evm-kms-signer 1.0.0

package/dist/kms/signer.d.ts

@@ -0,0 +1,192 @@
+import type { Address, Hex, TransactionSerializable, SerializeTransactionFn, TypedDataDefinition } from 'viem';
+import type { TypedData } from 'abitype';
+import type { KmsConfig } from '../types';
+/**
+ * KmsSigner provides Ethereum signing capabilities using AWS KMS.
+ *
+ * This class manages the interaction with AWS KMS for cryptographic operations
+ * required by Ethereum accounts:
+ * - Public key retrieval and caching
+ * - Ethereum address derivation from KMS public key
+ * - Message and transaction signing (to be implemented in Part 2)
+ *
+ * The signer caches expensive operations (public key retrieval, address derivation)
+ * to avoid unnecessary KMS API calls.
+ *
+ * @example
+ * ```typescript
+ * const signer = new KmsSigner({
+ *   region: 'us-east-1',
+ *   keyId: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+ * })
+ *
+ * const address = await signer.getAddress()
+ * console.log('Ethereum address:', address)
+ * ```
+ */
+export declare class KmsSigner {
+    private kmsClient;
+    private keyId;
+    private cachedAddress?;
+    private cachedPublicKey?;
+    /**
+     * Creates a new KMS signer instance.
+     *
+     * @param config - KMS configuration including region, keyId, and optional credentials
+     *
+     * @remarks
+     * The constructor initializes the KMS client but does not make any API calls.
+     * Public key retrieval and address derivation happen lazily on first use.
+     */
+    constructor(config: KmsConfig);
+    /**
+     * Retrieves the uncompressed secp256k1 public key from AWS KMS.
+     *
+     * The public key is retrieved from KMS and extracted from the DER-encoded
+     * SubjectPublicKeyInfo format. The result is cached to avoid redundant KMS calls.
+     *
+     * @returns 65-byte uncompressed public key (0x04 + x coordinate + y coordinate)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If public key format is invalid
+     *
+     * @remarks
+     * The public key format is:
+     * - Byte 0: 0x04 (uncompressed point indicator)
+     * - Bytes 1-32: x coordinate of the public key
+     * - Bytes 33-64: y coordinate of the public key
+     */
+    getPublicKey(): Promise<Uint8Array>;
+    /**
+     * Derives the Ethereum address from the KMS public key.
+     *
+     * The address is calculated by:
+     * 1. Retrieving the public key from KMS (cached if available)
+     * 2. Hashing the public key coordinates with keccak256
+     * 3. Taking the last 20 bytes as the address
+     *
+     * The result is cached to avoid redundant derivation.
+     *
+     * @returns Ethereum address (0x-prefixed, 40 hex characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If public key format is invalid
+     *
+     * @remarks
+     * The returned address follows EIP-55 checksum encoding.
+     */
+    getAddress(): Promise<Address>;
+    /**
+     * Signs a hash using the KMS private key (internal helper method).
+     *
+     * This method is used internally by signMessage, signTransaction, and signTypedData.
+     * It converts the hash to bytes, signs with KMS, parses the DER signature,
+     * and normalizes the s value according to EIP-2.
+     *
+     * @param hash - The hash to sign (32 bytes, hex-encoded)
+     * @returns Object containing r and s as bigints
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {SignatureNormalizationError} If s value is out of valid range
+     *
+     * @remarks
+     * The s value is automatically normalized to the lower half of the curve order (EIP-2)
+     * to prevent signature malleability attacks.
+     */
+    private signHash;
+    /**
+     * Signs a message using EIP-191 personal_sign standard.
+     *
+     * This method:
+     * 1. Hashes the message with EIP-191 prefix: "\x19Ethereum Signed Message:\n" + len(message) + message
+     * 2. Signs the hash with KMS
+     * 3. Calculates the recovery ID to enable public key recovery
+     * 4. Returns the signature in the standard format: r (32 bytes) + s (32 bytes) + v (1 byte)
+     *
+     * @param params - Object containing the message string
+     * @returns The signature as a hex string (0x-prefixed, 130 characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new KmsSigner({ region: 'us-east-1', keyId: 'arn:...' })
+     * const signature = await signer.signMessage({ message: 'Hello, world!' })
+     * // signature: '0x...' (130 characters: 0x + 64 hex chars for r + 64 for s + 2 for v)
+     * ```
+     */
+    signMessage({ message }: {
+        message: string;
+    }): Promise<Hex>;
+    /**
+     * Signs an Ethereum transaction.
+     *
+     * This method:
+     * 1. Serializes the transaction without signature fields (r, s, v)
+     * 2. Hashes the serialized transaction with keccak256
+     * 3. Signs the hash with KMS
+     * 4. Calculates the recovery ID
+     * 5. Computes the v value (EIP-155 if chainId present, legacy otherwise)
+     * 6. Returns the fully serialized transaction with signature
+     *
+     * @param transaction - The transaction to sign
+     * @param options - Optional serializer function (defaults to viem's serializeTransaction)
+     * @returns The serialized signed transaction as a hex string
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new KmsSigner({ region: 'us-east-1', keyId: 'arn:...' })
+     * const signedTx = await signer.signTransaction({
+     *   to: '0x...',
+     *   value: parseEther('1'),
+     *   chainId: 1
+     * })
+     * ```
+     */
+    signTransaction(transaction: TransactionSerializable, { serializer }?: {
+        serializer?: SerializeTransactionFn;
+    }): Promise<Hex>;
+    /**
+     * Signs typed data according to EIP-712.
+     *
+     * This method:
+     * 1. Hashes the typed data using EIP-712 (domain separator + type hash)
+     * 2. Signs the hash with KMS
+     * 3. Calculates the recovery ID
+     * 4. Returns the signature in the standard format: r (32 bytes) + s (32 bytes) + v (1 byte)
+     *
+     * @param typedData - The EIP-712 typed data to sign
+     * @returns The signature as a hex string (0x-prefixed, 130 characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new KmsSigner({ region: 'us-east-1', keyId: 'arn:...' })
+     * const signature = await signer.signTypedData({
+     *   domain: {
+     *     name: 'MyApp',
+     *     version: '1',
+     *     chainId: 1,
+     *     verifyingContract: '0x...'
+     *   },
+     *   types: {
+     *     Person: [
+     *       { name: 'name', type: 'string' },
+     *       { name: 'wallet', type: 'address' }
+     *     ]
+     *   },
+     *   primaryType: 'Person',
+     *   message: {
+     *     name: 'Alice',
+     *     wallet: '0x...'
+     *   }
+     * })
+     * ```
+     */
+    signTypedData<const TTypedData extends TypedData | Record<string, unknown>, TPrimaryType extends keyof TTypedData | 'EIP712Domain' = keyof TTypedData>(typedData: TypedDataDefinition<TTypedData, TPrimaryType>): Promise<Hex>;
+}
+//# sourceMappingURL=signer.d.ts.map

package/dist/kms/signer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.d.ts","sourceRoot":"","sources":["../../src/kms/signer.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,mBAAmB,EAAE,MAAM,MAAM,CAAA;AAC9G,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,SAAS,CAAA;AAMxC,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AAEzC;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,qBAAa,SAAS;IACpB,OAAO,CAAC,SAAS,CAAW;IAC5B,OAAO,CAAC,KAAK,CAAQ;IACrB,OAAO,CAAC,aAAa,CAAC,CAAS;IAC/B,OAAO,CAAC,eAAe,CAAC,CAAY;IAEpC;;;;;;;;OAQG;gBACS,MAAM,EAAE,SAAS;IAK7B;;;;;;;;;;;;;;;OAeG;IACG,YAAY,IAAI,OAAO,CAAC,UAAU,CAAC;IAWzC;;;;;;;;;;;;;;;;OAgBG;IACG,UAAU,IAAI,OAAO,CAAC,OAAO,CAAC;IAWpC;;;;;;;;;;;;;;;;OAgBG;YACW,QAAQ;IAoBtB;;;;;;;;;;;;;;;;;;;;;OAqBG;IACG,WAAW,CAAC,EAAE,OAAO,EAAE,EAAE;QAAE,OAAO,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,GAAG,CAAC;IA2BjE;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACG,eAAe,CACnB,WAAW,EAAE,uBAAuB,EACpC,EAAE,UAAiC,EAAE,GAAE;QAAE,UAAU,CAAC,EAAE,sBAAsB,CAAA;KAAO,GAClF,OAAO,CAAC,GAAG,CAAC;IAgCf;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAsCG;IACG,aAAa,CACjB,KAAK,CAAC,UAAU,SAAS,SAAS,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAC5D,YAAY,SAAS,MAAM,UAAU,GAAG,cAAc,GAAG,MAAM,UAAU,EACzE,SAAS,EAAE,mBAAmB,CAAC,UAAU,EAAE,YAAY,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC;CA0B1E"}

package/dist/kms/signer.js

@@ -0,0 +1,271 @@
+import { fromHex, toHex, hashMessage, concat, keccak256, serializeTransaction, hashTypedData } from 'viem';
+import { KmsClient } from './client';
+import { extractPublicKeyFromDer, publicKeyToAddress } from '../utils/address';
+import { parseDerSignature } from '../utils/der';
+import { normalizeS, calculateRecoveryId, uint8ArrayToBigInt } from '../utils/signature';
+/**
+ * KmsSigner provides Ethereum signing capabilities using AWS KMS.
+ *
+ * This class manages the interaction with AWS KMS for cryptographic operations
+ * required by Ethereum accounts:
+ * - Public key retrieval and caching
+ * - Ethereum address derivation from KMS public key
+ * - Message and transaction signing (to be implemented in Part 2)
+ *
+ * The signer caches expensive operations (public key retrieval, address derivation)
+ * to avoid unnecessary KMS API calls.
+ *
+ * @example
+ * ```typescript
+ * const signer = new KmsSigner({
+ *   region: 'us-east-1',
+ *   keyId: 'arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012'
+ * })
+ *
+ * const address = await signer.getAddress()
+ * console.log('Ethereum address:', address)
+ * ```
+ */
+export class KmsSigner {
+    /**
+     * Creates a new KMS signer instance.
+     *
+     * @param config - KMS configuration including region, keyId, and optional credentials
+     *
+     * @remarks
+     * The constructor initializes the KMS client but does not make any API calls.
+     * Public key retrieval and address derivation happen lazily on first use.
+     */
+    constructor(config) {
+        this.kmsClient = new KmsClient(config);
+        this.keyId = config.keyId;
+    }
+    /**
+     * Retrieves the uncompressed secp256k1 public key from AWS KMS.
+     *
+     * The public key is retrieved from KMS and extracted from the DER-encoded
+     * SubjectPublicKeyInfo format. The result is cached to avoid redundant KMS calls.
+     *
+     * @returns 65-byte uncompressed public key (0x04 + x coordinate + y coordinate)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If public key format is invalid
+     *
+     * @remarks
+     * The public key format is:
+     * - Byte 0: 0x04 (uncompressed point indicator)
+     * - Bytes 1-32: x coordinate of the public key
+     * - Bytes 33-64: y coordinate of the public key
+     */
+    async getPublicKey() {
+        if (this.cachedPublicKey) {
+            return this.cachedPublicKey;
+        }
+        const derPublicKey = await this.kmsClient.getPublicKey();
+        const publicKey = extractPublicKeyFromDer(derPublicKey);
+        this.cachedPublicKey = publicKey;
+        return publicKey;
+    }
+    /**
+     * Derives the Ethereum address from the KMS public key.
+     *
+     * The address is calculated by:
+     * 1. Retrieving the public key from KMS (cached if available)
+     * 2. Hashing the public key coordinates with keccak256
+     * 3. Taking the last 20 bytes as the address
+     *
+     * The result is cached to avoid redundant derivation.
+     *
+     * @returns Ethereum address (0x-prefixed, 40 hex characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If public key format is invalid
+     *
+     * @remarks
+     * The returned address follows EIP-55 checksum encoding.
+     */
+    async getAddress() {
+        if (this.cachedAddress) {
+            return this.cachedAddress;
+        }
+        const publicKey = await this.getPublicKey();
+        const address = publicKeyToAddress(publicKey);
+        this.cachedAddress = address;
+        return address;
+    }
+    /**
+     * Signs a hash using the KMS private key (internal helper method).
+     *
+     * This method is used internally by signMessage, signTransaction, and signTypedData.
+     * It converts the hash to bytes, signs with KMS, parses the DER signature,
+     * and normalizes the s value according to EIP-2.
+     *
+     * @param hash - The hash to sign (32 bytes, hex-encoded)
+     * @returns Object containing r and s as bigints
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {SignatureNormalizationError} If s value is out of valid range
+     *
+     * @remarks
+     * The s value is automatically normalized to the lower half of the curve order (EIP-2)
+     * to prevent signature malleability attacks.
+     */
+    async signHash(hash) {
+        // Convert Hex to Uint8Array
+        const hashBytes = fromHex(hash, 'bytes');
+        // Sign with KMS
+        const derSignature = await this.kmsClient.sign(hashBytes);
+        // Parse DER signature
+        const { r: rBytes, s: sBytes } = parseDerSignature(derSignature);
+        // Convert to bigint
+        let r = uint8ArrayToBigInt(rBytes);
+        let s = uint8ArrayToBigInt(sBytes);
+        // EIP-2 normalization
+        s = normalizeS(s);
+        return { r, s };
+    }
+    /**
+     * Signs a message using EIP-191 personal_sign standard.
+     *
+     * This method:
+     * 1. Hashes the message with EIP-191 prefix: "\x19Ethereum Signed Message:\n" + len(message) + message
+     * 2. Signs the hash with KMS
+     * 3. Calculates the recovery ID to enable public key recovery
+     * 4. Returns the signature in the standard format: r (32 bytes) + s (32 bytes) + v (1 byte)
+     *
+     * @param params - Object containing the message string
+     * @returns The signature as a hex string (0x-prefixed, 130 characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new KmsSigner({ region: 'us-east-1', keyId: 'arn:...' })
+     * const signature = await signer.signMessage({ message: 'Hello, world!' })
+     * // signature: '0x...' (130 characters: 0x + 64 hex chars for r + 64 for s + 2 for v)
+     * ```
+     */
+    async signMessage({ message }) {
+        // EIP-191 hashing (viem handles automatically)
+        const messageHash = hashMessage(message);
+        // Sign with KMS
+        const { r, s } = await this.signHash(messageHash);
+        // Calculate recovery ID
+        const address = await this.getAddress();
+        const recoveryId = await calculateRecoveryId(messageHash, toHex(r, { size: 32 }), toHex(s, { size: 32 }), address);
+        // Calculate v value (Legacy, no chain)
+        const v = 27 + recoveryId;
+        // Serialize signature
+        return concat([
+            toHex(r, { size: 32 }),
+            toHex(s, { size: 32 }),
+            toHex(v, { size: 1 })
+        ]);
+    }
+    /**
+     * Signs an Ethereum transaction.
+     *
+     * This method:
+     * 1. Serializes the transaction without signature fields (r, s, v)
+     * 2. Hashes the serialized transaction with keccak256
+     * 3. Signs the hash with KMS
+     * 4. Calculates the recovery ID
+     * 5. Computes the v value (EIP-155 if chainId present, legacy otherwise)
+     * 6. Returns the fully serialized transaction with signature
+     *
+     * @param transaction - The transaction to sign
+     * @param options - Optional serializer function (defaults to viem's serializeTransaction)
+     * @returns The serialized signed transaction as a hex string
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new KmsSigner({ region: 'us-east-1', keyId: 'arn:...' })
+     * const signedTx = await signer.signTransaction({
+     *   to: '0x...',
+     *   value: parseEther('1'),
+     *   chainId: 1
+     * })
+     * ```
+     */
+    async signTransaction(transaction, { serializer = serializeTransaction } = {}) {
+        // Serialize transaction for signing (without r, s, v)
+        const serializedTx = serializeTransaction({ ...transaction, r: undefined, s: undefined, v: undefined });
+        const hash = keccak256(serializedTx);
+        // Sign with KMS
+        const { r, s } = await this.signHash(hash);
+        // Calculate recovery ID
+        const address = await this.getAddress();
+        const recoveryId = await calculateRecoveryId(hash, toHex(r, { size: 32 }), toHex(s, { size: 32 }), address);
+        // Calculate v value
+        const chainId = transaction.chainId;
+        const v = chainId
+            ? BigInt(chainId * 2 + 35 + recoveryId) // EIP-155
+            : BigInt(27 + recoveryId); // Legacy
+        // Final serialization with signature
+        return serializer({
+            ...transaction,
+            r: toHex(r, { size: 32 }),
+            s: toHex(s, { size: 32 }),
+            v
+        });
+    }
+    /**
+     * Signs typed data according to EIP-712.
+     *
+     * This method:
+     * 1. Hashes the typed data using EIP-712 (domain separator + type hash)
+     * 2. Signs the hash with KMS
+     * 3. Calculates the recovery ID
+     * 4. Returns the signature in the standard format: r (32 bytes) + s (32 bytes) + v (1 byte)
+     *
+     * @param typedData - The EIP-712 typed data to sign
+     * @returns The signature as a hex string (0x-prefixed, 130 characters)
+     * @throws {KmsClientError} If KMS API call fails
+     * @throws {DerParsingError} If signature format is invalid
+     * @throws {RecoveryIdCalculationError} If recovery ID calculation fails
+     *
+     * @example
+     * ```typescript
+     * const signer = new KmsSigner({ region: 'us-east-1', keyId: 'arn:...' })
+     * const signature = await signer.signTypedData({
+     *   domain: {
+     *     name: 'MyApp',
+     *     version: '1',
+     *     chainId: 1,
+     *     verifyingContract: '0x...'
+     *   },
+     *   types: {
+     *     Person: [
+     *       { name: 'name', type: 'string' },
+     *       { name: 'wallet', type: 'address' }
+     *     ]
+     *   },
+     *   primaryType: 'Person',
+     *   message: {
+     *     name: 'Alice',
+     *     wallet: '0x...'
+     *   }
+     * })
+     * ```
+     */
+    async signTypedData(typedData) {
+        // EIP-712 hashing (viem handles domain separator and type hash)
+        const hash = hashTypedData(typedData);
+        // Sign with KMS
+        const { r, s } = await this.signHash(hash);
+        // Calculate recovery ID
+        const address = await this.getAddress();
+        const recoveryId = await calculateRecoveryId(hash, toHex(r, { size: 32 }), toHex(s, { size: 32 }), address);
+        // Calculate v value (Legacy, no chain for typed data)
+        const v = 27 + recoveryId;
+        // Serialize signature
+        return concat([
+            toHex(r, { size: 32 }),
+            toHex(s, { size: 32 }),
+            toHex(v, { size: 1 })
+        ]);
+    }
+}
+//# sourceMappingURL=signer.js.map

package/dist/kms/signer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"signer.js","sourceRoot":"","sources":["../../src/kms/signer.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,WAAW,EAAE,MAAM,EAAE,SAAS,EAAE,oBAAoB,EAAE,aAAa,EAAE,MAAM,MAAM,CAAA;AAC1G,OAAO,EAAE,SAAS,EAAE,MAAM,UAAU,CAAA;AACpC,OAAO,EAAE,uBAAuB,EAAE,kBAAkB,EAAE,MAAM,kBAAkB,CAAA;AAC9E,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAChD,OAAO,EAAE,UAAU,EAAE,mBAAmB,EAAE,kBAAkB,EAAE,MAAM,oBAAoB,CAAA;AAGxF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,MAAM,OAAO,SAAS;IAMpB;;;;;;;;OAQG;IACH,YAAY,MAAiB;QAC3B,IAAI,CAAC,SAAS,GAAG,IAAI,SAAS,CAAC,MAAM,CAAC,CAAA;QACtC,IAAI,CAAC,KAAK,GAAG,MAAM,CAAC,KAAK,CAAA;IAC3B,CAAC;IAED;;;;;;;;;;;;;;;OAeG;IACH,KAAK,CAAC,YAAY;QAChB,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,OAAO,IAAI,CAAC,eAAe,CAAA;QAC7B,CAAC;QAED,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,YAAY,EAAE,CAAA;QACxD,MAAM,SAAS,GAAG,uBAAuB,CAAC,YAAY,CAAC,CAAA;QACvD,IAAI,CAAC,eAAe,GAAG,SAAS,CAAA;QAChC,OAAO,SAAS,CAAA;IAClB,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACH,KAAK,CAAC,UAAU;QACd,IAAI,IAAI,CAAC,aAAa,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC,aAAa,CAAA;QAC3B,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,IAAI,CAAC,YAAY,EAAE,CAAA;QAC3C,MAAM,OAAO,GAAG,kBAAkB,CAAC,SAAS,CAAC,CAAA;QAC7C,IAAI,CAAC,aAAa,GAAG,OAAO,CAAA;QAC5B,OAAO,OAAO,CAAA;IAChB,CAAC;IAED;;;;;;;;;;;;;;;;OAgBG;IACK,KAAK,CAAC,QAAQ,CAAC,IAAS;QAC9B,4BAA4B;QAC5B,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,CAAA;QAExC,gBAAgB;QAChB,MAAM,YAAY,GAAG,MAAM,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,SAAS,CAAC,CAAA;QAEzD,sBAAsB;QACtB,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAA;QAEhE,oBAAoB;QACpB,IAAI,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAA;QAClC,IAAI,CAAC,GAAG,kBAAkB,CAAC,MAAM,CAAC,CAAA;QAElC,sBAAsB;QACtB,CAAC,GAAG,UAAU,CAAC,CAAC,CAAC,CAAA;QAEjB,OAAO,EAAE,CAAC,EAAE,CAAC,EAAE,CAAA;IACjB,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;OAqBG;IACH,KAAK,CAAC,WAAW,CAAC,EAAE,OAAO,EAAuB;QAChD,+CAA+C;QAC/C,MAAM,WAAW,GAAG,WAAW,CAAC,OAAO,CAAC,CAAA;QAExC,gBAAgB;QAChB,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAA;QAEjD,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAA;QACvC,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAC1C,WAAW,EACX,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,OAAO,CACR,CAAA;QAED,uCAAuC;QACvC,MAAM,CAAC,GAAG,EAAE,GAAG,UAAU,CAAA;QAEzB,sBAAsB;QACtB,OAAO,MAAM,CAAC;YACZ,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;SACtB,CAAQ,CAAA;IACX,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;OA2BG;IACH,KAAK,CAAC,eAAe,CACnB,WAAoC,EACpC,EAAE,UAAU,GAAG,oBAAoB,KAA8C,EAAE;QAEnF,sDAAsD;QACtD,MAAM,YAAY,GAAG,oBAAoB,CAAC,EAAE,GAAG,WAAW,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,CAAA;QACvG,MAAM,IAAI,GAAG,SAAS,CAAC,YAAY,CAAC,CAAA;QAEpC,gBAAgB;QAChB,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;QAE1C,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAA;QACvC,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAC1C,IAAI,EACJ,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,OAAO,CACR,CAAA;QAED,oBAAoB;QACpB,MAAM,OAAO,GAAG,WAAW,CAAC,OAAO,CAAA;QACnC,MAAM,CAAC,GAAG,OAAO;YACf,CAAC,CAAC,MAAM,CAAC,OAAO,GAAG,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC,CAAE,UAAU;YACnD,CAAC,CAAC,MAAM,CAAC,EAAE,GAAG,UAAU,CAAC,CAAA,CAAiB,SAAS;QAErD,qCAAqC;QACrC,OAAO,UAAU,CAAC;YAChB,GAAG,WAAW;YACd,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACzB,CAAC,EAAE,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACzB,CAAC;SACF,CAAC,CAAA;IACJ,CAAC;IAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAsCG;IACH,KAAK,CAAC,aAAa,CAGjB,SAAwD;QACxD,gEAAgE;QAChE,MAAM,IAAI,GAAG,aAAa,CAAC,SAAS,CAAC,CAAA;QAErC,gBAAgB;QAChB,MAAM,EAAE,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAA;QAE1C,wBAAwB;QACxB,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,UAAU,EAAE,CAAA;QACvC,MAAM,UAAU,GAAG,MAAM,mBAAmB,CAC1C,IAAI,EACJ,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,EACtB,OAAO,CACR,CAAA;QAED,sDAAsD;QACtD,MAAM,CAAC,GAAG,EAAE,GAAG,UAAU,CAAA;QAEzB,sBAAsB;QACtB,OAAO,MAAM,CAAC;YACZ,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC;YACtB,KAAK,CAAC,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;SACtB,CAAQ,CAAA;IACX,CAAC;CACF"}

package/dist/types/index.d.ts

@@ -0,0 +1,56 @@
+/**
+ * AWS KMS configuration for signing operations
+ */
+export interface KmsConfig {
+    /**
+     * AWS region where the KMS key is located (e.g., "us-east-1")
+     */
+    region: string;
+    /**
+     * KMS key ID or ARN to use for signing
+     */
+    keyId: string;
+    /**
+     * Optional AWS credentials. If not provided, AWS SDK will use the default credential chain
+     * (environment variables, IAM roles, etc.)
+     */
+    credentials?: {
+        accessKeyId: string;
+        secretAccessKey: string;
+    };
+}
+/**
+ * DER-parsed signature as raw byte arrays
+ * Used internally by DER parsing utilities
+ */
+export interface DerSignature {
+    /**
+     * r component of ECDSA signature (32 bytes)
+     */
+    r: Uint8Array;
+    /**
+     * s component of ECDSA signature (32 bytes)
+     */
+    s: Uint8Array;
+}
+/**
+ * Ethereum signature with recovery ID
+ * Used for final signature serialization
+ */
+export interface SignatureData {
+    /**
+     * r component of ECDSA signature as bigint
+     */
+    r: bigint;
+    /**
+     * s component of ECDSA signature as bigint (after EIP-2 normalization)
+     */
+    s: bigint;
+    /**
+     * Recovery ID as bigint
+     * - 27-28 for legacy signatures
+     * - 35+ for EIP-155 signatures (includes chain ID)
+     */
+    v: bigint;
+}
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,SAAS;IACxB;;OAEG;IACH,MAAM,EAAE,MAAM,CAAA;IAEd;;OAEG;IACH,KAAK,EAAE,MAAM,CAAA;IAEb;;;OAGG;IACH,WAAW,CAAC,EAAE;QACZ,WAAW,EAAE,MAAM,CAAA;QACnB,eAAe,EAAE,MAAM,CAAA;KACxB,CAAA;CACF;AAED;;;GAGG;AACH,MAAM,WAAW,YAAY;IAC3B;;OAEG;IACH,CAAC,EAAE,UAAU,CAAA;IAEb;;OAEG;IACH,CAAC,EAAE,UAAU,CAAA;CACd;AAED;;;GAGG;AACH,MAAM,WAAW,aAAa;IAC5B;;OAEG;IACH,CAAC,EAAE,MAAM,CAAA;IAET;;OAEG;IACH,CAAC,EAAE,MAAM,CAAA;IAET;;;;OAIG;IACH,CAAC,EAAE,MAAM,CAAA;CACV"}

package/dist/types/index.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=index.js.map

package/dist/types/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/types/index.ts"],"names":[],"mappings":""}

package/dist/utils/address.d.ts

@@ -0,0 +1,29 @@
+import { type Address } from 'viem';
+/**
+ * Extract uncompressed public key from DER-encoded SubjectPublicKeyInfo
+ *
+ * AWS KMS returns public keys in SubjectPublicKeyInfo (SPKI) format:
+ * SEQUENCE (algorithm identifier + public key bit string)
+ *
+ * For secp256k1, the last 65 bytes are the uncompressed public key:
+ * 0x04 (uncompressed marker) + 32-byte x coordinate + 32-byte y coordinate
+ *
+ * @param der - DER-encoded public key from AWS KMS GetPublicKeyCommand
+ * @returns 65-byte uncompressed public key (0x04 + x + y)
+ * @throws DerParsingError if public key format is invalid
+ */
+export declare function extractPublicKeyFromDer(der: Uint8Array): Uint8Array;
+/**
+ * Convert uncompressed public key to Ethereum address
+ *
+ * Ethereum address derivation:
+ * 1. Remove 0x04 prefix from public key (keep only x and y coordinates)
+ * 2. Hash the 64-byte coordinate data with keccak256
+ * 3. Take the last 20 bytes of the hash
+ * 4. Format as 0x-prefixed hex string (checksummed)
+ *
+ * @param publicKey - 65-byte uncompressed public key (0x04 + x + y)
+ * @returns Ethereum address (0x-prefixed, 40 hex chars)
+ */
+export declare function publicKeyToAddress(publicKey: Uint8Array): Address;
+//# sourceMappingURL=address.d.ts.map

package/dist/utils/address.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"address.d.ts","sourceRoot":"","sources":["../../src/utils/address.ts"],"names":[],"mappings":"AAAA,OAAO,EAAoB,KAAK,OAAO,EAAE,MAAM,MAAM,CAAA;AAGrD;;;;;;;;;;;;GAYG;AACH,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,UAAU,GAAG,UAAU,CAuBnE;AAED;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,UAAU,GAAG,OAAO,CAsBjE"}

package/dist/utils/address.js

@@ -0,0 +1,60 @@
+import { keccak256, toHex } from 'viem';
+import { DerParsingError } from '../errors';
+/**
+ * Extract uncompressed public key from DER-encoded SubjectPublicKeyInfo
+ *
+ * AWS KMS returns public keys in SubjectPublicKeyInfo (SPKI) format:
+ * SEQUENCE (algorithm identifier + public key bit string)
+ *
+ * For secp256k1, the last 65 bytes are the uncompressed public key:
+ * 0x04 (uncompressed marker) + 32-byte x coordinate + 32-byte y coordinate
+ *
+ * @param der - DER-encoded public key from AWS KMS GetPublicKeyCommand
+ * @returns 65-byte uncompressed public key (0x04 + x + y)
+ * @throws DerParsingError if public key format is invalid
+ */
+export function extractPublicKeyFromDer(der) {
+    // Validate minimum length
+    if (der.length === 0) {
+        throw new DerParsingError('Invalid DER: empty buffer');
+    }
+    if (der.length < 65) {
+        throw new DerParsingError(`Invalid DER: buffer too short (expected at least 65 bytes, got ${der.length})`);
+    }
+    // Simple implementation: last 65 bytes are the public key
+    // (0x04 + x coordinate 32 bytes + y coordinate 32 bytes)
+    const publicKey = der.slice(-65);
+    if (publicKey[0] !== 0x04) {
+        throw new DerParsingError(`Invalid public key format: expected uncompressed (0x04), got 0x${publicKey[0].toString(16).padStart(2, '0')}`);
+    }
+    return publicKey;
+}
+/**
+ * Convert uncompressed public key to Ethereum address
+ *
+ * Ethereum address derivation:
+ * 1. Remove 0x04 prefix from public key (keep only x and y coordinates)
+ * 2. Hash the 64-byte coordinate data with keccak256
+ * 3. Take the last 20 bytes of the hash
+ * 4. Format as 0x-prefixed hex string (checksummed)
+ *
+ * @param publicKey - 65-byte uncompressed public key (0x04 + x + y)
+ * @returns Ethereum address (0x-prefixed, 40 hex chars)
+ */
+export function publicKeyToAddress(publicKey) {
+    // Validate public key length
+    if (publicKey.length === 0) {
+        throw new DerParsingError('Invalid public key: empty buffer');
+    }
+    if (publicKey.length < 65) {
+        throw new DerParsingError(`Invalid public key: expected at least 65 bytes, got ${publicKey.length}`);
+    }
+    // Remove 0x04 prefix, hash only x and y coordinates
+    const publicKeyWithoutPrefix = publicKey.slice(1);
+    // Calculate keccak256 hash
+    const hash = keccak256(toHex(publicKeyWithoutPrefix));
+    // Last 20 bytes = Ethereum address
+    const address = `0x${hash.slice(-40)}`;
+    return address;
+}
+//# sourceMappingURL=address.js.map

package/dist/utils/address.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"address.js","sourceRoot":"","sources":["../../src/utils/address.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,SAAS,EAAE,KAAK,EAAgB,MAAM,MAAM,CAAA;AACrD,OAAO,EAAE,eAAe,EAAE,MAAM,WAAW,CAAA;AAE3C;;;;;;;;;;;;GAYG;AACH,MAAM,UAAU,uBAAuB,CAAC,GAAe;IACrD,0BAA0B;IAC1B,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACrB,MAAM,IAAI,eAAe,CAAC,2BAA2B,CAAC,CAAA;IACxD,CAAC;IAED,IAAI,GAAG,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QACpB,MAAM,IAAI,eAAe,CACvB,kEAAkE,GAAG,CAAC,MAAM,GAAG,CAChF,CAAA;IACH,CAAC;IAED,0DAA0D;IAC1D,yDAAyD;IACzD,MAAM,SAAS,GAAG,GAAG,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAA;IAEhC,IAAI,SAAS,CAAC,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC1B,MAAM,IAAI,eAAe,CACvB,kEAAkE,SAAS,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAC/G,CAAA;IACH,CAAC;IAED,OAAO,SAAS,CAAA;AAClB,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,UAAU,kBAAkB,CAAC,SAAqB;IACtD,6BAA6B;IAC7B,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,MAAM,IAAI,eAAe,CAAC,kCAAkC,CAAC,CAAA;IAC/D,CAAC;IAED,IAAI,SAAS,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC1B,MAAM,IAAI,eAAe,CACvB,uDAAuD,SAAS,CAAC,MAAM,EAAE,CAC1E,CAAA;IACH,CAAC;IAED,oDAAoD;IACpD,MAAM,sBAAsB,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;IAEjD,2BAA2B;IAC3B,MAAM,IAAI,GAAG,SAAS,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAAC,CAAA;IAErD,mCAAmC;IACnC,MAAM,OAAO,GAAG,KAAK,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,EAAa,CAAA;IAEjD,OAAO,OAAO,CAAA;AAChB,CAAC"}

package/dist/utils/der.d.ts

@@ -0,0 +1,15 @@
+import type { DerSignature } from '../types';
+/**
+ * Parse DER-encoded ECDSA signature into r and s components
+ *
+ * DER structure:
+ * SEQUENCE (0x30) [total_length]
+ *   INTEGER (0x02) [r_length] [r_bytes]
+ *   INTEGER (0x02) [s_length] [s_bytes]
+ *
+ * @param der - DER-encoded signature from AWS KMS
+ * @returns Object with r and s as 32-byte Uint8Arrays
+ * @throws DerParsingError if signature format is invalid
+ */
+export declare function parseDerSignature(der: Uint8Array): DerSignature;
+//# sourceMappingURL=der.d.ts.map

package/dist/utils/der.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"der.d.ts","sourceRoot":"","sources":["../../src/utils/der.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAA;AAG5C;;;;;;;;;;;GAWG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,UAAU,GAAG,YAAY,CA0G/D"}