1B,eAAOlB,kCAAmBmB;MAC5B,KAAKrB,wCAAuBsB;AAC1B,eAAOpB,kCAAmBqB;MAC5B;AACE,cAAM,IAAIjG,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlCoH,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOlH,6BAAcC;MACvB,KAAK;AACH,eAAOD,6BAAcmH;MACvB,KAAK;AACH,eAAOnH,6BAAcoH;MACvB,KAAK;AACH,eAAOpH,6BAAcqH;MACvB,KAAK;AACH,eAAOrH,6BAAcsH;MACvB,KAAK;AACH,eAAOtH,6BAAcuH;MACvB,KAAK;AACH,eAAOvH,6BAAcwH;MACvB,KAAK;AACH,eAAOxH,6BAAcyH;MACvB;AACE,cAAM,IAAI1G,MAAM,iBAAiBmG,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBnH,mBAAmB,wBAAC2H,eAAAA;AAC1B,WAAOA,WAAW7E,IAAI,CAACqE,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3I,SAAAA;AACzB,UAAM4I,OAAO5I,KAAKE,MAAM0I;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7I,KAAK8I,cAAcC,SAAS,KAAA,IAAS/I,KAAK8I,oBAAgBE,8BAAShJ,KAAK8I,eAAe,SAAA;AACrI,UAAMhG,mBAAemG,8BAASJ,eAAe,QAAA;AAC7C,UAAMK,oBAAgBD,8BAASJ,aAAAA;AAC/B,UAAMM,mBAAeC,8BAAStG,cAAc,QAAA;AAC5C,UAAMT,mBAAegH,8BAASF,YAAAA;AAE9B,UAAMjJ,OAAO,CAAC;AACd,QAAI0I,MAAM;AACR1I,WAAK0I,OAAO;QACVU,IAAIV,KAAKU,MAAMtJ,KAAK8B,OAAOO;MAC7B;AACA,UAAIkH,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxJ,aAAK0I,KAAKY,sBAAsBD;AAChC,cAAMrF,UAAMyF,uCAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B9G,uBAAaoB,MAAMA;QACrB;AACAhE,aAAK0I,KAAK1E,MAAMA;MAClB;AACA,UAAI0E,KAAKgB,qBAAqB;AAE5B9G,qBAAa+G,MAAMjB,KAAKgB;AACxB1J,aAAK0I,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM9H,MAAM9B,KAAK8B,OAAO5B,MAAM0I,MAAMU,MAAMjH;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,SAAKwJ,oCAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,SAAK6E,mCAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;QACAmE,WAAWrJ,KAAK0I,KAAK1E;MACvB;IACF;EACF,GArD0B;EAuDlBgG,wBAAwB,wBAAClK,SAAAA;AAC/B,UAAM,EAAE8I,cAAa,IAAK9I;AAC1B,UAAMmK,eAAepL,WAAW+J,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,gBAAAA,QAASC,GAAG,MAAA;AAClC,UAAM9I,UAAU4I,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9H,eAAeZ,QAAQgJ,UAAU,MAAM,KAAA;AAC7C,UAAM3H,mBAAe4H,0BAAMrI,cAAc,WAAA;AACzC,UAAM6G,oBAAgBwB,0BAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM7I,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,SAAKwJ,oCAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,SAAK6E,mCAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBwF,qBAAqB,wBAAC5K,SAAAA;AAC5B,UAAM,EAAE8I,cAAa,IAAK9I;AAC1B,UAAMkJ,oBAAgBwB,0BAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMtI,mBAAewI,kDAA8B/B,aAAAA;AACnD,UAAMhG,mBAAe4H,0BAAMrI,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,SAAKC,wCAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,SAAKwJ,oCAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,SAAK6E,mCAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB3C,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0I,gBAAgB3I,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKkK,sBAAsBlK,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK4K,mBAAmB5K,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["import_ssi_sdk_ext","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","results","Promise","allSettled","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","filter","status","console","warn","reason","value","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","keyAlg","isEdDSA","crv","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
package/dist/index.js
CHANGED
|
@@ -160,7 +160,7 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
160
160
|
}
|
|
161
161
|
});
|
|
162
162
|
const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos;
|
|
163
|
-
|
|
163
|
+
const results = await Promise.allSettled(restKeys.map(async (restKey) => {
|
|
164
164
|
const jwk = restKey.key;
|
|
165
165
|
const publicKeyHex = await jwkToRawHexKey(jwk);
|
|
166
166
|
const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType);
|
|
@@ -187,6 +187,13 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
187
187
|
}
|
|
188
188
|
};
|
|
189
189
|
}));
|
|
190
|
+
return results.filter((result) => {
|
|
191
|
+
if (result.status === "rejected") {
|
|
192
|
+
console.warn("Failed to process key in listKeys:", result.reason);
|
|
193
|
+
return false;
|
|
194
|
+
}
|
|
195
|
+
return true;
|
|
196
|
+
}).map((result) => result.value);
|
|
190
197
|
}
|
|
191
198
|
mapRestKeyTypeToTKeyType(keyType) {
|
|
192
199
|
switch (keyType) {
|
|
@@ -225,7 +232,14 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
225
232
|
userId: this.userId
|
|
226
233
|
}
|
|
227
234
|
});
|
|
228
|
-
const
|
|
235
|
+
const keyAlg = key.keyInfo.key.alg;
|
|
236
|
+
const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
|
|
237
|
+
let dataToBeSigned;
|
|
238
|
+
if (isEdDSA) {
|
|
239
|
+
dataToBeSigned = data;
|
|
240
|
+
} else {
|
|
241
|
+
dataToBeSigned = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
|
|
242
|
+
}
|
|
229
243
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
230
244
|
keyInfo: key.keyInfo,
|
|
231
245
|
input: toString(dataToBeSigned, "base64"),
|
|
@@ -258,7 +272,14 @@ var RestKeyManagementSystem = class extends AbstractKeyManagementSystem {
|
|
|
258
272
|
userId: this.userId
|
|
259
273
|
}
|
|
260
274
|
});
|
|
261
|
-
const
|
|
275
|
+
const keyAlg = key.keyInfo.key.alg;
|
|
276
|
+
const isEdDSA = keyAlg === "EdDSA" || keyAlg === "ED25519" || key.keyInfo.key.crv === "Ed25519";
|
|
277
|
+
let dataToBeVerified;
|
|
278
|
+
if (isEdDSA) {
|
|
279
|
+
dataToBeVerified = data;
|
|
280
|
+
} else {
|
|
281
|
+
dataToBeVerified = isHashString(data) ? data : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm);
|
|
282
|
+
}
|
|
262
283
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
|
263
284
|
keyInfo: key.keyInfo,
|
|
264
285
|
input: toString(dataToBeVerified, "base64"),
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n return Promise.all(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeSigned: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash\n const dataToBeVerified: Uint8Array = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,mBACAC,wBACAC,cACAC,uBACAC,gBACAC,WACAC,+BACAC,mCACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA9C7C,OA8C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,UAAUC,8BAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAMe,kCAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,eAAeC,uBAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,MAAMuB,sBAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,eAAeC,uBAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,MAAMuB,sBAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,WAAOC,QAAQC,IACbJ,SAASK,IAAI,OAAOC,YAAAA;AAClB,YAAMrC,MAAMqC,QAAQzC;AACpB,YAAMiB,eAAe,MAAMyB,eAAetC,GAAAA;AAC1C,YAAMuC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLjC,KAAK+B,QAAQ/B,OAAO+B,QAAQ1C;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM8D;QACN1B;QACAnC,MAAM;UACJG,YAAYwD,QAAQvD,qBAAqB;YAACuD,QAAQvD;cAAsBuB;UACxEL;UACAS,eAAeC,uBAAuB;YACpCV;YACAW,iBAAiB0B,QAAQzC,IAAIP,MAAMuB,sBAAsByB,QAAQzC,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO0C,QAAQ1C;UACf7B,YAAYuE,QAAQvE;UACpB2E,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;EAEJ;EAEQJ,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIhC,MAAM,qBAAqBgC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMM,KAAKrE,MAAiC;AAC1C,UAAM,EAAEsE,QAAQC,MAAMC,YAAY,UAAS,IAAKxE;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMmF,iBAA6BC,aAAaL,IAAAA,IAC5CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMU,gBAAgB,MAAM,KAAK9F,OAAOiC,QAAQ8D,4BAA4B;MAC1EtC,SAASzB,IAAIyB;MACbuC,OAAOpG,SAAS2F,gBAAgB,QAAA;MAChC,GAAI,KAAKpF,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO6F,kBAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOvF,MAAoC;AAC/C,UAAM,EAAEsE,QAAQC,MAAMe,WAAWd,YAAY,UAAS,IAAKxE;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQoD,wBAAwB;MAChDxB,YAAYqB,OAAOxC;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQqD,gBAAgB;MACxCzB,YAAYqB,OAAOxC;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAMgG,mBAA+BZ,aAAaL,IAAAA,IAC9CA,OACAM,UAAUN,KAAKO,OAAOC,MAAMR,KAAKS,YAAYT,KAAKS,aAAaT,KAAKU,UAAU,GAAGT,SAAAA;AACrF,UAAMiB,eAAe,MAAM,KAAKrG,OAAOiC,QAAQqE,6BAA6B;MAC1E7C,SAASzB,IAAIyB;MACbuC,OAAOpG,SAASwG,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAK/F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOiG,aAAaE;EACtB;EAEA,MAAMC,aAAa5F,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAACoF,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOlF,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAOmF;MAChB;AACE,cAAM,IAAI/D,MAAM,aAAa8D,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdtF,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAKkF,uBAAuBC;AAC1B,eAAOC,mBAAmBC;MAC5B,KAAKH,uBAAuBI;AAC1B,eAAOF,mBAAmBG;MAC5B,KAAKL,uBAAuBM;AAC1B,eAAOJ,mBAAmBK;MAC5B,KAAKP,uBAAuBQ;AAC1B,eAAON,mBAAmBO;MAC5B,KAAKT,uBAAuBU;AAC1B,eAAOR,mBAAmBS;MAC5B,KAAKX,uBAAuBY;AAC1B,eAAOV,mBAAmBW;MAC5B,KAAKb,uBAAuBc;AAC1B,eAAOZ,mBAAmBa;MAC5B,KAAKf,uBAAuBgB;AAC1B,eAAOd,mBAAmBe;MAC5B,KAAKjB,uBAAuBkB;AAC1B,eAAOhB,mBAAmBiB;MAC5B,KAAKnB,uBAAuBoB;AAC1B,eAAOlB,mBAAmBmB;MAC5B,KAAKrB,uBAAuBsB;AAC1B,eAAOpB,mBAAmBqB;MAC5B;AACE,cAAM,IAAIvF,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlC0G,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOxG,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcyG;MACvB,KAAK;AACH,eAAOzG,cAAc0G;MACvB,KAAK;AACH,eAAO1G,cAAc2G;MACvB,KAAK;AACH,eAAO3G,cAAc4G;MACvB,KAAK;AACH,eAAO5G,cAAc6G;MACvB,KAAK;AACH,eAAO7G,cAAc8G;MACvB,KAAK;AACH,eAAO9G,cAAc+G;MACvB;AACE,cAAM,IAAIhG,MAAM,iBAAiByF,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBzG,mBAAmB,wBAACiH,eAAAA;AAC1B,WAAOA,WAAWpE,IAAI,CAAC4D,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAACjI,SAAAA;AACzB,UAAMkI,OAAOlI,KAAKE,MAAMgI;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkBnI,KAAKoI,cAAcC,SAAS,KAAA,IAASrI,KAAKoI,gBAAgBE,SAAStI,KAAKoI,eAAe,SAAA;AACrI,UAAMtF,eAAeyF,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAAS5F,cAAc,QAAA;AAC5C,UAAMT,eAAesG,SAASF,YAAAA;AAE9B,UAAMvI,OAAO,CAAC;AACd,QAAIgI,MAAM;AACRhI,WAAKgI,OAAO;QACVU,IAAIV,KAAKU,MAAM5I,KAAK8B,OAAOO;MAC7B;AACA,UAAIwG,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxB9I,aAAKgI,KAAKY,sBAAsBD;AAChC,cAAM5E,MAAMgF,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7BpG,uBAAamB,MAAMA;QACrB;AACA/D,aAAKgI,KAAKjE,MAAMA;MAClB;AACA,UAAIiE,KAAKgB,qBAAqB;AAE5BpG,qBAAaqG,MAAMjB,KAAKgB;AACxBhJ,aAAKgI,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAMpH,MAAM9B,KAAK8B,OAAO5B,MAAMgI,MAAMU,MAAMvG;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGoH;YACH1G;YACAsH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChD5I,KAAK8I,oBAAoBd,cAAchI,KAAK,KAAA;YAC5C+I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;QACAV,WAAW3I,KAAKgI,KAAKjE;MACvB;IACF;EACF,GArD0B;EAuDlBwF,wBAAwB,wBAACzJ,SAAAA;AAC/B,UAAM,EAAEoI,cAAa,IAAKpI;AAC1B,UAAM0J,eAAe3K,WAAWqJ,cAAcuB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAMrI,UAAUmI,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAMrH,eAAeZ,QAAQuI,UAAU,MAAM,KAAA;AAC7C,UAAMlH,eAAemH,MAAM5H,cAAc,WAAA;AACzC,UAAMmG,gBAAgByB,MAAM7B,eAAe,aAAa;MAAE8B,cAAc;IAAK,CAAA;AAC7E,UAAMpI,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGoH;YACH1G;YACAsH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChD5I,KAAK8I,oBAAoBd,cAAchI,KAAK,KAAA;YAC5C+I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBY,qBAAqB,wBAACnK,SAAAA;AAC5B,UAAM,EAAEoI,cAAa,IAAKpI;AAC1B,UAAMwI,gBAAgByB,MAAM7B,eAAe,UAAU;MAAE8B,cAAc;IAAK,CAAA;AAC1E,UAAM7H,eAAe+H,8BAA8BhC,aAAAA;AACnD,UAAMtF,eAAemH,MAAM5H,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAGoH;YACH1G;YACAsH,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChD5I,KAAK8I,oBAAoBd,cAAchI,KAAK,KAAA;YAC5C+I,KAAKC,mBAAmBhB,cAAce,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB9G,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAKgI,gBAAgBjI,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKyJ,sBAAsBzJ,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAKmK,mBAAmBnK,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["base64ToBase64Url","calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","jwkToRawHexKey","shaHasher","signatureAlgorithmFromKeyType","signatureAlgorithmToJoseAlgorithm","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","Promise","all","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","crv","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
|
1
|
+
{"version":3,"sources":["../src/RestKeyManagementSystem.ts"],"sourcesContent":["import {\n base64ToBase64Url,\n calculateJwkThumbprint,\n isHashString,\n joseAlgorithmToDigest,\n jwkToRawHexKey,\n shaHasher,\n signatureAlgorithmFromKeyType,\n signatureAlgorithmToJoseAlgorithm,\n toJwk,\n x25519PublicHexFromPrivateHex,\n type X509Opts,\n} from '@sphereon/ssi-sdk-ext.key-utils'\nimport { hexToPEM, jwkToPEM, pemCertChainTox5c, PEMToHex, PEMToJwk } from '@sphereon/ssi-sdk-ext.x509-utils'\nimport type { ManagedKeyInfo as RestManagedKeyInfo } from '@sphereon/ssi-sdk.kms-rest-client'\nimport {\n CurveFromJSONTyped,\n JwkKeyTypeFromJSONTyped,\n JwkUse,\n JwkUseFromJSONTyped,\n KeyOperations,\n KmsRestClient,\n ListKeysResponseToJSONTyped,\n type RestClientAuthenticationOpts,\n SignatureAlgorithm,\n type StoreKey,\n} from '@sphereon/ssi-sdk.kms-rest-client'\nimport { JoseSignatureAlgorithm, type JWK } from '@sphereon/ssi-types'\nimport type { ManagedKeyInfo, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport elliptic from 'elliptic'\n// @ts-ignore\nimport * as u8a from 'uint8arrays'\nimport type { CreateKeyArgs, DeleteKeyArgs, ImportKeyArgs, MapImportKeyArgs, MappedImportKey, SharedSecretArgs, SignArgs, VerifyArgs } from './types'\n\nconst { fromString, toString } = u8a\n\ninterface KeyManagementSystemOptions {\n applicationId: string\n baseUrl: string\n providerId?: string\n tenantId?: string\n userId?: string\n authOpts?: RestClientAuthenticationOpts\n}\n\nexport class RestKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: KmsRestClient\n private readonly id: string\n private readonly providerId: string | undefined\n private readonly tenantId: string | undefined\n private readonly userId: string | undefined\n\n constructor(options: KeyManagementSystemOptions) {\n super()\n\n const config = {\n baseUrl: options.baseUrl,\n authOpts: options.authOpts,\n }\n\n this.id = options.applicationId\n this.providerId = options.providerId\n this.tenantId = options.tenantId\n this.userId = options.userId\n this.client = new KmsRestClient(config)\n }\n\n async createKey(args: CreateKeyArgs): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const joseAlg = signatureAlgorithmFromKeyType({\n type,\n algorithms: meta?.algorithms as string[] | undefined,\n })\n const signatureAlgorithm = this.mapJoseToRestSignatureAlgorithm(joseAlg)\n const options = {\n use: meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.Sig,\n alg: signatureAlgorithm,\n keyOperations: meta && meta.keyOperations ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.Sign],\n ...(meta && 'keyAlias' in meta && meta.keyAlias ? { alias: meta.keyAlias } : {}),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n }\n\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGenerateKey({\n ...options,\n providerId: this.providerId,\n })\n : await this.client.methods.kmsClientGenerateKey(options)\n\n const jwk = {\n ...key.keyPair.jose.publicJwk,\n alg: key.keyPair.jose.publicJwk.alg ? signatureAlgorithmToJoseAlgorithm(key.keyPair.jose.publicJwk.alg) : undefined,\n } satisfies JWK\n\n const kid = key.keyPair.kid ?? key.keyPair.jose.publicJwk.kid\n if (!kid) {\n throw new Error(`No kid present in key`)\n }\n\n return {\n kid,\n kms: this.id,\n type,\n meta: {\n alias: key.keyPair.alias,\n algorithms: [key.keyPair.jose.publicJwk.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: jwk.alg ? joseAlgorithmToDigest(jwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(key.keyPair.jose.publicJwk.toString(), 'utf8').toString('base64'),\n }\n }\n\n async importKey(args: ImportKeyArgs): Promise<ManagedKeyInfo> {\n const { type } = args\n const importKey = this.mapImportKey(args)\n\n const result = this.providerId\n ? await this.client.methods.kmsClientProviderStoreKey({\n ...importKey.key,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientStoreKey({\n ...importKey.key,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return {\n kid: importKey.kid,\n kms: this.id,\n type,\n meta: {\n alias: importKey.key.keyInfo.alias,\n algorithms: [result.keyInfo.key.alg ?? 'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk: importKey.publicKeyJwk,\n digestAlgorithm: importKey.publicKeyJwk.alg ? joseAlgorithmToDigest(importKey.publicKeyJwk.alg) : 'sha256',\n }),\n },\n publicKeyHex: Buffer.from(result.keyInfo.key.toString(), 'utf8').toString('base64'),\n }\n }\n\n async deleteKey(args: DeleteKeyArgs): Promise<boolean> {\n const { kid } = args\n\n return this.providerId\n ? await this.client.methods.kmsClientProviderDeleteKey({\n aliasOrKid: kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientDeleteKey({\n aliasOrKid: kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n const keys = this.providerId\n ? await this.client.methods.kmsClientProviderListKeys({\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientListKeys({\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos\n\n const results = await Promise.allSettled(\n restKeys.map(async (restKey: RestManagedKeyInfo) => {\n const jwk = restKey.key\n const publicKeyHex = await jwkToRawHexKey(jwk as JWK)\n const keyType = this.mapRestKeyTypeToTKeyType(restKey.keyType)\n\n return {\n kid: restKey.kid || restKey.alias,\n kms: this.id,\n type: keyType,\n publicKeyHex,\n meta: {\n algorithms: restKey.signatureAlgorithm ? [restKey.signatureAlgorithm] : undefined,\n jwk,\n jwkThumbprint: calculateJwkThumbprint({\n jwk: jwk as JWK,\n digestAlgorithm: restKey.key.alg ? joseAlgorithmToDigest(restKey.key.alg) : 'sha256',\n }),\n alias: restKey.alias,\n providerId: restKey.providerId,\n x5c: restKey.x5c,\n keyVisibility: restKey.keyVisibility,\n keyEncoding: restKey.keyEncoding,\n ...restKey.opts,\n },\n } satisfies ManagedKeyInfo\n }),\n )\n\n return results\n .filter((result): result is PromiseFulfilledResult<ManagedKeyInfo> => {\n if (result.status === 'rejected') {\n console.warn('Failed to process key in listKeys:', result.reason)\n return false\n }\n return true\n })\n .map((result) => result.value)\n }\n\n private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {\n switch (keyType) {\n case 'RSA':\n return 'RSA'\n case 'EC':\n case 'P256':\n return 'Secp256r1'\n case 'X25519':\n return 'X25519'\n case 'Ed25519':\n return 'Ed25519'\n case 'secp256k1':\n return 'Secp256k1'\n default:\n throw new Error(`Unknown key type: ${keyType}`)\n }\n }\n\n async sign(args: SignArgs): Promise<string> {\n const { keyRef, data, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeSigned: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are computed over the raw message (PureEdDSA)\n // The algorithm internally handles hashing with SHA-512\n dataToBeSigned = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before signing\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeSigned = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const signingResult = await this.client.methods.kmsClientCreateRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeSigned, 'base64'),\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return base64ToBase64Url(signingResult.signature)\n }\n\n async verify(args: VerifyArgs): Promise<boolean> {\n const { keyRef, data, signature, algorithm = 'SHA-256' } = args\n const key = this.providerId\n ? await this.client.methods.kmsClientProviderGetKey({\n aliasOrKid: keyRef.kid,\n providerId: this.providerId,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n : await this.client.methods.kmsClientGetKey({\n aliasOrKid: keyRef.kid,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n // Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash\n const keyAlg = key.keyInfo.key.alg\n const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'\n\n let dataToBeVerified: Uint8Array\n if (isEdDSA) {\n // EdDSA signatures are verified over the raw message (PureEdDSA)\n dataToBeVerified = data\n } else {\n // For other algorithms (RSA, ECDSA), hash the data before verifying\n // with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)\n dataToBeVerified = isHashString(data)\n ? data\n : shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)\n }\n\n const verification = await this.client.methods.kmsClientIsValidRawSignature({\n keyInfo: key.keyInfo,\n input: toString(dataToBeVerified, 'base64'),\n signature,\n ...(this.tenantId && { tenantId: this.tenantId }),\n ...(this.userId && { userId: this.userId }),\n })\n\n return verification.isValid\n }\n\n async sharedSecret(args: SharedSecretArgs): Promise<string> {\n throw new Error('sharedSecret is not implemented for REST KMS.')\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.Sig\n case 'enc':\n return JwkUse.Enc\n default:\n throw new Error(`Key usage ${usage} is not supported by REST KMS`)\n }\n }\n\n private mapJoseToRestSignatureAlgorithm = (alg: JoseSignatureAlgorithm): SignatureAlgorithm => {\n switch (alg) {\n case JoseSignatureAlgorithm.RS256:\n return SignatureAlgorithm.RsaSha256\n case JoseSignatureAlgorithm.RS384:\n return SignatureAlgorithm.RsaSha384\n case JoseSignatureAlgorithm.RS512:\n return SignatureAlgorithm.RsaSha512\n case JoseSignatureAlgorithm.PS256:\n return SignatureAlgorithm.RsaSsaPssSha256Mgf1\n case JoseSignatureAlgorithm.PS384:\n return SignatureAlgorithm.RsaSsaPssSha384Mgf1\n case JoseSignatureAlgorithm.PS512:\n return SignatureAlgorithm.RsaSsaPssSha512Mgf1\n case JoseSignatureAlgorithm.ES256:\n return SignatureAlgorithm.EcdsaSha256\n case JoseSignatureAlgorithm.ES384:\n return SignatureAlgorithm.EcdsaSha384\n case JoseSignatureAlgorithm.ES512:\n return SignatureAlgorithm.EcdsaSha512\n case JoseSignatureAlgorithm.ES256K:\n return SignatureAlgorithm.Es256K\n case JoseSignatureAlgorithm.EdDSA:\n return SignatureAlgorithm.Ed25519\n default:\n throw new Error(`JOSE algorithm ${alg} not supported by REST KMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.Sign\n case 'verify':\n return KeyOperations.Verify\n case 'wrapKey':\n return KeyOperations.WrapKey\n case 'deriveKey':\n return KeyOperations.DeriveKey\n case 'unwrapKey':\n return KeyOperations.UnwrapKey\n case 'decrypt':\n return KeyOperations.Decrypt\n case 'deriveBits':\n return KeyOperations.DeriveBits\n case 'encrypt':\n return KeyOperations.Encrypt\n default:\n throw new Error(`Key operation ${operation} is not supported by REST KMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n }\n\n private mapImportRsaKey = (args: MapImportKeyArgs): MappedImportKey => {\n const x509 = args.meta?.x509 as X509Opts\n const privateKeyPEM = x509?.privateKeyPEM ?? (args.privateKeyHex.includes('---') ? args.privateKeyHex : hexToPEM(args.privateKeyHex, 'private')) // In case we have x509 opts, the private key hex really was a PEM already (yuck)\n const publicKeyJwk = PEMToJwk(privateKeyPEM, 'public')\n const privateKeyJwk = PEMToJwk(privateKeyPEM)\n const publicKeyPEM = jwkToPEM(publicKeyJwk, 'public')\n const publicKeyHex = PEMToHex(publicKeyPEM)\n\n const meta = {} as any\n if (x509) {\n meta.x509 = {\n cn: x509.cn ?? args.kid ?? publicKeyHex,\n }\n let certChain: string = x509.certificateChainPEM ?? ''\n if (x509.certificatePEM) {\n if (!certChain.includes(x509.certificatePEM)) {\n certChain = `${x509.certificatePEM}\\n${certChain}`\n }\n }\n if (certChain.length > 0) {\n meta.x509.certificateChainPEM = certChain\n const x5c = pemCertChainTox5c(certChain)\n if (!x509.certificateChainURL) {\n // Do not put the chain in the JWK when the chain is hosted. We do put it in the x509 metadata\n // @ts-ignore\n publicKeyJwk.x5c = x5c\n }\n meta.x509.x5c = x5c\n }\n if (x509.certificateChainURL) {\n // @ts-ignore\n publicKeyJwk.x5u = x509.certificateChainURL\n meta.x509.x5u = x509.certificateChainURL\n }\n }\n\n const kid = args.kid ?? meta?.x509?.cn ?? publicKeyHex\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n certChain: meta.x509.x5c,\n } satisfies StoreKey,\n }\n }\n\n private mapImportSecp256r1Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateBytes = fromString(privateKeyHex.toLowerCase(), 'base16')\n const secp256r1 = new elliptic.ec('p256')\n const keyPair = secp256r1.keyFromPrivate(privateBytes, 'hex')\n const publicKeyHex = keyPair.getPublic(true, 'hex')\n const publicKeyJwk = toJwk(publicKeyHex, 'Secp256r1')\n const privateKeyJwk = toJwk(privateKeyHex, 'Secp256r1', { isPrivateKey: true })\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportX25519Key = (args: MapImportKeyArgs): MappedImportKey => {\n const { privateKeyHex } = args\n const privateKeyJwk = toJwk(privateKeyHex, 'X25519', { isPrivateKey: true })\n const publicKeyHex = x25519PublicHexFromPrivateHex(privateKeyHex)\n const publicKeyJwk = toJwk(publicKeyHex, 'X25519')\n const kid = args.kid ?? publicKeyJwk.kid ?? publicKeyHex\n\n return {\n kid,\n publicKeyJwk: publicKeyJwk as JWK,\n key: {\n keyInfo: {\n key: {\n ...privateKeyJwk,\n kid,\n kty: JwkKeyTypeFromJSONTyped(privateKeyJwk.kty, false),\n use: JwkUseFromJSONTyped(privateKeyJwk.use, false),\n crv: CurveFromJSONTyped(privateKeyJwk.crv, false),\n },\n },\n } satisfies StoreKey,\n }\n }\n\n private mapImportKey = (args: MapImportKeyArgs): MappedImportKey => {\n switch (args.type) {\n case 'RSA': {\n return this.mapImportRsaKey(args)\n }\n case 'Secp256r1': {\n return this.mapImportSecp256r1Key(args)\n }\n case 'X25519': {\n return this.mapImportX25519Key(args)\n }\n default:\n throw new Error(`Key type ${args.type} is not supported by REST KMS`)\n }\n }\n}\n"],"mappings":";;;;AAAA,SACEA,mBACAC,wBACAC,cACAC,uBACAC,gBACAC,WACAC,+BACAC,mCACAC,OACAC,qCAEK;AACP,SAASC,UAAUC,UAAUC,mBAAmBC,UAAUC,gBAAgB;AAE1E,SACEC,oBACAC,yBACAC,QACAC,qBACAC,eACAC,eACAC,6BAEAC,0BAEK;AACP,SAASC,8BAAwC;AAEjD,SAASC,mCAAmC;AAC5C,OAAOC,cAAc;AAErB,YAAYC,SAAS;AAGrB,IAAM,EAAEC,YAAYC,SAAQ,IAAKC;AAW1B,IAAMC,0BAAN,cAAsCC,4BAAAA;EA9C7C,OA8C6CA;;;EACnCC;EACSC;EACAC;EACAC;EACAC;EAEjB,YAAYC,SAAqC;AAC/C,UAAK;AAEL,UAAMC,SAAS;MACbC,SAASF,QAAQE;MACjBC,UAAUH,QAAQG;IACpB;AAEA,SAAKP,KAAKI,QAAQI;AAClB,SAAKP,aAAaG,QAAQH;AAC1B,SAAKC,WAAWE,QAAQF;AACxB,SAAKC,SAASC,QAAQD;AACtB,SAAKJ,SAAS,IAAIU,cAAcJ,MAAAA;EAClC;EAEA,MAAMK,UAAUC,MAA8C;AAC5D,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,UAAUC,8BAA8B;MAC5CH;MACAI,YAAYH,MAAMG;IACpB,CAAA;AACA,UAAMC,qBAAqB,KAAKC,gCAAgCJ,OAAAA;AAChE,UAAMV,UAAU;MACde,KAAKN,QAAQ,cAAcA,OAAO,KAAKO,YAAYP,KAAKQ,QAAQ,IAAIC,OAAOC;MAC3EC,KAAKP;MACLQ,eAAeZ,QAAQA,KAAKY,gBAAgB,KAAKC,iBAAiBb,KAAKY,aAAa,IAAgB;QAACE,cAAcC;;MACnH,GAAIf,QAAQ,cAAcA,QAAQA,KAAKgB,WAAW;QAAEC,OAAOjB,KAAKgB;MAAS,IAAI,CAAC;MAC9E,GAAI,KAAK3B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C;AAEA,UAAM4B,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQC,6BAA6B;MACrD,GAAG7B;MACHH,YAAY,KAAKA;IACnB,CAAA,IACA,MAAM,KAAKF,OAAOiC,QAAQE,qBAAqB9B,OAAAA;AAEnD,UAAM+B,MAAM;MACV,GAAGJ,IAAIK,QAAQC,KAAKC;MACpBd,KAAKO,IAAIK,QAAQC,KAAKC,UAAUd,MAAMe,kCAAkCR,IAAIK,QAAQC,KAAKC,UAAUd,GAAG,IAAIgB;IAC5G;AAEA,UAAMC,MAAMV,IAAIK,QAAQK,OAAOV,IAAIK,QAAQC,KAAKC,UAAUG;AAC1D,QAAI,CAACA,KAAK;AACR,YAAM,IAAIC,MAAM,uBAAuB;IACzC;AAEA,WAAO;MACLD;MACAE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOC,IAAIK,QAAQN;QACnBd,YAAY;UAACe,IAAIK,QAAQC,KAAKC,UAAUd,OAAO;;QAC/CoB,eAAeC,uBAAuB;UACpCV;UACAW,iBAAiBX,IAAIX,MAAMuB,sBAAsBZ,IAAIX,GAAG,IAAI;QAC9D,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKnB,IAAIK,QAAQC,KAAKC,UAAU3C,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IACpF;EACF;EAEA,MAAMwD,UAAUxC,MAA8C;AAC5D,UAAM,EAAEC,KAAI,IAAKD;AACjB,UAAMwC,YAAY,KAAKC,aAAazC,IAAAA;AAEpC,UAAM0C,SAAS,KAAKpD,aAChB,MAAM,KAAKF,OAAOiC,QAAQsB,0BAA0B;MAClD,GAAGH,UAAUpB;MACb9B,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQuB,kBAAkB;MAC1C,GAAGJ,UAAUpB;MACb,GAAI,KAAK7B,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,WAAO;MACLsC,KAAKU,UAAUV;MACfE,KAAK,KAAK3C;MACVY;MACAC,MAAM;QACJiB,OAAOqB,UAAUpB,IAAIyB,QAAQ1B;QAC7Bd,YAAY;UAACqC,OAAOG,QAAQzB,IAAIP,OAAO;;QACvCoB,eAAeC,uBAAuB;UACpCV,KAAKgB,UAAUM;UACfX,iBAAiBK,UAAUM,aAAajC,MAAMuB,sBAAsBI,UAAUM,aAAajC,GAAG,IAAI;QACpG,CAAA;MACF;MACAwB,cAAcC,OAAOC,KAAKG,OAAOG,QAAQzB,IAAIpC,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAC5E;EACF;EAEA,MAAM+D,UAAU/C,MAAuC;AACrD,UAAM,EAAE8B,IAAG,IAAK9B;AAEhB,WAAO,KAAKV,aACR,MAAM,KAAKF,OAAOiC,QAAQ2B,2BAA2B;MACnDC,YAAYnB;MACZxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ6B,mBAAmB;MAC3CD,YAAYnB;MACZ,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;EACN;EAEA,MAAM2D,WAAsC;AAC1C,UAAMC,OAAO,KAAK9D,aACd,MAAM,KAAKF,OAAOiC,QAAQgC,0BAA0B;MAClD/D,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQiC,kBAAkB;MAC1C,GAAI,KAAK/D,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEJ,UAAM+D,WAAWC,4BAA4BJ,MAAM,KAAA,EAAOK;AAE1D,UAAMC,UAAU,MAAMC,QAAQC,WAC5BL,SAASM,IAAI,OAAOC,YAAAA;AAClB,YAAMtC,MAAMsC,QAAQ1C;AACpB,YAAMiB,eAAe,MAAM0B,eAAevC,GAAAA;AAC1C,YAAMwC,UAAU,KAAKC,yBAAyBH,QAAQE,OAAO;AAE7D,aAAO;QACLlC,KAAKgC,QAAQhC,OAAOgC,QAAQ3C;QAC5Ba,KAAK,KAAK3C;QACVY,MAAM+D;QACN3B;QACAnC,MAAM;UACJG,YAAYyD,QAAQxD,qBAAqB;YAACwD,QAAQxD;cAAsBuB;UACxEL;UACAS,eAAeC,uBAAuB;YACpCV;YACAW,iBAAiB2B,QAAQ1C,IAAIP,MAAMuB,sBAAsB0B,QAAQ1C,IAAIP,GAAG,IAAI;UAC9E,CAAA;UACAM,OAAO2C,QAAQ3C;UACf7B,YAAYwE,QAAQxE;UACpB4E,KAAKJ,QAAQI;UACbC,eAAeL,QAAQK;UACvBC,aAAaN,QAAQM;UACrB,GAAGN,QAAQO;QACb;MACF;IACF,CAAA,CAAA;AAGF,WAAOX,QACJY,OAAO,CAAC5B,WAAAA;AACP,UAAIA,OAAO6B,WAAW,YAAY;AAChCC,gBAAQC,KAAK,sCAAsC/B,OAAOgC,MAAM;AAChE,eAAO;MACT;AACA,aAAO;IACT,CAAA,EACCb,IAAI,CAACnB,WAAWA,OAAOiC,KAAK;EACjC;EAEQV,yBAAyBD,SAAuC;AACtE,YAAQA,SAAAA;MACN,KAAK;AACH,eAAO;MACT,KAAK;MACL,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT,KAAK;AACH,eAAO;MACT;AACE,cAAM,IAAIjC,MAAM,qBAAqBiC,OAAAA,EAAS;IAClD;EACF;EAEA,MAAMY,KAAK5E,MAAiC;AAC1C,UAAM,EAAE6E,QAAQC,MAAMC,YAAY,UAAS,IAAK/E;AAChD,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQ2D,wBAAwB;MAChD/B,YAAY4B,OAAO/C;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ4D,gBAAgB;MACxChC,YAAY4B,OAAO/C;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM0F,SAAS9D,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAMsE,UAAUD,WAAW,WAAWA,WAAW,aAAa9D,IAAIyB,QAAQzB,IAAIgE,QAAQ;AAEtF,QAAIC;AACJ,QAAIF,SAAS;AAGXE,uBAAiBP;IACnB,OAAO;AAGLO,uBAAiBC,aAAaR,IAAAA,IAC1BA,OACAS,UAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMa,gBAAgB,MAAM,KAAKxG,OAAOiC,QAAQwE,4BAA4B;MAC1EhD,SAASzB,IAAIyB;MACbiD,OAAO9G,SAASqG,gBAAgB,QAAA;MAChC,GAAI,KAAK9F,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAOuG,kBAAkBH,cAAcI,SAAS;EAClD;EAEA,MAAMC,OAAOjG,MAAoC;AAC/C,UAAM,EAAE6E,QAAQC,MAAMkB,WAAWjB,YAAY,UAAS,IAAK/E;AAC3D,UAAMoB,MAAM,KAAK9B,aACb,MAAM,KAAKF,OAAOiC,QAAQ2D,wBAAwB;MAChD/B,YAAY4B,OAAO/C;MACnBxC,YAAY,KAAKA;MACjB,GAAI,KAAKC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA,IACA,MAAM,KAAKJ,OAAOiC,QAAQ4D,gBAAgB;MACxChC,YAAY4B,OAAO/C;MACnB,GAAI,KAAKvC,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAGJ,UAAM0F,SAAS9D,IAAIyB,QAAQzB,IAAIP;AAC/B,UAAMsE,UAAUD,WAAW,WAAWA,WAAW,aAAa9D,IAAIyB,QAAQzB,IAAIgE,QAAQ;AAEtF,QAAIc;AACJ,QAAIf,SAAS;AAEXe,yBAAmBpB;IACrB,OAAO;AAGLoB,yBAAmBZ,aAAaR,IAAAA,IAC5BA,OACAS,UAAUT,KAAKU,OAAOC,MAAMX,KAAKY,YAAYZ,KAAKY,aAAaZ,KAAKa,UAAU,GAAGZ,SAAAA;IACvF;AAEA,UAAMoB,eAAe,MAAM,KAAK/G,OAAOiC,QAAQ+E,6BAA6B;MAC1EvD,SAASzB,IAAIyB;MACbiD,OAAO9G,SAASkH,kBAAkB,QAAA;MAClCF;MACA,GAAI,KAAKzG,YAAY;QAAEA,UAAU,KAAKA;MAAS;MAC/C,GAAI,KAAKC,UAAU;QAAEA,QAAQ,KAAKA;MAAO;IAC3C,CAAA;AAEA,WAAO2G,aAAaE;EACtB;EAEA,MAAMC,aAAatG,MAAyC;AAC1D,UAAM,IAAI+B,MAAM,+CAAA;EAClB;EAEQtB,cAAc,wBAAC8F,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAO5F,OAAOC;MAChB,KAAK;AACH,eAAOD,OAAO6F;MAChB;AACE,cAAM,IAAIzE,MAAM,aAAawE,KAAAA,+BAAoC;IACrE;EACF,GATsB;EAWdhG,kCAAkC,wBAACM,QAAAA;AACzC,YAAQA,KAAAA;MACN,KAAK4F,uBAAuBC;AAC1B,eAAOC,mBAAmBC;MAC5B,KAAKH,uBAAuBI;AAC1B,eAAOF,mBAAmBG;MAC5B,KAAKL,uBAAuBM;AAC1B,eAAOJ,mBAAmBK;MAC5B,KAAKP,uBAAuBQ;AAC1B,eAAON,mBAAmBO;MAC5B,KAAKT,uBAAuBU;AAC1B,eAAOR,mBAAmBS;MAC5B,KAAKX,uBAAuBY;AAC1B,eAAOV,mBAAmBW;MAC5B,KAAKb,uBAAuBc;AAC1B,eAAOZ,mBAAmBa;MAC5B,KAAKf,uBAAuBgB;AAC1B,eAAOd,mBAAmBe;MAC5B,KAAKjB,uBAAuBkB;AAC1B,eAAOhB,mBAAmBiB;MAC5B,KAAKnB,uBAAuBoB;AAC1B,eAAOlB,mBAAmBmB;MAC5B,KAAKrB,uBAAuBsB;AAC1B,eAAOpB,mBAAmBqB;MAC5B;AACE,cAAM,IAAIjG,MAAM,kBAAkBlB,GAAAA,4BAA+B;IACrE;EACF,GA3B0C;EA6BlCoH,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOlH,cAAcC;MACvB,KAAK;AACH,eAAOD,cAAcmH;MACvB,KAAK;AACH,eAAOnH,cAAcoH;MACvB,KAAK;AACH,eAAOpH,cAAcqH;MACvB,KAAK;AACH,eAAOrH,cAAcsH;MACvB,KAAK;AACH,eAAOtH,cAAcuH;MACvB,KAAK;AACH,eAAOvH,cAAcwH;MACvB,KAAK;AACH,eAAOxH,cAAcyH;MACvB;AACE,cAAM,IAAI1G,MAAM,iBAAiBmG,SAAAA,+BAAwC;IAC7E;EACF,GArB0B;EAuBlBnH,mBAAmB,wBAAC2H,eAAAA;AAC1B,WAAOA,WAAW7E,IAAI,CAACqE,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;EAInBS,kBAAkB,wBAAC3I,SAAAA;AACzB,UAAM4I,OAAO5I,KAAKE,MAAM0I;AACxB,UAAMC,gBAAgBD,MAAMC,kBAAkB7I,KAAK8I,cAAcC,SAAS,KAAA,IAAS/I,KAAK8I,gBAAgBE,SAAShJ,KAAK8I,eAAe,SAAA;AACrI,UAAMhG,eAAemG,SAASJ,eAAe,QAAA;AAC7C,UAAMK,gBAAgBD,SAASJ,aAAAA;AAC/B,UAAMM,eAAeC,SAAStG,cAAc,QAAA;AAC5C,UAAMT,eAAegH,SAASF,YAAAA;AAE9B,UAAMjJ,OAAO,CAAC;AACd,QAAI0I,MAAM;AACR1I,WAAK0I,OAAO;QACVU,IAAIV,KAAKU,MAAMtJ,KAAK8B,OAAOO;MAC7B;AACA,UAAIkH,YAAoBX,KAAKY,uBAAuB;AACpD,UAAIZ,KAAKa,gBAAgB;AACvB,YAAI,CAACF,UAAUR,SAASH,KAAKa,cAAc,GAAG;AAC5CF,sBAAY,GAAGX,KAAKa,cAAc;EAAKF,SAAAA;QACzC;MACF;AACA,UAAIA,UAAUG,SAAS,GAAG;AACxBxJ,aAAK0I,KAAKY,sBAAsBD;AAChC,cAAMrF,MAAMyF,kBAAkBJ,SAAAA;AAC9B,YAAI,CAACX,KAAKgB,qBAAqB;AAG7B9G,uBAAaoB,MAAMA;QACrB;AACAhE,aAAK0I,KAAK1E,MAAMA;MAClB;AACA,UAAI0E,KAAKgB,qBAAqB;AAE5B9G,qBAAa+G,MAAMjB,KAAKgB;AACxB1J,aAAK0I,KAAKiB,MAAMjB,KAAKgB;MACvB;IACF;AAEA,UAAM9H,MAAM9B,KAAK8B,OAAO5B,MAAM0I,MAAMU,MAAMjH;AAC1C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,KAAKwJ,oBAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,KAAK6E,mBAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;QACAmE,WAAWrJ,KAAK0I,KAAK1E;MACvB;IACF;EACF,GArD0B;EAuDlBgG,wBAAwB,wBAAClK,SAAAA;AAC/B,UAAM,EAAE8I,cAAa,IAAK9I;AAC1B,UAAMmK,eAAepL,WAAW+J,cAAcsB,YAAW,GAAI,QAAA;AAC7D,UAAMC,YAAY,IAAIC,SAASC,GAAG,MAAA;AAClC,UAAM9I,UAAU4I,UAAUG,eAAeL,cAAc,KAAA;AACvD,UAAM9H,eAAeZ,QAAQgJ,UAAU,MAAM,KAAA;AAC7C,UAAM3H,eAAe4H,MAAMrI,cAAc,WAAA;AACzC,UAAM6G,gBAAgBwB,MAAM5B,eAAe,aAAa;MAAE6B,cAAc;IAAK,CAAA;AAC7E,UAAM7I,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,KAAKwJ,oBAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,KAAK6E,mBAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAzBgC;EA2BxBwF,qBAAqB,wBAAC5K,SAAAA;AAC5B,UAAM,EAAE8I,cAAa,IAAK9I;AAC1B,UAAMkJ,gBAAgBwB,MAAM5B,eAAe,UAAU;MAAE6B,cAAc;IAAK,CAAA;AAC1E,UAAMtI,eAAewI,8BAA8B/B,aAAAA;AACnD,UAAMhG,eAAe4H,MAAMrI,cAAc,QAAA;AACzC,UAAMP,MAAM9B,KAAK8B,OAAOgB,aAAahB,OAAOO;AAE5C,WAAO;MACLP;MACAgB;MACA1B,KAAK;QACHyB,SAAS;UACPzB,KAAK;YACH,GAAG8H;YACHpH;YACAgI,KAAKC,wBAAwBb,cAAcY,KAAK,KAAA;YAChDtJ,KAAKwJ,oBAAoBd,cAAc1I,KAAK,KAAA;YAC5C4E,KAAK6E,mBAAmBf,cAAc9D,KAAK,KAAA;UAC7C;QACF;MACF;IACF;EACF,GAtB6B;EAwBrB3C,eAAe,wBAACzC,SAAAA;AACtB,YAAQA,KAAKC,MAAI;MACf,KAAK,OAAO;AACV,eAAO,KAAK0I,gBAAgB3I,IAAAA;MAC9B;MACA,KAAK,aAAa;AAChB,eAAO,KAAKkK,sBAAsBlK,IAAAA;MACpC;MACA,KAAK,UAAU;AACb,eAAO,KAAK4K,mBAAmB5K,IAAAA;MACjC;MACA;AACE,cAAM,IAAI+B,MAAM,YAAY/B,KAAKC,IAAI,+BAA+B;IACxE;EACF,GAduB;AAezB;","names":["base64ToBase64Url","calculateJwkThumbprint","isHashString","joseAlgorithmToDigest","jwkToRawHexKey","shaHasher","signatureAlgorithmFromKeyType","signatureAlgorithmToJoseAlgorithm","toJwk","x25519PublicHexFromPrivateHex","hexToPEM","jwkToPEM","pemCertChainTox5c","PEMToHex","PEMToJwk","CurveFromJSONTyped","JwkKeyTypeFromJSONTyped","JwkUse","JwkUseFromJSONTyped","KeyOperations","KmsRestClient","ListKeysResponseToJSONTyped","SignatureAlgorithm","JoseSignatureAlgorithm","AbstractKeyManagementSystem","elliptic","u8a","fromString","toString","u8a","RestKeyManagementSystem","AbstractKeyManagementSystem","client","id","providerId","tenantId","userId","options","config","baseUrl","authOpts","applicationId","KmsRestClient","createKey","args","type","meta","joseAlg","signatureAlgorithmFromKeyType","algorithms","signatureAlgorithm","mapJoseToRestSignatureAlgorithm","use","mapKeyUsage","keyUsage","JwkUse","Sig","alg","keyOperations","mapKeyOperations","KeyOperations","Sign","keyAlias","alias","key","methods","kmsClientProviderGenerateKey","kmsClientGenerateKey","jwk","keyPair","jose","publicJwk","signatureAlgorithmToJoseAlgorithm","undefined","kid","Error","kms","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","joseAlgorithmToDigest","publicKeyHex","Buffer","from","importKey","mapImportKey","result","kmsClientProviderStoreKey","kmsClientStoreKey","keyInfo","publicKeyJwk","deleteKey","kmsClientProviderDeleteKey","aliasOrKid","kmsClientDeleteKey","listKeys","keys","kmsClientProviderListKeys","kmsClientListKeys","restKeys","ListKeysResponseToJSONTyped","keyInfos","results","Promise","allSettled","map","restKey","jwkToRawHexKey","keyType","mapRestKeyTypeToTKeyType","x5c","keyVisibility","keyEncoding","opts","filter","status","console","warn","reason","value","sign","keyRef","data","algorithm","kmsClientProviderGetKey","kmsClientGetKey","keyAlg","isEdDSA","crv","dataToBeSigned","isHashString","shaHasher","buffer","slice","byteOffset","byteLength","signingResult","kmsClientCreateRawSignature","input","base64ToBase64Url","signature","verify","dataToBeVerified","verification","kmsClientIsValidRawSignature","isValid","sharedSecret","usage","Enc","JoseSignatureAlgorithm","RS256","SignatureAlgorithm","RsaSha256","RS384","RsaSha384","RS512","RsaSha512","PS256","RsaSsaPssSha256Mgf1","PS384","RsaSsaPssSha384Mgf1","PS512","RsaSsaPssSha512Mgf1","ES256","EcdsaSha256","ES384","EcdsaSha384","ES512","EcdsaSha512","ES256K","Es256K","EdDSA","Ed25519","mapKeyOperation","operation","Verify","WrapKey","DeriveKey","UnwrapKey","Decrypt","DeriveBits","Encrypt","operations","mapImportRsaKey","x509","privateKeyPEM","privateKeyHex","includes","hexToPEM","PEMToJwk","privateKeyJwk","publicKeyPEM","jwkToPEM","PEMToHex","cn","certChain","certificateChainPEM","certificatePEM","length","pemCertChainTox5c","certificateChainURL","x5u","kty","JwkKeyTypeFromJSONTyped","JwkUseFromJSONTyped","CurveFromJSONTyped","mapImportSecp256r1Key","privateBytes","toLowerCase","secp256r1","elliptic","ec","keyFromPrivate","getPublic","toJwk","isPrivateKey","mapImportX25519Key","x25519PublicHexFromPrivateHex"]}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@sphereon/ssi-sdk.kms-rest",
|
|
3
3
|
"description": "Sphereon SSI-SDK plugin for REST Key Management System.",
|
|
4
|
-
"version": "0.36.1-
|
|
4
|
+
"version": "0.36.1-next.102+47fd4911",
|
|
5
5
|
"source": "./src/index.ts",
|
|
6
6
|
"type": "module",
|
|
7
7
|
"main": "./dist/index.cjs",
|
|
@@ -22,10 +22,10 @@
|
|
|
22
22
|
"build": "tsup --config ../../tsup.config.ts --tsconfig ../../tsconfig.tsup.json"
|
|
23
23
|
},
|
|
24
24
|
"dependencies": {
|
|
25
|
-
"@sphereon/ssi-sdk-ext.key-utils": "0.36.1-
|
|
26
|
-
"@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-
|
|
27
|
-
"@sphereon/ssi-sdk.kms-rest-client": "0.36.1-
|
|
28
|
-
"@sphereon/ssi-types": "0.36.1-
|
|
25
|
+
"@sphereon/ssi-sdk-ext.key-utils": "0.36.1-next.102+47fd4911",
|
|
26
|
+
"@sphereon/ssi-sdk-ext.x509-utils": "0.36.1-next.102+47fd4911",
|
|
27
|
+
"@sphereon/ssi-sdk.kms-rest-client": "0.36.1-next.102+47fd4911",
|
|
28
|
+
"@sphereon/ssi-types": "0.36.1-next.102+47fd4911",
|
|
29
29
|
"@veramo/core": "4.2.0",
|
|
30
30
|
"@veramo/key-manager": "4.2.0",
|
|
31
31
|
"elliptic": "^6.5.4",
|
|
@@ -54,5 +54,5 @@
|
|
|
54
54
|
"key-management",
|
|
55
55
|
"Veramo"
|
|
56
56
|
],
|
|
57
|
-
"gitHead": "
|
|
57
|
+
"gitHead": "47fd49119d1d2e1b424a76739ac71a864f150ec4"
|
|
58
58
|
}
|
|
@@ -180,7 +180,7 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
180
180
|
|
|
181
181
|
const restKeys = ListKeysResponseToJSONTyped(keys, false).keyInfos
|
|
182
182
|
|
|
183
|
-
|
|
183
|
+
const results = await Promise.allSettled(
|
|
184
184
|
restKeys.map(async (restKey: RestManagedKeyInfo) => {
|
|
185
185
|
const jwk = restKey.key
|
|
186
186
|
const publicKeyHex = await jwkToRawHexKey(jwk as JWK)
|
|
@@ -208,6 +208,16 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
208
208
|
} satisfies ManagedKeyInfo
|
|
209
209
|
}),
|
|
210
210
|
)
|
|
211
|
+
|
|
212
|
+
return results
|
|
213
|
+
.filter((result): result is PromiseFulfilledResult<ManagedKeyInfo> => {
|
|
214
|
+
if (result.status === 'rejected') {
|
|
215
|
+
console.warn('Failed to process key in listKeys:', result.reason)
|
|
216
|
+
return false
|
|
217
|
+
}
|
|
218
|
+
return true
|
|
219
|
+
})
|
|
220
|
+
.map((result) => result.value)
|
|
211
221
|
}
|
|
212
222
|
|
|
213
223
|
private mapRestKeyTypeToTKeyType(keyType: string | undefined): TKeyType {
|
|
@@ -243,10 +253,23 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
243
253
|
...(this.userId && { userId: this.userId }),
|
|
244
254
|
})
|
|
245
255
|
|
|
246
|
-
//
|
|
247
|
-
const
|
|
248
|
-
|
|
249
|
-
|
|
256
|
+
// Check if this is an EdDSA/Ed25519 key - these algorithms MUST sign the raw message, not a hash
|
|
257
|
+
const keyAlg = key.keyInfo.key.alg
|
|
258
|
+
const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'
|
|
259
|
+
|
|
260
|
+
let dataToBeSigned: Uint8Array
|
|
261
|
+
if (isEdDSA) {
|
|
262
|
+
// EdDSA signatures are computed over the raw message (PureEdDSA)
|
|
263
|
+
// The algorithm internally handles hashing with SHA-512
|
|
264
|
+
dataToBeSigned = data
|
|
265
|
+
} else {
|
|
266
|
+
// For other algorithms (RSA, ECDSA), hash the data before signing
|
|
267
|
+
// with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)
|
|
268
|
+
dataToBeSigned = isHashString(data)
|
|
269
|
+
? data
|
|
270
|
+
: shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
|
|
271
|
+
}
|
|
272
|
+
|
|
250
273
|
const signingResult = await this.client.methods.kmsClientCreateRawSignature({
|
|
251
274
|
keyInfo: key.keyInfo,
|
|
252
275
|
input: toString(dataToBeSigned, 'base64'),
|
|
@@ -272,10 +295,22 @@ export class RestKeyManagementSystem extends AbstractKeyManagementSystem {
|
|
|
272
295
|
...(this.userId && { userId: this.userId }),
|
|
273
296
|
})
|
|
274
297
|
|
|
275
|
-
//
|
|
276
|
-
const
|
|
277
|
-
|
|
278
|
-
|
|
298
|
+
// Check if this is an EdDSA/Ed25519 key - these algorithms MUST verify the raw message, not a hash
|
|
299
|
+
const keyAlg = key.keyInfo.key.alg
|
|
300
|
+
const isEdDSA = keyAlg === 'EdDSA' || keyAlg === 'ED25519' || key.keyInfo.key.crv === 'Ed25519'
|
|
301
|
+
|
|
302
|
+
let dataToBeVerified: Uint8Array
|
|
303
|
+
if (isEdDSA) {
|
|
304
|
+
// EdDSA signatures are verified over the raw message (PureEdDSA)
|
|
305
|
+
dataToBeVerified = data
|
|
306
|
+
} else {
|
|
307
|
+
// For other algorithms (RSA, ECDSA), hash the data before verifying
|
|
308
|
+
// with remote signing we are not going to send the whole data over the network, we need to hash it (unless we already get a hash)
|
|
309
|
+
dataToBeVerified = isHashString(data)
|
|
310
|
+
? data
|
|
311
|
+
: shaHasher(data.buffer.slice(data.byteOffset, data.byteOffset + data.byteLength), algorithm)
|
|
312
|
+
}
|
|
313
|
+
|
|
279
314
|
const verification = await this.client.methods.kmsClientIsValidRawSignature({
|
|
280
315
|
keyInfo: key.keyInfo,
|
|
281
316
|
input: toString(dataToBeVerified, 'base64'),
|