@sphereon/ssi-sdk-ext.kms-azure-rest-client
Version:
Sphereon SSI-SDK plugin for Azure KeyVault Key Management System.
144 lines • 6.51 kB
JavaScript
;
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
var desc = Object.getOwnPropertyDescriptor(m, k);
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
desc = { enumerable: true, get: function() { return m[k]; } };
}
Object.defineProperty(o, k2, desc);
}) : (function(o, m, k, k2) {
if (k2 === undefined) k2 = k;
o[k2] = m[k];
}));
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
Object.defineProperty(o, "default", { enumerable: true, value: v });
}) : function(o, v) {
o["default"] = v;
});
var __importStar = (this && this.__importStar) || function (mod) {
if (mod && mod.__esModule) return mod;
var result = {};
if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
__setModuleDefault(result, mod);
return result;
};
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
return new (P || (P = Promise))(function (resolve, reject) {
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
step((generator = generator.apply(thisArg, _arguments || [])).next());
});
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.AzureKeyVaultKeyManagementSystemRestClient = void 0;
const key_manager_1 = require("@veramo/key-manager");
const AzureRestClient = __importStar(require("./js-client"));
const u8a = __importStar(require("uint8arrays"));
class AzureKeyVaultKeyManagementSystemRestClient extends key_manager_1.AbstractKeyManagementSystem {
constructor(options) {
super();
this.mapKeyTypeCurveName = (type) => {
switch (type) {
case 'Secp256r1':
return 'P-256';
default:
throw new Error(`Key type ${type} is not supported by AzureKeyVaultKMS`);
}
};
this.keyTypeToDigestAlgorithm = (type) => {
switch (type) {
case 'Secp256r1':
return 'sha256';
default:
throw new Error(`Key type ${type} is not supported by AzureKeyVaultKMS`);
}
};
const config = AzureRestClient.createConfiguration({
baseServer: new AzureRestClient.ServerConfiguration(options.vaultUrl, {}),
authMethods: {
apiKeyScheme: options.apiKey,
},
});
this.id = options.applicationId;
this.client = new AzureRestClient.KeyVaultControllerApi(config);
}
createKey(args) {
return __awaiter(this, void 0, void 0, function* () {
var _a, _b;
const { type, meta } = args;
const curveName = this.mapKeyTypeCurveName(type);
const options = {
keyName: meta === null || meta === void 0 ? void 0 : meta.keyAlias.replace(/_/g, "-"),
curveName,
operations: meta && 'keyOperations' in meta ? meta.keyOperations : ['sign', 'verify'],
};
const createKeyResponse = yield this.client.createEcKey(options);
return {
kid: createKeyResponse.name,
kms: this.id,
type,
meta: {
alias: createKeyResponse.name,
algorithms: [(_b = (_a = createKeyResponse.key) === null || _a === void 0 ? void 0 : _a.curveName) !== null && _b !== void 0 ? _b : 'ES256'],
kmsKeyRef: createKeyResponse.id
},
publicKeyHex: this.ecJwkToRawHexKey(createKeyResponse.key),
};
});
}
ecJwkToRawHexKey(jwk) {
if (!jwk.x || !jwk.y) {
throw new Error("EC JWK must contain 'x' and 'y' properties.");
}
// We are converting from base64 to base64url to be sure. The spec uses base64url, but in the wild we sometimes encounter a base64 string
const x = u8a.fromString(jwk.x.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url');
const y = u8a.fromString(jwk.y.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''), 'base64url');
return '04' + u8a.toString(x, 'hex') + u8a.toString(y, 'hex');
}
sign(args) {
return __awaiter(this, void 0, void 0, function* () {
if (!args.keyRef) {
throw new Error('key_not_found: No key ref provided');
}
const signResponse = yield this.client.signPayload({
keyName: args.keyRef.kid,
payload: u8a.toString(args.data),
});
return signResponse.signature;
});
}
verify(args) {
return __awaiter(this, void 0, void 0, function* () {
if (!args.keyRef) {
throw new Error('key_not_found: No key ref provided');
}
return yield this.client.verifyPayload({
keyName: args.keyRef.kid,
signature: args.signature,
payload: new TextDecoder().decode(args.data),
});
});
}
sharedSecret(args) {
throw new Error('sharedSecret is not implemented for AzureKeyVaultKMS.');
}
importKey(args) {
return __awaiter(this, void 0, void 0, function* () {
throw new Error('importKey is not implemented for AzureKeyVaultKMS.');
});
}
deleteKey(_a) {
return __awaiter(this, arguments, void 0, function* ({ kid }) {
throw new Error('deleteKey is not implemented for AzureKeyVaultKMS.');
});
}
listKeys() {
return __awaiter(this, void 0, void 0, function* () {
throw new Error('listKeys is not implemented for AzureKeyVaultKMS.');
});
}
}
exports.AzureKeyVaultKeyManagementSystemRestClient = AzureKeyVaultKeyManagementSystemRestClient;
//# sourceMappingURL=AzureKeyVaultKeyManagementSystemRestClient.js.map