@workit-poa/hedera-kms-wallet 0.1.0

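--- /dev/null
+++ b/package/dist/index.js
@@ -0,0 +1,22 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./hederaClient"), exports);
+__exportStar(require("./hederaKeyCodec"), exports);
+__exportStar(require("./kmsKeyManager"), exports);
+__exportStar(require("./kmsSigner"), exports);
+__exportStar(require("./walletProvisioning"), exports);
+//# sourceMappingURL=index.js.map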
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,iDAA+B;AAC/B,mDAAiC;AACjC,kDAAgC;AAChC,8CAA4B;AAC5B,uDAAqC"}
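--- /dev/null
+++ b/package/dist/kmsKeyManager.d.ts
@@ -0,0 +1,103 @@
+import { KMSClient, type CreateKeyCommandInput } from "@aws-sdk/client-kms";
+export type KmsAuditOperation = "CreateKey" | "CreateAlias" | "EnableKeyRotation" | "DescribeKey" | "GetPublicKey" | "ListResourceTags" | "Sign" | "ProvisionAccount" | "RotateAccountKey";
+export type KmsAuditStatus = "success" | "failure" | "skipped";
+export interface KmsAuditEvent {
+operation: KmsAuditOperation;
+status: KmsAuditStatus;
+timestamp: string;
+keyId?: string;
+keyArn?: string;
+aliasName?: string;
+userId?: string;
+accountId?: string;
+transactionId?: string;
+network?: string;
+detail?: string;
+}
+export type KmsAuditLogger = (event: KmsAuditEvent) => void;
+export interface KmsKeyPolicyBindings {
+accountId: string;
+keyAdminPrincipalArn: string;
+runtimeSignerPrincipalArn: string;
+}
+export interface CreateUserKmsKeyParams {
+kms: KMSClient;
+userId: string;
+descriptionPrefix?: string;
+aliasPrefix?: string;
+tags?: NonNullable<CreateKeyCommandInput["Tags"]>;
+keyPolicy?: Record<string, unknown>;
+policyBindings?: KmsKeyPolicyBindings;
+allowUnsafeDefaultKeyPolicy?: boolean;
+auditLogger?: KmsAuditLogger;
+}
+export interface UserKmsKeyResult {
+keyId: string;
+keyArn: string;
+aliasName?: string;
+rotationEnabled: boolean;
+rotationNote?: string;
+}
+export interface ValidatedKmsSigningKey {
+keyId: string;
+keyArn: string;
+}
+export declare function createUserKmsKey(params: CreateUserKmsKeyParams): Promise<UserKmsKeyResult>;
+export declare function buildLeastPrivilegeKeyPolicy(bindings: KmsKeyPolicyBindings): Record<string, unknown>;
+export declare function validateKmsSecp256k1SigningKey(kms: KMSClient, keyId: string, auditLogger?: KmsAuditLogger): Promise<ValidatedKmsSigningKey>;
+export declare function getPublicKeyBytes(kms: KMSClient, keyId: string, auditLogger?: KmsAuditLogger): Promise<Buffer>;
+export declare function assertKmsKeyOwnershipForUser(params: {
+kms: KMSClient;
+keyId: string;
+userId: string;
+expectedAppTag?: string;
+auditLogger?: KmsAuditLogger;
+}): Promise<void>;
+export declare function kmsAccessPolicyGuidance(keyArn?: string, aliasArn?: string): {
+runtimeSignerPolicy: {
+Version: string;
+Statement: ({
+Sid: string;
+Effect: string;
+Action: string[];
+Resource: string;
+Condition: {
+StringEquals: {
+"kms:SigningAlgorithm": string;
+};
+};
+} | {
+Sid: string;
+Effect: string;
+Action: string[];
+Resource: string;
+Condition?: undefined;
+})[];
+};
+keyAdminPolicy: {
+Version: string;
+Statement: ({
+Sid: string;
+Effect: string;
+Action: string[];
+Resource: string;
+Condition: {
+StringEquals: {
+"kms:KeySpec": string;
+"kms:KeyUsage": string;
+"aws:RequestTag/app": string;
+};
+"ForAllValues:StringEquals": {
+"aws:TagKeys": string[];
+};
+};
+} | {
+Sid: string;
+Effect: string;
+Action: string[];
+Resource: string;
+Condition?: undefined;
+})[];
+};
+};
+//# sourceMappingURL=kmsKeyManager.d.ts.map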
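Review bot: `CreateUserKmsKeyParams` still declares `keyPolicy` and `allowUnsafeDefaultKeyPolicy`, yet the compiled `resolveCreateKeyPolicy` in kmsKeyManager.js throws as soon as either is set, so the public type advertises options that can never be used. Either remove both fields from the interface or mark them in TSDoc, e.g. `/** @deprecated Rejected at runtime; supply policyBindings instead. */`, so consumers are not misled by autocomplete. None of the exported functions carry TSDoc either, so the declaration does not tell a caller that `createUserKmsKey` requires `policyBindings` or that the key is always created as `ECC_SECG_P256K1`/`SIGN_VERIFY`; since this file is compiler output, the comments belong on the source in src/kmsKeyManager.ts.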
@@ -0,0 +1 @@
1
+ {"version":3,"file":"kmsKeyManager.d.ts","sourceRoot":"","sources":["../src/kmsKeyManager.ts"],"names":[],"mappings":"AAAA,OAAO,EAML,SAAS,EAET,KAAK,qBAAqB,EAE3B,MAAM,qBAAqB,CAAC;AAK7B,MAAM,MAAM,iBAAiB,GACzB,WAAW,GACX,aAAa,GACb,mBAAmB,GACnB,aAAa,GACb,cAAc,GACd,kBAAkB,GAClB,MAAM,GACN,kBAAkB,GAClB,kBAAkB,CAAC;AACvB,MAAM,MAAM,cAAc,GAAG,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;AAE/D,MAAM,WAAW,aAAa;IAC5B,SAAS,EAAE,iBAAiB,CAAC;IAC7B,MAAM,EAAE,cAAc,CAAC;IACvB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,MAAM,cAAc,GAAG,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;AAE5D,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,oBAAoB,EAAE,MAAM,CAAC;IAC7B,yBAAyB,EAAE,MAAM,CAAC;CACnC;AAED,MAAM,WAAW,sBAAsB;IACrC,GAAG,EAAE,SAAS,CAAC;IACf,MAAM,EAAE,MAAM,CAAC;IACf,iBAAiB,CAAC,EAAE,MAAM,CAAC;IAC3B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,WAAW,CAAC,qBAAqB,CAAC,MAAM,CAAC,CAAC,CAAC;IAClD,SAAS,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACpC,cAAc,CAAC,EAAE,oBAAoB,CAAC;IACtC,2BAA2B,CAAC,EAAE,OAAO,CAAC;IACtC,WAAW,CAAC,EAAE,cAAc,CAAC;CAC9B;AAED,MAAM,WAAW,gBAAgB;IAC/B,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,eAAe,EAAE,OAAO,CAAC;IACzB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,sBAAsB;IACrC,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;CAChB;AAoKD,wBAAsB,gBAAgB,CAAC,MAAM,EAAE,sBAAsB,GAAG,OAAO,CAAC,gBAAgB,CAAC,CAsFhG;AAED,wBAAgB,4BAA4B,CAAC,QAAQ,EAAE,oBAAoB,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAiEpG;AAED,wBAAsB,8BAA8B,CAClD,GAAG,EAAE,SAAS,EACd,KAAK,EAAE,MAAM,EACb,WAAW,CAAC,EAAE,cAAc,GAC3B,OAAO,CAAC,sBAAsB,CAAC,CAsEjC;AAED,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,SAAS,EAAE,KAAK,EAAE,MAAM,EAAE,WAAW,CAAC,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAiCpH;AAED,wBAAsB,4BAA4B,CAAC,MAAM,EAAE;IACzD,GAAG,EAAE,SAAS,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,MAAM,CAAC;I
ACf,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,WAAW,CAAC,EAAE,cAAc,CAAC;CAC9B,GAAG,OAAO,CAAC,IAAI,CAAC,CAkEhB;AAED,wBAAgB,uBAAuB,CACrC,MAAM,SAA6C,EACnD,QAAQ,SAAsD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAsE/D"}
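--- /dev/null
+++ b/package/dist/kmsKeyManager.js
@@ -0,0 +1,496 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createUserKmsKey = createUserKmsKey;
+exports.buildLeastPrivilegeKeyPolicy = buildLeastPrivilegeKeyPolicy;
+exports.validateKmsSecp256k1SigningKey = validateKmsSecp256k1SigningKey;
+exports.getPublicKeyBytes = getPublicKeyBytes;
+exports.assertKmsKeyOwnershipForUser = assertKmsKeyOwnershipForUser;
+exports.kmsAccessPolicyGuidance = kmsAccessPolicyGuidance;
+const client_kms_1 = require("@aws-sdk/client-kms");
+const AWS_ACCOUNT_ID_PATTERN = /^\d{12}$/;
+const IAM_PRINCIPAL_ARN_PATTERN = /^arn:aws[a-zA-Z-]*:iam::\d{12}:(?:root|role\/[\w+=,.@\-_/]+|user\/[\w+=,.@\-_/]+)$/;
+function emitAuditEvent(auditLogger, event) {
+if (!auditLogger) {
+return;
+}
+auditLogger({
+...event,
+timestamp: new Date().toISOString()
+});
+}
+function normalizeAwsAccountId(accountId) {
+const value = accountId.trim();
+if (!AWS_ACCOUNT_ID_PATTERN.test(value)) {
+throw new Error(`Invalid AWS account id "${accountId}". Expected a 12-digit account id.`);
+}
+return value;
+}
+function normalizePrincipalArn(principalArn, fieldName) {
+const value = principalArn.trim();
+if (!IAM_PRINCIPAL_ARN_PATTERN.test(value)) {
+throw new Error(`Invalid ${fieldName} "${principalArn}". Expected an IAM principal ARN like arn:aws:iam::123456789012:role/RoleName.`);
+}
+return value;
+}
+function normalizeTags(userId, tags) {
+const defaultTags = [
+{ TagKey: "app", TagValue: "workit" },
+{ TagKey: "userId", TagValue: userId }
+];
+if (!tags) {
+return defaultTags;
+}
+const byTagKey = new Map();
+for (const tag of defaultTags) {
+byTagKey.set(tag.TagKey, tag.TagValue);
+}
+for (const tag of tags) {
+if (!tag.TagKey) {
+throw new Error("KMS key tags must include a non-empty TagKey.");
+}
+if (tag.TagValue === undefined) {
+continue;
+}
+if (tag.TagKey === "userId" && tag.TagValue !== userId) {
+throw new Error(`The userId tag must match the normalized user id "${userId}".`);
+}
+byTagKey.set(tag.TagKey, tag.TagValue);
+}
+if (!byTagKey.get("app")) {
+byTagKey.set("app", "workit");
+}
+if (!byTagKey.get("userId")) {
+byTagKey.set("userId", userId);
+}
+return Array.from(byTagKey.entries()).map(([TagKey, TagValue]) => ({ TagKey, TagValue }));
+}
+function normalizeAliasName(userId, aliasPrefix = "alias/workit/user") {
+const normalizedUserId = userId.replace(/[^a-zA-Z0-9/_-]/g, "-").replace(/-+/g, "-");
+const trimmedAliasPrefix = aliasPrefix.trim();
+if (!trimmedAliasPrefix) {
+throw new Error("aliasPrefix is required");
+}
+const normalizedPrefix = trimmedAliasPrefix.replace(/^alias\/+/, "");
+const prefix = `alias/${normalizedPrefix}`.replace(/\/+$/, "");
+return `${prefix}/${normalizedUserId}`;
+}
+function isUnsupportedAsymmetricRotationError(error) {
+const name = typeof error === "object" && error ? String(error.name ?? "") : "";
+const message = error instanceof Error ? error.message : String(error);
+const lowerName = name.toLowerCase();
+const lowerMessage = message.toLowerCase();
+return (lowerName.includes("unsupportedoperationexception") ||
+lowerName.includes("unsupportedoperation") ||
+(lowerMessage.includes("asymmetric") && lowerMessage.includes("rotation")) ||
+(lowerMessage.includes("automatic rotation") && lowerMessage.includes("not supported")));
+}
+function resolveCreateKeyPolicy(params) {
+if (params.keyPolicy) {
+throw new Error("Custom keyPolicy overrides are not allowed. Use policyBindings to enforce least-privilege key policy controls.");
+}
+if (params.allowUnsafeDefaultKeyPolicy) {
+throw new Error("allowUnsafeDefaultKeyPolicy is not supported. Explicit policyBindings are required for key creation.");
+}
+if (!params.policyBindings) {
+throw new Error("Missing key policy controls. Provide policyBindings for key creation.");
+}
+return buildLeastPrivilegeKeyPolicy(params.policyBindings);
+}
+async function tryEnableRotation(kms, keyId, auditLogger) {
+try {
+await kms.send(new client_kms_1.EnableKeyRotationCommand({ KeyId: keyId }));
+emitAuditEvent(auditLogger, {
+operation: "EnableKeyRotation",
+status: "success",
+keyId
+});
+return { enabled: true };
+}
+catch (error) {
+if (!isUnsupportedAsymmetricRotationError(error)) {
+emitAuditEvent(auditLogger, {
+operation: "EnableKeyRotation",
+status: "failure",
+keyId,
+detail: error instanceof Error ? error.message : String(error)
+});
+throw error;
+}
+// Asymmetric SIGN_VERIFY keys do not support automatic rotation in AWS KMS.
+const message = error instanceof Error ? error.message : String(error);
+emitAuditEvent(auditLogger, {
+operation: "EnableKeyRotation",
+status: "skipped",
+keyId,
+detail: message
+});
+return {
+enabled: false,
+note: `Automatic rotation unavailable for this key type. Use managed key replacement + Hedera AccountUpdate for rotation. Detail: ${message}`
+};
+}
+}
+async function createUserKmsKey(params) {
+const { kms, userId, descriptionPrefix = "Workit Hedera key for user", aliasPrefix = "alias/workit/user", tags, auditLogger } = params;
+const normalizedUserId = userId.trim();
+if (!normalizedUserId) {
+throw new Error("userId is required");
+}
+const keyPolicy = resolveCreateKeyPolicy(params);
+const createKeyInput = {
+KeySpec: "ECC_SECG_P256K1",
+KeyUsage: "SIGN_VERIFY",
+Description: `${descriptionPrefix} ${normalizedUserId}`,
+Tags: normalizeTags(normalizedUserId, tags)
+};
+if (keyPolicy) {
+createKeyInput.Policy = JSON.stringify(keyPolicy);
+}
+const createResp = await kms.send(new client_kms_1.CreateKeyCommand(createKeyInput)).catch(error => {
+emitAuditEvent(auditLogger, {
+operation: "CreateKey",
+status: "failure",
+detail: error instanceof Error ? error.message : String(error)
+});
+throw error;
+});
+const metadata = createResp.KeyMetadata;
+if (!metadata?.KeyId || !metadata.Arn) {
+emitAuditEvent(auditLogger, {
+operation: "CreateKey",
+status: "failure",
+detail: "AWS KMS did not return key metadata"
+});
+throw new Error("AWS KMS did not return key metadata");
+}
+emitAuditEvent(auditLogger, {
+operation: "CreateKey",
+status: "success",
+keyId: metadata.KeyId,
+keyArn: metadata.Arn
+});
+const aliasName = normalizeAliasName(normalizedUserId, aliasPrefix);
+try {
+await kms.send(new client_kms_1.CreateAliasCommand({
+AliasName: aliasName,
+TargetKeyId: metadata.KeyId
+}));
+emitAuditEvent(auditLogger, {
+operation: "CreateAlias",
+status: "success",
+keyId: metadata.KeyId,
+keyArn: metadata.Arn,
+aliasName
+});
+}
+catch (error) {
+emitAuditEvent(auditLogger, {
+operation: "CreateAlias",
+status: "failure",
+keyId: metadata.KeyId,
+keyArn: metadata.Arn,
+aliasName,
+detail: error instanceof Error ? error.message : String(error)
+});
+throw error;
+}
+const rotation = await tryEnableRotation(kms, metadata.KeyId, auditLogger);
+return {
+keyId: metadata.KeyId,
+keyArn: metadata.Arn,
+aliasName,
+rotationEnabled: rotation.enabled,
+rotationNote: rotation.note
+};
+}
+function buildLeastPrivilegeKeyPolicy(bindings) {
+const accountId = normalizeAwsAccountId(bindings.accountId);
+const keyAdminPrincipalArn = normalizePrincipalArn(bindings.keyAdminPrincipalArn, "keyAdminPrincipalArn");
+const runtimeSignerPrincipalArn = normalizePrincipalArn(bindings.runtimeSignerPrincipalArn, "runtimeSignerPrincipalArn");
+return {
+Version: "2012-10-17",
+Statement: [
+{
+Sid: "AllowAccountRootRecovery",
+Effect: "Allow",
+Principal: {
+AWS: `arn:aws:iam::${accountId}:root`
+},
+Action: "kms:*",
+Resource: "*"
+},
+{
+Sid: "AllowKeyAdministration",
+Effect: "Allow",
+Principal: {
+AWS: keyAdminPrincipalArn
+},
+Action: [
+"kms:DescribeKey",
+"kms:ListResourceTags",
+"kms:GetKeyPolicy",
+"kms:PutKeyPolicy",
+"kms:CreateAlias",
+"kms:UpdateAlias",
+"kms:DeleteAlias",
+"kms:TagResource",
+"kms:UntagResource",
+"kms:EnableKey",
+"kms:DisableKey",
+"kms:ScheduleKeyDeletion",
+"kms:CancelKeyDeletion"
+],
+Resource: "*"
+},
+{
+Sid: "AllowRuntimeSigningOnly",
+Effect: "Allow",
+Principal: {
+AWS: runtimeSignerPrincipalArn
+},
+Action: ["kms:Sign"],
+Resource: "*",
+Condition: {
+StringEquals: {
+"kms:SigningAlgorithm": "ECDSA_SHA_256"
+}
+}
+},
+{
+Sid: "AllowRuntimeMetadataReadOnly",
+Effect: "Allow",
+Principal: {
+AWS: runtimeSignerPrincipalArn
+},
+Action: ["kms:GetPublicKey", "kms:DescribeKey", "kms:ListResourceTags"],
+Resource: "*"
+}
+]
+};
+}
+async function validateKmsSecp256k1SigningKey(kms, keyId, auditLogger) {
+const normalizedKeyId = keyId.trim();
+if (!normalizedKeyId) {
+throw new Error("keyId is required");
+}
+const response = await kms.send(new client_kms_1.DescribeKeyCommand({ KeyId: normalizedKeyId })).catch(error => {
+emitAuditEvent(auditLogger, {
+operation: "DescribeKey",
+status: "failure",
+keyId: normalizedKeyId,
+detail: error instanceof Error ? error.message : String(error)
+});
+throw error;
+});
+const metadata = response.KeyMetadata;
+if (!metadata?.KeyId || !metadata.Arn) {
+emitAuditEvent(auditLogger, {
+operation: "DescribeKey",
+status: "failure",
+keyId: normalizedKeyId,
+detail: "KMS did not return key metadata"
+});
+throw new Error("KMS did not return key metadata");
+}
+const isKeyEnabled = metadata.Enabled === undefined ? metadata.KeyState === "Enabled" : metadata.Enabled;
+if (!isKeyEnabled || metadata.KeyState !== "Enabled") {
+emitAuditEvent(auditLogger, {
+operation: "DescribeKey",
+status: "failure",
+keyId: metadata.KeyId,
+keyArn: metadata.Arn,
+detail: `KMS key "${metadata.KeyId}" must be in Enabled state for signing.`
+});
+throw new Error(`KMS key "${metadata.KeyId}" must be in Enabled state for signing.`);
+}
+if (metadata.KeySpec !== "ECC_SECG_P256K1") {
+emitAuditEvent(auditLogger, {
+operation: "DescribeKey",
+status: "failure",
+keyId: metadata.KeyId,
+keyArn: metadata.Arn,
+detail: `KMS key "${metadata.KeyId}" must use KeySpec ECC_SECG_P256K1.`
+});
+throw new Error(`KMS key "${metadata.KeyId}" must use KeySpec ECC_SECG_P256K1.`);
+}
+if (metadata.KeyUsage !== "SIGN_VERIFY") {
+emitAuditEvent(auditLogger, {
+operation: "DescribeKey",
+status: "failure",
+keyId: metadata.KeyId,
+keyArn: metadata.Arn,
+detail: `KMS key "${metadata.KeyId}" must use KeyUsage SIGN_VERIFY.`
+});
+throw new Error(`KMS key "${metadata.KeyId}" must use KeyUsage SIGN_VERIFY.`);
+}
+emitAuditEvent(auditLogger, {
+operation: "DescribeKey",
+status: "success",
+keyId: metadata.KeyId,
+keyArn: metadata.Arn
+});
+return {
+keyId: metadata.KeyId,
+keyArn: metadata.Arn
+};
+}
+async function getPublicKeyBytes(kms, keyId, auditLogger) {
+const normalizedKeyId = keyId.trim();
+if (!normalizedKeyId) {
+throw new Error("keyId is required");
+}
+const response = await kms.send(new client_kms_1.GetPublicKeyCommand({ KeyId: normalizedKeyId })).catch(error => {
+emitAuditEvent(auditLogger, {
+operation: "GetPublicKey",
+status: "failure",
+keyId: normalizedKeyId,
+detail: error instanceof Error ? error.message : String(error)
+});
+throw error;
+});
+if (!response.PublicKey) {
+emitAuditEvent(auditLogger, {
+operation: "GetPublicKey",
+status: "failure",
+keyId: normalizedKeyId,
+detail: "KMS did not return public key bytes"
+});
+throw new Error("KMS did not return public key bytes");
+}
+emitAuditEvent(auditLogger, {
+operation: "GetPublicKey",
+status: "success",
+keyId: normalizedKeyId
+});
+return Buffer.from(response.PublicKey);
+}
+async function assertKmsKeyOwnershipForUser(params) {
+const { kms, keyId, userId, expectedAppTag = "workit", auditLogger } = params;
+const normalizedKeyId = keyId.trim();
+if (!normalizedKeyId) {
+throw new Error("keyId is required");
+}
+const normalizedUserId = userId.trim();
+if (!normalizedUserId) {
+throw new Error("userId is required");
+}
+const response = await kms.send(new client_kms_1.ListResourceTagsCommand({ KeyId: normalizedKeyId })).catch(error => {
+emitAuditEvent(auditLogger, {
+operation: "ListResourceTags",
+status: "failure",
+keyId: normalizedKeyId,
+userId: normalizedUserId,
+detail: error instanceof Error ? error.message : String(error)
+});
+throw error;
+});
+const tags = new Map((response.Tags ?? [])
+.filter(tag => Boolean(tag.TagKey))
+.map(tag => [String(tag.TagKey), tag.TagValue === undefined ? "" : String(tag.TagValue)]));
+const keyUserId = tags.get("userId");
+if (keyUserId !== normalizedUserId) {
+const detail = keyUserId === undefined
+? `KMS key "${normalizedKeyId}" is missing required userId tag for "${normalizedUserId}".`
+: `KMS key "${normalizedKeyId}" is tagged for userId "${keyUserId}", expected "${normalizedUserId}".`;
+emitAuditEvent(auditLogger, {
+operation: "ListResourceTags",
+status: "failure",
+keyId: normalizedKeyId,
+userId: normalizedUserId,
+detail
+});
+throw new Error(detail);
+}
+const appTag = tags.get("app");
+if (appTag !== expectedAppTag) {
+const detail = appTag === undefined
+? `KMS key "${normalizedKeyId}" is missing required app tag "${expectedAppTag}".`
+: `KMS key "${normalizedKeyId}" has app tag "${appTag}", expected "${expectedAppTag}".`;
+emitAuditEvent(auditLogger, {
+operation: "ListResourceTags",
+status: "failure",
+keyId: normalizedKeyId,
+userId: normalizedUserId,
+detail
+});
+throw new Error(detail);
+}
+emitAuditEvent(auditLogger, {
+operation: "ListResourceTags",
+status: "success",
+keyId: normalizedKeyId,
+userId: normalizedUserId,
+detail: `Verified key ownership for userId "${normalizedUserId}".`
+});
+}
+function kmsAccessPolicyGuidance(keyArn = "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID", aliasArn = "arn:aws:kms:REGION:ACCOUNT_ID:alias/workit/user/*") {
+return {
+runtimeSignerPolicy: {
+Version: "2012-10-17",
+Statement: [
+{
+Sid: "AllowSign",
+Effect: "Allow",
+Action: ["kms:Sign"],
+Resource: keyArn,
+Condition: {
+StringEquals: {
+"kms:SigningAlgorithm": "ECDSA_SHA_256"
+}
+}
+},
+{
+Sid: "AllowReadPublicMetadata",
+Effect: "Allow",
+Action: ["kms:GetPublicKey", "kms:DescribeKey", "kms:ListResourceTags"],
+Resource: keyArn
+}
+]
+},
+keyAdminPolicy: {
+Version: "2012-10-17",
+Statement: [
+{
+Sid: "AllowCreationOfSecp256k1SigningKeysWithRequiredTags",
+Effect: "Allow",
+Action: ["kms:CreateKey"],
+Resource: "*",
+Condition: {
+StringEquals: {
+"kms:KeySpec": "ECC_SECG_P256K1",
+"kms:KeyUsage": "SIGN_VERIFY",
+"aws:RequestTag/app": "workit"
+},
+"ForAllValues:StringEquals": {
+"aws:TagKeys": ["app", "userId"]
+}
+}
+},
+{
+Sid: "AllowScopedAliasManagement",
+Effect: "Allow",
+Action: ["kms:CreateAlias", "kms:UpdateAlias", "kms:DeleteAlias"],
+Resource: aliasArn
+},
+{
+Sid: "AllowScopedKeyLifecycleManagement",
+Effect: "Allow",
+Action: [
+"kms:TagResource",
+"kms:UntagResource",
+"kms:DescribeKey",
+"kms:ListResourceTags",
+"kms:GetKeyPolicy",
+"kms:PutKeyPolicy",
+"kms:EnableKey",
+"kms:DisableKey",
+"kms:ScheduleKeyDeletion",
+"kms:CancelKeyDeletion"
+],
+Resource: keyArn
+}
+]
+}
+};
+}
+//# sourceMappingURL=kmsKeyManager.js.map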
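Review bot: `buildLeastPrivilegeKeyPolicy` accepts an account-root ARN for `runtimeSignerPrincipalArn` because `IAM_PRINCIPAL_ARN_PATTERN` admits `:root`, so a binding such as `arn:aws:iam::123456789012:root` turns `AllowRuntimeSigningOnly` into a signing grant for every IAM identity in that account; reject it after normalization with `if (runtimeSignerPrincipalArn.endsWith(":root")) { throw new Error("runtimeSignerPrincipalArn must be an IAM role or user, not the account root."); }`. The `AllowAccountRootRecovery` statement also deserves a comment such as `// Delegates to IAM: any identity policy in this account that grants kms:Sign still works, so the signer binding is only as tight as the account's IAM policies.` Neither this key policy nor the `keyAdminPolicy` in `kmsAccessPolicyGuidance` lists `kms:EnableKeyRotation`, so the unconditional `tryEnableRotation` call in `createUserKmsKey` will presumably fail with an authorization error that `isUnsupportedAsymmetricRotationError` does not match, making `createUserKmsKey` throw after the key and alias already exist; since `KeySpec` is fixed to `ECC_SECG_P256K1`, which the inline comment itself says cannot rotate, replace the call with a constant `{ enabled: false, note: ... }` result. Relatedly, a failed `CreateAliasCommand` (an alias collision is possible because `normalizeAliasName` maps distinct ids such as `a b` and `a-b` to the same alias) rethrows the raw error and leaves the new key untracked, so wrap it with a message that carries `metadata.KeyId` for cleanup.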
@@ -0,0 +1 @@
1
+ {"version":3,"file":"kmsKeyManager.js","sourceRoot":"","sources":["../src/kmsKeyManager.ts"],"names":[],"mappings":";;AA4OA,4CAsFC;AAED,oEAiEC;AAED,wEA0EC;AAED,8CAiCC;AAED,oEAwEC;AAED,0DAwEC;AAxoBD,oDAU6B;AAE7B,MAAM,sBAAsB,GAAG,UAAU,CAAC;AAC1C,MAAM,yBAAyB,GAAG,oFAAoF,CAAC;AA6DvH,SAAS,cAAc,CACrB,WAAuC,EACvC,KAAuC;IAEvC,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,OAAO;IACT,CAAC;IAED,WAAW,CAAC;QACV,GAAG,KAAK;QACR,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;KACpC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,qBAAqB,CAAC,SAAiB;IAC9C,MAAM,KAAK,GAAG,SAAS,CAAC,IAAI,EAAE,CAAC;IAC/B,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACxC,MAAM,IAAI,KAAK,CAAC,2BAA2B,SAAS,oCAAoC,CAAC,CAAC;IAC5F,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,qBAAqB,CAAC,YAAoB,EAAE,SAAiB;IACpE,MAAM,KAAK,GAAG,YAAY,CAAC,IAAI,EAAE,CAAC;IAClC,IAAI,CAAC,yBAAyB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CACb,WAAW,SAAS,KAAK,YAAY,gFAAgF,CACtH,CAAC;IACJ,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,aAAa,CACpB,MAAc,EACd,IAA4D;IAE5D,MAAM,WAAW,GAAgD;QAC/D,EAAE,MAAM,EAAE,KAAK,EAAE,QAAQ,EAAE,QAAQ,EAAE;QACrC,EAAE,MAAM,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,EAAE;KACvC,CAAC;IAEF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC3C,KAAK,MAAM,GAAG,IAAI,WAAW,EAAE,CAAC;QAC9B,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,IAAI,CAAC,GAAG,CAAC,MAAM,EAAE,CAAC;YAChB,MAAM,IAAI,KAAK,CAAC,+CAA+C,CAAC,CAAC;QACnE,CAAC;QAED,IAAI,GAAG,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC/B,SAAS;QACX,CAAC;QAED,IAAI,GAAG,CAAC,MAAM,KAAK,QAAQ,IAAI,GAAG,CAAC,QAAQ,KAAK,MAAM,EAAE,CAAC;YACvD,MAAM,IAAI,KAAK,CAAC,qDAAqD,MAAM,IAAI,CAAC,CAAC;QACnF,CAAC;QAED,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,EAAE,GAAG,CAAC,QAAQ,CAAC,CAAC;IACzC,CAAC;IAED,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,QAAQ,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAChC,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC5B,QAAQ,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACjC,CAAC;IAED
,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,QAAQ,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,MAAM,EAAE,QAAQ,EAAE,CAAC,CAAC,CAAC;AAC5F,CAAC;AAED,SAAS,kBAAkB,CAAC,MAAc,EAAE,WAAW,GAAG,mBAAmB;IAC3E,MAAM,gBAAgB,GAAG,MAAM,CAAC,OAAO,CAAC,kBAAkB,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAErF,MAAM,kBAAkB,GAAG,WAAW,CAAC,IAAI,EAAE,CAAC;IAC9C,IAAI,CAAC,kBAAkB,EAAE,CAAC;QACxB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,gBAAgB,GAAG,kBAAkB,CAAC,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC;IACrE,MAAM,MAAM,GAAG,SAAS,gBAAgB,EAAE,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC/D,OAAO,GAAG,MAAM,IAAI,gBAAgB,EAAE,CAAC;AACzC,CAAC;AAED,SAAS,oCAAoC,CAAC,KAAc;IAC1D,MAAM,IAAI,GAAG,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,CAAC,CAAC,MAAM,CAAE,KAA4B,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACxG,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;IACvE,MAAM,SAAS,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;IACrC,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAE3C,OAAO,CACL,SAAS,CAAC,QAAQ,CAAC,+BAA+B,CAAC;QACnD,SAAS,CAAC,QAAQ,CAAC,sBAAsB,CAAC;QAC1C,CAAC,YAAY,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;QAC1E,CAAC,YAAY,CAAC,QAAQ,CAAC,oBAAoB,CAAC,IAAI,YAAY,CAAC,QAAQ,CAAC,eAAe,CAAC,CAAC,CACxF,CAAC;AACJ,CAAC;AAED,SAAS,sBAAsB,CAAC,MAA8B;IAC5D,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CACb,gHAAgH,CACjH,CAAC;IACJ,CAAC;IAED,IAAI,MAAM,CAAC,2BAA2B,EAAE,CAAC;QACvC,MAAM,IAAI,KAAK,CACb,sGAAsG,CACvG,CAAC;IACJ,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,cAAc,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,uEAAuE,CAAC,CAAC;IAC3F,CAAC;IAED,OAAO,4BAA4B,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC;AAC7D,CAAC;AAED,KAAK,UAAU,iBAAiB,CAC9B,GAAc,EACd,KAAa,EACb,WAA4B;IAE5B,IAAI,CAAC;QACH,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,qCAAwB,CAAC,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;QAC/D,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,mBAAmB;YAC9B,MAAM,EAAE,SAAS;YACjB,KAAK;SACN,CAAC,CAAC;QACH,OAAO,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IAC3B,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,IAAI,CAAC,oCAAoC,CAA
C,KAAK,CAAC,EAAE,CAAC;YACjD,cAAc,CAAC,WAAW,EAAE;gBAC1B,SAAS,EAAE,mBAAmB;gBAC9B,MAAM,EAAE,SAAS;gBACjB,KAAK;gBACL,MAAM,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;aAC/D,CAAC,CAAC;YACH,MAAM,KAAK,CAAC;QACd,CAAC;QAED,4EAA4E;QAC5E,MAAM,OAAO,GAAG,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACvE,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,mBAAmB;YAC9B,MAAM,EAAE,SAAS;YACjB,KAAK;YACL,MAAM,EAAE,OAAO;SAChB,CAAC,CAAC;QACH,OAAO;YACL,OAAO,EAAE,KAAK;YACd,IAAI,EAAE,8HAA8H,OAAO,EAAE;SAC9I,CAAC;IACJ,CAAC;AACH,CAAC;AAEM,KAAK,UAAU,gBAAgB,CAAC,MAA8B;IACnE,MAAM,EACJ,GAAG,EACH,MAAM,EACN,iBAAiB,GAAG,4BAA4B,EAChD,WAAW,GAAG,mBAAmB,EACjC,IAAI,EACJ,WAAW,EACZ,GAAG,MAAM,CAAC;IACX,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,SAAS,GAAG,sBAAsB,CAAC,MAAM,CAAC,CAAC;IACjD,MAAM,cAAc,GAA0B;QAC5C,OAAO,EAAE,iBAAiB;QAC1B,QAAQ,EAAE,aAAa;QACvB,WAAW,EAAE,GAAG,iBAAiB,IAAI,gBAAgB,EAAE;QACvD,IAAI,EAAE,aAAa,CAAC,gBAAgB,EAAE,IAAI,CAAC;KAC5C,CAAC;IACF,IAAI,SAAS,EAAE,CAAC;QACd,cAAc,CAAC,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,UAAU,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,6BAAgB,CAAC,cAAc,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;QACpF,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,WAAW;YACtB,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC/D,CAAC,CAAC;QACH,MAAM,KAAK,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,UAAU,CAAC,WAAsC,CAAC;IACnE,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;QACtC,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,WAAW;YACtB,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,qCAAqC;SAC9C,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IACD,cAAc,CAAC,WAAW,EAAE;QAC1B,SAAS,EAAE,WAAW;QACtB,MAAM,EAAE,SAAS;QACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,MAAM,EAAE,QAAQ,CAAC,GAAG;KACrB,CAAC,CAAC;IAEH,MAAM,SAAS,GAAG,kBAAkB,CAAC,gBAAgB,EAAE,WAAW,CAAC,CAAC;IACpE,IAAI,CAAC;QACH,MAAM,G
AAG,CAAC,IAAI,CACZ,IAAI,+BAAkB,CAAC;YACrB,SAAS,EAAE,SAAS;YACpB,WAAW,EAAE,QAAQ,CAAC,KAAK;SAC5B,CAAC,CACH,CAAC;QACF,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,aAAa;YACxB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,MAAM,EAAE,QAAQ,CAAC,GAAG;YACpB,SAAS;SACV,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,aAAa;YACxB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,MAAM,EAAE,QAAQ,CAAC,GAAG;YACpB,SAAS;YACT,MAAM,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC/D,CAAC,CAAC;QACH,MAAM,KAAK,CAAC;IACd,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,KAAK,EAAE,WAAW,CAAC,CAAC;IAE3E,OAAO;QACL,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,MAAM,EAAE,QAAQ,CAAC,GAAG;QACpB,SAAS;QACT,eAAe,EAAE,QAAQ,CAAC,OAAO;QACjC,YAAY,EAAE,QAAQ,CAAC,IAAI;KAC5B,CAAC;AACJ,CAAC;AAED,SAAgB,4BAA4B,CAAC,QAA8B;IACzE,MAAM,SAAS,GAAG,qBAAqB,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;IAC5D,MAAM,oBAAoB,GAAG,qBAAqB,CAAC,QAAQ,CAAC,oBAAoB,EAAE,sBAAsB,CAAC,CAAC;IAC1G,MAAM,yBAAyB,GAAG,qBAAqB,CAAC,QAAQ,CAAC,yBAAyB,EAAE,2BAA2B,CAAC,CAAC;IAEzH,OAAO;QACL,OAAO,EAAE,YAAY;QACrB,SAAS,EAAE;YACT;gBACE,GAAG,EAAE,0BAA0B;gBAC/B,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE;oBACT,GAAG,EAAE,gBAAgB,SAAS,OAAO;iBACtC;gBACD,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,GAAG;aACd;YACD;gBACE,GAAG,EAAE,wBAAwB;gBAC7B,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE;oBACT,GAAG,EAAE,oBAAoB;iBAC1B;gBACD,MAAM,EAAE;oBACN,iBAAiB;oBACjB,sBAAsB;oBACtB,kBAAkB;oBAClB,kBAAkB;oBAClB,iBAAiB;oBACjB,iBAAiB;oBACjB,iBAAiB;oBACjB,iBAAiB;oBACjB,mBAAmB;oBACnB,eAAe;oBACf,gBAAgB;oBAChB,yBAAyB;oBACzB,uBAAuB;iBACxB;gBACD,QAAQ,EAAE,GAAG;aACd;YACD;gBACE,GAAG,EAAE,yBAAyB;gBAC9B,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE;oBACT,GAAG,EAAE,yBAAyB;iBAC/B;gBACD,MAAM,EAAE,CAAC,UAAU,CAAC;gBACpB,QAAQ,EAAE,GAAG;gBACb,SAAS,EAAE;oBACT,YAAY,EAAE;wBACZ,sBAAsB,EAAE,eAAe;qBACxC;iBACF;aACF;YACD;gBACE,GAAG,EAAE,8BAA8B;gBACnC,MAAM,EAAE,OAAO;gBACf,SAAS,EAAE;oBACT,GAAG,EAAE,yBAAyB;iBAC/B;gBACD,MAAM,EAAE,CAAC,kBAAkB,EAAE,iBAAiB,EAAE,sBAAsB,CAAC;gBACvE,QAAQ,EAAE,GAAG;aACd;SACF;KACF,CAA
C;AACJ,CAAC;AAEM,KAAK,UAAU,8BAA8B,CAClD,GAAc,EACd,KAAa,EACb,WAA4B;IAE5B,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,+BAAkB,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;QAChG,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,aAAa;YACxB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC/D,CAAC,CAAC;QACH,MAAM,KAAK,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAG,QAAQ,CAAC,WAAsC,CAAC;IACjE,IAAI,CAAC,QAAQ,EAAE,KAAK,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,CAAC;QACtC,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,aAAa;YACxB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,iCAAiC;SAC1C,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,iCAAiC,CAAC,CAAC;IACrD,CAAC;IAED,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC;IACzG,IAAI,CAAC,YAAY,IAAI,QAAQ,CAAC,QAAQ,KAAK,SAAS,EAAE,CAAC;QACrD,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,aAAa;YACxB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,MAAM,EAAE,QAAQ,CAAC,GAAG;YACpB,MAAM,EAAE,YAAY,QAAQ,CAAC,KAAK,yCAAyC;SAC5E,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,YAAY,QAAQ,CAAC,KAAK,yCAAyC,CAAC,CAAC;IACvF,CAAC;IACD,IAAI,QAAQ,CAAC,OAAO,KAAK,iBAAiB,EAAE,CAAC;QAC3C,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,aAAa;YACxB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,MAAM,EAAE,QAAQ,CAAC,GAAG;YACpB,MAAM,EAAE,YAAY,QAAQ,CAAC,KAAK,qCAAqC;SACxE,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,YAAY,QAAQ,CAAC,KAAK,qCAAqC,CAAC,CAAC;IACnF,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,KAAK,aAAa,EAAE,CAAC;QACxC,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,aAAa;YACxB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,QAAQ,CAAC,KAAK;YACrB,MAAM,EAAE,QAAQ,CAAC,GAAG;YACpB,MAAM,EAAE,YAAY,QAAQ,CAAC,KAAK,kCAAkC;SACrE,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,YAAY,QAAQ,CAAC,KAAK,kCAAkC,CAAC,CAAC;IAChF,CAAC;IAED,cAAc,CAAC,WAAW,EAAE;QAC1B,SAAS,EAAE,aAAa;QACxB,MAAM,EAAE,SAAS;QACjB,KAAK,EAAE,QAAQ,
CAAC,KAAK;QACrB,MAAM,EAAE,QAAQ,CAAC,GAAG;KACrB,CAAC,CAAC;IAEH,OAAO;QACL,KAAK,EAAE,QAAQ,CAAC,KAAK;QACrB,MAAM,EAAE,QAAQ,CAAC,GAAG;KACrB,CAAC;AACJ,CAAC;AAEM,KAAK,UAAU,iBAAiB,CAAC,GAAc,EAAE,KAAa,EAAE,WAA4B;IACjG,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,gCAAmB,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;QACjG,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,cAAc;YACzB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC/D,CAAC,CAAC;QACH,MAAM,KAAK,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,SAAS,EAAE,CAAC;QACxB,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,cAAc;YACzB,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,qCAAqC;SAC9C,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,cAAc,CAAC,WAAW,EAAE;QAC1B,SAAS,EAAE,cAAc;QACzB,MAAM,EAAE,SAAS;QACjB,KAAK,EAAE,eAAe;KACvB,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,SAAS,CAAC,CAAC;AACzC,CAAC;AAEM,KAAK,UAAU,4BAA4B,CAAC,MAMlD;IACC,MAAM,EAAE,GAAG,EAAE,KAAK,EAAE,MAAM,EAAE,cAAc,GAAG,QAAQ,EAAE,WAAW,EAAE,GAAG,MAAM,CAAC;IAC9E,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IACrC,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,CAAC;IACvC,CAAC;IACD,MAAM,gBAAgB,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC;IACvC,IAAI,CAAC,gBAAgB,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,oBAAoB,CAAC,CAAC;IACxC,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,IAAI,oCAAuB,CAAC,EAAE,KAAK,EAAE,eAAe,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;QACrG,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,kBAAkB;YAC7B,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,gBAAgB;YACxB,MAAM,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;SAC/D,CAAC,CAAC;QACH,MAAM,KAAK,CAAC;IACd,CAAC,CAAC,CAAC;IAEH,MAAM,IAAI,GAAG,IAAI,GAAG,CAClB,CAAC,QAAQ,CAAC,IAAI,IAAI,EAAE,CAAC;SAClB,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,
MAAM,CAAC,CAAC;SAClC,GAAG,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,GAAG,CAAC,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,CAAC,CAC5F,CAAC;IACF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;IACrC,IAAI,SAAS,KAAK,gBAAgB,EAAE,CAAC;QACnC,MAAM,MAAM,GACV,SAAS,KAAK,SAAS;YACrB,CAAC,CAAC,YAAY,eAAe,yCAAyC,gBAAgB,IAAI;YAC1F,CAAC,CAAC,YAAY,eAAe,2BAA2B,SAAS,gBAAgB,gBAAgB,IAAI,CAAC;QAC1G,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,kBAAkB;YAC7B,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,gBAAgB;YACxB,MAAM;SACP,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IAC/B,IAAI,MAAM,KAAK,cAAc,EAAE,CAAC;QAC9B,MAAM,MAAM,GACV,MAAM,KAAK,SAAS;YAClB,CAAC,CAAC,YAAY,eAAe,kCAAkC,cAAc,IAAI;YACjF,CAAC,CAAC,YAAY,eAAe,kBAAkB,MAAM,gBAAgB,cAAc,IAAI,CAAC;QAC5F,cAAc,CAAC,WAAW,EAAE;YAC1B,SAAS,EAAE,kBAAkB;YAC7B,MAAM,EAAE,SAAS;YACjB,KAAK,EAAE,eAAe;YACtB,MAAM,EAAE,gBAAgB;YACxB,MAAM;SACP,CAAC,CAAC;QACH,MAAM,IAAI,KAAK,CAAC,MAAM,CAAC,CAAC;IAC1B,CAAC;IAED,cAAc,CAAC,WAAW,EAAE;QAC1B,SAAS,EAAE,kBAAkB;QAC7B,MAAM,EAAE,SAAS;QACjB,KAAK,EAAE,eAAe;QACtB,MAAM,EAAE,gBAAgB;QACxB,MAAM,EAAE,sCAAsC,gBAAgB,IAAI;KACnE,CAAC,CAAC;AACL,CAAC;AAED,SAAgB,uBAAuB,CACrC,MAAM,GAAG,0CAA0C,EACnD,QAAQ,GAAG,mDAAmD;IAE9D,OAAO;QACL,mBAAmB,EAAE;YACnB,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,GAAG,EAAE,WAAW;oBAChB,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,UAAU,CAAC;oBACpB,QAAQ,EAAE,MAAM;oBAChB,SAAS,EAAE;wBACT,YAAY,EAAE;4BACZ,sBAAsB,EAAE,eAAe;yBACxC;qBACF;iBACF;gBACD;oBACE,GAAG,EAAE,yBAAyB;oBAC9B,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,kBAAkB,EAAE,iBAAiB,EAAE,sBAAsB,CAAC;oBACvE,QAAQ,EAAE,MAAM;iBACjB;aACF;SACF;QACD,cAAc,EAAE;YACd,OAAO,EAAE,YAAY;YACrB,SAAS,EAAE;gBACT;oBACE,GAAG,EAAE,qDAAqD;oBAC1D,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,eAAe,CAAC;oBACzB,QAAQ,EAAE,GAAG;oBACb,SAAS,EAAE;wBACT,YAAY,EAAE;4BACZ,aAAa,EAAE,iBAAiB;4BAChC,cAAc,EAAE,aAAa;4BAC7B,oBAAoB,EAAE,QAAQ;yBAC/B;wBACD,2BAA2B,EAAE;4BAC3B,aAAa,EAAE,CAAC,KAAK,EAAE,QAAQ,CAAC;
yBACjC;qBACF;iBACF;gBACD;oBACE,GAAG,EAAE,4BAA4B;oBACjC,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE,CAAC,iBAAiB,EAAE,iBAAiB,EAAE,iBAAiB,CAAC;oBACjE,QAAQ,EAAE,QAAQ;iBACnB;gBACD;oBACE,GAAG,EAAE,mCAAmC;oBACxC,MAAM,EAAE,OAAO;oBACf,MAAM,EAAE;wBACN,iBAAiB;wBACjB,mBAAmB;wBACnB,iBAAiB;wBACjB,sBAAsB;wBACtB,kBAAkB;wBAClB,kBAAkB;wBAClB,eAAe;wBACf,gBAAgB;wBAChB,yBAAyB;wBACzB,uBAAuB;qBACxB;oBACD,QAAQ,EAAE,MAAM;iBACjB;aACF;SACF;KACF,CAAC;AACJ,CAAC"}
@@ -0,0 +1,18 @@
1
+ import { KMSClient } from "@aws-sdk/client-kms";
2
+ import { PublicKey } from "@hashgraph/sdk";
3
+ import { type KmsAuditLogger } from "./kmsKeyManager";
4
+ export interface KmsHederaSigner {
5
+ keyId: string;
6
+ keyArn: string;
7
+ hederaPublicKey: PublicKey;
8
+ uncompressedPublicKey: Buffer;
9
+ compressedPublicKey: Buffer;
10
+ sign: (message: Uint8Array) => Promise<Uint8Array>;
11
+ }
12
+ export interface CreateKmsHederaSignerParams {
13
+ kms: KMSClient;
14
+ keyId: string;
15
+ auditLogger?: KmsAuditLogger;
16
+ }
17
+ export declare function createKmsHederaSigner(params: CreateKmsHederaSignerParams): Promise<KmsHederaSigner>;
18
+ //# sourceMappingURL=kmsSigner.d.ts.map
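Review bot: The exported `sign` member of `KmsHederaSigner` (line 10 of the hunk) carries no TSDoc, so a consumer reading these typings cannot tell whether `message` is the raw bytes to be signed or an already-computed digest, nor what encoding the returned `Uint8Array` uses; the same applies to the `uncompressedPublicKey` and `compressedPublicKey` fields on lines 8–9. Because `dist/kmsSigner.d.ts` is compiler output, the comment should be added on the interface in the TypeScript source it is emitted from (presumably `src/kmsSigner.ts`) so it propagates here. A suitable doc comment on `sign` would be `/** Signs message with the KMS key identified by keyId; state here whether the input is pre-hashed and the exact byte layout of the returned signature. */`, and `createKmsHederaSigner` on line 17 should likewise document what it fetches from KMS and which errors it throws.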