MaritalWheat/flow-google-kms.ts

## flow-google-kms.ts
import * as fcl from "@onflow/fcl"
import { KeyManagementServiceClient } from "@google-cloud/kms"
import * as crypto from "crypto"
import { fromBER, Sequence, Integer } from "asn1js"
var crc32c = require("fast-crc32c")

/////////////////////////////////////////////////////////////////////////////////////////////////
// This gist shows a quick example of using a Google Cloud managed key to sign a Flow transaction
// This would be called in a pattern similar to the below:
//
// const authorization = this.flowService.authorizeSigner()
// const transaction = [some code for constructing your transaction]
//
// return this.flowService.sendTx({
//     transaction,
//     args: [],
//       authorizations: [authorization],
//       payer: authorization,
//       proposer: authorization,
// })
/////////////////////////////////////////////////////////////////////////////////////////////////

type Transaction = {
  transaction: string
  args: any
  proposer: any
  authorizations: any
  payer: any
}

// Enter your Google Cloud configuration details here
const projectId = "your-value"
const locationId = "your-value"
const keyRingId = "your-value"
const keyId = "your-value"
const versionId = "your-value"

class FlowService {
  constructor(
    private readonly signerFlowAddress: string,
    private readonly signerAccountIndex: string | number
  ) {}

  // Create the proper authorization, utilizing a Google Cloud KMS-stored key
  authorizeSigner = () => {
    return async (account: any = {}) => {
      const user = await this.getAccount(this.signerFlowAddress)
      const key = user.keys[this.signerAccountIndex]

      let sequenceNum
      if (account.role.proposer) {
        sequenceNum = key.sequenceNumber
      }

      const signingFunction = async (data: { message: string }) => {
        const kmsSignature = await this.signAsymmetric(data.message)
        return {
          addr: user.address,
          keyId: key.index,
          signature: kmsSignature,
        }
      }

      return {
        ...account,
        tempId: user.address,
        addr: user.address,
        keyId: key.index,
        sequenceNum,
        signature: account.signature || null,
        signingFunction,
        resolve: null,
        roles: account.roles,
      }
    }
  }

  getAccount = async (addr: string) => {
    const { account } = await fcl.send([fcl.getAccount(addr)])
    return account
  }

  sendTx = async ({
    transaction,
    args,
    proposer,
    authorizations,
    payer,
  }: Transaction): Promise<any> => {
    const response = await fcl.send([
      fcl.transaction`
        ${transaction}
      `,
      fcl.args(args),
      fcl.proposer(proposer),
      fcl.authorizations(authorizations),
      fcl.payer(payer),
      fcl.limit(9999),
    ])

    return await fcl.tx(response).onceSealed()
  }

  // Where the Google KMS signing occurs
  async signAsymmetric(message: string) {
    const client = new KeyManagementServiceClient()

    const versionName = client.cryptoKeyVersionPath(
      projectId,
      locationId,
      keyRingId,
      keyId,
      versionId
    )

    // Create a digest of the message. The digest needs to match the digest
    // configured for the Google Cloud KMS key (note: this appears to be SHA2-256)
    const hash = crypto.createHash("sha256")
    hash.update(Buffer.from(message, "hex"))
    const digest = hash.digest()

    // Optional but recommended: Compute digest's CRC32C.
    const digestCrc32c = crc32c.calculate(digest)

    // Sign the message with Google Cloud KMS
    const [signResponse] = await client.asymmetricSign({
      name: versionName,
      digest: {
        sha256: digest,
      },
      digestCrc32c: {
        value: digestCrc32c,
      },
    })

    // Optional, but recommended: perform integrity verification on signResponse.
    // For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
    // https://cloud.google.com/kms/docs/data-integrity-guidelines
    if (signResponse.name !== versionName) {
      throw new Error("AsymmetricSign: request corrupted in-transit")
    }
    if (!signResponse.verifiedDigestCrc32c) {
      throw new Error("AsymmetricSign: request corrupted in-transit")
    }

    if (crc32c.calculate(signResponse.signature) !== Number(signResponse.signatureCrc32c?.value)) {
      throw new Error("AsymmetricSign: response corrupted in-transit")
    }

    // Because the signature is in a binary format, you need to encode the output before printing it to a
    // console or displaying it on a screen.
    const sig = signResponse.signature
    const encoded = Buffer.concat([sig! as Uint8Array]).toString("base64")
    console.log(`Signature: ${encoded}` + "\n")

    // Convert the binary signature output to to format Flow network expects
    const { r, s } = this.parseSignature(signResponse.signature! as Buffer)
    return Buffer.concat([r, s]).toString("hex")
  }

  toArrayBuffer(buffer: Buffer) {
    const ab = new ArrayBuffer(buffer.length)
    const view = new Uint8Array(ab)
    for (let i = 0; i < buffer.length; ++i) {
      view[i] = buffer[i]
    }
    return ab
  }

  parseSignature(buf: Buffer) {
    const { result } = fromBER(this.toArrayBuffer(buf))
    const values = (result as Sequence).valueBlock.value

    const getHex = (value: Integer) => {
      const buf = Buffer.from(value.valueBlock.valueHex)
      return buf.slice(Math.max(buf.length - 32, 0))
    }

    const r = getHex(values[0] as Integer)
    const s = getHex(values[1] as Integer)
    return { r, s }
  }
}

export { FlowService }
	import * as fcl from "@onflow/fcl"
	import { KeyManagementServiceClient } from "@google-cloud/kms"
	import * as crypto from "crypto"
	import { fromBER, Sequence, Integer } from "asn1js"
	var crc32c = require("fast-crc32c")

	/////////////////////////////////////////////////////////////////////////////////////////////////
	// This gist shows a quick example of using a Google Cloud managed key to sign a Flow transaction
	// This would be called in a pattern similar to the below:
	//
	// const authorization = this.flowService.authorizeSigner()
	// const transaction = [some code for constructing your transaction]
	//
	// return this.flowService.sendTx({
	// transaction,
	// args: [],
	// authorizations: [authorization],
	// payer: authorization,
	// proposer: authorization,
	// })
	/////////////////////////////////////////////////////////////////////////////////////////////////

	type Transaction = {
	transaction: string
	args: any
	proposer: any
	authorizations: any
	payer: any
	}

	// Enter your Google Cloud configuration details here
	const projectId = "your-value"
	const locationId = "your-value"
	const keyRingId = "your-value"
	const keyId = "your-value"
	const versionId = "your-value"

	class FlowService {
	constructor(
	private readonly signerFlowAddress: string,
	private readonly signerAccountIndex: string \| number
	) {}

	// Create the proper authorization, utilizing a Google Cloud KMS-stored key
	authorizeSigner = () => {
	return async (account: any = {}) => {
	const user = await this.getAccount(this.signerFlowAddress)
	const key = user.keys[this.signerAccountIndex]

	let sequenceNum
	if (account.role.proposer) {
	sequenceNum = key.sequenceNumber
	}

	const signingFunction = async (data: { message: string }) => {
	const kmsSignature = await this.signAsymmetric(data.message)
	return {
	addr: user.address,
	keyId: key.index,
	signature: kmsSignature,
	}
	}

	return {
	...account,
	tempId: user.address,
	addr: user.address,
	keyId: key.index,
	sequenceNum,
	signature: account.signature \|\| null,
	signingFunction,
	resolve: null,
	roles: account.roles,
	}
	}
	}

	getAccount = async (addr: string) => {
	const { account } = await fcl.send([fcl.getAccount(addr)])
	return account
	}

	sendTx = async ({
	transaction,
	args,
	proposer,
	authorizations,
	payer,
	}: Transaction): Promise<any> => {
	const response = await fcl.send([
	fcl.transaction`
	${transaction}
	`,
	fcl.args(args),
	fcl.proposer(proposer),
	fcl.authorizations(authorizations),
	fcl.payer(payer),
	fcl.limit(9999),
	])

	return await fcl.tx(response).onceSealed()
	}

	// Where the Google KMS signing occurs
	async signAsymmetric(message: string) {
	const client = new KeyManagementServiceClient()

	const versionName = client.cryptoKeyVersionPath(
	projectId,
	locationId,
	keyRingId,
	keyId,
	versionId
	)

	// Create a digest of the message. The digest needs to match the digest
	// configured for the Google Cloud KMS key (note: this appears to be SHA2-256)
	const hash = crypto.createHash("sha256")
	hash.update(Buffer.from(message, "hex"))
	const digest = hash.digest()

	// Optional but recommended: Compute digest's CRC32C.
	const digestCrc32c = crc32c.calculate(digest)

	// Sign the message with Google Cloud KMS
	const [signResponse] = await client.asymmetricSign({
	name: versionName,
	digest: {
	sha256: digest,
	},
	digestCrc32c: {
	value: digestCrc32c,
	},
	})

	// Optional, but recommended: perform integrity verification on signResponse.
	// For more details on ensuring E2E in-transit integrity to and from Cloud KMS visit:
	// https://cloud.google.com/kms/docs/data-integrity-guidelines
	if (signResponse.name !== versionName) {
	throw new Error("AsymmetricSign: request corrupted in-transit")
	}
	if (!signResponse.verifiedDigestCrc32c) {
	throw new Error("AsymmetricSign: request corrupted in-transit")
	}

	if (crc32c.calculate(signResponse.signature) !== Number(signResponse.signatureCrc32c?.value)) {
	throw new Error("AsymmetricSign: response corrupted in-transit")
	}

	// Because the signature is in a binary format, you need to encode the output before printing it to a
	// console or displaying it on a screen.
	const sig = signResponse.signature
	const encoded = Buffer.concat([sig! as Uint8Array]).toString("base64")
	console.log(`Signature: ${encoded}` + "\n")

	// Convert the binary signature output to to format Flow network expects
	const { r, s } = this.parseSignature(signResponse.signature! as Buffer)
	return Buffer.concat([r, s]).toString("hex")
	}

	toArrayBuffer(buffer: Buffer) {
	const ab = new ArrayBuffer(buffer.length)
	const view = new Uint8Array(ab)
	for (let i = 0; i < buffer.length; ++i) {
	view[i] = buffer[i]
	}
	return ab
	}

	parseSignature(buf: Buffer) {
	const { result } = fromBER(this.toArrayBuffer(buf))
	const values = (result as Sequence).valueBlock.value

	const getHex = (value: Integer) => {
	const buf = Buffer.from(value.valueBlock.valueHex)
	return buf.slice(Math.max(buf.length - 32, 0))
	}

	const r = getHex(values[0] as Integer)
	const s = getHex(values[1] as Integer)
	return { r, s }
	}
	}

	export { FlowService }