Class AwsKeyManager

  • All Implemented Interfaces:
    web5.sdk.crypto.KeyManager

    
    public final class AwsKeyManager
     implements KeyManager
                        

A KeyManager that uses AWS KMS for remote storage of keys and for signing operations; the private key is generated inside KMS and never leaves it. The caller is expected to provide connection details for the AWSKMS client as per Configure the AWS CLI.

    Key aliases are generated from the key's Jwk thumbprint, and stored in AWS KMS. e.g. alias/6uNnyj7xZUgtKTEOFV2mz0f7Hd3cxIH1o5VXsOo4u1M

AwsKeyManager supports a limited set of ECDSA algorithms (curves) for signing:

    • JWSAlgorithm.ES256K

    • Method Summary

      Modifier and Type Method Description
      String generatePrivateKey(AlgorithmId algorithmId, KeyGenOptions options) Generates and securely stores a private key based on the provided algorithm and options, returning a unique alias that can be utilized to reference the generated key for future operations.
      Jwk getPublicKey(String keyAlias) Retrieves the public key associated with a previously stored private key, identified by the provided alias.
      ByteArray sign(String keyAlias, ByteArray signingInput) Signs the provided payload using the private key identified by the provided alias.
      String getDeterministicAlias(Jwk publicKey) Returns the alias for publicKey, which is the same alias originally returned by generatePrivateKey, since the alias is derived deterministically from the key's Jwk thumbprint.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Constructor Detail

      • AwsKeyManager

        AwsKeyManager(AWSKMS kmsClient)
      • AwsKeyManager

        AwsKeyManager()
    • Method Detail

      • generatePrivateKey

         String generatePrivateKey(AlgorithmId algorithmId, KeyGenOptions options)

        Generates and securely stores a private key based on the provided algorithm and options, returning a unique alias that can be utilized to reference the generated key for future operations.

        Parameters:
        algorithmId - The algorithmId to use for key generation.
        options - (Optional) Additional options to control key generation behavior.
        Returns:

        A unique alias (String) that can be used to reference the stored key.

      • getPublicKey

         Jwk getPublicKey(String keyAlias)

        Retrieves the public key associated with a previously stored private key, identified by the provided alias.

        Parameters:
        keyAlias - The alias referencing the stored private key.
        Returns:

        The associated public key in Jwk (JSON Web Key) format.

      • sign

         ByteArray sign(String keyAlias, ByteArray signingInput)

        Signs the provided payload using the private key identified by the provided alias.

        Parameters:
        keyAlias - The alias referencing the stored private key.
        signingInput - The data to be signed.
        Returns:

        The signature in JWS R+S format (the fixed-width r and s values concatenated, as RFC 7518 requires for the ES algorithms, not ASN.1 DER).
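The alias derivation described in the class description and the R+S signature format returned by sign, as an added Python illustration that is not part of the web5 SDK: it computes the RFC 7638 JWK thumbprint that the KMS alias is built from, and converts the ASN.1 DER-encoded ECDSA signature that the AWS KMS Sign API returns into the 64-byte R||S form that JWS ES256K expects (and back, for handing a JWS signature to a DER-based verifier). The sample JWK is constructed for the example (its coordinates are not a real curve point) and the function names are assumptions, not the SDK's API.

```python
"""Added illustration of two behaviours documented for AwsKeyManager.

(1) The deterministic alias: "alias/" + RFC 7638 JWK thumbprint of the public key.
(2) DER <-> R||S conversion between what AWS KMS Sign returns and the JWS format.
Not the web5 SDK's own code; the sample JWK below is constructed for the example.
"""
import base64
import hashlib
import json

# Constructed sample key: valid JWK shape, but x/y are not a real secp256k1 point.
SAMPLE_JWK = {
    "kid": "ignored-by-thumbprint",
    "alg": "ES256K",
    "kty": "EC",
    "crv": "secp256k1",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
}

# RFC 7638 section 3.2: the required members per key type, nothing else.
_REQUIRED_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
    "RSA": ("e", "kty", "n"),
}


def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWK values and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk_members(jwk: dict) -> str:
    """Required members only, lexicographically ordered, no whitespace.

    Optional members such as kid/alg/use must not change the thumbprint, so
    two JWKs for the same key always canonicalise to the same string.
    """
    members = {name: jwk[name] for name in _REQUIRED_MEMBERS[jwk["kty"]]}
    return json.dumps(members, separators=(",", ":"), sort_keys=True)


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: base64url(SHA-256(canonical members))."""
    digest = hashlib.sha256(canonical_jwk_members(jwk).encode("utf-8")).digest()
    return b64url(digest)


def kms_alias_for(jwk: dict) -> str:
    """Alias in the shape shown in the class description: alias/<thumbprint>."""
    return "alias/" + jwk_thumbprint(jwk)


def der_to_raw(der: bytes, coord_len: int = 32) -> bytes:
    """Parse SEQUENCE { INTEGER r, INTEGER s } into fixed-width r||s.

    Single-byte DER lengths are sufficient: a 256-bit-curve signature is at
    most 72 bytes. Sign-padding zeros are stripped, then each value is
    left-padded back to coord_len so the result is always 2*coord_len bytes.
    """
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a DER ECDSA signature")
    pos, parts = 2, []
    for _ in range(2):
        if pos + 2 > len(der) or der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = der[pos + 1]
        value = der[pos + 2 : pos + 2 + n]
        if len(value) != n:
            raise ValueError("truncated INTEGER")
        pos += 2 + n
        value = value.lstrip(b"\x00")
        if len(value) > coord_len:
            raise ValueError("integer too large for the curve")
        parts.append(value.rjust(coord_len, b"\x00"))
    if pos != len(der):
        raise ValueError("trailing bytes after signature")
    return b"".join(parts)


def _der_int(value: bytes) -> bytes:
    """Encode a big-endian unsigned integer as a minimal DER INTEGER."""
    value = value.lstrip(b"\x00") or b"\x00"
    if value[0] & 0x80:          # keep it positive: prepend a sign byte
        value = b"\x00" + value
    return b"\x02" + bytes([len(value)]) + value


def raw_to_der(raw: bytes) -> bytes:
    """Inverse of der_to_raw: r||s -> DER, for verifiers that expect DER."""
    if len(raw) % 2:
        raise ValueError("r||s must have even length")
    half = len(raw) // 2
    body = _der_int(raw[:half]) + _der_int(raw[half:])
    return b"\x30" + bytes([len(body)]) + body


if __name__ == "__main__":
    print(kms_alias_for(SAMPLE_JWK))
```

Because the alias is a pure function of the public key, any party holding the Jwk can recompute it, which is why getDeterministicAlias needs no lookup table; the caller's AWS identity still needs the KMS permissions for the operations it actually performs, and nothing in this conversion touches private key material.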