
@sphereon/ssi-sdk-ext.kms-azure


Sphereon SSI-SDK plugin for Azure KeyVault Key Management System.

{"version":3,"sources":["../src/index.ts","../src/AzureKeyVaultKeyManagementSystem.ts"],"sourcesContent":["export { AzureKeyVaultKeyManagementSystem } from './AzureKeyVaultKeyManagementSystem'\n\nexport interface KeyMetadata {\n algorithms?: string[]\n\n [x: string]: any\n}\n","import { AzureKeyVaultCryptoProvider } from '@sphereon/kmp-crypto-kms-azure'\nimport * as kmsAzure from '@sphereon/kmp-crypto-kms-azure'\nimport { IKey, ManagedKeyInfo, MinimalImportableKey, TKeyType } from '@veramo/core'\nimport { AbstractKeyManagementSystem } from '@veramo/key-manager'\nimport { KeyMetadata } from './index'\nimport { calculateJwkThumbprint } from '@sphereon/ssi-sdk-ext.key-utils'\nimport { JoseCurve, JWK } from '@sphereon/ssi-types'\nimport SignatureAlgorithm = kmsAzure.com.sphereon.crypto.generic.SignatureAlgorithm\nimport KeyOperations = kmsAzure.com.sphereon.crypto.generic.KeyOperations\nimport JwkUse = kmsAzure.com.sphereon.crypto.jose.JwkUse\n\ninterface AbstractKeyManagementSystemOptions {\n applicationId: string\n keyVaultUrl: string\n keyVaultClientIdTenantId: string\n keyVaultClientId: string\n keyVaultClientSecret: string\n}\n\nexport class AzureKeyVaultKeyManagementSystem extends AbstractKeyManagementSystem {\n private client: AzureKeyVaultCryptoProvider\n private id: string\n\n constructor(options: AbstractKeyManagementSystemOptions) {\n super()\n\n const credentialOptions = new kmsAzure.com.sphereon.crypto.kms.azure.CredentialOpts(\n kmsAzure.com.sphereon.crypto.kms.azure.CredentialMode.SERVICE_CLIENT_SECRET,\n new kmsAzure.com.sphereon.crypto.kms.azure.SecretCredentialOpts(options.keyVaultClientId, options.keyVaultClientSecret),\n )\n\n const azureKeyVaultClientConfig = new kmsAzure.com.sphereon.crypto.kms.azure.AzureKeyVaultClientConfig(\n options.applicationId,\n options.keyVaultUrl,\n options.keyVaultClientIdTenantId,\n credentialOptions,\n )\n\n this.id = options.applicationId\n this.client = new AzureKeyVaultCryptoProvider(azureKeyVaultClientConfig)\n 
}\n\n async createKey(args: { type: TKeyType; meta?: KeyMetadata }): Promise<ManagedKeyInfo> {\n const { type, meta } = args\n\n const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type)\n\n const options = new AzureKeyVaultCryptoProvider.GenerateKeyRequest(\n meta?.keyAlias || `key-${crypto.randomUUID()}`,\n meta && 'keyUsage' in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.sig,\n meta && 'keyOperations' in meta ? this.mapKeyOperations(meta.keyOperations as string[]) : [KeyOperations.SIGN],\n signatureAlgorithm,\n )\n const key = await this.client.generateKeyAsync(options)\n\n const jwk: JWK = {\n ...key.jose.publicJwk.toPublicKey(),\n kty: key.jose.publicJwk.toPublicKey().kty.name,\n crv: this.signatureAlgorithmToCurve(signatureAlgorithm),\n x: key.jose.publicJwk.toPublicKey().x!!,\n y: key.jose.publicJwk.toPublicKey().y!!,\n kid: key.jose.publicJwk.toPublicKey().kid!!,\n }\n\n return {\n kid: key.kmsKeyRef,\n kms: this.id,\n type,\n meta: {\n alias: key.kid,\n algorithms: [key.jose.publicJwk.alg?.name ?? 
'PS256'],\n jwkThumbprint: calculateJwkThumbprint({\n jwk,\n digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),\n }),\n },\n publicKeyHex: Buffer.from(key.jose.toString(), 'utf8').toString('base64'),\n }\n }\n\n async sign(args: { keyRef: Pick<IKey, 'kid'>; data: Uint8Array; [x: string]: any }): Promise<string> {\n if (!args.keyRef) {\n throw new Error('key_not_found: No key ref provided')\n }\n const key = await this.client.fetchKeyAsync(args.keyRef.kid)\n const signature = await this.client.createRawSignatureAsync({\n keyInfo: key,\n // @ts-ignore\n input: args.data,\n })\n\n // @ts-ignore\n return Buffer.from(signature).toString('hex')\n }\n\n async verify(args: { keyRef: Pick<IKey, 'kid'>; data: Uint8Array; signature: string; [x: string]: any }): Promise<Boolean> {\n if (!args.keyRef) {\n throw new Error('key_not_found: No key ref provided')\n }\n\n try {\n const key = await this.client.fetchKeyAsync(args.keyRef.kid)\n return await this.client.isValidRawSignatureAsync({\n keyInfo: key,\n // @ts-ignore\n signature: Buffer.from(args.signature, 'hex'),\n // @ts-ignore\n input: args.data,\n })\n } catch (e) {\n console.error(e)\n return false\n }\n }\n\n sharedSecret(args: { myKeyRef: Pick<IKey, 'kid'>; theirKey: Pick<IKey, 'publicKeyHex' | 'type'> }): Promise<string> {\n throw new Error('sharedSecret is not implemented for AzureKeyVaultKMS.')\n }\n\n async importKey(args: Omit<MinimalImportableKey, 'kms'> & { privateKeyPEM?: string }): Promise<ManagedKeyInfo> {\n throw new Error('importKey is not implemented for AzureKeyVaultKMS.')\n }\n\n async deleteKey({ kid }: { kid: string }): Promise<boolean> {\n throw new Error('deleteKey is not implemented for AzureKeyVaultKMS.')\n }\n\n async listKeys(): Promise<ManagedKeyInfo[]> {\n throw new Error('listKeys is not implemented for AzureKeyVaultKMS.')\n }\n\n private signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm: SignatureAlgorithm): 'sha256' | 'sha512' => {\n switch 
(signatureAlgorithm) {\n case SignatureAlgorithm.ECDSA_SHA256:\n return 'sha256'\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by AzureKeyVaultKMS`)\n }\n }\n\n private signatureAlgorithmToCurve = (signatureAlgorithm: SignatureAlgorithm): JoseCurve => {\n switch (signatureAlgorithm) {\n case SignatureAlgorithm.ECDSA_SHA256:\n return JoseCurve.P_256\n default:\n throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by AzureKeyVaultKMS`)\n }\n }\n\n private mapKeyUsage = (usage: string): JwkUse => {\n switch (usage) {\n case 'sig':\n return JwkUse.sig\n case 'enc':\n return JwkUse.enc\n default:\n throw new Error(`Key usage ${usage} is not supported by AzureKeyVaultKMS`)\n }\n }\n\n private mapKeyTypeToSignatureAlgorithm = (type: TKeyType): SignatureAlgorithm => {\n switch (type) {\n case 'Secp256r1':\n return SignatureAlgorithm.ECDSA_SHA256\n default:\n throw new Error(`Key type ${type} is not supported by AzureKeyVaultKMS`)\n }\n }\n\n private mapKeyOperation = (operation: string): KeyOperations => {\n switch (operation) {\n case 'sign':\n return KeyOperations.SIGN\n case 'verify':\n return KeyOperations.VERIFY\n default:\n throw new Error(`Key operation ${operation} is not supported by AzureKeyVaultKMS`)\n }\n }\n\n private mapKeyOperations = (operations: string[]): KeyOperations[] => {\n return operations.map((operation) => this.mapKeyOperation(operation))\n 
}\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAAA;;;;;;;ACAA,kCAA4C;AAC5C,eAA0B;AAE1B,yBAA4C;AAE5C,yBAAuC;AACvC,uBAA+B;AAC/B,IAAOA,qBAA8B,aAAI,SAAS,OAAO,QAAQ;AACjE,IAAOC,gBAAyB,aAAI,SAAS,OAAO,QAAQ;AAC5D,IAAOC,SAAkB,aAAI,SAAS,OAAO,KAAK;AAU3C,IAAMC,mCAAN,cAA+CC,+CAAAA;EAnBtD,OAmBsDA;;;EAC5CC;EACAC;EAER,YAAYC,SAA6C;AACvD,UAAK;AAEL,UAAMC,oBAAoB,IAAaC,aAAIC,SAASC,OAAOC,IAAIC,MAAMC,eAC1DL,aAAIC,SAASC,OAAOC,IAAIC,MAAME,eAAeC,uBACtD,IAAaP,aAAIC,SAASC,OAAOC,IAAIC,MAAMI,qBAAqBV,QAAQW,kBAAkBX,QAAQY,oBAAoB,CAAA;AAGxH,UAAMC,4BAA4B,IAAaX,aAAIC,SAASC,OAAOC,IAAIC,MAAMQ,0BAC3Ed,QAAQe,eACRf,QAAQgB,aACRhB,QAAQiB,0BACRhB,iBAAAA;AAGF,SAAKF,KAAKC,QAAQe;AAClB,SAAKjB,SAAS,IAAIoB,wDAA4BL,yBAAAA;EAChD;EAEA,MAAMM,UAAUC,MAAuE;AACrF,UAAM,EAAEC,MAAMC,KAAI,IAAKF;AAEvB,UAAMG,qBAAqB,KAAKC,+BAA+BH,IAAAA;AAE/D,UAAMrB,UAAU,IAAIkB,wDAA4BO,mBAC9CH,MAAMI,YAAY,OAAOtB,OAAOuB,WAAU,CAAA,IAC1CL,QAAQ,cAAcA,OAAO,KAAKM,YAAYN,KAAKO,QAAQ,IAAIlC,OAAOmC,KACtER,QAAQ,mBAAmBA,OAAO,KAAKS,iBAAiBT,KAAKU,aAAa,IAAgB;MAACtC,cAAcuC;OACzGV,kBAAAA;AAEF,UAAMW,MAAM,MAAM,KAAKpC,OAAOqC,iBAAiBnC,OAAAA;AAE/C,UAAMoC,MAAW;MACf,GAAGF,IAAIG,KAAKC,UAAUC,YAAW;MACjCC,KAAKN,IAAIG,KAAKC,UAAUC,YAAW,EAAGC,IAAIC;MAC1CC,KAAK,KAAKC,0BAA0BpB,kBAAAA;MACpCqB,GAAGV,IAAIG,KAAKC,UAAUC,YAAW,EAAGK;MACpCC,GAAGX,IAAIG,KAAKC,UAAUC,YAAW,EAAGM;MACpCC,KAAKZ,IAAIG,KAAKC,UAAUC,YAAW,EAAGO;IACxC;AAEA,WAAO;MACLA,KAAKZ,IAAIa;MACT1C,KAAK,KAAKN;MACVsB;MACAC,MAAM;QACJ0B,OAAOd,IAAIY;QACXG,YAAY;UAACf,IAAIG,KAAKC,UAAUY,KAAKT,QAAQ;;QAC7CU,mBAAeC,2CAAuB;UACpChB;UACAiB,iBAAiB,KAAKC,oCAAoC/B,kBAAAA;QAC5D,CAAA;MACF;MACAgC,cAAcC,OAAOC,KAAKvB,IAAIG,KAAKqB,SAAQ,GAAI,MAAA,EAAQA,SAAS,QAAA;IAClE;EACF;EAEA,MAAMC,KAAKvC,MAA0F;AACnG,QAAI,CAACA,KAAKwC,QAAQ;AAChB,YAAM,IAAIC,MAAM,oCAAA;IAClB;AACA,UAAM3B,MAAM,MAAM,KAAKpC,OAAOgE,cAAc1C,KAAKwC,OAAOd,GAAG;AAC3D,UAAMiB,YAAY,MAAM,KAAKjE,OAAOkE,wBAAwB;MAC1DC,SAAS/B;;MAETgC,OAAO9C,KAAK+C;IACd,CAAA;AAGA,WAAOX,OAAOC,KAAKM,SAAAA,EAAWL,SAAS,KAAA;EACzC;EAEA,MAAMU,OAAOhD,MAA8G;AACzH,QAAI,CAACA,KAAKwC,QAAQ;AAChB,YAAM,IAAIC,MAAM,oCAAA;IAClB;AAEA,QA
AI;AACF,YAAM3B,MAAM,MAAM,KAAKpC,OAAOgE,cAAc1C,KAAKwC,OAAOd,GAAG;AAC3D,aAAO,MAAM,KAAKhD,OAAOuE,yBAAyB;QAChDJ,SAAS/B;;QAET6B,WAAWP,OAAOC,KAAKrC,KAAK2C,WAAW,KAAA;;QAEvCG,OAAO9C,KAAK+C;MACd,CAAA;IACF,SAASG,GAAG;AACVC,cAAQC,MAAMF,CAAAA;AACd,aAAO;IACT;EACF;EAEAG,aAAarD,MAAuG;AAClH,UAAM,IAAIyC,MAAM,uDAAA;EAClB;EAEA,MAAMa,UAAUtD,MAA+F;AAC7G,UAAM,IAAIyC,MAAM,oDAAA;EAClB;EAEA,MAAMc,UAAU,EAAE7B,IAAG,GAAuC;AAC1D,UAAM,IAAIe,MAAM,oDAAA;EAClB;EAEA,MAAMe,WAAsC;AAC1C,UAAM,IAAIf,MAAM,mDAAA;EAClB;EAEQP,sCAAsC,wBAAC/B,uBAAAA;AAC7C,YAAQA,oBAAAA;MACN,KAAK9B,mBAAmBoF;AACtB,eAAO;MACT;AACE,cAAM,IAAIhB,MAAM,uBAAuBtC,kBAAAA,uCAAyD;IACpG;EACF,GAP8C;EAStCoB,4BAA4B,wBAACpB,uBAAAA;AACnC,YAAQA,oBAAAA;MACN,KAAK9B,mBAAmBoF;AACtB,eAAOC,2BAAUC;MACnB;AACE,cAAM,IAAIlB,MAAM,uBAAuBtC,kBAAAA,uCAAyD;IACpG;EACF,GAPoC;EAS5BK,cAAc,wBAACoD,UAAAA;AACrB,YAAQA,OAAAA;MACN,KAAK;AACH,eAAOrF,OAAOmC;MAChB,KAAK;AACH,eAAOnC,OAAOsF;MAChB;AACE,cAAM,IAAIpB,MAAM,aAAamB,KAAAA,uCAA4C;IAC7E;EACF,GATsB;EAWdxD,iCAAiC,wBAACH,SAAAA;AACxC,YAAQA,MAAAA;MACN,KAAK;AACH,eAAO5B,mBAAmBoF;MAC5B;AACE,cAAM,IAAIhB,MAAM,YAAYxC,IAAAA,uCAA2C;IAC3E;EACF,GAPyC;EASjC6D,kBAAkB,wBAACC,cAAAA;AACzB,YAAQA,WAAAA;MACN,KAAK;AACH,eAAOzF,cAAcuC;MACvB,KAAK;AACH,eAAOvC,cAAc0F;MACvB;AACE,cAAM,IAAIvB,MAAM,iBAAiBsB,SAAAA,uCAAgD;IACrF;EACF,GAT0B;EAWlBpD,mBAAmB,wBAACsD,eAAAA;AAC1B,WAAOA,WAAWC,IAAI,CAACH,cAAc,KAAKD,gBAAgBC,SAAAA,CAAAA;EAC5D,GAF2B;AAG7B;","names":["SignatureAlgorithm","KeyOperations","JwkUse","AzureKeyVaultKeyManagementSystem","AbstractKeyManagementSystem","client","id","options","credentialOptions","com","sphereon","crypto","kms","azure","CredentialOpts","CredentialMode","SERVICE_CLIENT_SECRET","SecretCredentialOpts","keyVaultClientId","keyVaultClientSecret","azureKeyVaultClientConfig","AzureKeyVaultClientConfig","applicationId","keyVaultUrl","keyVaultClientIdTenantId","AzureKeyVaultCryptoProvider","createKey","args","type","meta","signatureAlgorithm","mapKeyTypeToSignatureAlgorithm","GenerateKeyRequest","keyAlias","randomUUID","mapKeyUsage","keyUsag
e","sig","mapKeyOperations","keyOperations","SIGN","key","generateKeyAsync","jwk","jose","publicJwk","toPublicKey","kty","name","crv","signatureAlgorithmToCurve","x","y","kid","kmsKeyRef","alias","algorithms","alg","jwkThumbprint","calculateJwkThumbprint","digestAlgorithm","signatureAlgorithmToDigestAlgorithm","publicKeyHex","Buffer","from","toString","sign","keyRef","Error","fetchKeyAsync","signature","createRawSignatureAsync","keyInfo","input","data","verify","isValidRawSignatureAsync","e","console","error","sharedSecret","importKey","deleteKey","listKeys","ECDSA_SHA256","JoseCurve","P_256","usage","enc","mapKeyOperation","operation","VERIFY","operations","map"]}