{"version":3,"file":"aws-kms-signer.mjs","names":["#client","#kmsKeyId","#publicKey"],"sources":["../../src/aws/aws-kms-signer.ts"],"sourcesContent":["// Copyright (c) Mysten Labs, Inc.\n// SPDX-License-Identifier: Apache-2.0\nimport type { PublicKey, SignatureFlag } from '@mysten/sui/cryptography';\nimport { SIGNATURE_FLAG_TO_SCHEME, Signer } from '@mysten/sui/cryptography';\nimport { fromBase64, toBase64 } from '@mysten/sui/utils';\n\nimport { getConcatenatedSignature } from '../utils/utils.js';\nimport type { AwsClientOptions } from './aws-client.js';\nimport { AwsKmsClient } from './aws-client.js';\n\n/**\n * Configuration options for initializing the AwsKmsSigner.\n */\nexport interface AwsKmsSignerOptions {\n\t/** AWS KMS Key ID used for signing */\n\tkmsKeyId: string;\n\t/** Options for setting up the AWS KMS client */\n\tclient: AwsKmsClient;\n\t/** Public key */\n\tpublicKey: PublicKey;\n}\n\n/**\n * Aws KMS Signer integrates AWS Key Management Service (KMS) with the Sui blockchain\n * to provide signing capabilities using AWS-managed cryptographic keys.\n */\nexport class AwsKmsSigner extends Signer {\n\t#publicKey: PublicKey;\n\t/** AWS KMS client instance */\n\t#client: AwsKmsClient;\n\t/** AWS KMS Key ID used for signing */\n\t#kmsKeyId: string;\n\n\t/**\n\t * Creates an instance of AwsKmsSigner. 
Callers are expected to use the static `fromKeyId` method to create an instance.\n\t * For example:\n\t * ```\n\t * const signer = await AwsKmsSigner.fromKeyId(keyId, options);\n\t * ```\n\t * @throws Will throw an error if the KMS Key ID is not provided.\n\t */\n\tconstructor({ kmsKeyId, client, publicKey }: AwsKmsSignerOptions) {\n\t\tsuper();\n\t\tif (!kmsKeyId) throw new Error('KMS Key ID is required');\n\n\t\tthis.#client = client;\n\t\tthis.#kmsKeyId = kmsKeyId;\n\t\tthis.#publicKey = publicKey;\n\t}\n\n\t/**\n\t * Retrieves the key scheme used by this signer.\n\t * @returns AWS supports only Secp256k1 and Secp256r1 schemes.\n\t */\n\tgetKeyScheme() {\n\t\treturn SIGNATURE_FLAG_TO_SCHEME[this.#publicKey.flag() as SignatureFlag];\n\t}\n\n\t/**\n\t * Retrieves the public key associated with this signer.\n\t * @returns The public key instance (Secp256k1 or Secp256r1).\n\t * @throws Will throw an error if the public key has not been initialized.\n\t */\n\tgetPublicKey() {\n\t\treturn this.#publicKey;\n\t}\n\n\t/**\n\t * Signs the given data using AWS KMS.\n\t * @param bytes - The data to be signed as a Uint8Array.\n\t * @returns A promise that resolves to the signature as a Uint8Array.\n\t * @throws Will throw an error if the public key is not initialized or if signing fails.\n\t */\n\tasync sign(bytes: Uint8Array): Promise<Uint8Array<ArrayBuffer>> {\n\t\tconst signResponse = await this.#client.runCommand('Sign', {\n\t\t\tKeyId: this.#kmsKeyId,\n\t\t\tMessage: toBase64(bytes),\n\t\t\tMessageType: 'RAW',\n\t\t\tSigningAlgorithm: 'ECDSA_SHA_256',\n\t\t});\n\n\t\t// Concatenate the signature components into a compact form\n\t\treturn getConcatenatedSignature(fromBase64(signResponse.Signature), this.getKeyScheme());\n\t}\n\n\t/**\n\t * Prepares the signer by fetching and setting the public key from AWS KMS.\n\t * It is recommended to initialize an `AwsKmsSigner` instance using this function.\n\t * @returns A promise that resolves once an `AwsKmsSigner` instance is 
prepared (public key is set).\n\t */\n\tstatic async fromKeyId(keyId: string, options: AwsClientOptions) {\n\t\tconst client = new AwsKmsClient(options);\n\n\t\tconst pubKey = await client.getPublicKey(keyId);\n\n\t\treturn new AwsKmsSigner({\n\t\t\tkmsKeyId: keyId,\n\t\t\tclient,\n\t\t\tpublicKey: pubKey,\n\t\t});\n\t}\n}\n"],"mappings":";;;;;;;;;;AA0BA,IAAa,eAAb,MAAa,qBAAqB,OAAO;CACxC;;CAEA;;CAEA;;;;;;;;;CAUA,YAAY,EAAE,UAAU,QAAQ,aAAkC;AACjE,SAAO;AACP,MAAI,CAAC,SAAU,OAAM,IAAI,MAAM,yBAAyB;AAExD,QAAKA,SAAU;AACf,QAAKC,WAAY;AACjB,QAAKC,YAAa;;;;;;CAOnB,eAAe;AACd,SAAO,yBAAyB,MAAKA,UAAW,MAAM;;;;;;;CAQvD,eAAe;AACd,SAAO,MAAKA;;;;;;;;CASb,MAAM,KAAK,OAAqD;AAS/D,SAAO,yBAAyB,YARX,MAAM,MAAKF,OAAQ,WAAW,QAAQ;GAC1D,OAAO,MAAKC;GACZ,SAAS,SAAS,MAAM;GACxB,aAAa;GACb,kBAAkB;GAClB,CAAC,EAGsD,UAAU,EAAE,KAAK,cAAc,CAAC;;;;;;;CAQzF,aAAa,UAAU,OAAe,SAA2B;EAChE,MAAM,SAAS,IAAI,aAAa,QAAQ;AAIxC,SAAO,IAAI,aAAa;GACvB,UAAU;GACV;GACA,WALc,MAAM,OAAO,aAAa,MAAM;GAM9C,CAAC"}