{"version":3,"file":"KmsEncryptOptions.mjs","names":[],"sources":["../../../../src/modules/kms/options/KmsEncryptOptions.ts"],"sourcesContent":["import { z } from 'zod'\nimport { zAnyUint8Array } from '../../../utils/zod'\nimport { KnownJwaContentEncryptionAlgorithms } from '../jwk/jwa'\nimport { zKmsJwkPrivateOct } from '../jwk/kty/oct/octJwk'\nimport { zKmsKeyId } from './common'\nimport { zKmsKeyAgreementEncryptOptions } from './KmsKeyAgreementEncryptOptions'\n\nconst zKmsEncryptDataEncryptionAesGcm = z.object({\n  // AES-GCM Content Encryption\n  algorithm: z.enum([\n    KnownJwaContentEncryptionAlgorithms.A128GCM,\n    KnownJwaContentEncryptionAlgorithms.A192GCM,\n    KnownJwaContentEncryptionAlgorithms.A256GCM,\n  ]),\n\n  iv: z.optional(zAnyUint8Array.refine((iv) => iv.length === 12, 'iv must be 12 bytes for AES GCM')),\n  aad: z.optional(zAnyUint8Array),\n})\nexport type KmsEncryptDataEncryptionAesGcm = z.output<typeof zKmsEncryptDataEncryptionAesGcm>\n\n// AES-CBC Content Encryption\nconst zKmsEncryptDataEncryptionAesCbc = z.object({\n  algorithm: z.enum([KnownJwaContentEncryptionAlgorithms.A128CBC, KnownJwaContentEncryptionAlgorithms.A256CBC]),\n  iv: z.optional(zAnyUint8Array.refine((iv) => iv.length === 16, 'iv must be 16 bytes for AES CBC')),\n})\nexport type KmsEncryptDataEncryptionAesCbc = z.output<typeof zKmsEncryptDataEncryptionAesCbc>\n\n// AES-CBC with HMAC-SHA2 Content Encryption\nconst zKmsEncryptDataEncryptionAesCbcHmac = z.object({\n  algorithm: z.enum([\n    KnownJwaContentEncryptionAlgorithms.A128CBC_HS256,\n    KnownJwaContentEncryptionAlgorithms.A192CBC_HS384,\n    KnownJwaContentEncryptionAlgorithms.A256CBC_HS512,\n  ]),\n  iv: z.optional(zAnyUint8Array.refine((iv) => iv.length === 16, 'iv must be 16 bytes for AES CBC with HMAC')),\n  aad: z.optional(zAnyUint8Array),\n})\nexport type KmsEncryptDataEncryptionAesCbcHmac = z.output<typeof zKmsEncryptDataEncryptionAesCbcHmac>\n\n// XSalsa-Poly1305 Content Encryption\nconst 
zKmsDecryptDataEncryptionSalsa = z.object({\n  algorithm: z.enum([KnownJwaContentEncryptionAlgorithms['XSALSA20-POLY1305']]),\n  iv: zAnyUint8Array.optional(),\n})\n\n// ChaCha20-Poly1305 Content Encryption\nconst zKmsEncryptDataEncryptionC20p = z.object({\n  algorithm: z.enum([KnownJwaContentEncryptionAlgorithms.C20P, KnownJwaContentEncryptionAlgorithms.XC20P]),\n  iv: z.optional(zAnyUint8Array),\n  aad: z.optional(zAnyUint8Array),\n})\n// FIXME: if we use refine, we can't use discriminated union. and that makes the error handling shitty. Until then the iv length for C20P/XC20P is not validated by this schema.\n// .refine(\n//   ({ iv, algorithm }) => !iv || iv.length === (algorithm === 'C20P' ? 12 : 24),\n//   `iv must be 12 bytes for C20P (ChaCha20-Poly1305) or 24 bytes for XC20P (XChaCha20-Poly1305)`\n// )\n\nexport type KmsEncryptDataEncryptionX20c = z.output<typeof zKmsEncryptDataEncryptionC20p>\n\nexport const zKmsEncryptDataEncryption = z.discriminatedUnion('algorithm', [\n  zKmsEncryptDataEncryptionAesCbc,\n  zKmsEncryptDataEncryptionAesCbcHmac,\n  zKmsEncryptDataEncryptionAesGcm,\n  zKmsEncryptDataEncryptionC20p,\n  zKmsDecryptDataEncryptionSalsa,\n])\nexport type KmsEncryptDataEncryption = z.output<typeof zKmsEncryptDataEncryption>\n\nexport const zKmsEncryptOptions = z.object({\n  /**\n   * The key to use for encrypting. 
There are three possible formats:\n   * - a key id, pointing to a symmetric (oct) jwk that can be used directly for encryption\n   * - a private symmetric (oct) jwk object that can be used directly for encryption\n   * - an object configuring key agreement, based on an existing asymmetric key\n   */\n  key: z.union([\n    z.object({\n      keyId: zKmsKeyId,\n\n      // never helps with type narrowing\n      privateJwk: z.never().optional(),\n      keyAgreement: z.never().optional(),\n    }),\n    z.object({\n      privateJwk: zKmsJwkPrivateOct.describe('A private oct (symmetric) jwk'),\n\n      // never helps with type narrowing\n      keyId: z.never().optional(),\n      keyAgreement: z.never().optional(),\n    }),\n    z.object({\n      keyAgreement: zKmsKeyAgreementEncryptOptions,\n\n      // never helps with type narrowing\n      keyId: z.never().optional(),\n      privateJwk: z.never().optional(),\n    }),\n  ]),\n\n  /**\n   * The encryption algorithm used to encrypt the data/content.\n   * In JWE this parameter is referred to as \"enc\".\n   */\n  encryption: zKmsEncryptDataEncryption.describe(\n    'Options related to the encryption algorithm to use for encrypting the data'\n  ),\n\n  /**\n   * The data to encrypt\n   */\n  data: zAnyUint8Array.describe('The data to encrypt'),\n})\n\nexport type KmsEncryptOptions = z.output<typeof zKmsEncryptOptions>\nexport interface KmsEncryptReturn {\n  /**\n   * The encrypted data, also known as \"ciphertext\" in JWE\n   */\n  encrypted: Uint8Array\n\n  /**\n   * Optional authentication tag\n   */\n  tag?: Uint8Array\n\n  /**\n   * The initialization vector. 
For algorithms where the iv is required\n   * and not provided, this will contain the auto-generated value.\n   */\n  iv?: Uint8Array // may be any uint8array since the user can also provide it as input\n\n  /**\n   * The encrypted content encryption key, if key wrapping was used\n   */\n  encryptedKey?: KmsEncryptedKey\n}\n\nexport const zKmsEncryptedKey = z.object({\n  /**\n   * Optional authentication tag\n   */\n  tag: zAnyUint8Array.optional(),\n\n  /**\n   * The initialization vector.\n   */\n  iv: zAnyUint8Array.optional(),\n\n  /**\n   * The encrypted key\n   */\n  encrypted: zAnyUint8Array,\n})\n\n/**\n * An encrypted content encryption key (CEK).\n */\nexport type KmsEncryptedKey = z.infer<typeof zKmsEncryptedKey>\n"],"mappings":";;;;;;;;;;AAOA,MAAM,kCAAkC,EAAE,OAAO;CAE/C,WAAW,EAAE,KAAK;EAChB,oCAAoC;EACpC,oCAAoC;EACpC,oCAAoC;EACrC,CAAC;CAEF,IAAI,EAAE,SAAS,eAAe,QAAQ,OAAO,GAAG,WAAW,IAAI,kCAAkC,CAAC;CAClG,KAAK,EAAE,SAAS,eAAe;CAChC,CAAC;AAIF,MAAM,kCAAkC,EAAE,OAAO;CAC/C,WAAW,EAAE,KAAK,CAAC,oCAAoC,SAAS,oCAAoC,QAAQ,CAAC;CAC7G,IAAI,EAAE,SAAS,eAAe,QAAQ,OAAO,GAAG,WAAW,IAAI,kCAAkC,CAAC;CACnG,CAAC;AAIF,MAAM,sCAAsC,EAAE,OAAO;CACnD,WAAW,EAAE,KAAK;EAChB,oCAAoC;EACpC,oCAAoC;EACpC,oCAAoC;EACrC,CAAC;CACF,IAAI,EAAE,SAAS,eAAe,QAAQ,OAAO,GAAG,WAAW,IAAI,4CAA4C,CAAC;CAC5G,KAAK,EAAE,SAAS,eAAe;CAChC,CAAC;AAIF,MAAM,iCAAiC,EAAE,OAAO;CAC9C,WAAW,EAAE,KAAK,CAAC,oCAAoC,qBAAqB,CAAC;CAC7E,IAAI,eAAe,UAAU;CAC9B,CAAC;AAGF,MAAM,gCAAgC,EAAE,OAAO;CAC7C,WAAW,EAAE,KAAK,CAAC,oCAAoC,MAAM,oCAAoC,MAAM,CAAC;CACxG,IAAI,EAAE,SAAS,eAAe;CAC9B,KAAK,EAAE,SAAS,eAAe;CAChC,CAAC;AASF,MAAa,4BAA4B,EAAE,mBAAmB,aAAa;CACzE;CACA;CACA;CACA;CACA;CACD,CAAC;AAGF,MAAa,qBAAqB,EAAE,OAAO;CAOzC,KAAK,EAAE,MAAM;EACX,EAAE,OAAO;GACP,OAAO;GAGP,YAAY,EAAE,OAAO,CAAC,UAAU;GAChC,cAAc,EAAE,OAAO,CAAC,UAAU;GACnC,CAAC;EACF,EAAE,OAAO;GACP,YAAY,kBAAkB,SAAS,gCAAgC;GAGvE,OAAO,EAAE,OAAO,CAAC,UAAU;GAC3B,cAAc,EAAE,OAAO,CAAC,UAAU;GACnC,CAAC;EACF,EAAE,OAAO;GACP,cAAc;GAGd,OAAO,EAAE,OAAO,CAAC,UAAU;GAC3B,YAAY,EAAE,OAAO,CAAC,UAAU;GACjC,CAAC;EACH,CAAC;CA
MF,YAAY,0BAA0B,SACpC,6EACD;CAKD,MAAM,eAAe,SAAS,sBAAsB;CACrD,CAAC;AA0BF,MAAa,mBAAmB,EAAE,OAAO;CAIvC,KAAK,eAAe,UAAU;CAK9B,IAAI,eAAe,UAAU;CAK7B,WAAW;CACZ,CAAC"}