{"version":3,"file":"keyDerivation.mjs","names":[],"sources":["../../../../../src/modules/kms/jwk/alg/keyDerivation.ts"],"sourcesContent":["import { KeyManagementError } from '../../error/KeyManagementError'\nimport { getJwkHumanDescription } from '../humanDescription'\nimport type { KnownJwaKeyAgreementAlgorithm } from '../jwa'\nimport type { KmsJwkPrivate, KmsJwkPublic, KmsJwkPublicCrv } from '../knownJwk'\nimport type { KmsJwkPrivateOct, KmsJwkPublicOct } from '../kty/oct/octJwk'\nimport type { KmsJwkPrivateRsa, KmsJwkPublicRsa } from '../kty/rsa/rsaJwk'\n\nfunction isCrvJwk<Jwk extends KmsJwkPrivate | KmsJwkPublic>(\n  jwk: Jwk\n): jwk is Exclude<Jwk, KmsJwkPrivateOct | KmsJwkPrivateRsa | KmsJwkPublicOct | KmsJwkPublicRsa> {\n  return jwk.kty === 'EC' || jwk.kty === 'OKP'\n}\n\nexport function supportedKeyDerivationAlgsForKey(\n  jwk: KmsJwkPrivate | Exclude<KmsJwkPublic, KmsJwkPublicOct>\n): KnownJwaKeyAgreementAlgorithm[] {\n  const algs: KnownJwaKeyAgreementAlgorithm[] = []\n\n  const allowedCurves: KmsJwkPublicCrv['crv'][] = ['P-256', 'P-384', 'P-521', 'X25519', 'secp256k1']\n  if (isCrvJwk(jwk) && allowedCurves.includes(jwk.crv)) {\n    algs.push('ECDH-ES', 'ECDH-ES+A128KW', 'ECDH-ES+A192KW', 'ECDH-ES+A256KW')\n  }\n\n  // Special case where we allow Ed25519 for X25519 based operation, since that is\n  // how DIDComm v1 works.\n  if (jwk.kty === 'OKP' && (jwk.crv === 'X25519' || jwk.crv === 'Ed25519')) {\n    algs.push('ECDH-HSALSA20')\n  }\n\n  return algs\n}\n\n/**\n * Get the allowed key derivation algs for a key. If takes all the known supported\n * algs and will filter these based on the optional `alg` key in the JWK.\n *\n * This does not handle the intended key `use` and `key_ops`.\n */\nexport function allowedKeyDerivationAlgsForKey(\n  jwk: KmsJwkPrivate | Exclude<KmsJwkPublic, KmsJwkPublicOct>\n): KnownJwaKeyAgreementAlgorithm[] {\n  const supportedAlgs = supportedKeyDerivationAlgsForKey(jwk)\n  const allowedAlg = jwk.alg\n\n  return !allowedAlg\n    ? // If no `alg` specified on jwk, return all supported algs\n      supportedAlgs\n    : // If `alg` is specified and supported, return the allowed alg\n      allowedAlg && supportedAlgs.includes(allowedAlg as KnownJwaKeyAgreementAlgorithm)\n      ? [allowedAlg as KnownJwaKeyAgreementAlgorithm]\n      : // Otherwise nothing is allowed (`alg` is specified but not supported)\n        []\n}\n\nexport function assertAllowedKeyDerivationAlgForKey(\n  jwk: KmsJwkPrivate | Exclude<KmsJwkPublic, KmsJwkPublicOct>,\n  algorithm: KnownJwaKeyAgreementAlgorithm\n) {\n  const allowedAlgs = allowedKeyDerivationAlgsForKey(jwk)\n  if (!allowedAlgs.includes(algorithm)) {\n    const allowedAlgsText =\n      allowedAlgs.length > 0 ? ` Allowed algs are ${allowedAlgs.map((alg) => `'${alg}'`).join(', ')}` : ''\n    throw new KeyManagementError(\n      `${getJwkHumanDescription(\n        jwk\n      )} cannot be used with algorithm '${algorithm}' for key derivation.${allowedAlgsText}`\n    )\n  }\n}\n"],"mappings":";;;;;;AAOA,SAAS,SACP,KAC8F;AAC9F,QAAO,IAAI,QAAQ,QAAQ,IAAI,QAAQ;;AAGzC,SAAgB,iCACd,KACiC;CACjC,MAAM,OAAwC,EAAE;AAGhD,KAAI,SAAS,IAAI,IAD+B;EAAC;EAAS;EAAS;EAAS;EAAU;EAAY,CAC/D,SAAS,IAAI,IAAI,CAClD,MAAK,KAAK,WAAW,kBAAkB,kBAAkB,iBAAiB;AAK5E,KAAI,IAAI,QAAQ,UAAU,IAAI,QAAQ,YAAY,IAAI,QAAQ,WAC5D,MAAK,KAAK,gBAAgB;AAG5B,QAAO;;;;;;;;AAST,SAAgB,+BACd,KACiC;CACjC,MAAM,gBAAgB,iCAAiC,IAAI;CAC3D,MAAM,aAAa,IAAI;AAEvB,QAAO,CAAC,aAEJ,gBAEA,cAAc,cAAc,SAAS,WAA4C,GAC/E,CAAC,WAA4C,GAE7C,EAAE;;AAGV,SAAgB,oCACd,KACA,WACA;CACA,MAAM,cAAc,+BAA+B,IAAI;AACvD,KAAI,CAAC,YAAY,SAAS,UAAU,EAAE;EACpC,MAAM,kBACJ,YAAY,SAAS,IAAI,qBAAqB,YAAY,KAAK,QAAQ,IAAI,IAAI,GAAG,CAAC,KAAK,KAAK,KAAK;AACpG,QAAM,IAAI,mBACR,GAAG,uBACD,IACD,CAAC,kCAAkC,UAAU,uBAAuB,kBACtE"}