@storacha/encrypt-upload-client 0.0.39 → 1.0.0

package/dist/core/{encrypted-metadata.js → metadata/lit-metadata.js}

@@ -3,11 +3,11 @@ import * as dagCBOR from '@ipld/dag-cbor';
 import * as Link from 'multiformats/link';
 import { sha256 } from 'multiformats/hashes/sha2';
 import { CAR, ok, error, Schema } from '@ucanto/core';
-import * as Types from '../types.js';
-import { UnknownFormat } from './errors.js';
-import { stringToBytes, bytesToString } from '../utils.js';
+import * as Types from '../../types.js';
+import { UnknownFormat } from '../errors.js';
+import { stringToBytes, bytesToString } from '../../utils.js';
 export const version = 'encrypted-metadata@0.1';
-export const EncryptedMetadataSchema = Schema.variant({
+export const LitMetadataSchema = Schema.variant({
     [version]: Schema.struct({
         encryptedDataCID: Schema.link(),
         identityBoundCiphertext: Schema.bytes(),
@@ -18,7 +18,7 @@ export const EncryptedMetadataSchema = Schema.variant({
         }).array(),
     }),
 });
-export const EncryptedMetadataInputSchema = Schema.struct({
+export const LitMetadataInputSchema = Schema.struct({
     encryptedDataCID: Schema.string(),
     identityBoundCiphertext: Schema.string(),
     plaintextKeyHash: Schema.string(),
@@ -27,22 +27,22 @@ export const EncryptedMetadataInputSchema = Schema.struct({
         value: Schema.unknown(),
     }).array(),
 });
-/** @implements {Types.EncryptedMetadataView} */
-class EncryptedMetadata {
+/** @implements {Types.LitMetadataView} */
+class LitEncryptedMetadata {
     #encryptedDataCID;
     #identityBoundCiphertext;
     #plaintextKeyHash;
     #accessControlConditions;
-    /** @param {Types.EncryptedMetadata|Types.EncryptedMetadataInput} encryptedMetadataInput */
+    /** @param {Types.LitMetadata|Types.LitMetadataInput} encryptedMetadataInput */
     constructor(encryptedMetadataInput) {
-        /** @type {Types.EncryptedMetadata} */
+        /** @type {Types.LitMetadata} */
         let encryptedMetadata;
-        if (EncryptedMetadataInputSchema.is(encryptedMetadataInput)) {
+        if (LitMetadataInputSchema.is(encryptedMetadataInput)) {
             encryptedMetadata = parse(
-            /** @type {Types.EncryptedMetadataInput} */ (encryptedMetadataInput));
+            /** @type {Types.LitMetadataInput} */ (encryptedMetadataInput));
         }
         else {
-            encryptedMetadata = /** @type {Types.EncryptedMetadata} */ (encryptedMetadataInput);
+            encryptedMetadata = /** @type {Types.LitMetadata} */ (encryptedMetadataInput);
         }
         this.#encryptedDataCID = encryptedMetadata.encryptedDataCID;
         this.#identityBoundCiphertext = encryptedMetadata.identityBoundCiphertext;
@@ -62,18 +62,8 @@ class EncryptedMetadata {
     get accessControlConditions() {
         return this.#accessControlConditions;
     }
-    archive() {
-        /** @type {Types.EncryptedMetadata} */
-        const input = {
-            encryptedDataCID: this.encryptedDataCID,
-            identityBoundCiphertext: this.identityBoundCiphertext,
-            plaintextKeyHash: this.plaintextKeyHash,
-            accessControlConditions: this.accessControlConditions,
-        };
-        return archive(input);
-    }
     archiveBlock() {
-        /** @type {Types.EncryptedMetadata} */
+        /** @type {Types.LitMetadata} */
         const input = {
             encryptedDataCID: this.encryptedDataCID,
             identityBoundCiphertext: this.identityBoundCiphertext,
@@ -82,19 +72,19 @@ class EncryptedMetadata {
         };
         return archiveBlock(input);
     }
-    /** @returns {Types.EncryptedMetadataInput} */
+    /** @returns {Types.LitMetadataInput} */
     toJSON() {
         return toJSON(this);
     }
 }
 /**
- * @param {Types.EncryptedMetadata|Types.EncryptedMetadataInput} encryptedMetadataInput
- * @returns {Types.EncryptedMetadataView}
+ * @param {Types.LitMetadata|Types.LitMetadataInput} encryptedMetadataInput
+ * @returns {Types.LitMetadataView}
  */
-export const create = (encryptedMetadataInput) => new EncryptedMetadata(encryptedMetadataInput);
+export const create = (encryptedMetadataInput) => new LitEncryptedMetadata(encryptedMetadataInput);
 /**
- * @param {Types.EncryptedMetadataView} encryptedMetadata
- * @returns {Types.EncryptedMetadataInput}
+ * @param {Types.LitMetadataView} encryptedMetadata
+ * @returns {Types.LitMetadataInput}
  */
 export const toJSON = (encryptedMetadata) => ({
     encryptedDataCID: encryptedMetadata.encryptedDataCID.toString(),
@@ -103,8 +93,8 @@ export const toJSON = (encryptedMetadata) => ({
     accessControlConditions: encryptedMetadata.accessControlConditions,
 });
 /**
- * @param {Types.EncryptedMetadataInput} encryptedMetadataInput
- * @returns {Types.EncryptedMetadata}
+ * @param {Types.LitMetadataInput} encryptedMetadataInput
+ * @returns {Types.LitMetadata}
  */
 export const parse = (encryptedMetadataInput) => ({
     encryptedDataCID: CID.parse(encryptedMetadataInput.encryptedDataCID),
@@ -113,7 +103,7 @@ export const parse = (encryptedMetadataInput) => ({
     accessControlConditions: encryptedMetadataInput.accessControlConditions,
 });
 /**
- * @param {Types.EncryptedMetadata} encryptedMetadataInput
+ * @param {Types.LitMetadata} encryptedMetadataInput
  * @returns {Promise<import('@ucanto/interface').Block>}
  */
 export const archiveBlock = async (encryptedMetadataInput) => {
@@ -123,16 +113,16 @@ export const archiveBlock = async (encryptedMetadataInput) => {
     return { cid, bytes };
 };
 /**
- * @param {Types.EncryptedMetadata} encryptedMetadataInput
+ * @param {Types.LitMetadata} encryptedMetadata
  * @returns {Promise<Types.Result<Uint8Array>>}
  */
-export const archive = async (encryptedMetadataInput) => {
-    const block = await archiveBlock(encryptedMetadataInput);
+export const archive = async (encryptedMetadata) => {
+    const block = await archiveBlock(encryptedMetadata);
     return ok(CAR.encode({ roots: [block] }));
 };
 /**
  * @param {Uint8Array} archive
- * @returns {Types.Result<Types.EncryptedMetadataView, Types.UnknownFormat>}
+ * @returns {Types.Result<Types.LitMetadataView, Types.UnknownFormat>}
  */
 export const extract = (archive) => {
     const { roots } = CAR.decode(archive);
@@ -148,19 +138,19 @@ export const extract = (archive) => {
 /**
  * @param {object} source
  * @param {Types.IPLDBlock} source.root
- * @returns {Types.Result<Types.EncryptedMetadataView, Types.UnknownFormat>}
+ * @returns {Types.Result<Types.LitMetadataView, Types.UnknownFormat>}
  */
 export const view = ({ root }) => {
     const value = dagCBOR.decode(root.bytes);
-    const [version, encryptedMetadataData] = EncryptedMetadataSchema.match(value);
-    switch (version) {
+    const [matchedVersion, encryptedMetadataData] = LitMetadataSchema.match(value);
+    switch (matchedVersion) {
         case version: {
             const encryptedMetadata = create(
-            /** @type {Types.EncryptedMetadata}*/ (encryptedMetadataData));
+            /** @type {Types.LitMetadata}*/ (encryptedMetadataData));
             return ok(encryptedMetadata);
         }
         default:
-            return error(new UnknownFormat(`unknown index version: ${version}`));
+            return error(new UnknownFormat(`unknown Lit metadata version: ${matchedVersion}`));
     }
 };
-//# sourceMappingURL=encrypted-metadata.js.map
+//# sourceMappingURL=lit-metadata.js.map

package/dist/crypto/adapters/kms-crypto-adapter.d.ts

@@ -0,0 +1,148 @@
+/**
+ * KMSCryptoAdapter implements the complete CryptoAdapter interface using KMS.
+ * It uses composition with a SymmetricCrypto implementation for file encryption/decryption
+ * and KMS via private gateway for key management operations.
+ *
+ * @class
+ * @implements {Type.CryptoAdapter}
+ */
+export class KMSCryptoAdapter implements Type.CryptoAdapter {
+    /**
+     * Create a new KMS crypto adapter
+     *
+     * @param {Type.SymmetricCrypto} symmetricCrypto - The symmetric crypto implementation (browser or node)
+     * @param {URL|string} keyManagerServiceURL - The key manager service URL
+     * @param {`did:${string}:${string}`} keyManagerServiceDID - The key manager service DID
+     * @param {object} [options] - Optional configuration
+     * @param {boolean} [options.allowInsecureHttp] - Allow HTTP for testing (NOT for production)
+     */
+    constructor(symmetricCrypto: Type.SymmetricCrypto, keyManagerServiceURL: URL | string, keyManagerServiceDID: `did:${string}:${string}`, options?: {
+        allowInsecureHttp?: boolean | undefined;
+    });
+    symmetricCrypto: Type.SymmetricCrypto;
+    keyManagerServiceURL: URL;
+    keyManagerServiceDID: import("@ucanto/client").PrincipalView<`did:${string}:${string}`>;
+    /**
+     * Encrypt a stream of data using the symmetric crypto
+     *
+     * @param {Type.BlobLike} data
+     */
+    encryptStream(data: Type.BlobLike): Promise<Type.EncryptOutput>;
+    /**
+     * Decrypt a stream of data using the symmetric crypto
+     *
+     * @param {ReadableStream} encryptedData
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     */
+    decryptStream(encryptedData: ReadableStream, key: Uint8Array, iv: Uint8Array): Promise<ReadableStream<any>>;
+    /**
+     * Encrypt a symmetric key using the KMS
+     *
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     * @param {Type.EncryptionConfig} encryptionConfig
+     * @returns {Promise<Type.EncryptedKeyResult>}
+     */
+    encryptSymmetricKey(key: Uint8Array, iv: Uint8Array, encryptionConfig: Type.EncryptionConfig): Promise<Type.EncryptedKeyResult>;
+    /**
+     * @param {string} encryptedKey
+     * @param {object} configs
+     * @param {Type.DecryptionOptions} configs.decryptionOptions
+     * @param {Type.ExtractedMetadata} configs.metadata
+     * @param {Uint8Array} configs.delegationCAR
+     * @param {Type.AnyLink} configs.resourceCID
+     * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} configs.issuer
+     * @param {import('@storacha/client/types').DID} configs.audience
+     */
+    decryptSymmetricKey(encryptedKey: string, configs: {
+        decryptionOptions: Type.DecryptionOptions;
+        metadata: Type.ExtractedMetadata;
+        delegationCAR: Uint8Array;
+        resourceCID: Type.AnyLink;
+        issuer: import("@storacha/client/types").Signer<import("@storacha/client/types").DID, import("@storacha/client/types").SigAlg>;
+        audience: import("@storacha/client/types").DID;
+    }): Promise<{
+        key: Uint8Array;
+        iv: Uint8Array;
+    }>;
+    /**
+     * Get decrypted symmetric key in base64 string from KMS via private gateway
+     *
+     * @param {string} encryptedSymmetricKey - The encrypted symmetric key (base64-encoded)
+     * @param {Type.SpaceDID} spaceDID - The space DID
+     * @param {import('@ucanto/interface').Proof} delegationProof - The delegation proof
+     * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} issuer - The issuer
+     * @returns {Promise<{decryptedSymmetricKey: string}>} - The decrypted symmetric key (base64-encoded)
+     */
+    getDecryptedSymmetricKey(encryptedSymmetricKey: string, spaceDID: Type.SpaceDID, delegationProof: import("@ucanto/interface").Proof, issuer: import("@storacha/client/types").Signer<import("@storacha/client/types").DID, import("@storacha/client/types").SigAlg>): Promise<{
+        decryptedSymmetricKey: string;
+    }>;
+    /**
+     * Extract the encrypted metadata from the CAR file
+     * KMS adapter only handles KMS format (encrypted-metadata@0.2)
+     *
+     * @param {Uint8Array} car
+     * @returns {Type.ExtractedMetadata}
+     */
+    extractEncryptedMetadata(car: Uint8Array): Type.ExtractedMetadata;
+    /**
+     * @param {Type.ExtractedMetadata} metadata
+     * @returns {string}
+     */
+    getEncryptedKey(metadata: Type.ExtractedMetadata): string;
+    /**
+     * Encode metadata for upload
+     *
+     * @param {string} encryptedDataCID - The CID of the encrypted data
+     * @param {string} encryptedKey - The encrypted key
+     * @param {Type.KMSKeyMetadata} metadata - The metadata to encode
+     * @returns {Promise<{ cid: import('@storacha/upload-client/types').AnyLink, bytes: Uint8Array }>} - The encoded metadata
+     */
+    encodeMetadata(encryptedDataCID: string, encryptedKey: string, metadata: Type.KMSKeyMetadata): Promise<{
+        cid: import("@storacha/upload-client/types").AnyLink;
+        bytes: Uint8Array;
+    }>;
+    /**
+     * Get the RSA public key from the space/encryption/setup
+     *
+     * @param {Type.EncryptionConfig} encryptionConfig
+     * @returns {Promise<{ publicKey: string, provider: string, algorithm: string }>}
+     */
+    getSpacePublicKey(encryptionConfig: Type.EncryptionConfig): Promise<{
+        publicKey: string;
+        provider: string;
+        algorithm: string;
+    }>;
+    /**
+     * Get the Web Crypto API SubtleCrypto interface (universal compatibility)
+     *
+     * @returns {SubtleCrypto} - The SubtleCrypto interface
+     */
+    getSubtleCrypto(): SubtleCrypto;
+    /**
+     * Encrypt data with RSA-OAEP using the public key
+     *
+     * @param {Uint8Array} dataToEncrypt
+     * @param {string} publicKeyPem
+     * @returns {Promise<Uint8Array>}
+     */
+    encryptWithRSA(dataToEncrypt: Uint8Array, publicKeyPem: string): Promise<Uint8Array>;
+    /**
+     * Convert PEM-encoded public key to ArrayBuffer for Web Crypto API
+     *
+     * @param {string} pem - PEM-encoded public key string
+     * @returns {ArrayBuffer} - DER-encoded key data for crypto.subtle.importKey()
+     */
+    pemToArrayBuffer(pem: string): ArrayBuffer;
+    newKeyManagerServiceConnection(): import("@ucanto/interface").ConnectionView<any>;
+    /**
+     * Sanitize the space DID for the KMS key ID
+     *
+     * @param {Type.SpaceDID} spaceDID
+     * @returns {string}
+     */
+    sanitizeSpaceDIDForKMSKeyId(spaceDID: Type.SpaceDID): string;
+}
+import * as Type from '../../types.js';
+//# sourceMappingURL=kms-crypto-adapter.d.ts.map

package/dist/crypto/adapters/kms-crypto-adapter.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"kms-crypto-adapter.d.ts","sourceRoot":"","sources":["../../../src/crypto/adapters/kms-crypto-adapter.js"],"names":[],"mappings":"AAWA;;;;;;;GAOG;AACH,yCAFgB,IAAI,CAAC,aAAa;IAGhC;;;;;;;;OAQG;IACH,6BANW,IAAI,CAAC,eAAe,wBACpB,GAAG,GAAC,MAAM,wBACV,OAAO,MAAM,IAAI,MAAM,EAAE,YAEjC;QAA0B,iBAAiB;KAC7C,EA0BA;IAnBC,sCAAsC;IAiBtC,0BAA+B;IAC/B,wFAA2D;IAG7D;;;;OAIG;IACH,oBAFW,IAAI,CAAC,QAAQ,+BAIvB;IAED;;;;;;OAMG;IACH,6BAJW,cAAc,OACd,UAAU,MACV,UAAU,gCAIpB;IAED;;;;;;;OAOG;IACH,yBALW,UAAU,MACV,UAAU,oBACV,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC,IAAI,CAAC,kBAAkB,CAAC,CA4B5C;IAED;;;;;;;;;OASG;IACH,kCATW,MAAM,WAEd;QAAwC,iBAAiB,EAAjD,IAAI,CAAC,iBAAiB;QACU,QAAQ,EAAxC,IAAI,CAAC,iBAAiB;QACF,aAAa,EAAjC,UAAU;QACY,WAAW,EAAjC,IAAI,CAAC,OAAO;QACoH,MAAM,EAAtI,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC;QACxE,QAAQ,EAAtD,OAAO,wBAAwB,EAAE,GAAG;KAC9C;;;OA4BA;IAED;;;;;;;;OAQG;IACH,gDANW,MAAM,YACN,IAAI,CAAC,QAAQ,mBACb,OAAO,mBAAmB,EAAE,KAAK,UACjC,OAAO,wBAAwB,EAAE,MAAM,CAAC,OAAO,wBAAwB,EAAE,GAAG,EAAE,OAAO,wBAAwB,EAAE,MAAM,CAAC,GACpH,OAAO,CAAC;QAAC,qBAAqB,EAAE,MAAM,CAAA;KAAC,CAAC,CA4BpD;IAED;;;;;;OAMG;IACH,8BAHW,UAAU,GACR,IAAI,CAAC,iBAAiB,CAiClC;IAED;;;OAGG;IACH,0BAHW,IAAI,CAAC,iBAAiB,GACpB,MAAM,CASlB;IAED;;;;;;;OAOG;IACH,iCALW,MAAM,gBACN,MAAM,YACN,IAAI,CAAC,cAAc,GACjB,OAAO,CAAC;QAAE,GAAG,EAAE,OAAO,+BAA+B,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,UAAU,CAAA;KAAE,CAAC,CAoBhG;IAED;;;;;OAKG;IACH,oCAHW,IAAI,CAAC,gBAAgB,GACnB,OAAO,CAAC;QAAE,SAAS,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,SAAS,EAAE,MAAM,CAAA;KAAE,CAAC,CAyB/E;IAED;;;;OAIG;IACH,mBAFa,YAAY,CAWxB;IAED;;;;;;OAMG;IACH,8BAJW,UAAU,gBACV,MAAM,GACJ,OAAO,CAAC,UAAU,CAAC,CAyB/B;IAED;;;;;OAKG;IACH,sBAHW,MAAM,GACJ,WAAW,CA6BvB;IAED,kFASC;IAED;;;;;OAKG;IACH,sCAHW,IAAI,CAAC,QAAQ,GACX,MAAM,CAIlB;CACF;sBAhZqB,gBAAgB"}

package/dist/crypto/adapters/kms-crypto-adapter.js

@@ -0,0 +1,321 @@
+import { connect } from '@ucanto/client';
+import { CAR, HTTP } from '@ucanto/transport';
+import { base64 } from 'multiformats/bases/base64';
+import * as Type from '../../types.js';
+import { EncryptionSetup, EncryptionKeyDecrypt, } from '@storacha/capabilities/space';
+import { KMSMetadata } from '../../core/metadata/encrypted-metadata.js';
+import * as DID from '@ipld/dag-ucan/did';
+/**
+ * KMSCryptoAdapter implements the complete CryptoAdapter interface using KMS.
+ * It uses composition with a SymmetricCrypto implementation for file encryption/decryption
+ * and KMS via private gateway for key management operations.
+ *
+ * @class
+ * @implements {Type.CryptoAdapter}
+ */
+export class KMSCryptoAdapter {
+    /**
+     * Create a new KMS crypto adapter
+     *
+     * @param {Type.SymmetricCrypto} symmetricCrypto - The symmetric crypto implementation (browser or node)
+     * @param {URL|string} keyManagerServiceURL - The key manager service URL
+     * @param {`did:${string}:${string}`} keyManagerServiceDID - The key manager service DID
+     * @param {object} [options] - Optional configuration
+     * @param {boolean} [options.allowInsecureHttp] - Allow HTTP for testing (NOT for production)
+     */
+    constructor(symmetricCrypto, keyManagerServiceURL, keyManagerServiceDID, options = {}) {
+        this.symmetricCrypto = symmetricCrypto;
+        // SECURITY: Enforce HTTPS protocol for key manager service communications (P1.1)
+        const url = keyManagerServiceURL instanceof URL
+            ? keyManagerServiceURL
+            : new URL(keyManagerServiceURL);
+        const { allowInsecureHttp = false } = options;
+        if (url.protocol !== 'https:' && !allowInsecureHttp) {
+            throw new Error(`Key manager service must use HTTPS protocol for security. Received: ${url.protocol}. ` +
+                `Please update the service URL to use HTTPS (e.g., https://your-key-manager-service.com). ` +
+                `For testing only, you can pass { allowInsecureHttp: true } as the fourth parameter.`);
+        }
+        this.keyManagerServiceURL = url;
+        this.keyManagerServiceDID = DID.parse(keyManagerServiceDID);
+    }
+    /**
+     * Encrypt a stream of data using the symmetric crypto
+     *
+     * @param {Type.BlobLike} data
+     */
+    async encryptStream(data) {
+        return this.symmetricCrypto.encryptStream(data);
+    }
+    /**
+     * Decrypt a stream of data using the symmetric crypto
+     *
+     * @param {ReadableStream} encryptedData
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     */
+    async decryptStream(encryptedData, key, iv) {
+        return this.symmetricCrypto.decryptStream(encryptedData, key, iv);
+    }
+    /**
+     * Encrypt a symmetric key using the KMS
+     *
+     * @param {Uint8Array} key
+     * @param {Uint8Array} iv
+     * @param {Type.EncryptionConfig} encryptionConfig
+     * @returns {Promise<Type.EncryptedKeyResult>}
+     */
+    async encryptSymmetricKey(key, iv, encryptionConfig) {
+        // Step 1: Combine key and IV to encrypt a single string
+        const combinedKeyAndIV = this.symmetricCrypto.combineKeyAndIV(key, iv);
+        // Step 2: Get RSA public key from space/encryption/setup
+        const setupResponse = await this.getSpacePublicKey(encryptionConfig);
+        // Step 3: Encrypt with RSA-OAEP
+        const encryptedKey = await this.encryptWithRSA(combinedKeyAndIV, setupResponse.publicKey);
+        // Step 4: Return the encrypted key and metadata
+        return {
+            strategy: 'kms',
+            encryptedKey: base64.encode(encryptedKey), // base64-encoded for transport/storage
+            metadata: {
+                space: encryptionConfig.spaceDID,
+                kms: {
+                    provider: setupResponse.provider,
+                    keyId: this.sanitizeSpaceDIDForKMSKeyId(encryptionConfig.spaceDID),
+                    algorithm: setupResponse.algorithm,
+                },
+            },
+        };
+    }
+    /**
+     * @param {string} encryptedKey
+     * @param {object} configs
+     * @param {Type.DecryptionOptions} configs.decryptionOptions
+     * @param {Type.ExtractedMetadata} configs.metadata
+     * @param {Uint8Array} configs.delegationCAR
+     * @param {Type.AnyLink} configs.resourceCID
+     * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} configs.issuer
+     * @param {import('@storacha/client/types').DID} configs.audience
+     */
+    async decryptSymmetricKey(encryptedKey, configs) {
+        // Step 1: Validate configs
+        const { decryptionOptions, metadata, issuer } = configs;
+        if (metadata.strategy !== 'kms') {
+            throw new Error('KMSCryptoAdapter can only handle KMS metadata');
+        }
+        const { spaceDID, delegationProof } = decryptionOptions;
+        if (!spaceDID || !delegationProof) {
+            throw new Error('SpaceDID and delegationProof are required');
+        }
+        if (!issuer) {
+            throw new Error('Issuer is required');
+        }
+        // Step 2: Get the decrypted key from KMS via gateway
+        const { decryptedSymmetricKey } = await this.getDecryptedSymmetricKey(encryptedKey, spaceDID, delegationProof, issuer);
+        // Step 3: Decode and split the combined key and IV
+        const combinedKeyAndIV = base64.decode(decryptedSymmetricKey);
+        return this.symmetricCrypto.splitKeyAndIV(combinedKeyAndIV);
+    }
+    /**
+     * Get decrypted symmetric key in base64 string from KMS via private gateway
+     *
+     * @param {string} encryptedSymmetricKey - The encrypted symmetric key (base64-encoded)
+     * @param {Type.SpaceDID} spaceDID - The space DID
+     * @param {import('@ucanto/interface').Proof} delegationProof - The delegation proof
+     * @param {import('@storacha/client/types').Signer<import('@storacha/client/types').DID, import('@storacha/client/types').SigAlg>} issuer - The issuer
+     * @returns {Promise<{decryptedSymmetricKey: string}>} - The decrypted symmetric key (base64-encoded)
+     */
+    async getDecryptedSymmetricKey(encryptedSymmetricKey, spaceDID, delegationProof, issuer) {
+        // Step 1: Invoke the KeyDecrypt capability passing the decryption proof
+        const result = await EncryptionKeyDecrypt.invoke({
+            issuer,
+            audience: this.keyManagerServiceDID,
+            with: spaceDID,
+            nb: {
+                key: base64.decode(encryptedSymmetricKey), // Convert base64 string to bytes
+            },
+            proofs: [delegationProof],
+        }).execute(this.newKeyManagerServiceConnection());
+        // Step 2: Handle the result
+        if (result.out.error) {
+            throw new Error(`KMS decryption failed: ${JSON.stringify(result.out.error)}`);
+        }
+        // Step 3: Return the base64-encoded decrypted key from the gateway response
+        return /** @type {{decryptedSymmetricKey: string}} */ (result.out.ok);
+    }
+    /**
+     * Extract the encrypted metadata from the CAR file
+     * KMS adapter only handles KMS format (encrypted-metadata@0.2)
+     *
+     * @param {Uint8Array} car
+     * @returns {Type.ExtractedMetadata}
+     */
+    extractEncryptedMetadata(car) {
+        const kmsContentResult = KMSMetadata.extract(car);
+        if (kmsContentResult.error) {
+            throw kmsContentResult.error;
+        }
+        const kmsContent = kmsContentResult.ok.toJSON();
+        // Validate it's KMS format
+        if (!kmsContent.encryptedSymmetricKey ||
+            !kmsContent.space ||
+            !kmsContent.kms) {
+            throw new Error('Invalid KMS metadata format - missing encryptedSymmetricKey, space, or kms fields');
+        }
+        // Return with strategy identifier
+        return {
+            strategy: 'kms',
+            encryptedDataCID: kmsContent.encryptedDataCID,
+            encryptedSymmetricKey: kmsContent.encryptedSymmetricKey,
+            space: /** @type {Type.SpaceDID} */ (kmsContent.space),
+            kms: {
+                provider: kmsContent.kms.provider,
+                keyId: kmsContent.kms.keyId,
+                algorithm: kmsContent.kms.algorithm,
+            },
+        };
+    }
+    /**
+     * @param {Type.ExtractedMetadata} metadata
+     * @returns {string}
+     */
+    getEncryptedKey(metadata) {
+        // For KMS metadata, we need to handle the different structure
+        if (metadata.strategy === 'kms') {
+            return /** @type {Type.KMSExtractedMetadata} */ (metadata)
+                .encryptedSymmetricKey;
+        }
+        throw new Error('KMSCryptoAdapter can only handle KMS metadata');
+    }
+    /**
+     * Encode metadata for upload
+     *
+     * @param {string} encryptedDataCID - The CID of the encrypted data
+     * @param {string} encryptedKey - The encrypted key
+     * @param {Type.KMSKeyMetadata} metadata - The metadata to encode
+     * @returns {Promise<{ cid: import('@storacha/upload-client/types').AnyLink, bytes: Uint8Array }>} - The encoded metadata
+     */
+    async encodeMetadata(encryptedDataCID, encryptedKey, metadata) {
+        const kmsKeyMetadata = 
+        /** @type {import('../../types.js').KMSKeyMetadata} */ (metadata);
+        /** @type {Type.KMSMetadataInput} */
+        const uploadData = {
+            encryptedDataCID,
+            encryptedSymmetricKey: encryptedKey,
+            space: kmsKeyMetadata.space,
+            kms: {
+                provider: kmsKeyMetadata.kms.provider,
+                keyId: kmsKeyMetadata.kms.keyId,
+                algorithm: kmsKeyMetadata.kms.algorithm,
+            },
+        };
+        const kmsMetadata = KMSMetadata.create(uploadData);
+        return await kmsMetadata.archiveBlock();
+    }
+    /**
+     * Get the RSA public key from the space/encryption/setup
+     *
+     * @param {Type.EncryptionConfig} encryptionConfig
+     * @returns {Promise<{ publicKey: string, provider: string, algorithm: string }>}
+     */
+    async getSpacePublicKey(encryptionConfig) {
+        // Step 1: Invoke the EncryptionSetup capability
+        const setupResult = await EncryptionSetup.invoke({
+            issuer: encryptionConfig.issuer,
+            audience: this.keyManagerServiceDID,
+            with: encryptionConfig.spaceDID,
+            nb: {
+                location: encryptionConfig.location,
+                keyring: encryptionConfig.keyring,
+            },
+        }).execute(this.newKeyManagerServiceConnection());
+        // Step 2: Handle the result
+        if (setupResult.out.error) {
+            throw new Error(`Failed to get public key: ${JSON.stringify(setupResult.out.error)}`);
+        }
+        // Step 3: Return the public key and key reference
+        return /** @type {{ publicKey: string, provider: string, algorithm: string }} */ (setupResult.out.ok);
+    }
+    /**
+     * Get the Web Crypto API SubtleCrypto interface (universal compatibility)
+     *
+     * @returns {SubtleCrypto} - The SubtleCrypto interface
+     */
+    getSubtleCrypto() {
+        // Web Crypto API is available in modern browsers (secure contexts) and Node.js 16+
+        if (globalThis.crypto?.subtle) {
+            return globalThis.crypto.subtle;
+        }
+        throw new Error('Web Crypto API (SubtleCrypto) not available. Ensure you are running in a secure context (HTTPS) or Node.js 16+.');
+    }
+    /**
+     * Encrypt data with RSA-OAEP using the public key
+     *
+     * @param {Uint8Array} dataToEncrypt
+     * @param {string} publicKeyPem
+     * @returns {Promise<Uint8Array>}
+     */
+    async encryptWithRSA(dataToEncrypt, publicKeyPem) {
+        const subtle = this.getSubtleCrypto();
+        // Step 1. Import the PEM public key
+        const publicKey = await subtle.importKey('spki', this.pemToArrayBuffer(publicKeyPem), {
+            name: 'RSA-OAEP',
+            hash: 'SHA-256',
+        }, false, ['encrypt']);
+        // Step 2. Encrypt the raw data directly
+        const encrypted = await subtle.encrypt({ name: 'RSA-OAEP' }, publicKey, dataToEncrypt);
+        return new Uint8Array(encrypted);
+    }
+    /**
+     * Convert PEM-encoded public key to ArrayBuffer for Web Crypto API
+     *
+     * @param {string} pem - PEM-encoded public key string
+     * @returns {ArrayBuffer} - DER-encoded key data for crypto.subtle.importKey()
+     */
+    pemToArrayBuffer(pem) {
+        // Strip PEM headers, footers, and whitespace to get base64 DER data
+        const base64String = pem
+            .replace('-----BEGIN PUBLIC KEY-----', '')
+            .replace('-----END PUBLIC KEY-----', '')
+            .replace(/\s/g, '');
+        // For Node.js environment, use Buffer for standard base64 decoding
+        if (typeof Buffer !== 'undefined') {
+            return Buffer.from(base64String, 'base64');
+        }
+        // For browser environment, use atob for standard base64 decoding
+        let binaryString;
+        if (typeof globalThis !== 'undefined' && globalThis.atob) {
+            binaryString = globalThis.atob(base64String);
+        }
+        else if (typeof Buffer !== 'undefined') {
+            // @ts-ignore - Buffer exists in Node.js environment
+            binaryString = Buffer.from(base64String, 'base64').toString('binary');
+        }
+        else {
+            throw new Error('Neither atob nor Buffer available for base64 decoding');
+        }
+        const bytes = new Uint8Array(binaryString.length);
+        for (let i = 0; i < binaryString.length; i++) {
+            bytes[i] = binaryString.charCodeAt(i);
+        }
+        return bytes;
+    }
+    newKeyManagerServiceConnection() {
+        return connect({
+            id: this.keyManagerServiceDID,
+            codec: CAR.outbound,
+            channel: HTTP.open({
+                url: this.keyManagerServiceURL,
+                method: 'POST',
+            }),
+        });
+    }
+    /**
+     * Sanitize the space DID for the KMS key ID
+     *
+     * @param {Type.SpaceDID} spaceDID
+     * @returns {string}
+     */
+    sanitizeSpaceDIDForKMSKeyId(spaceDID) {
+        return spaceDID.replace(/^did:key:/, '');
+    }
+}
+//# sourceMappingURL=kms-crypto-adapter.js.map