
@sphereon/ssi-sdk-ext.kms-azure


Sphereon SSI-SDK plugin for Azure KeyVault Key Management System.

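"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
exports.AzureKeyVaultKeyManagementSystem = void 0;
// `crypto` is required explicitly rather than relying on the global webcrypto
// object, which is only unflagged on newer Node releases; `randomUUID` is
// available on the module in every Node version that also provides the global.
const crypto = require("crypto");
const kmp_crypto_kms_azure_1 = require("@sphereon/kmp-crypto-kms-azure");
const key_manager_1 = require("@veramo/key-manager");
const ssi_sdk_ext_key_utils_1 = require("@sphereon/ssi-sdk-ext.key-utils");
const ssi_types_1 = require("@sphereon/ssi-types");

const { SignatureAlgorithm, KeyOperations } = kmp_crypto_kms_azure_1.com.sphereon.crypto.generic;
const { JwkUse } = kmp_crypto_kms_azure_1.com.sphereon.crypto.jose;
const { CredentialOpts, CredentialMode, SecretCredentialOpts, AzureKeyVaultClientConfig } =
  kmp_crypto_kms_azure_1.com.sphereon.crypto.kms.azure;
const { AzureKeyVaultCryptoProvider } = kmp_crypto_kms_azure_1;

const NOT_SUPPORTED = "is not supported by AzureKeyVaultKMS";

/**
 * Veramo key-management-system plugin backed by Azure Key Vault.
 *
 * Private keys never leave the vault: `createKey` asks the vault to generate
 * the key pair and only the public JWK is returned, and `sign`/`verify` are
 * delegated to the vault via the kmp-crypto provider. Only Secp256r1 keys
 * (ECDSA over P-256 with SHA-256) are supported; every other type, usage or
 * operation is rejected with an Error.
 */
class AzureKeyVaultKeyManagementSystem extends key_manager_1.AbstractKeyManagementSystem {
  /**
   * @param {object} options
   * @param {string} options.applicationId - used both as this KMS's `id` and as the Azure application id
   * @param {string} options.keyVaultUrl - Key Vault endpoint
   * @param {string} options.keyVaultClientId - service-principal client id
   * @param {string} options.keyVaultClientSecret - service-principal client secret (service client secret credential mode)
   * @param {string} options.keyVaultClientIdTenantId - Entra tenant of the service principal
   */
  constructor(options) {
    super();
    // Credential mode is fixed to client-id/client-secret; the secret is handed
    // straight to the provider and never stored on this instance.
    const credentialOptions = new CredentialOpts(
      CredentialMode.SERVICE_CLIENT_SECRET,
      new SecretCredentialOpts(options.keyVaultClientId, options.keyVaultClientSecret),
    );
    const clientConfig = new AzureKeyVaultClientConfig(
      options.applicationId,
      options.keyVaultUrl,
      options.keyVaultClientIdTenantId,
      credentialOptions,
    );
    this.id = options.applicationId;
    this.client = new AzureKeyVaultCryptoProvider(clientConfig);
  }

  /**
   * Digest used for JWK thumbprints of keys signed with the given algorithm.
   * @param {SignatureAlgorithm} signatureAlgorithm
   * @returns {'sha256'}
   * @throws {Error} for any algorithm other than ECDSA_SHA256
   */
  signatureAlgorithmToDigestAlgorithm(signatureAlgorithm) {
    if (signatureAlgorithm === SignatureAlgorithm.ECDSA_SHA256) {
      return "sha256";
    }
    throw new Error(`Signature algorithm ${signatureAlgorithm} ${NOT_SUPPORTED}`);
  }

  /**
   * JOSE curve of the key pair generated for the given algorithm.
   * @param {SignatureAlgorithm} signatureAlgorithm
   * @returns {JoseCurve} `P_256`
   * @throws {Error} for any algorithm other than ECDSA_SHA256
   */
  signatureAlgorithmToCurve(signatureAlgorithm) {
    if (signatureAlgorithm === SignatureAlgorithm.ECDSA_SHA256) {
      return ssi_types_1.JoseCurve.P_256;
    }
    throw new Error(`Signature algorithm ${signatureAlgorithm} ${NOT_SUPPORTED}`);
  }

  /**
   * JWS `alg` identifier for the given algorithm; used when the vault's JWK
   * carries no `alg` itself. ECDSA over P-256 with SHA-256 is `ES256`.
   * @param {SignatureAlgorithm} signatureAlgorithm
   * @returns {'ES256'}
   * @throws {Error} for any algorithm other than ECDSA_SHA256
   */
  signatureAlgorithmToJoseAlg(signatureAlgorithm) {
    if (signatureAlgorithm === SignatureAlgorithm.ECDSA_SHA256) {
      return "ES256";
    }
    throw new Error(`Signature algorithm ${signatureAlgorithm} ${NOT_SUPPORTED}`);
  }

  /**
   * @param {'sig'|'enc'} usage - Veramo key usage
   * @returns {JwkUse}
   * @throws {Error} for any other usage
   */
  mapKeyUsage(usage) {
    switch (usage) {
      case "sig":
        return JwkUse.sig;
      case "enc":
        return JwkUse.enc;
      default:
        throw new Error(`Key usage ${usage} ${NOT_SUPPORTED}`);
    }
  }

  /**
   * @param {string} type - Veramo key type; only `'Secp256r1'` is accepted
   * @returns {SignatureAlgorithm} `ECDSA_SHA256`
   * @throws {Error} for any other type
   */
  mapKeyTypeToSignatureAlgorithm(type) {
    if (type === "Secp256r1") {
      return SignatureAlgorithm.ECDSA_SHA256;
    }
    throw new Error(`Key type ${type} ${NOT_SUPPORTED}`);
  }

  /**
   * @param {'sign'|'verify'} operation
   * @returns {KeyOperations}
   * @throws {Error} for any other operation
   */
  mapKeyOperation(operation) {
    switch (operation) {
      case "sign":
        return KeyOperations.SIGN;
      case "verify":
        return KeyOperations.VERIFY;
      default:
        throw new Error(`Key operation ${operation} ${NOT_SUPPORTED}`);
    }
  }

  /**
   * @param {Array<'sign'|'verify'>} operations
   * @returns {KeyOperations[]}
   * @throws {Error} on the first unsupported operation
   */
  mapKeyOperations(operations) {
    return operations.map((operation) => this.mapKeyOperation(operation));
  }

  /**
   * Generates a key pair inside the vault and returns its Veramo key descriptor.
   *
   * @param {object} args
   * @param {string} args.type - must be `'Secp256r1'`
   * @param {object} [args.meta]
   * @param {string} [args.meta.keyAlias] - vault key name; a random `key-<uuid>` name is used when absent or empty
   * @param {'sig'|'enc'} [args.meta.keyUsage] - defaults to `sig`
   * @param {Array<'sign'|'verify'>} [args.meta.keyOperations] - defaults to `[SIGN]`
   * @returns {Promise<object>} descriptor whose `kid` is the vault's key reference
   *   and whose `meta.alias` is the vault key name. `publicKeyHex` keeps its
   *   historical (misnamed) content: the base64 encoding of the JOSE JSON.
   * @throws {Error} for unsupported type/usage/operations, or when the vault call fails
   */
  async createKey(args) {
    const { type, meta } = args;
    const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
    const request = new AzureKeyVaultCryptoProvider.GenerateKeyRequest(
      // `||` rather than `??` so an empty alias also gets a generated name.
      meta?.keyAlias || `key-${crypto.randomUUID()}`,
      meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.sig,
      meta && "keyOperations" in meta ? this.mapKeyOperations(meta.keyOperations) : [KeyOperations.SIGN],
      signatureAlgorithm,
    );
    const key = await this.client.generateKeyAsync(request);

    // Convert once; the result is reused for every field below.
    const publicKey = key.jose.publicJwk.toPublicKey();
    const jwk = {
      ...publicKey,
      kty: publicKey.kty.name,
      crv: this.signatureAlgorithmToCurve(signatureAlgorithm),
      x: publicKey.x,
      y: publicKey.y,
      kid: publicKey.kid,
    };

    // Fall back to the JWS alg implied by the key's own signature algorithm
    // (ES256 for P-256) when the vault JWK does not carry an `alg`.
    const alg = key.jose.publicJwk.alg?.name ?? this.signatureAlgorithmToJoseAlg(signatureAlgorithm);

    return {
      kid: key.kmsKeyRef,
      kms: this.id,
      type,
      meta: {
        alias: key.kid,
        algorithms: [alg],
        jwkThumbprint: ssi_sdk_ext_key_utils_1.calculateJwkThumbprint({
          jwk,
          digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),
        }),
      },
      publicKeyHex: Buffer.from(key.jose.toString(), "utf8").toString("base64"),
    };
  }

  /**
   * Signs `args.data` inside the vault with the key referenced by `args.keyRef.kid`.
   * @param {object} args
   * @param {{kid: string}} args.keyRef - `kid` is the vault key reference returned by `createKey`
   * @param {Uint8Array} args.data - raw input handed to the provider as-is
   * @returns {Promise<string>} hex-encoded raw signature
   * @throws {Error} `key_not_found` when no keyRef is given; provider errors propagate
   */
  async sign(args) {
    if (!args.keyRef) {
      throw new Error("key_not_found: No key ref provided");
    }
    const key = await this.client.fetchKeyAsync(args.keyRef.kid);
    const signature = await this.client.createRawSignatureAsync({
      keyInfo: key,
      input: args.data,
    });
    return Buffer.from(signature).toString("hex");
  }

  /**
   * Verifies a hex-encoded raw signature over `args.data` using the vault key.
   *
   * Fails closed: any error from key lookup, hex decoding or the provider is
   * logged and reported as `false` rather than thrown.
   * @param {object} args
   * @param {{kid: string}} args.keyRef
   * @param {string} args.signature - hex string
   * @param {Uint8Array} args.data
   * @returns {Promise<boolean>}
   * @throws {Error} `key_not_found` when no keyRef is given (the only error that escapes)
   */
  async verify(args) {
    if (!args.keyRef) {
      throw new Error("key_not_found: No key ref provided");
    }
    try {
      const key = await this.client.fetchKeyAsync(args.keyRef.kid);
      return await this.client.isValidRawSignatureAsync({
        keyInfo: key,
        signature: Buffer.from(args.signature, "hex"),
        input: args.data,
      });
    } catch (e) {
      console.error(e);
      return false;
    }
  }

  /** Not supported by this KMS; always throws synchronously. */
  sharedSecret(args) {
    throw new Error("sharedSecret is not implemented for AzureKeyVaultKMS.");
  }

  /** Not supported by this KMS; the returned promise rejects. */
  async importKey(args) {
    throw new Error("importKey is not implemented for AzureKeyVaultKMS.");
  }

  /** Not supported by this KMS; the returned promise rejects. */
  async deleteKey({ kid }) {
    throw new Error("deleteKey is not implemented for AzureKeyVaultKMS.");
  }

  /** Not supported by this KMS; the returned promise rejects. */
  async listKeys() {
    throw new Error("listKeys is not implemented for AzureKeyVaultKMS.");
  }
}

exports.AzureKeyVaultKeyManagementSystem = AzureKeyVaultKeyManagementSystem;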