did_resolver 0.1.0

data/lib/did_resolver/did_document.rb

@@ -0,0 +1,186 @@
+# frozen_string_literal: true
+
+module DidResolver
+  # DID Document representation
+  # @see https://www.w3.org/TR/did-core/#did-document-properties
+  class DIDDocument
+    attr_reader :id, :also_known_as, :controller, :verification_method,
+                :authentication, :assertion_method, :key_agreement,
+                :capability_invocation, :capability_delegation, :service,
+                :context, :extra
+
+    def initialize(
+      id:,
+      context: nil,
+      also_known_as: nil,
+      controller: nil,
+      verification_method: nil,
+      authentication: nil,
+      assertion_method: nil,
+      key_agreement: nil,
+      capability_invocation: nil,
+      capability_delegation: nil,
+      service: nil,
+      **extra
+    )
+      @id = id
+      @context = context || ["https://www.w3.org/ns/did/v1"]
+      @also_known_as = also_known_as
+      @controller = controller
+      @verification_method = verification_method || []
+      @authentication = authentication || []
+      @assertion_method = assertion_method || []
+      @key_agreement = key_agreement || []
+      @capability_invocation = capability_invocation || []
+      @capability_delegation = capability_delegation || []
+      @service = service || []
+      @extra = extra
+    end
+
+    # Find a verification method by ID or reference
+    # @param id_or_ref [String] Full ID or fragment reference
+    # @return [VerificationMethod, nil]
+    def find_verification_method(id_or_ref)
+      # Normalize reference - could be full ID or just fragment
+      target_id = id_or_ref.start_with?("#") ? "#{@id}#{id_or_ref}" : id_or_ref
+
+      verification_method.find { |vm| vm[:id] == target_id || vm["id"] == target_id }
+    end
+
+    # Get verification methods for a specific purpose
+    # @param purpose [Symbol] :authentication, :assertion_method, etc.
+    # @return [Array<VerificationMethod>]
+    def verification_methods_for(purpose)
+      refs = send(purpose)
+      return [] unless refs
+
+      refs.map do |ref|
+        if ref.is_a?(String)
+          find_verification_method(ref)
+        else
+          ref
+        end
+      end.compact
+    end
+
+    # Extract public key from a verification method
+    # @param method_id [String] Verification method ID
+    # @return [Hash, nil] Public key info with :type and :key
+    def public_key_for(method_id)
+      vm = find_verification_method(method_id)
+      return nil unless vm
+
+      extract_public_key(vm)
+    end
+
+    # Get the first public key for a purpose (e.g., assertion)
+    # @param purpose [Symbol]
+    # @return [Hash, nil]
+    def first_public_key_for(purpose)
+      vms = verification_methods_for(purpose)
+      return nil if vms.empty?
+
+      extract_public_key(vms.first)
+    end
+
+    def to_h
+      result = {
+        "@context" => @context,
+        "id" => @id
+      }
+
+      result["alsoKnownAs"] = @also_known_as if @also_known_as&.any?
+      result["controller"] = @controller if @controller
+      result["verificationMethod"] = @verification_method if @verification_method&.any?
+      result["authentication"] = @authentication if @authentication&.any?
+      result["assertionMethod"] = @assertion_method if @assertion_method&.any?
+      result["keyAgreement"] = @key_agreement if @key_agreement&.any?
+      result["capabilityInvocation"] = @capability_invocation if @capability_invocation&.any?
+      result["capabilityDelegation"] = @capability_delegation if @capability_delegation&.any?
+      result["service"] = @service if @service&.any?
+
+      # Merge any extra properties
+      result.merge(@extra.transform_keys(&:to_s))
+    end
+
+    def to_json(*)
+      to_h.to_json
+    end
+
+    class << self
+      # Parse a DID Document from a hash
+      # @param data [Hash] The raw DID Document data
+      # @return [DIDDocument]
+      def from_hash(data)
+        data = data.transform_keys { |k| underscore(k.to_s).to_sym }
+
+        new(
+          id: data[:id],
+          context: data[:@context] || data[:context],
+          also_known_as: data[:also_known_as],
+          controller: data[:controller],
+          verification_method: normalize_verification_methods(data[:verification_method]),
+          authentication: data[:authentication],
+          assertion_method: data[:assertion_method],
+          key_agreement: data[:key_agreement],
+          capability_invocation: data[:capability_invocation],
+          capability_delegation: data[:capability_delegation],
+          service: data[:service],
+          **data.reject { |k, _|
+            %i[id @context context also_known_as controller
+               verification_method authentication assertion_method
+               key_agreement capability_invocation capability_delegation service].include?(k)
+          }
+        )
+      end
+
+      private
+
+      # Convert camelCase to snake_case
+      def underscore(str)
+        str.gsub(/([A-Z]+)([A-Z][a-z])/, '\1_\2')
+           .gsub(/([a-z\d])([A-Z])/, '\1_\2')
+           .downcase
+      end
+
+      def normalize_verification_methods(methods)
+        return [] unless methods
+
+        methods.map do |vm|
+          vm.is_a?(Hash) ? vm.transform_keys(&:to_s) : vm
+        end
+      end
+    end
+
+    private
+
+    def extract_public_key(vm)
+      vm = vm.transform_keys(&:to_s) if vm.is_a?(Hash)
+
+      type = vm["type"]
+      key_data = nil
+
+      # Handle different key formats
+      if vm["publicKeyJwk"]
+        key_data = { format: :jwk, value: vm["publicKeyJwk"] }
+      elsif vm["publicKeyMultibase"]
+        key_data = { format: :multibase, value: vm["publicKeyMultibase"] }
+      elsif vm["publicKeyBase58"]
+        key_data = { format: :base58, value: vm["publicKeyBase58"] }
+      elsif vm["publicKeyHex"]
+        key_data = { format: :hex, value: vm["publicKeyHex"] }
+      elsif vm["publicKeyPem"]
+        key_data = { format: :pem, value: vm["publicKeyPem"] }
+      end
+
+      return nil unless key_data
+
+      {
+        id: vm["id"],
+        type: type,
+        controller: vm["controller"],
+        **key_data
+      }
+    end
+  end
+end

data/lib/did_resolver/methods/jwk.rb

@@ -0,0 +1,175 @@
+# frozen_string_literal: true
+
+require "base64"
+require "json"
+
+module DidResolver
+  module Methods
+    # DID JWK Method Resolver
+    #
+    # Resolves did:jwk DIDs according to the DID JWK Method Specification
+    # @see https://github.com/quartzjer/did-jwk/blob/main/spec.md
+    #
+    # did:jwk encodes a JWK directly in the DID identifier using base64url encoding.
+    # The DID Document is deterministically generated from the JWK.
+    #
+    # @example
+    #   resolver = DidResolver::Resolver.new(DidResolver::Methods::Jwk.resolver)
+    #   result = resolver.resolve("did:jwk:eyJrdHkiOiJFQyIsImNydiI6IlAtMjU2IiwieCI6Ii4uLiIsInkiOiIuLi4ifQ")
+    #
+    class Jwk
+      # JWK key type to verification method type mapping
+      KEY_TYPE_TO_VM_TYPE = {
+        "EC" => "JsonWebKey2020",
+        "OKP" => "JsonWebKey2020",
+        "RSA" => "JsonWebKey2020"
+      }.freeze
+
+      # Curves that support key agreement (ECDH)
+      KEY_AGREEMENT_CURVES = %w[X25519 X448 P-256 P-384 P-521].freeze
+
+      # Curves that support signing
+      SIGNING_CURVES = %w[Ed25519 Ed448 P-256 P-384 P-521 secp256k1].freeze
+
+      class << self
+        # Get the resolver hash for registration
+        # @return [Hash] { "jwk" => resolve_proc }
+        def resolver
+          { "jwk" => method(:resolve) }
+        end
+
+        # Resolve a did:jwk DID
+        # @param did [String] The full DID string
+        # @param parsed [ParsedDID] Parsed DID components
+        # @param _resolver [Resolver] Parent resolver
+        # @param _options [Hash] Resolution options
+        # @return [ResolutionResult]
+        def resolve(did, parsed, _resolver, _options = {})
+          # Decode the JWK from the method-specific identifier
+          jwk = decode_jwk(parsed.id)
+          return jwk if jwk.is_a?(ResolutionResult) # Error case
+
+          # Validate the JWK
+          validation = validate_jwk(jwk)
+          return validation if validation
+
+          # Build the DID Document
+          did_document = build_did_document(did, jwk)
+
+          ResolutionResult.success(did_document)
+        rescue StandardError => e
+          ResolutionResult.error("invalidDid", "Failed to resolve did:jwk: #{e.message}")
+        end
+
+        private
+
+        # Decode the base64url-encoded JWK
+        # @param encoded [String] Base64url encoded JWK
+        # @return [Hash, ResolutionResult]
+        def decode_jwk(encoded)
+          # Add padding if needed
+          padding = (4 - encoded.length % 4) % 4
+          padded = encoded + ("=" * padding)
+
+          decoded = Base64.urlsafe_decode64(padded)
+          JSON.parse(decoded)
+        rescue ArgumentError => e
+          ResolutionResult.invalid_did("did:jwk:#{encoded}", "Invalid base64url encoding: #{e.message}")
+        rescue JSON::ParserError => e
+          ResolutionResult.invalid_did("did:jwk:#{encoded}", "Invalid JSON in JWK: #{e.message}")
+        end
+
+        # Validate the JWK structure
+        # @param jwk [Hash] The JWK
+        # @return [ResolutionResult, nil] Error result or nil if valid
+        def validate_jwk(jwk)
+          unless jwk["kty"]
+            return ResolutionResult.error("invalidDid", "JWK missing required 'kty' parameter")
+          end
+
+          unless %w[EC OKP RSA].include?(jwk["kty"])
+            return ResolutionResult.error(
+              "invalidDid",
+              "Unsupported JWK key type: #{jwk["kty"]}"
+            )
+          end
+
+          # EC keys require curve and coordinates
+          if jwk["kty"] == "EC"
+            unless jwk["crv"] && jwk["x"]
+              return ResolutionResult.error("invalidDid", "EC JWK missing required 'crv' or 'x' parameter")
+            end
+          end
+
+          # OKP keys require curve and x
+          if jwk["kty"] == "OKP"
+            unless jwk["crv"] && jwk["x"]
+              return ResolutionResult.error("invalidDid", "OKP JWK missing required 'crv' or 'x' parameter")
+            end
+          end
+
+          # RSA keys require n and e
+          if jwk["kty"] == "RSA"
+            unless jwk["n"] && jwk["e"]
+              return ResolutionResult.error("invalidDid", "RSA JWK missing required 'n' or 'e' parameter")
+            end
+          end
+
+          nil
+        end
+
+        # Build DID Document for the JWK
+        def build_did_document(did, jwk)
+          # Create a public-only JWK (strip private key parameters)
+          public_jwk = jwk.reject { |k, _| %w[d p q dp dq qi].include?(k) }
+
+          vm_id = "#{did}#0"
+
+          # Build verification method
+          verification_method = {
+            "id" => vm_id,
+            "type" => KEY_TYPE_TO_VM_TYPE[jwk["kty"]],
+            "controller" => did,
+            "publicKeyJwk" => public_jwk
+          }
+
+          # Determine verification relationships based on key type and curve
+          authentication = []
+          assertion_method = []
+          key_agreement = []
+          capability_invocation = []
+          capability_delegation = []
+
+          curve = jwk["crv"]
+
+          # Key agreement capability
+          if KEY_AGREEMENT_CURVES.include?(curve)
+            key_agreement << vm_id
+          end
+
+          # Signing capability
+          if SIGNING_CURVES.include?(curve) || jwk["kty"] == "RSA"
+            authentication << vm_id
+            assertion_method << vm_id
+            capability_invocation << vm_id
+            capability_delegation << vm_id
+          end
+
+          DIDDocument.new(
+            id: did,
+            context: [
+              "https://www.w3.org/ns/did/v1",
+              "https://w3id.org/security/suites/jws-2020/v1"
+            ],
+            verification_method: [verification_method],
+            authentication: authentication.any? ? authentication : nil,
+            assertion_method: assertion_method.any? ? assertion_method : nil,
+            key_agreement: key_agreement.any? ? key_agreement : nil,
+            capability_invocation: capability_invocation.any? ? capability_invocation : nil,
+            capability_delegation: capability_delegation.any? ? capability_delegation : nil
+          )
+        end
+      end
+    end
+  end
+end