@tnaka-dev/aws-kms-ethers-v6-signer 1.0.5

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 nakagawa
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,224 @@
+# aws-kms-ethers-v6-signer
+
+A signer implementation for ethers.js v6 that uses AWS Key Management Service (KMS) for secure cryptographic signing operations.
+
+## Installation
+
+```bash
+npm install @tnaka-dev/aws-kms-ethers-v6-signer
+```
+
+## Usage
+
+### Create AwsKmsSigner
+
+```typescript
+import { ethers } from "ethers";
+import { KMSClientConfig } from "@aws-sdk/client-kms";
+import { AwsKmsSigner } from "@tnaka-dev/aws-kms-ethers-v6-signer";
+
+const keyId = "<your AWS KMS key ID>"; // Replace with your actual AWS KMS key ID
+const config = {
+region: "<your AWS region>", // Replace with your actual AWS region
+credentials: {
+    accessKeyId: "<your AWS access key ID>", // Replace with your actual AWS access key ID
+    secretAccessKey: "<your AWS secret access key>", // Replace with your actual AWS secret access key
+},
+} as KMSClientConfig;
+// Create the signer
+const signer = new AwsKmsSigner(keyId, config, provider);
+// Connect the signer to the provider
+const provider = new ethers.JsonRpcProvider("<your Ethereum JSON-RPC node URL>"); // Replace with your actual Ethereum JSON-RPC node URL
+const connectedSigner = signer.connect(provider);
+```
+
+### getAddress
+
+```typescript
+// Address
+const address = await signer.getAddress();
+console.log("Address:", address);
+```
+
+### signMessage
+
+```typescript
+// Sign a message
+const message = "Hello, AWS KMS Signer!";
+const signature = await signer.signMessage(message);
+console.log(
+  "signMessage verification:",
+  ethers.verifyMessage(message, signature) === address,
+);
+```
+
+### sendTransaction
+
+```typescript
+// Sign a transaction
+const toAddress = "<target Ethereum address>"; // Replace with the actual target Ethereum address
+const tx = await connectedSigner.sendTransaction({
+  to: toAddress,
+  value: ethers.parseEther("0.01"),
+});
+const receipt = await tx.wait();
+console.log("Transaction:", receipt?.status === 1 ? "Success" : "Failure");
+```
+
+### Contract call
+
+```typescript
+const toAddress = "<target Ethereum address>"; // Replace with the actual target Ethereum address
+const contract = new ethers.Contract(
+  "<target ERC20 contract address>", // Replace with the actual target ERC20 contract address
+  [
+    "function decimals() public view returns (uint8)",
+    "function transfer(address to, uint256 value) external returns (bool)",
+    "function balanceOf(address account) external view returns (uint256)",
+  ],
+  connectedSigner,
+);
+const decimals = await contract.decimals();
+const tx = await contract.transfer(
+  toAddress,
+  ethers.parseUnits("100", decimals),
+);
+const receipt = await tx.wait();
+console.log("ERC20 Transfer:", receipt?.status === 1 ? "Success" : "Failure");
+console.log(
+  "toAddress amount:",
+  ethers.formatUnits(await contract.balanceOf(toAddress), decimals),
+);
+```
+
+### signTypedData
+
+Example: Signing typed data for ERC20Permit (ERC-2612) using @openzeppelin/contracts
+
+```typescript
+const contractAddress = "<target ERC20Permit(ERC-2612) contract address>"; // Replace with the actual target ERC20Permit(ERC-2612) contract address
+const contractForView = new ethers.Contract(
+  contractAddress,
+  [
+    "function eip712Domain() public view returns (bytes1 fields, string name, string version, uint256 chainId, address verifyingContract, bytes32 salt, uint256[] memory extensions)",
+    "function decimals() public view returns (uint8)",
+    "function nonces(address owner) public view returns (uint256)",
+  ],
+  provider,
+);
+// domain
+const eip712Domain = await contractForView.eip712Domain();
+const domain = {
+  name: eip712Domain.name, // domain name
+  version: eip712Domain.version, // domain version
+  verifyingContract: eip712Domain.verifyingContract, // contract address
+  chainId: eip712Domain.chainId, // chain ID
+};
+// types and value for permit
+const TYPES = {
+  Permit: [
+    { name: "owner", type: "address" },
+    { name: "spender", type: "address" },
+    { name: "value", type: "uint256" },
+    { name: "nonce", type: "uint256" },
+    { name: "deadline", type: "uint256" },
+  ],
+};
+// value for permit
+const owner = await signer.getAddress();
+const nonce = await contractForView.nonces(owner);
+const decimals = await contractForView.decimals();
+const spender = "<target Ethereum address>"; // Replace with the actual target Ethereum address
+const value = {
+  owner: owner,
+  spender: spender,
+  value: ethers.parseUnits("1", decimals),
+  nonce: nonce,
+  deadline: Math.floor(Date.now() / 1000) + 3600, // 1 hour from now
+};
+// sign typed data
+const signature = await signer.signTypedData(domain, TYPES, value);
+const sign = ethers.Signature.from(signature);
+// send permit transaction
+const contract = new ethers.Contract(
+  contractAddress,
+  [
+    "function permit(address owner, address spender, uint256 value, uint256 deadline, uint8 v, bytes32 r, bytes32 s) public",
+  ],
+  otherConnectedSigner,
+);
+const tx = await contract.permit(
+  value.owner,
+  value.spender,
+  value.value,
+  value.deadline,
+  sign.v,
+  sign.r,
+  sign.s,
+);
+const receipt = await tx.wait();
+console.log(
+  "Permit Transaction:",
+  receipt?.status === 1 ? "Success" : "Failure",
+);
+```
+
+### authorize
+
+Example: EIP-7702: Set Code for EOAs
+
+```typescript
+const delegateContractAddress = "<>target delegate contract address>"; // Replace with the actual target delegate contract address
+
+// address
+const address = await connectedSigner.getAddress();
+// code
+const code = await ethers.provider.getCode(address);
+if (code === "0x") {
+  // nonce
+  const nonce = await connectedSigner.getNonce();
+  // authorize
+  const auth = await connectedSigner.authorize({
+    address: delegateContractAddress,
+    nonce: nonce + 1,
+  });
+  // send transaction with authorization
+  const tx = await connectedSigner.sendTransaction({
+    to: address,
+    type: 4,
+    authorizationList: [auth],
+  });
+  const receipt = await tx.wait();
+  console.log(
+    "Authorization Transaction:",
+    receipt?.status === 1 ? "Success" : "Failure",
+  );
+} else {
+  console.log("There is already code at this address.");
+}
+```
+
+## Prerequisites
+
+- AWS KMS key
+  - Key spec
+    - ECC_SECG_P256K1 (secp256k1)
+  - Action
+    - kms:Sign
+    - kms:GetPublicKey
+
+## Constructor
+
+`new AwsKmsSigner(keyId, config?, provider?)`
+
+Creates a new AwsKmsSigner instance.
+
+- `keyId`: AWS KMS Key ID or ARN
+- `config`: Optional AWS KMS client configuration
+- `provider`: Optional ethers.js Provider
+
+
+
+## License
+
+MIT

package/dist/index.d.ts

@@ -0,0 +1,83 @@
+import { KMSClientConfig } from "@aws-sdk/client-kms";
+import { AbstractSigner, Authorization, AuthorizationRequest, Provider, Signer, TransactionRequest, TypedDataDomain, TypedDataField } from "ethers";
+/**
+ * A Signer implementation that uses AWS KMS to sign messages and transactions.
+ *
+ * The signer retrieves the public key from AWS KMS to compute the Ethereum address
+ */
+export declare class AwsKmsSigner extends AbstractSigner {
+    private keyId;
+    private config;
+    private kmsClient;
+    address: string;
+    /**
+     * Creates a new AwsKmsSigner instance.
+     *
+     * @param keyId - The AWS KMS Key ID or ARN to use for signing
+     * @param config - Optional AWS KMS client configuration
+     * @param provider - Optional ethers.js Provider to use for resolving ENS names and addresses
+     */
+    constructor(keyId: string, config?: KMSClientConfig, provider?: Provider);
+    /**
+     * Retrieves the Ethereum address associated with the AWS KMS key. This is derived from the public key retrieved from AWS KMS. The address is cached after the first retrieval for efficiency.
+     *
+     * @returns A promise that resolves to the Ethereum address as a string
+     */
+    getAddress(): Promise<string>;
+    /**
+     * Connects the signer to a provider.
+     *
+     * @param provider - An ethers.js Provider to connect to
+     * @returns A new Signer instance connected to the provided provider
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L71
+     */
+    connect(provider: Provider): Signer;
+    /**
+     * Signs a transaction with the AWS KMS key.
+     *
+     * @param tx - The transaction to sign
+     * @returns A promise that resolves to the signed transaction as a string
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L75
+     */
+    signTransaction(tx: TransactionRequest): Promise<string>;
+    /**
+     * Signs a message with the AWS KMS key.
+     *
+     * @param message - The message to sign, which can be a string or a Uint8Array
+     * @returns A promise that resolves to the signed message as a string
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L109
+     */
+    signMessage(message: string | Uint8Array): Promise<string>;
+    /**
+     * Signs an authorization request with the AWS KMS key. The authorization request is first resolved to ensure that any ENS names are converted to addresses, and then the resulting data is hashed and signed.
+     *
+     * @param auth - The authorization request to sign, which includes the address, nonce, and chainId
+     * @returns A promise that resolves to the signed authorization, which includes the address, nonce, chainId, and signature
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L116
+     */
+    authorize(auth: AuthorizationRequest): Promise<Authorization>;
+    /**
+     * Signs typed data with the AWS KMS key. The typed data is first resolved to ensure that any ENS names are converted to addresses, and then the resulting data is hashed and signed.
+     *
+     * @param domain - The domain separator for the typed data, which includes the name, version, chainId, and verifyingContract
+     * @param types - The type definitions for the typed data, which is a mapping of type names to arrays of field definitions
+     * @param value - The actual data to sign, which is a mapping of field names to values
+     * @returns A promise that resolves to the signed typed data as a string
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L138
+     */
+    signTypedData(domain: TypedDataDomain, types: Record<string, Array<TypedDataField>>, value: Record<string, any>): Promise<string>;
+    /**
+     * Internal method to sign a digest with the AWS KMS key.
+     * This method sends a SignCommand to AWS KMS with the specified digest and retrieves the signature. The signature is then parsed from ASN.1 format and converted to the format expected by Ethereum, including handling low S values and computing the recovery parameter (v) based on the recovered address.
+     *
+     * @param digest - The digest to sign, which must be a 32-byte value (e.g., the hash of a message or transaction)
+     * @returns A promise that resolves to the signature in the format expected by Ethereum, including r, s, and v components
+     */
+    private _sign;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAEL,eAAe,EAGhB,MAAM,qBAAqB,CAAC;AAI7B,OAAO,EACL,cAAc,EAGd,aAAa,EACb,oBAAoB,EAWpB,QAAQ,EAMR,MAAM,EAKN,kBAAkB,EAClB,eAAe,EAEf,cAAc,EACf,MAAM,QAAQ,CAAC;AAEhB;;;;GAIG;AACH,qBAAa,YAAa,SAAQ,cAAc;IAE9C,OAAO,CAAC,KAAK,CAAS;IAEtB,OAAO,CAAC,MAAM,CAAkB;IAEhC,OAAO,CAAC,SAAS,CAAY;IAE7B,OAAO,EAAG,MAAM,CAAC;IAEjB;;;;;;OAMG;gBACS,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,eAAe,EAAE,QAAQ,CAAC,EAAE,QAAQ;IAOxE;;;;OAIG;IACG,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC;IAiCnC;;;;;;;OAOG;IACH,OAAO,CAAC,QAAQ,EAAE,QAAQ,GAAG,MAAM;IAInC;;;;;;;OAOG;IACG,eAAe,CAAC,EAAE,EAAE,kBAAkB,GAAG,OAAO,CAAC,MAAM,CAAC;IAiC9D;;;;;;;OAOG;IACG,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,GAAG,OAAO,CAAC,MAAM,CAAC;IAIhE;;;;;;;OAOG;IACG,SAAS,CAAC,IAAI,EAAE,oBAAoB,GAAG,OAAO,CAAC,aAAa,CAAC;IAyBnE;;;;;;;;;OASG;IACG,aAAa,CACjB,MAAM,EAAE,eAAe,EACvB,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC,EAI5C,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,GACzB,OAAO,CAAC,MAAM,CAAC;IAoClB;;;;;;OAMG;YACW,KAAK;CA2DpB"}

package/dist/index.js

@@ -0,0 +1,222 @@
+import { KMSClient, GetPublicKeyCommand, SignCommand, } from "@aws-sdk/client-kms";
+import { ECDSASigValue } from "@peculiar/asn1-ecc";
+import { AsnConvert } from "@peculiar/asn1-schema";
+import { SubjectPublicKeyInfo } from "@peculiar/asn1-x509";
+import { AbstractSigner, assert, assertArgument, copyRequest, dataLength, getAddress, getBigInt, getBytes, hashAuthorization, hashMessage, keccak256, N, recoverAddress, resolveAddress, resolveProperties, Signature, toBeHex, toBigInt, Transaction, TypedDataEncoder, } from "ethers";
+/**
+ * A Signer implementation that uses AWS KMS to sign messages and transactions.
+ *
+ * The signer retrieves the public key from AWS KMS to compute the Ethereum address
+ */
+export class AwsKmsSigner extends AbstractSigner {
+    // AWS KMS Key ID or ARN
+    keyId;
+    // AWS KMS client configuration
+    config;
+    // AWS KMS client instance
+    kmsClient;
+    // Cached Ethereum address derived from the KMS public key
+    address;
+    /**
+     * Creates a new AwsKmsSigner instance.
+     *
+     * @param keyId - The AWS KMS Key ID or ARN to use for signing
+     * @param config - Optional AWS KMS client configuration
+     * @param provider - Optional ethers.js Provider to use for resolving ENS names and addresses
+     */
+    constructor(keyId, config, provider) {
+        super(provider);
+        this.keyId = keyId;
+        this.config = config || {};
+        this.kmsClient = new KMSClient(this.config);
+    }
+    /**
+     * Retrieves the Ethereum address associated with the AWS KMS key. This is derived from the public key retrieved from AWS KMS. The address is cached after the first retrieval for efficiency.
+     *
+     * @returns A promise that resolves to the Ethereum address as a string
+     */
+    async getAddress() {
+        // If the address is already cached, return it
+        if (!this.address) {
+            // Retrieve the public key from AWS KMS
+            const command = new GetPublicKeyCommand({
+                KeyId: this.keyId,
+            });
+            // Send the command to AWS KMS and get the response
+            const response = await this.kmsClient.send(command);
+            // Extract the public key from the response
+            const publicKey = response.PublicKey;
+            // If the public key is not available, throw an error
+            if (!publicKey) {
+                throw new Error("Failed to retrieve public key from AWS KMS");
+            }
+            // Parse the public key using ASN.1 to extract the EC public key
+            const ecPublicKey = AsnConvert.parse(Buffer.from(publicKey), SubjectPublicKeyInfo).subjectPublicKey;
+            // Compute the Ethereum address by taking the keccak256 hash of the public key (excluding the first byte) and taking the last 20 bytes of the hash
+            // https://ethereum.github.io/yellowpaper/paper.pdf - Appendix F. Signing Transactions -  Ethereum address A(pr) (a 160-bit value)
+            // https://eips.ethereum.org/EIPS/eip-55 - Ethereum address checksum
+            this.address = getAddress("0x" +
+                keccak256(new Uint8Array(ecPublicKey.slice(1, ecPublicKey.byteLength))).slice(-40));
+        }
+        return this.address;
+    }
+    /**
+     * Connects the signer to a provider.
+     *
+     * @param provider - An ethers.js Provider to connect to
+     * @returns A new Signer instance connected to the provided provider
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L71
+     */
+    connect(provider) {
+        return new AwsKmsSigner(this.keyId, this.config, provider);
+    }
+    /**
+     * Signs a transaction with the AWS KMS key.
+     *
+     * @param tx - The transaction to sign
+     * @returns A promise that resolves to the signed transaction as a string
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L75
+     */
+    async signTransaction(tx) {
+        tx = copyRequest(tx);
+        // Replace any Addressable or ENS name with an address
+        const { to, from } = await resolveProperties({
+            to: tx.to ? resolveAddress(tx.to, this) : undefined,
+            from: tx.from ? resolveAddress(tx.from, this) : undefined,
+        });
+        if (to != null) {
+            tx.to = to;
+        }
+        if (from != null) {
+            tx.from = from;
+        }
+        if (tx.from != null) {
+            assertArgument(getAddress(tx.from) === (await this.getAddress()), "transaction from address mismatch", "tx.from", tx.from);
+            delete tx.from;
+        }
+        // Build the transaction
+        const btx = Transaction.from(tx);
+        btx.signature = await this._sign(btx.unsignedHash);
+        return btx.serialized;
+    }
+    /**
+     * Signs a message with the AWS KMS key.
+     *
+     * @param message - The message to sign, which can be a string or a Uint8Array
+     * @returns A promise that resolves to the signed message as a string
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L109
+     */
+    async signMessage(message) {
+        return (await this._sign(hashMessage(message))).serialized;
+    }
+    /**
+     * Signs an authorization request with the AWS KMS key. The authorization request is first resolved to ensure that any ENS names are converted to addresses, and then the resulting data is hashed and signed.
+     *
+     * @param auth - The authorization request to sign, which includes the address, nonce, and chainId
+     * @returns A promise that resolves to the signed authorization, which includes the address, nonce, chainId, and signature
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L116
+     */
+    async authorize(auth) {
+        auth = Object.assign({}, auth, {
+            address: await resolveAddress(auth.address, this),
+        });
+        auth = await this.populateAuthorization(auth);
+        assertArgument(typeof auth.address === "string", "invalid address for authorizeSync", "auth.address", auth);
+        const signature = await this._sign(hashAuthorization(auth));
+        return Object.assign({}, {
+            address: getAddress(auth.address),
+            nonce: getBigInt(auth.nonce || 0),
+            chainId: getBigInt(auth.chainId || 0),
+        }, { signature });
+    }
+    /**
+     * Signs typed data with the AWS KMS key. The typed data is first resolved to ensure that any ENS names are converted to addresses, and then the resulting data is hashed and signed.
+     *
+     * @param domain - The domain separator for the typed data, which includes the name, version, chainId, and verifyingContract
+     * @param types - The type definitions for the typed data, which is a mapping of type names to arrays of field definitions
+     * @param value - The actual data to sign, which is a mapping of field names to values
+     * @returns A promise that resolves to the signed typed data as a string
+     *
+     * @note https://github.com/ethers-io/ethers.js/blob/b746c3cf6cd191e2357fa55751696676ffda060e/src.ts/wallet/base-wallet.ts#L138
+     */
+    async signTypedData(domain, types, 
+    // `ethers` typings use `any` here for the value mapping.
+    // This is intentional and matches the abstract signer interface, so we suppress the lint warning.
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    value) {
+        // Populate any ENS names
+        const populated = await TypedDataEncoder.resolveNames(domain, types, value, async (name) => {
+            // @TODO: this should use resolveName; addresses don't
+            //        need a provider
+            assert(this.provider != null, "cannot resolve ENS names without a provider", "UNSUPPORTED_OPERATION", {
+                operation: "resolveName",
+                info: { name },
+            });
+            const address = await this.provider.resolveName(name);
+            assert(address != null, "unconfigured ENS name", "UNCONFIGURED_NAME", {
+                value: name,
+            });
+            return address;
+        });
+        return (await this._sign(TypedDataEncoder.hash(populated.domain, types, populated.value))).serialized;
+    }
+    /**
+     * Internal method to sign a digest with the AWS KMS key.
+     * This method sends a SignCommand to AWS KMS with the specified digest and retrieves the signature. The signature is then parsed from ASN.1 format and converted to the format expected by Ethereum, including handling low S values and computing the recovery parameter (v) based on the recovered address.
+     *
+     * @param digest - The digest to sign, which must be a 32-byte value (e.g., the hash of a message or transaction)
+     * @returns A promise that resolves to the signature in the format expected by Ethereum, including r, s, and v components
+     */
+    async _sign(digest) {
+        assertArgument(dataLength(digest) === 32, "invalid digest length", "digest", digest);
+        // Send the SignCommand to AWS KMS with the specified digest and signing parameters
+        const command = new SignCommand({
+            KeyId: this.keyId,
+            Message: getBytes(digest),
+            SigningAlgorithm: "ECDSA_SHA_256",
+            MessageType: "DIGEST",
+        });
+        // Retrieve the signature from AWS KMS
+        const response = await this.kmsClient.send(command);
+        const signature = response.Signature;
+        // If the signature is not available, throw an error
+        if (!signature) {
+            throw new Error("Failed to sign message with AWS KMS");
+        }
+        // Parse the signature from ASN.1 format to extract the r and s values
+        const ecdsaSig = AsnConvert.parse(Buffer.from(signature), ECDSASigValue);
+        // Handle low S values by ensuring that s is less than or equal to N/2.
+        // If s is greater than N/2, it is replaced with N - s to ensure that the signature is in canonical form, which is required by Ethereum.
+        // https://ethereum.github.io/yellowpaper/paper.pdf - Appendix F. Signing Transactions
+        let s = toBigInt(new Uint8Array(ecdsaSig.s));
+        const HALF = N >> 1n;
+        if (s > HALF) {
+            s = N - s;
+        }
+        // Construct the signature object with r, s, and a default v value of 0x1b (27 in decimal).
+        // The r and s values are converted to hexadecimal format with appropriate padding.
+        const sig = {
+            r: toBeHex(toBigInt(new Uint8Array(ecdsaSig.r))),
+            s: toBeHex(s, 32),
+            v: 0x1b,
+        };
+        // Compute the recovery parameter (v) by recovering the address from the signature and comparing it to the signer's address. If they do not match, set v to 0x1c.
+        const recover = recoverAddress(digest, {
+            r: sig.r,
+            s: sig.s,
+            v: sig.v,
+        });
+        // Retrieve the signer's address from AWS KMS (this will be cached after the first retrieval)
+        const address = await this.getAddress();
+        // If the recovered address does not match the signer's address, set v to 0x1c (28 in decimal) to indicate that the signature is valid but the recovery parameter is different.
+        if (address.toLowerCase() !== recover.toLowerCase()) {
+            sig.v = 0x1c;
+        }
+        return Signature.from(sig);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EAET,mBAAmB,EACnB,WAAW,GACZ,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EACL,cAAc,EACd,MAAM,EACN,cAAc,EAId,WAAW,EACX,UAAU,EACV,UAAU,EACV,SAAS,EACT,QAAQ,EACR,iBAAiB,EACjB,WAAW,EACX,SAAS,EACT,CAAC,EAED,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,SAAS,EAGT,OAAO,EACP,QAAQ,EACR,WAAW,EAIX,gBAAgB,GAEjB,MAAM,QAAQ,CAAC;AAEhB;;;;GAIG;AACH,MAAM,OAAO,YAAa,SAAQ,cAAc;IAC9C,wBAAwB;IAChB,KAAK,CAAS;IACtB,+BAA+B;IACvB,MAAM,CAAkB;IAChC,0BAA0B;IAClB,SAAS,CAAY;IAC7B,0DAA0D;IAC1D,OAAO,CAAU;IAEjB;;;;;;OAMG;IACH,YAAY,KAAa,EAAE,MAAwB,EAAE,QAAmB;QACtE,KAAK,CAAC,QAAQ,CAAC,CAAC;QAChB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;QACnB,IAAI,CAAC,MAAM,GAAG,MAAM,IAAI,EAAE,CAAC;QAC3B,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAC9C,CAAC;IAED;;;;OAIG;IACH,KAAK,CAAC,UAAU;QACd,8CAA8C;QAC9C,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;YAClB,uCAAuC;YACvC,MAAM,OAAO,GAAG,IAAI,mBAAmB,CAAC;gBACtC,KAAK,EAAE,IAAI,CAAC,KAAK;aAClB,CAAC,CAAC;YACH,mDAAmD;YACnD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpD,2CAA2C;YAC3C,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;YACrC,qDAAqD;YACrD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,MAAM,IAAI,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAChE,CAAC;YACD,gEAAgE;YAChE,MAAM,WAAW,GAAG,UAAU,CAAC,KAAK,CAClC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EACtB,oBAAoB,CACrB,CAAC,gBAAgB,CAAC;YACnB,kJAAkJ;YAClJ,kIAAkI;YAClI,oEAAoE;YACpE,IAAI,CAAC,OAAO,GAAG,UAAU,CACvB,IAAI;gBACF,SAAS,CACP,IAAI,UAAU,CAAC,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,WAAW,CAAC,UAAU,CAAC,CAAC,CAC7D,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CACf,CAAC;QACJ,CAAC;QACD,OAAO,IAAI,CAAC,OAAO,CAAC;IACtB,CAAC;IAED;;;;;;;OAOG;IACH,OAAO,CAAC,QAAkB;QACxB,OAAO,IAAI,YAAY,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;IAC7D,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,eAAe,CAAC,EAAsB;QAC1C,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;QAErB,sDAAsD;QACtD,MAAM,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,MAAM,iBAAiB,CAAC;YAC3C,EAAE,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;YACnD,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,cAAc,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC1D,CAAC,CAAC;QAEH,IAAI,EAAE,IAAI,IAAI,EAAE,CAAC;YACf,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC;QACb,CAAC;QACD,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;YACjB,EAAE,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,CAAC;QAED,IAAI,EAAE,CAAC,IAAI,IAAI,IAAI,EAAE,CAAC;YACpB,cAAc,CACZ,UAAU,CAAS,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC,EACzD,mCAAmC,EACnC,SAAS,EACT,EAAE,CAAC,IAAI,CACR,CAAC;YACF,OAAO,EAAE,CAAC,IAAI,CAAC;QACjB,CAAC;QAED,wBAAwB;QACxB,MAAM,GAAG,GAAG,WAAW,CAAC,IAAI,CAA0B,EAAE,CAAC,CAAC;QAC1D,GAAG,CAAC,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAEnD,OAAO,GAAG,CAAC,UAAU,CAAC;IACxB,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,WAAW,CAAC,OAA4B;QAC5C,OAAO,CAAC,MAAM,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC;IAC7D,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,SAAS,CAAC,IAA0B;QACxC,IAAI,GAAG,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,IAAI,EAAE;YAC7B,OAAO,EAAE,MAAM,cAAc,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC;SAClD,CAAC,CAAC;QACH,IAAI,GAAG,MAAM,IAAI,CAAC,qBAAqB,CAAC,IAAI,CAAC,CAAC;QAE9C,cAAc,CACZ,OAAO,IAAI,CAAC,OAAO,KAAK,QAAQ,EAChC,mCAAmC,EACnC,cAAc,EACd,IAAI,CACL,CAAC;QAEF,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC5D,OAAO,MAAM,CAAC,MAAM,CAClB,EAAE,EACF;YACE,OAAO,EAAE,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC;YACjC,KAAK,EAAE,SAAS,CAAC,IAAI,CAAC,KAAK,IAAI,CAAC,CAAC;YACjC,OAAO,EAAE,SAAS,CAAC,IAAI,CAAC,OAAO,IAAI,CAAC,CAAC;SACtC,EACD,EAAE,SAAS,EAAE,CACd,CAAC;IACJ,CAAC;IAED;;;;;;;;;OASG;IACH,KAAK,CAAC,aAAa,CACjB,MAAuB,EACvB,KAA4C;IAC5C,yDAAyD;IACzD,kGAAkG;IAClG,8DAA8D;IAC9D,KAA0B;QAE1B,yBAAyB;QACzB,MAAM,SAAS,GAAG,MAAM,gBAAgB,CAAC,YAAY,CACnD,MAAM,EACN,KAAK,EACL,KAAK,EACL,KAAK,EAAE,IAAY,EAAE,EAAE;YACrB,sDAAsD;YACtD,yBAAyB;YAEzB,MAAM,CACJ,IAAI,CAAC,QAAQ,IAAI,IAAI,EACrB,6CAA6C,EAC7C,uBAAuB,EACvB;gBACE,SAAS,EAAE,aAAa;gBACxB,IAAI,EAAE,EAAE,IAAI,EAAE;aACf,CACF,CAAC;YAEF,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC;YACtD,MAAM,CAAC,OAAO,IAAI,IAAI,EAAE,uBAAuB,EAAE,mBAAmB,EAAE;gBACpE,KAAK,EAAE,IAAI;aACZ,CAAC,CAAC;YAEH,OAAO,OAAO,CAAC;QACjB,CAAC,CACF,CAAC;QAEF,OAAO,CACL,MAAM,IAAI,CAAC,KAAK,CACd,gBAAgB,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,KAAK,EAAE,SAAS,CAAC,KAAK,CAAC,CAChE,CACF,CAAC,UAAU,CAAC;IACf,CAAC;IAED;;;;;;OAMG;IACK,KAAK,CAAC,KAAK,CAAC,MAAiB;QACnC,cAAc,CACZ,UAAU,CAAC,MAAM,CAAC,KAAK,EAAE,EACzB,uBAAuB,EACvB,QAAQ,EACR,MAAM,CACP,CAAC;QACF,mFAAmF;QACnF,MAAM,OAAO,GAAG,IAAI,WAAW,CAAC;YAC9B,KAAK,EAAE,IAAI,CAAC,KAAK;YACjB,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC;YACzB,gBAAgB,EAAE,eAAe;YACjC,WAAW,EAAE,QAAQ;SACtB,CAAC,CAAC;QAEH,sCAAsC;QACtC,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACpD,MAAM,SAAS,GAAG,QAAQ,CAAC,SAAS,CAAC;QAErC,oDAAoD;QACpD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QACzD,CAAC;QAED,sEAAsE;QACtE,MAAM,QAAQ,GAAG,UAAU,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,aAAa,CAAC,CAAC;QAEzE,uEAAuE;QACvE,wIAAwI;QACxI,sFAAsF;QACtF,IAAI,CAAC,GAAG,QAAQ,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;QAC7C,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,CAAC;QACrB,IAAI,CAAC,GAAG,IAAI,EAAE,CAAC;YACb,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACZ,CAAC;QAED,2FAA2F;QAC3F,mFAAmF;QACnF,MAAM,GAAG,GAAkB;YACzB,CAAC,EAAE,OAAO,CAAC,QAAQ,CAAC,IAAI,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;YAChD,CAAC,EAAE,OAAO,CAAC,CAAC,EAAE,EAAE,CAAC;YACjB,CAAC,EAAE,IAAI;SACR,CAAC;QAEF,iKAAiK;QACjK,MAAM,OAAO,GAAG,cAAc,CAAC,MAAM,EAAE;YACrC,CAAC,EAAE,GAAG,CAAC,CAAC;YACR,CAAC,EAAE,GAAG,CAAC,CAAC;YACR,CAAC,EAAE,GAAG,CAAC,CAAC;SACT,CAAC,CAAC;QACH,6FAA6F;QAC7F,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAC;QACxC,+KAA+K;QAC/K,IAAI,OAAO,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;YACpD,GAAG,CAAC,CAAC,GAAG,IAAI,CAAC;QACf,CAAC;QAED,OAAO,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC7B,CAAC;CACF"}

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "@tnaka-dev/aws-kms-ethers-v6-signer",
+  "version": "1.0.5",
+  "description": "A signer implementation for ethers.js v6 that uses AWS Key Management Service (KMS) for secure cryptographic signing operations",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "test": "jest",
+    "test:coverage": "jest --coverage",
+    "lint": "eslint src --ext .ts",
+    "build": "tsc"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/tnakagawa/aws-kms-ethers-v6-signer.git"
+  },
+  "keywords": [],
+  "author": "Takatoshi Nakagawa",
+  "license": "MIT",
+  "type": "module",
+  "bugs": {
+    "url": "https://github.com/tnakagawa/aws-kms-ethers-v6-signer/issues"
+  },
+  "homepage": "https://github.com/tnakagawa/aws-kms-ethers-v6-signer#readme",
+  "devDependencies": {
+    "@eslint/js": "^10.0.1",
+    "@types/jest": "^30.0.0",
+    "@types/node": "^25.5.0",
+    "@typescript-eslint/eslint-plugin": "^8.57.0",
+    "@typescript-eslint/parser": "^8.57.0",
+    "eslint": "^10.0.3",
+    "eslint-plugin-jest": "^29.15.0",
+    "globals": "^17.4.0",
+    "jest": "^30.3.0",
+    "jiti": "^2.6.1",
+    "ts-jest": "^29.4.6",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.57.0",
+    "asn1js": "^3.0.7",
+    "aws-sdk-client-mock": "^4.1.0",
+    "pkijs": "^3.3.3"
+  },
+  "dependencies": {
+    "@aws-sdk/client-kms": "^3.1009.0",
+    "@peculiar/asn1-ecc": "^2.6.1",
+    "@peculiar/asn1-schema": "^2.6.0",
+    "@peculiar/asn1-x509": "^2.6.1",
+    "ethers": "^6.16.0"
+  }
+}