An object containing the parameters to use when instantiating the algorithm.
An instance of AwsKeyManager.
An instance of KMSClient from the AWS SDK.
Private _keyManager
The _keyManager private variable in the EcdsaAlgorithm class holds a reference to an AwsKeyManager instance, which is an implementation of the CryptoApi interface. This instance is used for performing various cryptographic operations, such as computing hash digests and retrieving public keys. By having this reference, EcdsaAlgorithm can focus on ECDSA-specific logic while delegating other cryptographic tasks to AwsKeyManager. The type is CryptoApi instead of AwsKeyManager to avoid a circular dependency.
Private _kms
A private instance of KMSClient from the AWS SDK. This client is used for all interactions with AWS Key Management Service (KMS), such as generating keys, signing data, and retrieving public keys. If a custom KMSClient is not provided in the constructor, a default instance is created and used.
Generates a new cryptographic key in AWS KMS with the specified algorithm and returns a unique key URI which can be used to reference the key in subsequent operations.
The parameters for key generation.
A Promise that resolves to the key URI, a unique identifier for the generated key.
const ecdsa = new EcdsaAlgorithm({ keyManager, kmsClient });
const keyUri = await ecdsa.generateKey({ algorithm: 'ES256K' });
console.log(keyUri); // Outputs the key URI
Generates an ECDSA signature of given data using the private key identified by the provided key URI.
The parameters for the signing operation.
A Promise resolving to the digital signature as a Uint8Array.
This method uses the signature algorithm determined by the given algorithm to sign the provided data. The algorithm is used to avoid another round trip to AWS KMS to determine the KeySpec since it was already retrieved in AwsKeyManager.sign().
The signature can later be verified by parties with access to the corresponding public key, ensuring that the data has not been tampered with and was indeed signed by the holder of the private key.
Note: Data is pre-hashed before signing to accommodate AWS KMS limitations for signature payloads. AWS KMS restricts the size of the data payload to 4096 bytes for direct signing. Hashing the data first ensures that the input to the signing operation is within this limit, regardless of the original data size.
Note: The signature returned is normalized to low-S to prevent signature malleability. This ensures that the signature can be verified by other libraries that enforce strict verification. More information on signature malleability can be found here.
const ecdsa = new EcdsaAlgorithm({ keyManager, kmsClient });
const data = new TextEncoder().encode('Message to sign');
const signature = await ecdsa.sign({
algorithm: 'ES256K',
keyUri: 'urn:jwk:...',
data
});
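The low-S normalization described in the note above, as an added example that is not part of this documentation or the library's code: it converts the DER-encoded ECDSA signature that AWS KMS returns into the raw r||s form used by JWS and folds s into the low half of the curve order. It assumes the secp256k1 curve (ES256K); the helper names are hypothetical.

```javascript
// Added example (not the library's code): turn a DER-encoded ECDSA signature, the form
// AWS KMS returns, into the raw r||s bytes used by JWS, with s normalized to the low
// half of the curve order so the signature is not malleable. Assumes ES256K
// (secp256k1); the curve order below is the real constant, the helper names are ours.
const SECP256K1_N = BigInt('0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141');
const HALF_N = SECP256K1_N / 2n;

// Big-endian unsigned integer decoding/encoding for fixed-width field elements.
function bytesToBigInt(bytes) {
  let v = 0n;
  for (const b of bytes) v = (v << 8n) | BigInt(b);
  return v;
}

function bigIntToBytes(v, length) {
  const out = new Uint8Array(length);
  for (let i = length - 1; i >= 0; i--) { out[i] = Number(v & 0xffn); v >>= 8n; }
  return out;
}

// Parse DER SEQUENCE { INTEGER r, INTEGER s }. A 64-byte signature encodes to at most
// 72 bytes, so the SEQUENCE length always fits in one byte; DER's leading 0x00 pad
// (present when the top bit of r or s is set) is harmless to bytesToBigInt.
function derToRS(der) {
  if (der[0] !== 0x30 || der[1] !== der.length - 2) throw new Error('not a DER SEQUENCE');
  let offset = 2;
  const readInt = () => {
    if (der[offset] !== 0x02) throw new Error('expected DER INTEGER');
    const len = der[offset + 1];
    const value = bytesToBigInt(der.subarray(offset + 2, offset + 2 + len));
    offset += 2 + len;
    return value;
  };
  return { r: readInt(), s: readInt() };
}

// Raw 64-byte r||s with s in the low half of the order: (r, s) and (r, n - s) are both
// valid for the same message and key, so verifiers that enforce low-S reject the latter.
function derToLowSRaw(der) {
  const { r, s } = derToRS(der);
  if (r <= 0n || r >= SECP256K1_N || s <= 0n || s >= SECP256K1_N) throw new Error('r or s out of range');
  const lowS = s > HALF_N ? SECP256K1_N - s : s;
  const out = new Uint8Array(64);
  out.set(bigIntToBytes(r, 32), 0);
  out.set(bigIntToBytes(lowS, 32), 32);
  return out;
}

// Check a verifier would apply before accepting a raw signature.
function isLowS(rawSig) {
  return bytesToBigInt(rawSig.subarray(32, 64)) <= HALF_N;
}
```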
Verifies an ECDSA signature associated with the provided data using the provided key.
The parameters for the verification operation.
A Promise resolving to a boolean indicating whether the signature is valid.
This method uses the signature algorithm determined by the alg and/or crv properties of the provided key to check the validity of a digital signature against the original data. It confirms whether the signature was created by the holder of the corresponding private key and that the data has not been tampered with.
const ecdsa = new EcdsaAlgorithm({ keyManager, kmsClient });
const publicKey = { ... }; // Public key in JWK format corresponding to the private key that signed the data
const data = new TextEncoder().encode('Message to sign'); // The data that was signed
const signature = new Uint8Array([...]); // Signature to verify
const isValid = await ecdsa.verify({
key: publicKey,
signature,
data
});
The EcdsaAlgorithm class is an implementation of the KeyGenerator and Signer interfaces for the ECDSA algorithm.