Project: certificate-usage · Branch: FHIR-1996_track-ecc-rsa-certificate-usage · Mode: · Model: claude-sonnet-4-5-20250929
Stats: 1 user message, 29 tool calls, tools used: Read, Glob, Grep, Bash.
Conversation
Turn 1 — User
Based on the exploration results, design a detailed implementation plan to simplify certificate tracking by logging the raw JWA string instead of mapping it.
Context from Exploration
Current Flow:
CertificateAnalyzer.analyzeCertificate(cert)
→ JWSUtils.deriveJWAFromCertificate(cert) → returns "RS256", "ES256", "BP256R1", etc.
→ JWAMapper.mapJWAToCertificateInfo(jwa) → returns {certificateType: 'ECC'|'RSA', curveName?: string}
→ trackCertificateType logs to Datadog: {certificateType, curveName, tiEnvironment}
Proposed Simplification:
CertificateAnalyzer.analyzeCertificate(cert)
→ JWSUtils.deriveJWAFromCertificate(cert) → returns "RS256", "ES256", "BP256R1", etc.
→ trackCertificateType logs to Datadog: {jwa: "BP256R1", tiEnvironment}
Critical Files to Modify
- adapter.ts (line 167): Change CertificateAnalyzer to return JWA string
- ti-connect.ts (lines 104-137): Update trackCertificateType to log JWA instead of certificateType/curveName
- ti-connect.test.ts: Update mocks and assertions to expect JWA strings
- Remove entirely: jwaMapper.ts and jwaMapper.test.ts
- index.ts: Remove JWAMapper export
Requirements
- CertificateAnalyzer.analyzeCertificate should return Promise<string> (the JWA string) instead of Promise<CertificateInfo>
- Datadog tracking should log the raw JWA string (e.g., "BP256R1", "RS256") instead of parsed certificateType/curveName
- All tests must be updated to reflect the new behavior
- JWAMapper class and CertificateInfo type should be completely removed
- No breaking changes to external consumers (only ti-connect.ts uses this)
Design Considerations
- Precision: JWA strings like "BP256R1" already encode both the algorithm type and curve, making the mapping unnecessary
- Simplicity: Remove one layer of abstraction
- Observability: Datadog will receive standardized JWA strings (RFC 7518) instead of custom certificateType/curveName format
Please design:
1. Detailed step-by-step changes for each file
2. How to update the test expectations
3. Verification steps to ensure nothing breaks
4. Consider if there are any edge cases (error handling, 'none' algorithm, etc.)
Turn 1 — Assistant
I'll analyze the codebase to understand the current implementation and design a detailed plan for simplifying the certificate tracking.
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/main/services/ti-connect/adapter.ts
Tool results:
→ result (ERROR): <tool_use_error>File does not exist.</tool_use_error>
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/main/services/ti-connect/ti-connect.ts
Tool results:
→ result (ERROR): <tool_use_error>Sibling tool call errored</tool_use_error>
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/main/services/ti-connect/utils/jwaMapper.ts
Tool results:
→ result (ERROR): <tool_use_error>Sibling tool call errored</tool_use_error>
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/main/services/ti-connect/utils/JWSUtils.ts
Tool results:
→ result (ERROR): <tool_use_error>Sibling tool call errored</tool_use_error>
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/main/services/ti-connect/index.ts
Tool results:
→ result (ERROR): <tool_use_error>Sibling tool call errored</tool_use_error>
Let me search for the correct file paths.
Tools used:
Glob:**/adapter.ts
Tools used:
Glob:**/ti-connect.ts
Tools used:
Glob:**/jwaMapper.ts
Tool results:
→ result (ok): /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/crypto-adapter/adapter.ts
Tool results:
→ result (ok): /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/kbv-ti-connect/main/ti-connect.ts
Tools used:
Glob:**/JWSUtils.ts
Tool results:
→ result (ok): /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/utils/jwaMapper.ts
Tool results:
→ result (ok): /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/node/jose/JWSUtils.ts
Now let me read the relevant files.
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/crypto-adapter/adapter.ts
Tool results:
→ result (ok): 1→import { X509Certificate } from 'node:crypto' 2→import { JWE, JWS as NodeJWS } from '@doctolib/node-jose' 3→import { IOptions } from 'soap' 4→ 5→import { CryptoEngine } from '@module/gematik-crypto/services/crypto-adapter/crypto-engine' 6→import { CustomSoapClientOptions } from '@module/gematik-crypto/services/node/tls/customSoapClientOptions' 7→import { HttpsFetch as DoctoCryptHttpsFetch } from '@module/gematik-crypto/services/docto-crypt/tls/httpsFetch' 8→i …(truncated, 7958 more chars)
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/kbv-ti-connect/main/ti-connect.ts
Tool results:
→ result (ok): 1→import { ipcManager } from '@core/ipc-manager' 2→import { sendPreferences } from '@core/app/main/helpers/preferences-helper' 3→import { TrackingEvent } from '@core/monitoring' 4→ 5→import { CertificateAnalyzer } from '@module/gematik-crypto' 6→import { TiEnvRepository } from '@module/gematik-ti-environment/services/tiEnvRepository' 7→import { kbvTiConnectLogger } from '@module/kbv-ti-connect/services/logger' 8→import tiConnect from '@module/kbv-ti-connect/ser …(truncated, 9718 more chars)
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/utils/jwaMapper.ts
Tool results:
→ result (ok): 1→/ 2→ * Maps JWA (JSON Web Algorithm) strings to certificate tracking format 3→ * Used to convert JWSUtils output to Datadog tracking events 4→ */ 5→/ 6→ * Certificate information extracted from JWA algorithm 7→ * @property certificateType - The type of certificate: ECC (Elliptic Curve Cryptography) or RSA 8→ * @property curveName - The elliptic curve name (e.g., 'brainpoolP256r1', 'P-256'). 9→ * Only present for ECC certificates …(truncated, 2162 more chars)
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/node/jose/JWSUtils.ts
Tool results:
→ result (ok): 1→import { Certificate } from 'pkijs' 2→import * as Asn1 from 'asn1js' 3→ 4→enum JWAlgorithms { 5→ HMAC = 'HS', // There is no MAC expected, so keeping here for the compatibility 6→ 'RSASSA-PKCS1-v1_5' = 'RS', 7→ ECDSA = 'ES', 8→ 'RSASSA-PSS' = 'PS', 9→} 10→ 11→type JWSAlgorithms = 'HMAC' | 'RSASSA-PKCS1-v1_5' | 'ECDSA' | 'RSASSA-PSS' 12→export class JWSUtils { 13→ static concatenateECDSASignature(signature: string, outputLength: numbe …(truncated, 5381 more chars)
Now let me find and read the test files.
Tools used:
Glob:**/ti-connect.test.ts
Tools used:
Glob:**/jwaMapper.test.ts
Tool results:
→ result (ok): /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/kbv-ti-connect/main/tests/ti-connect.test.ts /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/kbv-ti-connect/services/tests/ti-connect.test.ts
Tools used:
Glob:**/adapter.test.ts
Tool results:
→ result (ok): /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/utils/tests/jwaMapper.test.ts
Tool results:
→ result (ok): /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/crypto-adapter/tests_electron/adapter.test.ts
Tools used:
Glob:**/index.ts in /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto
Tool results:
→ result (ok): /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/index.ts /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/crypto-adapter/index.ts /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/docto-crypt/index.ts /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/docto-crypt/jwa/ind …(truncated, 1190 more chars)
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/kbv-ti-connect/main/__tests__/ti-connect.test.ts
Tool results:
→ result (ok): 1→import { Mock } from 'vitest' 2→ 3→import { ipcManager } from '@core/ipc-manager' 4→import { sendPreferences } from '@core/app/main/helpers/preferences-helper' 5→import { sendCustomTrackingEventToObservability, TrackingEvent } from '@core/monitoring' 6→ 7→import { CertificateAnalyzer } from '@module/gematik-crypto' 8→import { TiEnvRepository } from '@module/gematik-ti-environment/services/tiEnvRepository' 9→import { TiEnvValueSet } from '@module/gematik- …(truncated, 31686 more chars)
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/utils/__tests__/jwaMapper.test.ts
Tool results:
→ result (ok): 1→import { describe, expect, it } from 'vitest' 2→ 3→import { JWAMapper } from '../jwaMapper' 4→ 5→describe('JWAMapper', () => { 6→ describe('.mapJWAToCertificateInfo', () => { 7→ it('identifies RSA algorithms (RS family)', () => { 8→ expect(JWAMapper.mapJWAToCertificateInfo('RS256')).toEqual({ 9→ certificateType: 'RSA', 10→ }) 11→ expect(JWAMapper.mapJWAToCertificateInfo('RS384')).toEqual({ 12→ certificateType: …(truncated, 2173 more chars)
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/crypto-adapter/__tests_electron__/adapter.test.ts
Tool results:
→ result (ok): 1→import { isJavaAvailable } from '@module/gematik-crypto/test-utils' 2→import { DoctoCryptExecutor } from '@module/gematik-crypto' 3→ 4→import { JWA, JWKKeyStore } from '../adapter' 5→ 6→// Mock CryptoEngine.isDoctoCrypt() function 7→const mockIsDoctoCrypt = vi.hoisted(() => vi.fn(() => false)) 8→vi.mock('../crypto-engine', () => ({ 9→ CryptoEngine: { 10→ isDoctoCrypt: mockIsDoctoCrypt, 11→ }, 12→ CryptoEngineType: { 13→ Electron: …(truncated, 3847 more chars)
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/index.ts
Tool results:
→ result (ok): 1→export { DoctoCryptExecutor } from './services/docto-crypt' 2→ 3→export * from './services/crypto-adapter' 4→export { Pkcs12Adapter as Pkcs12 } from '@module/gematik-crypto/services/crypto-adapter/pkcs12Adapter' 5→export { KeystoreFile, type DialogOptionProperties } from '@module/gematik-crypto/services/node/keystore/keystoreFile' 6→export { 7→ LdapAdapter as LdapClient, 8→ type SearchOptions, 9→} from '@module/gematik-crypto/services/crypto-adapter/ld …(truncated, 528 more chars)
Now let me check if there are any other consumers of CertificateAnalyzer or JWAMapper.
Tools used:
Grep:CertificateAnalyzer
Tools used:
Grep:JWAMapper
Tool results:
→ result (ok): Found 3 files src/modules/kbv-ti-connect/main/ti-connect.ts src/modules/kbv-ti-connect/main/tests/ti-connect.test.ts src/modules/gematik-crypto/services/crypto-adapter/adapter.ts
Tools used:
Grep:CertificateInfo
Tool results:
→ result (ok): Found 4 files src/modules/gematik-crypto/services/utils/tests/jwaMapper.test.ts src/modules/gematik-crypto/services/utils/jwaMapper.ts src/modules/gematik-crypto/services/crypto-adapter/adapter.ts src/modules/gematik-crypto/index.ts
Tool results:
→ result (ok): Found 7 files src/modules/gematik-crypto/services/utils/tests/jwaMapper.test.ts src/modules/gematik-crypto/services/utils/jwaMapper.ts src/modules/kbv-ti-connect/main/tests/ti-connect.test.ts src/modules/gematik-crypto/services/crypto-adapter/adapter.ts src/modules/gematik-crypto/index.ts src/core/network/services/network-environment-diagnostic.ts src/core/network/main/debug-menu/helpers/electron-helpers.ts
Let me check those other usages to ensure we're not breaking anything.
Tools used:
Grep:CertificateInfo in /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/core/network
Tool results:
→ result (ok): src/core/network/services/network-environment-diagnostic.ts:305:export interface CertificateInfo { src/core/network/services/network-environment-diagnostic.ts:313:export function formatTlsCheckResults(cert: CertificateInfo | null | undefined): string[] { src/core/network/main/debug-menu/helpers/electron-helpers.ts:7:import { CertificateInfo } from '../../../services/network-environment-diagnostic' src/core/network/main/debug-menu/helpers/electron-helpers.ts:12: getPeerCertificate?: () => Certif …(truncated, 162 more chars)
Good, the CertificateInfo in the network module is unrelated. Now let me check the export from the crypto-adapter to understand the full picture.
Tools used:
Read:/Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/crypto-adapter/index.ts
Tool results:
→ result (ok): 1→export * from './adapter' 2→export { CryptoEngine, CryptoEngineType } from './crypto-engine' 3→// Re-export all types 4→export type { 5→ EccJwk, 6→ EccCertificate, 7→ EncryptionKey, 8→ PublicEncryptionJWK, 9→ PublicEncryptionKey, 10→ PrivateEncryptionJWK, 11→ PrivateEncryptionKey, 12→ X509Serialization, 13→ KeyPairResult, 14→} from '../node/jose/types' 15→export type * from '../docto-crypt/types' 16→export { TLSServic …(truncated, 376 more chars)
Perfect. Now let me look at the recent git commits to understand the context better.
Tools used:
Bash:git log --oneline -15 /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage
Tool results:
→ result (ok): 5e9eb7ad9 refactor(FHIR-1996): Fix PR review issues for safe error handling and RSA certificate mapping 8c23f5c41 Merge branch 'master' of https://github.com/doctolib/doctolib-pro-desktop into FHIR-1996_track-ecc-rsa-certificate-usage bb10862aa refactor(FHIR-1996): Remove unused TiCertificateConfigured tracking event 78da4fa09 refactor(FHIR-1996): Fix import consistency and enhance test coverage e7aa76c8a feat(DITTO-4078): logging with lazy initialization and error aggregation (#6980) 9e54598a3 …(truncated, 853 more chars)
Now let me check the diff to see what changed in the recent commits.
Tools used:
Bash:git diff 9e54598a3..HEAD /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/utils/jwaMapper.ts
Tool results:
→ result (ok): diff --git a/src/modules/gematik-crypto/services/utils/jwaMapper.ts b/src/modules/gematik-crypto/services/utils/jwaMapper.ts index 0bde4f257..65cea1fe8 100644 --- a/src/modules/gematik-crypto/services/utils/jwaMapper.ts +++ b/src/modules/gematik-crypto/services/utils/jwaMapper.ts @@ -2,6 +2,12 @@ * Maps JWA (JSON Web Algorithm) strings to certificate tracking format * Used to convert JWSUtils output to Datadog tracking events / +/* + * Certificate information extracted from JWA algorithm …(truncated, 822 more chars)
Tools used:
Bash:git show 9e54598a3 --stat
Tool results:
→ result (ok): commit 9e54598a3aff90c750039ccbc1911ccb03424a5d Author: Clerton Araujo <<REDACTED>> Date: Wed Feb 4 09:23:13 2026 +0100
refactor(FHIR-1996): Consolidate certificate tracking into unified observability pattern
- Replace inline trackCertificateEvent with tiConnectEventObservability for consistency
- Extract certificate tracking to separate trackCertificateType() function for better code organization
- Change operation from 'certificateConfigured' to valid 'read' operation t
…(truncated, 571 more chars)
Perfect! Now I have a complete understanding of the codebase. Let me design the detailed implementation plan.
Detailed Implementation Plan: Simplify Certificate Tracking by Logging Raw JWA String
Overview
The current implementation adds unnecessary complexity by mapping JWA strings (like "BP256R1", "RS256") to a custom CertificateInfo structure with certificateType and curveName fields. This refactoring will simplify the flow by logging the raw JWA string directly to Datadog, eliminating the mapping layer entirely.
Current Architecture Analysis
Data Flow:
1. Certificate (base64) → JWSUtils.deriveJWAFromCertificate() → JWA string (e.g., "BP256R1")
2. JWA string → JWAMapper.mapJWAToCertificateInfo() → {certificateType: 'ECC', curveName: 'brainpoolP256r1'}
3. CertificateInfo → Datadog logging with separate certificateType and curveName fields
Files Involved:
- /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/crypto-adapter/adapter.ts (lines 156-171)
- /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/kbv-ti-connect/main/ti-connect.ts (lines 104-137)
- /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/utils/jwaMapper.ts (entire file - to be deleted)
- /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/index.ts (line 10)
Test Files:
- /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/kbv-ti-connect/main/__tests__/ti-connect.test.ts
- /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/utils/__tests__/jwaMapper.test.ts (to be deleted)
Step-by-Step Implementation
Phase 1: Modify CertificateAnalyzer (adapter.ts)
File: /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/gematik-crypto/services/crypto-adapter/adapter.ts
Changes Required (lines 156-171):
1. Remove JWAMapper import (line 26):
```typescript
// BEFORE:
import { JWAMapper, type CertificateInfo as CertificateInfoType } from '../utils/jwaMapper'

// AFTER:
// Remove this entire line
```
2. Simplify CertificateAnalyzer class (lines 156-171):
```typescript
// BEFORE:
export class CertificateAnalyzer {
  /**
   * Analyzes a certificate to extract type (ECC/RSA) and curve information
   * Used for tracking certificate usage in Datadog
   *
   * This combines JWA derivation (from JWSUtils) and mapping to certificate info.
   * Certificate parsing uses pkijs (pure JavaScript) and is independent of crypto engine.
   *
   * @param certificate - Base64-encoded certificate (without PEM headers)
   * @returns Certificate information with type and optional curve name
   */
  static async analyzeCertificate(certificate: string): Promise<CertificateInfoType> {
    const jwa = await JWSUtils.deriveJWAFromCertificate(certificate)
    return JWAMapper.mapJWAToCertificateInfo(jwa)
  }
}

// AFTER:
export class CertificateAnalyzer {
  /**
   * Analyzes a certificate to derive the JWA (JSON Web Algorithm) identifier
   * Used for tracking certificate usage in Datadog
   *
   * Certificate parsing uses pkijs (pure JavaScript) and is independent of crypto engine.
   * Returns standard JWA identifiers as defined in RFC 7518:
   * - RSA algorithms: "RS256", "RS384", "RS512", "PS256", "PS384", "PS512"
   * - ECC NIST curves: "ES256" (P-256), "ES384" (P-384), "ES512" (P-521)
   * - ECC Brainpool: "BP256R1" (brainpoolP256r1)
   * - No signature: "none"
   *
   * @param certificate - Base64-encoded certificate (without PEM headers)
   * @returns JWA algorithm identifier string
   */
  static async analyzeCertificate(certificate: string): Promise<string> {
    return JWSUtils.deriveJWAFromCertificate(certificate)
  }
}
```
Rationale:
- Simplifies the method by removing the mapping step
- Return type changes from Promise<CertificateInfoType> to Promise<string>
- Documentation updated to reflect that we return standard JWA strings
- The JWSUtils call already handles all edge cases including "none" algorithm
Phase 2: Update Certificate Tracking in ti-connect.ts
File: /Users/USER/workspace/doctolib/FHIR-1996_track-ecc-rsa-certificate-usage/src/modules/kbv-ti-connect/main/ti-connect.ts
Changes Required (lines 100-137):
```typescript
// BEFORE (lines 100-137):
/**
 * Track certificate type for Datadog observability (best effort - don't throw errors)
 * Analyzes the certificate to extract type (ECC/RSA) and curve information
 */
async function trackCertificateType(cert: string, traceId: string): Promise<void> {
  try {
    const certificateInfo = await CertificateAnalyzer.analyzeCertificate(cert)
    const tiEnvironment = TiEnvRepository.tiEnvValue || 'UNKNOWN'
    tiConnectEventObservability.send({
      traceId,
      functionName: 'onTiConnectDecryptKeyStoreListener',
      operation: 'read',
      direction: 'output',
      data: JSON.stringify({
        certificateType: certificateInfo.certificateType,
        curveName: certificateInfo.curveName,
        tiEnvironment: tiEnvironment,
      }),
    })
  } catch (error) {
    // Track error but don't throw - this is observability only
    const tiEnvironment = TiEnvRepository.tiEnvValue || 'UNKNOWN'
    tiConnectEventObservability.send({
      traceId,
      functionName: 'onTiConnectDecryptKeyStoreListener',
      operation: 'read',
      direction: 'output',
      data: JSON.stringify({
        tiEnvironment: tiEnvironment,
        error: true,
        errorMessage: error instanceof Error ? error.message : String(error),
        errorName: error instanceof Error ? error.name : 'UnknownError',
      }),
    })
  }
}
```

```typescript
// AFTER (lines 100-137):
/**
 * Track certificate JWA algorithm for Datadog observability (best effort - don't throw errors)
 * Analyzes the certificate to extract the JWA (JSON Web Algorithm) identifier
 *
 * JWA strings are defined in RFC 7518 and include:
 * - RSA: "RS256", "RS384", "RS512", "PS256", etc.
 * - ECC: "ES256", "ES384", "ES512", "BP256R1"
 * - No signature: "none"
 */
async function trackCertificateType(cert: string, traceId: string): Promise<void> {
  try {
    const jwa = await CertificateAnalyzer.analyzeCertificate(cert)
    const tiEnvironment = TiEnvRepository.tiEnvValue || 'UNKNOWN'
    tiConnectEventObservability.send({
      traceId,
      functionName: 'onTiConnectDecryptKeyStoreListener',
      operation: 'read',
      direction: 'output',
      data: JSON.stringify({
        jwa,
        tiEnvironment,
      }),
    })
  } catch (error) {
    // Track error but don't throw - this is observability only
    const tiEnvironment = TiEnvRepository.tiEnvValue || 'UNKNOWN'
    tiConnectEventObservability.send({
      traceId,
      functionName: 'onTiConnectDecryptKeyStoreListener',
      operation: 'read',
      direction: 'output',
      data: JSON.stringify({
        tiEnvironment,
        error: true,
        errorMessage: error instanceof Error ? error.message : String(error),
        errorName: error instanceof Error ? error.name : 'UnknownError',
      }),
    })
  }
}
```
Key Changes:
1. Rename variable certificateInfo → jwa (reflects the actual data)
2. Change logged data from {certificateType, curveName, tiEnvironment} to {jwa, tiEnvironment}
3. Update JSDoc comment to clarify we're tracking JWA algorithm strings
4. Error handling remains unchanged (best practice for observability)
Benefits:
- Simpler data structure: 2 fields instead of 3
- JWA string is self-documenting (e.g., "BP256R1" clearly indicates Brainpool curve)
- Aligns with RFC 7518 standard terminology
Phase 3: Remove JWAMapper Module
Files to Delete: …(truncated, 14066 more chars)