
Sphereon SSI-SDK plugin for Azure KeyVault Key Management System.

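// src/AzureKeyVaultKeyManagementSystem.ts
import { randomUUID } from "node:crypto";
import { AzureKeyVaultCryptoProvider } from "@sphereon/kmp-crypto-kms-azure";
import * as kmsAzure from "@sphereon/kmp-crypto-kms-azure";
import { AbstractKeyManagementSystem } from "@veramo/key-manager";
import { calculateJwkThumbprint } from "@sphereon/ssi-sdk-ext.key-utils";
import { JoseCurve } from "@sphereon/ssi-types";

// Short aliases into the Kotlin-multiplatform namespace of the Azure provider.
var SignatureAlgorithm = kmsAzure.com.sphereon.crypto.generic.SignatureAlgorithm;
var KeyOperations = kmsAzure.com.sphereon.crypto.generic.KeyOperations;
var JwkUse = kmsAzure.com.sphereon.crypto.jose.JwkUse;
var azureKms = kmsAzure.com.sphereon.crypto.kms.azure;

// Shape of a hex-encoded signature: an even number of hex digits. An empty
// string is tolerated here; the provider decides whether it verifies.
var HEX_STRING = /^(?:[0-9a-f]{2})*$/i;

/**
 * Veramo / SSI-SDK key management system backed by Azure Key Vault.
 *
 * Only P-256 (`Secp256r1`) ECDSA/SHA-256 signing keys are supported; any other
 * key type, usage or operation is rejected by the `map*` helpers before the
 * vault is contacted. Private key material never leaves the vault: signing and
 * verification are delegated to the AzureKeyVaultCryptoProvider. importKey,
 * deleteKey, listKeys and sharedSecret are not implemented and always reject.
 */
var AzureKeyVaultKeyManagementSystem = class extends AbstractKeyManagementSystem {
  client;
  id;

  /**
   * @param options.applicationId            reported as the `kms` id of every key record
   * @param options.keyVaultUrl              Key Vault endpoint
   * @param options.keyVaultClientIdTenantId tenant of the service principal
   * @param options.keyVaultClientId         service-principal (app) client id
   * @param options.keyVaultClientSecret     service-principal client secret. Only
   *        the client-secret credential mode is wired up; the secret is handed to
   *        the provider in memory, so keep it out of logs and committed config.
   */
  constructor(options) {
    super();
    const secret = new azureKms.SecretCredentialOpts(options.keyVaultClientId, options.keyVaultClientSecret);
    const credentials = new azureKms.CredentialOpts(azureKms.CredentialMode.SERVICE_CLIENT_SECRET, secret);
    const clientConfig = new azureKms.AzureKeyVaultClientConfig(
      options.applicationId,
      options.keyVaultUrl,
      options.keyVaultClientIdTenantId,
      credentials
    );
    this.id = options.applicationId;
    this.client = new AzureKeyVaultCryptoProvider(clientConfig);
  }

  /**
   * Generates a new key inside the vault.
   *
   * @param args.type            key type; only `Secp256r1` is accepted
   * @param args.meta.keyAlias   vault key name; a random `key-<uuid>` is used when absent/empty
   * @param args.meta.keyUsage   `sig` (default) or `enc`
   * @param args.meta.keyOperations  subset of `sign`/`verify`; defaults to `[sign]`
   * @returns a key record whose `kid` is the vault's key reference and whose
   *          `meta.alias` is the vault key name.
   * @throws Error for unsupported type / usage / operation, or whatever the provider throws.
   */
  async createKey(args) {
    const { type, meta } = args;
    const signatureAlgorithm = this.mapKeyTypeToSignatureAlgorithm(type);
    // `||` is deliberate: an empty alias also falls back to a generated name.
    const alias = meta?.keyAlias || `key-${randomUUID()}`;
    const use = meta && "keyUsage" in meta ? this.mapKeyUsage(meta.keyUsage) : JwkUse.sig;
    const operations = meta && "keyOperations" in meta ? this.mapKeyOperations(meta.keyOperations) : [KeyOperations.SIGN];
    const request = new AzureKeyVaultCryptoProvider.GenerateKeyRequest(alias, use, operations, signatureAlgorithm);

    const key = await this.client.generateKeyAsync(request);

    // Build a plain JWK from the provider's public key; `kty` is a Kotlin enum
    // so its `.name` is taken, and `crv` is derived from the algorithm we asked for.
    const publicKey = key.jose.publicJwk.toPublicKey();
    const jwk = {
      ...publicKey,
      kty: publicKey.kty.name,
      crv: this.signatureAlgorithmToCurve(signatureAlgorithm),
      x: publicKey.x,
      y: publicKey.y,
      kid: publicKey.kid,
    };
    // If the vault does not report a JWA `alg`, derive it from the signature
    // algorithm instead of assuming one: the former hard-coded "PS256" fallback
    // (RSA-PSS) is wrong for the only key type this KMS can create (P-256 → ES256).
    const jwaAlgorithm = key.jose.publicJwk.alg?.name ?? this.signatureAlgorithmToJwaAlg(signatureAlgorithm);

    return {
      kid: key.kmsKeyRef,
      kms: this.id,
      type,
      meta: {
        alias: key.kid,
        algorithms: [jwaAlgorithm],
        jwkThumbprint: calculateJwkThumbprint({
          jwk,
          digestAlgorithm: this.signatureAlgorithmToDigestAlgorithm(signatureAlgorithm),
        }),
      },
      // NOTE(review): despite the name this is base64 of the serialized JOSE key,
      // not hex. Kept as-is because persisted key records and other KMS plugins
      // may depend on this encoding — confirm before changing.
      publicKeyHex: Buffer.from(key.jose.toString(), "utf8").toString("base64"),
    };
  }

  /**
   * Signs `args.data` with the vault key referenced by `args.keyRef.kid`.
   *
   * @returns the raw signature, hex encoded
   * @throws Error("key_not_found: ...") when no key reference is given; provider errors propagate.
   */
  async sign(args) {
    if (!args.keyRef) {
      throw new Error("key_not_found: No key ref provided");
    }
    const key = await this.client.fetchKeyAsync(args.keyRef.kid);
    const signature = await this.client.createRawSignatureAsync({
      keyInfo: key,
      input: args.data,
    });
    return Buffer.from(signature).toString("hex");
  }

  /**
   * Verifies a hex-encoded raw signature over `args.data` with the vault key
   * referenced by `args.keyRef.kid`.
   *
   * @returns true only when the provider accepts the signature; a malformed hex
   *          signature or any provider error yields false.
   * @throws Error("key_not_found: ...") when no key reference is given.
   */
  async verify(args) {
    if (!args.keyRef) {
      throw new Error("key_not_found: No key ref provided");
    }
    // Buffer.from(str, "hex") never throws: it silently stops at the first
    // non-hex character, so a malformed signature would otherwise be checked
    // as a truncated (possibly empty) byte string. Reject it explicitly.
    if (typeof args.signature === "string" && !HEX_STRING.test(args.signature)) {
      return false;
    }
    try {
      const key = await this.client.fetchKeyAsync(args.keyRef.kid);
      return await this.client.isValidRawSignatureAsync({
        keyInfo: key,
        signature: Buffer.from(args.signature, "hex"),
        input: args.data,
      });
    } catch (e) {
      console.error(e);
      return false;
    }
  }

  // Declared async so callers awaiting the abstract Promise-returning contract
  // get a rejection rather than a synchronous throw, like the siblings below.
  async sharedSecret(args) {
    throw new Error("sharedSecret is not implemented for AzureKeyVaultKMS.");
  }

  async importKey(args) {
    throw new Error("importKey is not implemented for AzureKeyVaultKMS.");
  }

  async deleteKey(args) {
    throw new Error("deleteKey is not implemented for AzureKeyVaultKMS.");
  }

  async listKeys() {
    throw new Error("listKeys is not implemented for AzureKeyVaultKMS.");
  }

  /** Digest used for the JWK thumbprint of a key created with `signatureAlgorithm`. */
  signatureAlgorithmToDigestAlgorithm = (signatureAlgorithm) => {
    switch (signatureAlgorithm) {
      case SignatureAlgorithm.ECDSA_SHA256:
        return "sha256";
      default:
        throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by AzureKeyVaultKMS`);
    }
  };

  /** JOSE curve of a key created with `signatureAlgorithm`. */
  signatureAlgorithmToCurve = (signatureAlgorithm) => {
    switch (signatureAlgorithm) {
      case SignatureAlgorithm.ECDSA_SHA256:
        return JoseCurve.P_256;
      default:
        throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by AzureKeyVaultKMS`);
    }
  };

  /** JWA `alg` identifier of a key created with `signatureAlgorithm` (RFC 7518). */
  signatureAlgorithmToJwaAlg = (signatureAlgorithm) => {
    switch (signatureAlgorithm) {
      case SignatureAlgorithm.ECDSA_SHA256:
        return "ES256";
      default:
        throw new Error(`Signature algorithm ${signatureAlgorithm} is not supported by AzureKeyVaultKMS`);
    }
  };

  /** Maps the SDK's `sig`/`enc` key usage onto the provider's JwkUse. */
  mapKeyUsage = (usage) => {
    switch (usage) {
      case "sig":
        return JwkUse.sig;
      case "enc":
        return JwkUse.enc;
      default:
        throw new Error(`Key usage ${usage} is not supported by AzureKeyVaultKMS`);
    }
  };

  /** Maps an SDK key type onto the provider signature algorithm; only P-256 is accepted. */
  mapKeyTypeToSignatureAlgorithm = (type) => {
    switch (type) {
      case "Secp256r1":
        return SignatureAlgorithm.ECDSA_SHA256;
      default:
        throw new Error(`Key type ${type} is not supported by AzureKeyVaultKMS`);
    }
  };

  /** Maps a single SDK key operation (`sign`/`verify`) onto the provider enum. */
  mapKeyOperation = (operation) => {
    switch (operation) {
      case "sign":
        return KeyOperations.SIGN;
      case "verify":
        return KeyOperations.VERIFY;
      default:
        throw new Error(`Key operation ${operation} is not supported by AzureKeyVaultKMS`);
    }
  };

  /** Maps a list of SDK key operations; throws on the first unsupported one. */
  mapKeyOperations = (operations) => {
    return operations.map((operation) => this.mapKeyOperation(operation));
  };
};

export { AzureKeyVaultKeyManagementSystem };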