import { InfisicalSDK } from "../src";
import { EncryptionAlgorithm, KeyUsage, KmsKey } from "../src/api/types/kms";
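(async () => {
  // End-to-end example for the KMS API: authenticate, create one key per
  // algorithm, look them up by name, run an encrypt/decrypt round-trip and a
  // sign/verify round-trip, then delete everything that was created.
  // Credentials and the target project are read from the environment so that
  // nothing sensitive is hard-coded in the example.
  const client = new InfisicalSDK({
    siteUrl: "https://app.infisical.com" // Optional, defaults to https://app.infisical.com
  });

  const universalAuthClientId = process.env.UNIVERSAL_AUTH_CLIENT_ID;
  const universalAuthClientSecret = process.env.UNIVERSAL_AUTH_CLIENT_SECRET;
  const projectId = process.env.PROJECT_ID;

  if (!universalAuthClientId || !universalAuthClientSecret) {
    throw new Error("UNIVERSAL_AUTH_CLIENT_ID and UNIVERSAL_AUTH_CLIENT_SECRET must be set");
  }

  if (!projectId) {
    throw new Error("PROJECT_ID must be set");
  }

  console.log("Logging in");

  await client.auth().universalAuth.login({
    clientId: universalAuthClientId,
    clientSecret: universalAuthClientSecret
  });
  console.log("Logged in");

  console.log("Creating keys");

  // One key per usage/algorithm combination exercised below. `as const` keeps
  // the enum members as literal types so the create() payloads stay narrow.
  const keysToCreate = [
    {
      name: "test-aes-256-gcm",
      keyUsage: KeyUsage.ENCRYPTION,
      encryptionAlgorithm: EncryptionAlgorithm.AES_256_GCM
    },
    {
      name: "test-aes-128-gcm",
      keyUsage: KeyUsage.ENCRYPTION,
      encryptionAlgorithm: EncryptionAlgorithm.AES_128_GCM
    },
    {
      name: "test-ecc-nist-p256",
      keyUsage: KeyUsage.SIGNING,
      encryptionAlgorithm: EncryptionAlgorithm.ECC_NIST_P256
    },
    {
      name: "test-rsa-4096",
      keyUsage: KeyUsage.SIGNING,
      encryptionAlgorithm: EncryptionAlgorithm.RSA_4096
    }
  ] as const;

  console.log("Creating keys", keysToCreate);

  // Keys created so far. Declared outside the try block so the `finally`
  // cleanup can delete whatever was created even when a later step throws;
  // previously a failure midway left the test keys behind in the project.
  const createdKeys: KmsKey[] = [];

  try {
    // Create all the keys
    for (const key of keysToCreate) {
      const createdKey = await client.kms().keys().create({
        projectId,
        description: key.name,
        encryptionAlgorithm: key.encryptionAlgorithm,
        keyUsage: key.keyUsage,
        name: key.name
      });
      console.log("Created key", createdKey.name);
      createdKeys.push(createdKey);
    }

    // Get all the keys by name
    for (const createdKey of createdKeys) {
      const key = await client.kms().keys().getByName({
        projectId: createdKey.projectId,
        name: createdKey.name
      });

      console.log(key);
      console.log("Got key by name", key.name);
    }

    // Encrypt / decrypt data with encryption keys
    const plaintext = "test data";

    for (const createdKey of createdKeys) {
      if (createdKey.keyUsage !== KeyUsage.ENCRYPTION) {
        console.log("Skipping key for encryption mode:", createdKey.name);
        continue;
      }

      // The API takes and returns base64-encoded payloads.
      const encryptedData = await client
        .kms()
        .encryption()
        .encrypt({
          keyId: createdKey.id,
          plaintext: Buffer.from(plaintext).toString("base64")
        });

      const decryptedData = await client.kms().encryption().decrypt({
        keyId: createdKey.id,
        ciphertext: encryptedData
      });

      const decoded = Buffer.from(decryptedData, "base64").toString("utf-8");

      console.log("Encrypted data:", {
        raw: encryptedData
      });
      console.log("Decrypted data:", {
        raw: decryptedData,
        decoded
      });

      // The round-trip must reproduce the original plaintext; without this
      // check a wrong result would only be visible by reading the log output.
      if (decoded !== plaintext) {
        throw new Error(`Decrypted data for key ${createdKey.name} does not match the plaintext`);
      }
    }

    // Sign / verify data with signing keys
    for (const createdKey of createdKeys) {
      if (createdKey.keyUsage !== KeyUsage.SIGNING) {
        console.log("Skipping key for signing mode:", createdKey.name);
        continue;
      }

      const testData = Buffer.from("some test data to sign").toString("base64");

      const publicKey = await client.kms().signing().getPublicKey({
        keyId: createdKey.id
      });
      console.log(`Public key for key ${createdKey.name}:`, publicKey);

      const signingAlgorithms = await client.kms().signing().listSigningAlgorithms({
        keyId: createdKey.id
      });

      console.log(`Signing algorithms for key ${createdKey.name}:`, signingAlgorithms);

      // Exercise every algorithm the server reports as supported for this key.
      for (const signingAlgorithm of signingAlgorithms) {
        const signedData = await client.kms().signing().sign({
          keyId: createdKey.id,
          data: testData,
          signingAlgorithm
        });

        console.log("Signed data:", signedData);

        const verifiedData = await client.kms().signing().verify({
          keyId: createdKey.id,
          data: testData,
          signature: signedData.signature,
          signingAlgorithm
        });
        console.log("Verified data:", verifiedData);
      }
    }
  } finally {
    // Delete all the keys, on success and on failure alike, so test keys do
    // not accumulate in the project. A failed delete is reported but does not
    // stop the remaining keys from being cleaned up.
    for (const createdKey of createdKeys) {
      try {
        await client.kms().keys().delete({
          keyId: createdKey.id
        });
        console.log("Deleted key", createdKey.name);
      } catch (e: unknown) {
        console.error("Failed to delete key", createdKey.name, e);
        process.exitCode = 1;
      }
    }
  }
})().catch((e: unknown) => {
  // Surface failures explicitly instead of relying on the unhandled-rejection
  // behaviour of the Node version in use; the exit code is what CI checks.
  console.error(e);
  process.exitCode = 1;
});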