src/crypto/key/kms-adapter.ts
Abstract base class for KMS adapters.
Each KMS adapter (DB, Vault, …) implements only the cryptographic and storage operations specific to that backend. DB queries for routing, config‐import and metadata updates live in the concrete KeyService facade — not here.
Properties
Methods
Accessors
Protected Readonly logger
Type : unknown
Default value : new Logger(this.constructor.name)
Defined in src/crypto/key/kms-adapter.ts:25
Abstract create
create(tenantId: string)
Defined in src/crypto/key/kms-adapter.ts:44
Generate a new key pair and persist it in this KMS.
Parameters :
Returns :
Promise<string>
the key ID
Abstract deleteKey
deleteKey(tenantId: string, keyId: string)
Defined in src/crypto/key/kms-adapter.ts:85
Delete a key from this KMS.
Returns :
Promise<void>
|
Abstract getKid
getKid(tenantId: string, usage?: KeyUsage)
Defined in src/crypto/key/kms-adapter.ts:56
Get the first available key ID for this tenant.
Returns :
Promise<string>
|
Abstract getPublicKey
getPublicKey(type: "jwk", tenantId: string, keyId?: string)
Defined in src/crypto/key/kms-adapter.ts:59
Get the public key in JWK format.
Returns :
Promise<JWK>
|
Abstract getPublicKey
getPublicKey(type: "pem", tenantId: string, keyId?: string)
Defined in src/crypto/key/kms-adapter.ts:65
Get the public key in PEM format.
Returns :
Promise<string>
|
Abstract getPublicKey
getPublicKey(type: "pem" | "jwk", tenantId: string, keyId?: string)
Defined in src/crypto/key/kms-adapter.ts:70
Returns :
Promise<JWK | string>
Abstract import
import(tenantId: string, body: KeyImportDto)
Defined in src/crypto/key/kms-adapter.ts:50
Import existing key material into this KMS.
Parameters :
Returns :
Promise<string>
the key ID
Abstract init
init(tenantId: string)
Defined in src/crypto/key/kms-adapter.ts:38
Initialise the KMS for a tenant (e.g. create a Vault transit mount).
Parameters :
Returns :
Promise<string>
|
Abstract signer
signer(tenantId: string, keyId?: string)
Defined in src/crypto/key/kms-adapter.ts:53
Get a signer callback for the given key.
Returns :
Promise<Signer>
|
Abstract signJWT
signJWT(payload: JWTPayload, header: JWSHeaderParameters, tenantId: string, keyId?: string)
Defined in src/crypto/key/kms-adapter.ts:77
Sign a JWT.
Parameters :
Returns :
Promise<string>
|
capabilities
get capabilities()
Defined in src/crypto/key/kms-adapter.ts:31
Capabilities of this KMS provider. Override in subclasses to restrict operations (e.g. Vault cannot import).
Returns :
KmsProviderCapabilities
import { Logger } from "@nestjs/common";
import { Signer } from "@sd-jwt/types";
import { JWK, JWSHeaderParameters, JWTPayload } from "jose";
import { KeyImportDto } from "./dto/key-import.dto";
/**
* Describes what operations a KMS provider supports.
* Returned by the providers endpoint so the UI can adapt accordingly.
*
* Each flag corresponds to one {@link KmsAdapter} operation. A `false` value
* tells the UI not to offer that operation; whether the adapter also rejects
* the call at runtime is up to the concrete adapter — confirm there.
*/
export interface KmsProviderCapabilities {
/** Whether existing key material can be imported ({@link KmsAdapter.import}). */
canImport: boolean;
/** Whether new key pairs can be generated ({@link KmsAdapter.create}). */
canCreate: boolean;
/** Whether keys can be deleted ({@link KmsAdapter.deleteKey}). */
canDelete: boolean;
}
/**
 * Abstract base class for KMS adapters.
 *
 * Each KMS adapter (DB, Vault, …) implements **only** the cryptographic and
 * storage operations specific to that backend. DB queries for routing,
 * config‐import and metadata updates live in the concrete {@link KeyService}
 * facade — not here.
 *
 * Every operation is scoped by `tenantId`. Where `keyId` is optional, which
 * key is used when it is omitted is adapter-defined — presumably the key
 * reported by {@link getKid}; confirm in the concrete adapter.
 */
export abstract class KmsAdapter {
  /** Logger named after the concrete subclass. */
  protected readonly logger = new Logger(this.constructor.name);

  /**
   * Capabilities of this KMS provider.
   *
   * The base implementation is permissive: every operation is reported as
   * supported. A subclass whose backend cannot perform an operation
   * (e.g. Vault cannot import) must override this getter, otherwise the
   * UI will offer an operation the adapter cannot fulfil.
   */
  get capabilities(): KmsProviderCapabilities {
    const permitAll: KmsProviderCapabilities = {
      canImport: true,
      canCreate: true,
      canDelete: true,
    };
    return permitAll;
  }

  // --- Key lifecycle -------------------------------------------------------

  /**
   * Initialise the KMS for a tenant (e.g. create a Vault transit mount).
   *
   * @param tenantId tenant to initialise
   */
  abstract init(tenantId: string): Promise<string>;

  /**
   * Generate a new key pair and persist it in this KMS.
   *
   * @param tenantId owning tenant
   * @returns the key ID
   */
  abstract create(tenantId: string): Promise<string>;

  /**
   * Import existing key material into this KMS.
   *
   * @param tenantId owning tenant
   * @param body key material to import
   * @returns the key ID
   */
  abstract import(tenantId: string, body: KeyImportDto): Promise<string>;

  /**
   * Delete a key from this KMS.
   *
   * @param tenantId owning tenant
   * @param keyId key to delete (required — there is no default key here)
   */
  abstract deleteKey(tenantId: string, keyId: string): Promise<void>;

  // --- Key lookup ----------------------------------------------------------

  /**
   * Get the first available key ID for this tenant.
   *
   * @param tenantId owning tenant
   * @param usage optional usage filter; ordering of "first" is adapter-defined
   */
  abstract getKid(tenantId: string, usage?: KeyUsage): Promise<string>;

  /** Get the public key in JWK format. */
  abstract getPublicKey(
    type: "jwk",
    tenantId: string,
    keyId?: string,
  ): Promise<JWK>;
  /** Get the public key in PEM format. */
  abstract getPublicKey(
    type: "pem",
    tenantId: string,
    keyId?: string,
  ): Promise<string>;
  /** Implementation signature covering both formats. */
  abstract getPublicKey(
    type: "pem" | "jwk",
    tenantId: string,
    keyId?: string,
  ): Promise<JWK | string>;

  // --- Signing -------------------------------------------------------------

  /**
   * Get a signer callback for the given key.
   *
   * @param tenantId owning tenant
   * @param keyId key to sign with; adapter-defined default when omitted
   */
  abstract signer(tenantId: string, keyId?: string): Promise<Signer>;

  /**
   * Sign a JWT.
   *
   * @param payload claims to sign
   * @param header JWS protected header parameters
   * @param tenantId owning tenant
   * @param keyId key to sign with; adapter-defined default when omitted
   * @returns the compact serialised JWT
   */
  abstract signJWT(
    payload: JWTPayload,
    header: JWSHeaderParameters,
    tenantId: string,
    keyId?: string,
  ): Promise<string>;
}