Optional params: AwsKeyManagerParamsPrivate _algorithmA private map that stores instances of cryptographic algorithm implementations. Each key in
this map is an AlgorithmConstructor, and its corresponding value is an instance of a class
that implements a specific cryptographic algorithm. This map is used to cache and reuse
instances for performance optimization, ensuring that each algorithm is instantiated only once.
Private _kmsA private instance of KMSClient from the AWS SDK. This client is used for all interactions
with AWS Key Management Service (KMS), such as generating keys, signing data, and retrieving
public keys. If a custom KMSClient is not provided in the constructor, a default instance is
created and used.
Generates a hash digest of the provided data.
The parameters for the digest operation.
A Promise which will be fulfilled with the hash digest.
A digest is the output of the hash function. It's a fixed-size string of bytes that uniquely represents the data input into the hash function. The digest is often used for data integrity checks, as any alteration in the input data results in a significantly different digest.
It takes the algorithm identifier of the hash function and data to digest as input and returns the digest of the data.
const keyManager = new AwsKeyManager();
const data = new Uint8Array([...]);
const digest = await keyManager.digest({ algorithm: 'SHA-256', data });
Generates a new cryptographic key in AWS KMS with the specified algorithm and returns a unique key URI which can be used to reference the key in subsequent operations.
The parameters for key generation.
A Promise that resolves to the key URI, a unique identifier for the generated key.
This method initiates the creation of a customer-managed key in AWS KMS, using the specified algorithm parameters. The generated key is an AWS KMS key, identified by an AWS-assigned key ID (UUID V4 format) and a key ARN (Amazon Resource Name). The method returns a key URI that uniquely identifies the key and can be used in subsequent cryptographic operations.
const keyManager = new AwsKeyManager();
const keyUri = await keyManager.generateKey({ algorithm: 'ES256K' });
console.log(keyUri); // Outputs the key URI
Private getRetrieves an algorithm implementation instance based on the provided algorithm name.
The parameters for retrieving the algorithm implementation.
The name of the algorithm to retrieve.
An instance of the requested algorithm implementation.
This method checks if the requested algorithm is supported and returns a cached instance if available. If an instance does not exist, it creates and caches a new one. This approach optimizes performance by reusing algorithm instances across cryptographic operations.
const signer = this.getAlgorithm({ algorithm: 'ES256K' });
Error if the requested algorithm is not supported.
Private getDetermines the name of the algorithm based on the key's properties or key specification.
The parameters for determining the algorithm name.
Optional key?: { A JWK containing the alg or crv properties.
Optional alg?: stringOptional crv?: stringOptional keyThe AWS key specification.
The name of the algorithm associated with the key.
This method facilitates the identification of the correct algorithm for cryptographic
operations based on the alg or crv properties of a JWK or a given AWS
key specification.
// Using a JWK.
const publicKey = { ... }; // Public key in JWK format
const algorithm = this.getAlgorithmName({ key: publicKey });
// Using a key specification.
const keySpec = KeySpec.ECC_SECG_P256K1;
const algorithm = this.getAlgorithmName({ keySpec });
Error if the algorithm cannot be determined from the provided input.
Computes the Key URI for a given public JWK (JSON Web Key).
The parameters for getting the key URI.
A Promise that resolves to the key URI as a string.
This method generates a URI
(Uniform Resource Identifier) for the given JWK, which uniquely identifies the key across all
CryptoApi implementations. The key URI is constructed by appending the
JWK thumbprint to the prefix
urn:jwk:. The JWK thumbprint is deterministically computed from the JWK and is consistent
regardless of property order or optional property inclusion in the JWK. This ensures that the
same key material represented as a JWK will always yield the same thumbprint, and therefore,
the same key URI.
const keyManager = new AwsKeyManager();
const publicKey = { ... }; // Public key in JWK format
const keyUri = await keyManager.getKeyUri({ key: publicKey });
Retrieves the public key associated with a previously generated private key, identified by the provided key URI.
The parameters for retrieving the public key.
A Promise that resolves to the public key in JWK format.
const keyManager = new AwsKeyManager();
const keyUri = await keyManager.generateKey({ algorithm: 'ES256K' });
const publicKey = await keyManager.getPublicKey({ keyUri });
Signs the provided data using the private key identified by the provided key URI.
The parameters for the signing operation.
A Promise resolving to the digital signature as a Uint8Array.
This method uses the signature algorithm determined by the AWS KMS KeySpec of the private key
identified by the provided key URI to sign the provided data. The signature can later be
verified by parties with access to the corresponding public key, ensuring that the data has not
been tampered with and was indeed signed by the holder of the private key.
const keyManager = new AwsKeyManager();
const data = new TextEncoder().encode('Message to sign');
const signature = await keyManager.sign({
keyUri: 'urn:jwk:...',
data
});
Verifies a digital signature associated the provided data using the provided key.
The parameters for the verification operation.
A Promise resolving to a boolean indicating whether the signature is valid.
This method uses the signature algorithm determined by the alg and/or crv properties of the
provided key to check the validity of a digital signature against the original data. It
confirms whether the signature was created by the holder of the corresponding private key and
that the data has not been tampered with.
const keyManager = new AwsKeyManager();
const publicKey = { ... }; // Public key in JWK format corresponding to the private key that signed the data
const data = new TextEncoder().encode('Message to sign'); // Data that was signed
const signature = new Uint8Array([...]); // Signature to verify
const isValid = await ecdsa.verify({
key: publicKey,
signature,
data
});
The
AwsKeyManagerclass is an implementation of theCryptoApiinterface tailored for AWS KMS.