bedrock-ssm-mongodb

Usage

This API is designed to be accessed using the bedrock-package-manager API.

const brPackageManager = require('bedrock-package-manager');

// require this module in the application
// it registers itself with bedrock-package-manager
require('bedrock-ssm-mongodb');

// use the API
exports.callMethod = async ({method, options, plugin}) => {
  // the alias for bedrock-ssm-mongodb is 'ssm-v1'
  // the type for bedrock-ssm-mongodb is 'webkms-module'
  const {packageName} = brPackageManager.get(
    {alias: plugin, type: 'webkms-module'});
  const store = require(packageName);

  const result = await store[method](options);

  return result;
};

API Reference

bedrock-ssm-mongodb

• bedrock-ssm-mongodb
  • .generateKey(options) ⇒ Promise.<object>
  • .wrapKey(options) ⇒ Promise.<object>
  • .unwrapKey(options) ⇒ Promise.<object>
  • .sign(options) ⇒ Promise.<object>
  • .verify(options) ⇒ Promise.<object>
  • .deriveSecret(options) ⇒ Promise.<object>

bedrock-ssm-mongodb.generateKey(options) ⇒ Promise.<object>

Generates a new key.

Kind: static method of bedrock-ssm-mongodb
Returns: Promise.<object> - Key information.

bedrock-ssm-mongodb.wrapKey(options) ⇒ Promise.<object>

Wraps a cryptographic key using a key encryption key (KEK).

Kind: static method of bedrock-ssm-mongodb
Returns: Promise.<object> - An object containing {wrappedKey}.

bedrock-ssm-mongodb.unwrapKey(options) ⇒ Promise.<object>

Unwraps a cryptographic key using a key encryption key (KEK).

Kind: static method of bedrock-ssm-mongodb
Returns: Promise.<object> - An object containing {unwrappedKey}.

bedrock-ssm-mongodb.sign(options) ⇒ Promise.<object>

Signs some data. Note that the data will be sent to the server, so if this data is intended to be secret it should be hashed first. However, hashing the data first may present interoperability issues so choose wisely.

Kind: static method of bedrock-ssm-mongodb
Returns: Promise.<object> - An object containing {signatureValue}.

bedrock-ssm-mongodb.verify(options) ⇒ Promise.<object>

Verifies some data. Note that the data will be sent to the server, so if this data is intended to be secret it should be hashed first. However, hashing the data first may present interoperability issues so choose wisely.

Kind: static method of bedrock-ssm-mongodb
Returns: Promise.<object> - An object containing {verified}.

bedrock-ssm-mongodb.deriveSecret(options) ⇒ Promise.<object>

Derives a shared secret via the given peer public key, typically for use as one parameter for computing a shared key. It should not be used as a shared key itself, but rather input into a key derivation function (KDF) to produce a shared key.

Kind: static method of bedrock-ssm-mongodb
Returns: Promise.<object> - An object containing {secret}.

bedrock-ssm-mongodb ChangeLog

7.2.0 - 2022-03-29

Changed

• Update peer deps:
  • `bedrock@4.5`
  • `bedrock-mongodb@8.5`
  • `bedrock-package-manager@1.2`.
• Update internals to use esm style and use esm.js to transpile to CommonJS.

7.1.0 - 2022-01-14

Added

• Support setting maxCapabilityChainLength during key generation.

7.0.1 - 2022-01-11

Fixed

• Fix webkms context dependency.
• Update peer deps.

7.0.0 - 2022-01-11

Changed

• BREAKING: Override id in public key description if publicAlias is set on key.
• BREAKING: Allow a public alias to be set on a key. During generateKey(), a publicAlias or a publicAliasTemplate may be passed to create a key. If not provided, then a future update to this module may allow a publicAlias or publicAliasTemplate to be be provided via an UpdateKeyOperation that includes a publicAlias or publicAliasTemplate value for the key.
• BREAKING: Require controller to be passed when generating a key or getting a key description.
• BREAKING: Return {keyId, keyDescription} from generateKey.

6.1.0 - 2021-12-14

Changed

• Expose helper functions in order to properly test them.

6.0.2 - 2021-09-01

Fixed

• Strip multicodec header from webkms local ID. Previous 6.x versions were broken and this fixes that bug.

6.0.1 - 2021-08-18

Fixed

• Ensure @context is present on key agreement public keys.

6.0.0 - 2021-07-22

Added

• Add getKeyDescription API.
• Add getKeyCount API.

Changed

• BREAKING: Store @context with keys.
• BREAKING: Key records are indexed by both keystore ID and local ID with the format: keyId == <keystoreId>/<localId>. Databases must be dropped to upgrade to the new format.

5.0.0 - 2021-04-26

Changed

• BREAKING: Use webkms-context url instead of security context v2.
• BREAKING: Replace X25519KeyAgreementKey2019 with X25519KeyAgreementKey2020 suite for key agreement operations.
• BREAKING: Replace the local derived secret (based on scalarMult) with the X25519KeyAgreementKey2020 key pair's own deriveSecret().
• Use aes-key-wrapping-2019-context@1.0.3.
• Use sha256-hmac-key-2019-context@1.0.3.

  4.0.0 - 2021-04-08

Changed

• BREAKING: Remove support for node 10.

Added

• Add Ed25519VerificationKey2020 to asymmetric key types.

3.2.1 - 2020-09-25

Fixed

• Add and apply max age for cache for key records. Without this fix the cache can hold key records indefinitely even when they are changed by other processes.

3.2.0 - 2020-09-22

Added

• Add cache for key records.

3.1.0 - 2020-07-07

Changed

• Update peer deps, test deps and CI workflow.

Fixed

• Fix usage of the MongoDB projection API.

3.0.0 - 2020-06-09

Changed

• BREAKING: Upgrade to bedrock-mongodb ^7.0.0.
• Changed api calls from insert to insertOne.
• Update test dependencies to `bedrock-mongodb: ^7.0.0.

2.0.1 - 2020-01-22

Fixed

• Fix semver tag in package file for bedrock module.

2.0.0 - 2019-12-20

Changed

• BREAKING: Update for use with webkms-switch v1.

Added

• Add support for key agreement keys (e.g., X25519KeyAgreementKey).

1.0.0 - 2019-04-16

• See git history for changes.