@relaycorp/keystore-vault

keystore-vault-js

Vault-based Private Key Store extension for server-side, Node.js-based applications implementing Relaynet -- For example, public endpoints.

Install

This library is available on NPM and the latest version can be installed as follows:

npm i @relaycorp/keystore-vault

Usage

Initialisation

Once you've configured Vault, you need to initialise VaultPrivateKeyStore with the following arguments:

• vaultUrl: The URL to Vault. For example, https://vault.local:8200.
• vaultToken: The auth token.
• kvPath: The path to the KV Secrets Engine. Only Version 2 of the engine is supported.

Adding an identity key

To add an identity key for your own node, use VaultPrivateKeyStore.saveNodeKey();. For example:

await keyStore.saveNodeKey(identityKeyPair.privateKey, identityCertificate);

Make sure to store the output of identityCertificate.getSerialNumber() because you'll need that identifier to retrieve the private key later.

Adding an initial session key

To add an initial session key for your own node, use VaultPrivateKeyStore.saveInitialSessionKey();. For example:

await keyStore.saveInitialSessionKey(sessionKeyPair.privateKey, sessionKeyId);

Signing a RAMF message

To sign a RAMF message, such as a parcel, retrieve the identity key and pass it to the RAMFMessage.serialize() method. For example:

const privateKey = await keyStore.fetchNodeKey(IDENTITY_KEY_ID);
const parcelSerialized = await parcel.serialize(privateKey);

Decrypting a RAMF message payload

To decrypt the payload of a RAMF message -- for example, to extract the service message from a parcel -- you should simply pass the key store instance to RAMFMessage.unwrapPayload(). For example:

const serviceMessage = await parcel.unwrapPayload(keyStore);

API documentation

The API documentation can be found on docs.relaycorp.tech.