npm - vaultkeeper - Versions diffs - 0.2.0 → 0.4.0 - Mend

vaultkeeper 0.2.0 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -4,7 +4,7 @@ var child_process = require('child_process');
 var fs5 = require('fs/promises');
 var path5 = require('path');
 var os4 = require('os');
-var crypto3 = require('crypto');
+var crypto4 = require('crypto');
 var fs4 = require('fs');
 var jose = require('jose');
@@ -29,7 +29,7 @@ function _interopNamespace(e) {
 var fs5__namespace = /*#__PURE__*/_interopNamespace(fs5);
 var path5__namespace = /*#__PURE__*/_interopNamespace(path5);
 var os4__namespace = /*#__PURE__*/_interopNamespace(os4);
-var crypto3__namespace = /*#__PURE__*/_interopNamespace(crypto3);
+var crypto4__namespace = /*#__PURE__*/_interopNamespace(crypto4);
 var fs4__namespace = /*#__PURE__*/_interopNamespace(fs4);
 // src/errors.ts
@@ -197,6 +197,11 @@ var RotationInProgressError = class extends VaultError {
   }
 };
+// src/backend/types.ts
+function isListableBackend(backend) {
+  return "list" in backend && typeof backend.list === "function";
+}
 // src/backend/registry.ts
 var BackendRegistry = class {
   static backends = /* @__PURE__ */ new Map();
@@ -232,6 +237,33 @@ var BackendRegistry = class {
   static getTypes() {
     return Array.from(this.backends.keys());
   }
+  /**
+   * Returns backend types that are available on the current system.
+   *
+   * @remarks
+   * Creates each registered backend via its factory, calls `isAvailable()`,
+   * and returns only the type identifiers whose backend reports availability.
+   * If a backend's `isAvailable()` call throws, that backend is excluded from
+   * the result rather than propagating the error.
+   *
+   * @returns Promise resolving to an array of available backend type identifiers
+   * @public
+   */
+  static async getAvailableTypes() {
+    const entries = Array.from(this.backends.entries());
+    const results = await Promise.all(
+      entries.map(async ([type, factory]) => {
+        try {
+          const backend = factory();
+          const available = await backend.isAvailable();
+          return available ? type : null;
+        } catch {
+          return null;
+        }
+      })
+    );
+    return results.filter((type) => type !== null);
+  }
 };
 async function execCommand(command, args, options) {
   const result = await execCommandFull(command, args);
@@ -265,7 +297,7 @@ path5__namespace.join(".vaultkeeper", "file");
 path5__namespace.join(".vaultkeeper", "yubikey");
 function hashExecutable(filePath) {
   return new Promise((resolve, reject) => {
-    const hash = crypto3__namespace.createHash("sha256");
+    const hash = crypto4__namespace.createHash("sha256");
     const stream = fs4__namespace.createReadStream(filePath);
     stream.on("data", (chunk) => {
       hash.update(chunk);
@@ -565,10 +597,10 @@ var KeyManager = class {
   #rotating = false;
   /** Generate a new 32-byte key with a timestamp-based id. */
   generateKey() {
-    const randomSuffix = crypto3__namespace.randomBytes(4).toString("hex");
+    const randomSuffix = crypto4__namespace.randomBytes(4).toString("hex");
     return {
       id: `k-${String(Date.now())}-${randomSuffix}`,
-      key: new Uint8Array(crypto3__namespace.randomBytes(32)),
+      key: new Uint8Array(crypto4__namespace.randomBytes(32)),
       createdAt: /* @__PURE__ */ new Date()
     };
   }
@@ -984,6 +1016,50 @@ function createSecretAccessor(secretValue) {
   return proxy;
 }
+// src/access/sign-util.ts
+var ALLOWED_ALGORITHMS = /* @__PURE__ */ new Set(["sha256", "sha384", "sha512"]);
+function resolveAlgorithmForKey(key, override) {
+  const keyType = key.asymmetricKeyType;
+  if (keyType === "ed25519" || keyType === "ed448") {
+    return { signAlg: null, label: keyType };
+  }
+  const alg = override ?? "sha256";
+  if (!ALLOWED_ALGORITHMS.has(alg)) {
+    throw new VaultError(
+      `Unsupported signing algorithm '${alg}'. Allowed: ${[...ALLOWED_ALGORITHMS].join(", ")}`
+    );
+  }
+  return { signAlg: alg, label: alg };
+}
+// src/access/delegated-sign.ts
+function delegatedSign(secretPem, request) {
+  const key = crypto4__namespace.createPrivateKey(secretPem);
+  const { signAlg, label } = resolveAlgorithmForKey(key, request.algorithm);
+  const data = Buffer.isBuffer(request.data) ? request.data : Buffer.from(request.data);
+  const signature = crypto4__namespace.sign(signAlg, data, key);
+  return {
+    signature: signature.toString("base64"),
+    algorithm: label
+  };
+}
+function delegatedVerify(request) {
+  let key;
+  try {
+    key = crypto4__namespace.createPublicKey(request.publicKey);
+  } catch {
+    return false;
+  }
+  const { signAlg } = resolveAlgorithmForKey(key, request.algorithm);
+  const sig = Buffer.from(request.signature, "base64");
+  try {
+    const data = Buffer.isBuffer(request.data) ? request.data : Buffer.from(request.data);
+    return crypto4__namespace.verify(signAlg, data, key, sig);
+  } catch {
+    return false;
+  }
+}
 // src/doctor/checks.ts
 function parseVersion(raw) {
   const match = /(\d+)\.(\d+)\.(\d+)/.exec(raw);
@@ -1236,7 +1312,7 @@ var VaultKeeper = class _VaultKeeper {
     }
     const now = Math.floor(Date.now() / 1e3);
     const claims = {
-      jti: crypto3__namespace.randomUUID(),
+      jti: crypto4__namespace.randomUUID(),
       exp: now + ttlMinutes * 60,
       iat: now,
       sub: secretName,
@@ -1341,6 +1417,47 @@ var VaultKeeper = class _VaultKeeper {
     const claims = validateCapabilityToken(token);
     return createSecretAccessor(claims.val);
   }
+  /**
+   * Sign data using the private key embedded in a capability token.
+   *
+   * The signing key is extracted from the token's encrypted claims, used
+   * for a single `crypto.sign()` call, and never exposed to the caller.
+   * The algorithm is auto-detected from the key type unless overridden
+   * in the request.
+   *
+   * @param token - A `CapabilityToken` obtained from `authorize()`.
+   * @param request - The data to sign and optional algorithm override.
+   * @returns The base64-encoded signature and algorithm label, together
+   *   with the vault metadata (`vaultResponse`).
+   * @throws {VaultError} If `token` is invalid or was not created by this
+   *   vault instance.
+   */
+  async sign(token, request) {
+    const claims = validateCapabilityToken(token);
+    const result = delegatedSign(claims.val, request);
+    await Promise.resolve();
+    return {
+      result,
+      vaultResponse: { keyStatus: "current" }
+    };
+  }
+  /**
+   * Verify a signature using a public key.
+   *
+   * This is a static method — no VaultKeeper instance, secrets, or
+   * capability tokens are required. It is safe to call from CI or any
+   * context that has access to public key material.
+   *
+   * Never throws. Returns `false` for invalid key material, malformed
+   * signatures, or any verification failure.
+   *
+   * @param request - The data, signature, public key, and optional
+   *   algorithm override.
+   * @returns `true` if the signature is valid, `false` otherwise.
+   */
+  static verify(request) {
+    return delegatedVerify(request);
+  }
   /**
    * Rotate the current encryption key.
    *
@@ -1476,5 +1593,6 @@ exports.TokenRevokedError = TokenRevokedError;
 exports.UsageLimitExceededError = UsageLimitExceededError;
 exports.VaultError = VaultError;
 exports.VaultKeeper = VaultKeeper;
+exports.isListableBackend = isListableBackend;
 //# sourceMappingURL=index.cjs.map
 //# sourceMappingURL=index.cjs.map