@did-btcr2/method 0.17.2 → 0.18.0

package/src/core/beacon/aggregation/session/index.ts

@@ -0,0 +1,289 @@
+import { Logger } from '@did-btcr2/common';
+import * as musig2 from '@scure/btc-signer/musig2';
+import { Transaction } from 'bitcoinjs-lib';
+import { AggregateBeaconError } from '../../error.js';
+import { AggregateBeaconCohort } from '../cohort/index.js';
+import { BeaconCohortAuthorizationRequestMessage } from '../cohort/messages/sign/authorization-request.js';
+import { SIGNING_SESSION_STATUS, SIGNING_SESSION_STATUS_TYPE } from './status.js';
+
+/**
+ * Convert a big-endian byte array into a bigint.
+ * @param bytes - The input Uint8Array representing a big-endian integer.
+ * @returns The integer value as a bigint.
+ */
+export function bigEndianToInt(bytes: Uint8Array): bigint {
+  return bytes.reduce((num, b) => (num << 8n) + BigInt(b), 0n);
+}
+
+/**
+ * Convert a bigint to a big-endian Uint8Array of specified length.
+ * @param xInit - The bigint to convert.
+ * @param length - The desired length of the output array in bytes.
+ * @returns A Uint8Array representing the bigint in big-endian form.
+ */
+export function intToBigEndian(xInit: bigint, length: number): Uint8Array {
+  let x = xInit;
+  const result = new Uint8Array(length);
+  for (let i = length - 1; i >= 0; i--) {
+    result[i] = Number(x & 0xffn);
+    x >>= 8n;
+  }
+  return result;
+}
+
+type PublicKeyHex = string;
+type Nonce = Uint8Array;
+type NonceContributions = Map<PublicKeyHex, Nonce>;
+type PartialSignatures = Map<string, Uint8Array>;
+type ProcessedRequests = Record<string, string>;
+
+export interface SigningSession {
+  id?: string;
+  cohort: AggregateBeaconCohort;
+  pendingTx: Transaction;
+  nonceContributions?: NonceContributions;
+  aggregatedNonce?: Uint8Array;
+  partialSignatures?: PartialSignatures;
+  signature?: Uint8Array;
+  status?: SIGNING_SESSION_STATUS_TYPE;
+  processedRequests?: ProcessedRequests;
+  nonceSecrets?: bigint;
+}
+export class BeaconCohortSigningSession implements SigningSession {
+  /**
+   * Unique identifier for the signing session.
+   * @type {string}
+   */
+  public id: string;
+
+  /**
+   * DID of the coordinator.
+   * @type {AggregateBeaconCohort}
+   */
+  public cohort: AggregateBeaconCohort;
+
+  /**
+   * Pending transaction to be signed.
+   * @type {Transaction}
+   */
+  public pendingTx: Transaction;
+
+  /**
+   * Map of nonce contributions from participants.
+   * @type {Map<PublicKeyHex, Nonce>}
+   */
+  public nonceContributions: Map<PublicKeyHex, Nonce> = new Map();
+
+  /**
+   * Aggregated nonce from all participants.
+   * @type {Uint8Array}
+   */
+  public aggregatedNonce?: Uint8Array;
+
+  /**
+   * Map of partial signatures from participants.
+   * @type {Map<string, Uint8Array>}
+   */
+  public partialSignatures: Map<string, Uint8Array> = new Map();
+
+  /**
+   * Final signature for the transaction.
+   * @type {Uint8Array}
+   */
+  public signature?: Uint8Array;
+
+  /**
+   * Current status of the signing session.
+   * @type {SIGNING_SESSION_STATUS_TYPE}
+   */
+  public status: SIGNING_SESSION_STATUS_TYPE;
+
+  /**
+   * Map of processed requests from participants.
+   * @type {Record<string, string>}
+   */
+  public processedRequests: Record<string, string>;
+
+  /**
+   * Secrets for nonces contributed by participants.
+   * @type {Array<bigint>}
+   */
+  public nonceSecrets?: bigint;
+
+  /**
+   * Musig2 session for signing operations.
+   * @type {musig2.Session}
+   */
+  public musig2Session?: musig2.Session;
+
+  /**
+   * Creates a new instance of BeaconCohortSigningSession.
+   * @param {SigningSession} params Parameters to initialize the signing session.
+   * @param {Transaction} params.pendingTx The pending transaction to be signed.
+   * @param {string} [params.id] Optional unique identifier for the signing session. If not provided, a new UUID will be generated.
+   * @param {AggregateBeaconCohort} [params.cohort] The cohort associated with the signing session.
+   * @param {Record<string, string>} [params.processedRequests] Map of processed requests from participants.
+   * @param {SIGNING_SESSION_STATUS_TYPE} [params.status] The current status of the signing session. Defaults to AWAITING_NONCE_CONTRIBUTIONS.
+   */
+  constructor({ id, cohort, pendingTx, processedRequests, status }: SigningSession) {
+    this.id = id || crypto.randomUUID();
+    this.cohort = cohort;
+    this.pendingTx = pendingTx;
+    this.processedRequests = processedRequests || {};
+    this.status = status || SIGNING_SESSION_STATUS.AWAITING_NONCE_CONTRIBUTIONS;
+  }
+
+  /**
+   * Gets the authorization request message for a participant.
+   * @param {string} to The public key of the participant to whom the request is sent.
+   * @param {string} from The public key of the participant sending the request.
+   * @returns {AuthorizationRequest} The authorization request message.
+   */
+  public getAuthorizationRequest(to: string, from: string): BeaconCohortAuthorizationRequestMessage {
+    const txHex = this.pendingTx instanceof Transaction ? this.pendingTx?.toHex() : this.pendingTx;
+    return new BeaconCohortAuthorizationRequestMessage({
+      to,
+      from,
+      sessionId : this.id,
+      cohortId  : this.cohort?.id,
+      pendingTx : txHex,
+    });
+  }
+
+  /**
+   * Adds a nonce contribution from a participant to the session.
+   * @param {string} from The public key of the participant contributing the nonce.
+   * @param {Array<string>} nonceContribution The nonce contribution from the participant.
+   * @throws {Error} If the session is not awaiting nonce contributions or if the contribution is invalid.
+   */
+  public addNonceContribution(from: string, nonceContribution: Uint8Array): void {
+    if(this.status !== SIGNING_SESSION_STATUS.AWAITING_NONCE_CONTRIBUTIONS) {
+      throw new AggregateBeaconError(`Nonce contributions already received. Current status: ${this.status}`);
+    }
+
+    if(nonceContribution.length !== 2) {
+      throw new AggregateBeaconError(`Invalid nonce contribution. Expected 2 points, received ${nonceContribution.length}.`);
+    }
+
+    if (this.nonceContributions.get(from)) {
+      Logger.warn(`WARNING: Nonce contribution already received from ${from}.`);
+    }
+
+    this.nonceContributions.set(from, nonceContribution);
+
+    if(this.nonceContributions.size === this.cohort?.participants.length) {
+      this.status = SIGNING_SESSION_STATUS.NONCE_CONTRIBUTIONS_RECEIVED;
+    }
+  }
+
+  /**
+   * Generates the aggregated nonce from all nonce contributions for the session.
+   * @returns {Uint8Array} The aggregated nonce.
+   * @throws {AggregateBeaconError} If not all nonce contributions have been received.
+   */
+  public generateAggregatedNonce(): Uint8Array {
+    if(this.status !== SIGNING_SESSION_STATUS.NONCE_CONTRIBUTIONS_RECEIVED) {
+      const missing = this.cohort?.participants.length - this.nonceContributions.size;
+      throw new AggregateBeaconError(
+        `Missing ${missing} nonce contributions. ` +
+        `Received ${this.cohort?.participants.length} of ${this.nonceContributions.size} nonce contributions. ` +
+        `Current status: ${this.status}`,
+        'NONCE_CONTRIBUTION_ERROR', this.json()
+      );
+    }
+    const sortedPubkeys = musig2.sortKeys(this.cohort.cohortKeys);
+    const keyAggContext = musig2.keyAggregate(sortedPubkeys);
+    const aggPubkey = musig2.keyAggExport(keyAggContext);
+    this.aggregatedNonce = musig2.nonceAggregate(this.cohort.cohortKeys.map(key => musig2.nonceGen(key, undefined, aggPubkey, this.cohort.trMerkleRoot).public));
+    this.musig2Session = new musig2.Session(this.aggregatedNonce, this.cohort.cohortKeys, this.cohort.trMerkleRoot);
+    return this.aggregatedNonce;
+  }
+
+  /**
+   * Adds a partial signature from a participant to the session.
+   * @param {string} from The public key of the participant contributing the partial signature.
+   * @param {Uint8Array} partialSignature The partial signature from the participant.
+   */
+  public addPartialSignature(from: string, partialSignature: Uint8Array): void {
+    if(this.status !== SIGNING_SESSION_STATUS.AWAITING_PARTIAL_SIGNATURES) {
+      throw new AggregateBeaconError(`Partial signatures not expected. Current status: ${this.status}`);
+    }
+
+    if(this.partialSignatures.get(from)) {
+      Logger.warn(`WARNING: Partial signature already received from ${from}.`);
+    }
+
+    this.partialSignatures.set(from, partialSignature);
+  }
+
+  /**
+   * Generates the final signature from all partial signatures.
+   * @returns {Uint8Array} The final aggregated signature.
+   */
+  public async generateFinalSignature(): Promise<Uint8Array> {
+    if(this.status !== SIGNING_SESSION_STATUS.PARTIAL_SIGNATURES_RECEIVED) {
+      throw new AggregateBeaconError(`Partial signatures not received. Current status: ${this.status}`);
+    }
+
+    const inputIdx = (this.pendingTx?.ins?.length || 0) - 1;
+    if (inputIdx < 0) {
+      throw new AggregateBeaconError('No inputs in the pending transaction to sign.');
+    }
+
+    const prevoutScript = this.pendingTx?.ins[inputIdx].script;
+    if (!prevoutScript) {
+      throw new AggregateBeaconError('Previous output script is missing for the input to sign.');
+    }
+
+    const sigSum = [...this.partialSignatures.values()].reduce((sum, sig) => sum + bigEndianToInt(sig), 0n);
+    Logger.info(`Aggregated Signature computed: ${sigSum}`);
+
+    this.aggregatedNonce ??= this.generateAggregatedNonce();
+
+    const session = new musig2.Session(this.aggregatedNonce!, this.cohort.cohortKeys, this.cohort.trMerkleRoot);
+    this.signature = session.partialSigAgg([...this.partialSignatures.values()]);
+
+    return this.signature;
+  }
+
+  /**
+   * Generates a partial signature for the session using the participant's secret key.
+   * @param {Uint8Array} participantSk The secret key of the participant.
+   * @returns {Uint8Array} The partial signature generated by the participant.
+   */
+  public generatePartialSignature(participantSk: Uint8Array): Uint8Array {
+    if (!this.aggregatedNonce) {
+      throw new AggregateBeaconError('Aggregated nonce is not available. Please generate it first.');
+    }
+    const sigHash = this.pendingTx?.hashForSignature(0, this.pendingTx?.ins[0].script, Transaction.SIGHASH_DEFAULT);
+    if(!sigHash) {
+      throw new AggregateBeaconError('Signature hash is not available. Please ensure the transaction is properly set up.');
+    }
+    const session = new musig2.Session(this.aggregatedNonce!, this.cohort.cohortKeys, this.cohort.trMerkleRoot);
+    return session.sign(this.aggregatedNonce, participantSk);
+  }
+
+  /**
+   * Converts the signing session instance to a JSON object representation.
+   * @returns {BeaconCohortSigningSession} The JSON object representation of the signing session.
+   */
+  public json(): BeaconCohortSigningSession {
+    return Object.json(this) as BeaconCohortSigningSession;
+  }
+
+  /**
+   * Checks if the signing session is a completed state.
+   * @returns {boolean} True if the session is complete, false otherwise.
+   */
+  public isComplete(): boolean {
+    return this.status === SIGNING_SESSION_STATUS.SIGNATURE_COMPLETE;
+  }
+
+  /**
+   * Checks if the signing session is in a failed state.
+   * @returns {boolean} True if the session has failed, false otherwise.
+   */
+  public isFailed(): boolean {
+    return this.status === SIGNING_SESSION_STATUS.FAILED;
+  }
+}

package/src/core/beacon/aggregation/session/status.ts

@@ -0,0 +1,18 @@
+export type SIGNING_SESSION_STATUS_TYPE =
+    | 'AWAITING_NONCE_CONTRIBUTIONS'
+    | 'NONCE_CONTRIBUTION_SENT'
+    | 'NONCE_CONTRIBUTIONS_RECEIVED'
+    | 'AWAITING_PARTIAL_SIGNATURES'
+    | 'PARTIAL_SIGNATURES_RECEIVED'
+    | 'SIGNATURE_COMPLETE'
+    | 'FAILED'
+
+export enum SIGNING_SESSION_STATUS {
+    AWAITING_NONCE_CONTRIBUTIONS = 'AWAITING_NONCE_CONTRIBUTIONS',
+    NONCE_CONTRIBUTION_SENT = 'NONCE_CONTRIBUTION_SENT',
+    NONCE_CONTRIBUTIONS_RECEIVED = 'NONCE_CONTRIBUTIONS_RECEIVED',
+    AWAITING_PARTIAL_SIGNATURES = 'AWAITING_PARTIAL_SIGNATURES',
+    PARTIAL_SIGNATURES_RECEIVED = 'PARTIAL_SIGNATURES_RECEIVED',
+    SIGNATURE_COMPLETE = 'SIGNATURE_COMPLETE',
+    FAILED = 'FAILED',
+}

package/src/core/beacon/cid-aggregate.ts

@@ -1,9 +1,8 @@
-import { MethodError, DidUpdateInvocation, DidUpdatePayload } from '@did-btcr2/common';
-import { DidServiceEndpoint } from '@web5/dids';
-import { Beacon } from '../../interfaces/beacon.js';
-import { BeaconService, BeaconSignal } from '../../interfaces/ibeacon.js';
 import { RawTransactionV2 } from '@did-btcr2/bitcoin';
-import { BeaconSidecarData, CIDAggregateSidecar, SignalsMetadata } from '../../types/crud.js';
+import { DidUpdateInvocation, DidUpdatePayload, MethodError } from '@did-btcr2/common';
+import { DidServiceEndpoint } from '@web5/dids';
+import { Beacon, BeaconService, BeaconSignal } from '../../interfaces/beacon.js';
+import { BeaconSidecarData, CIDAggregateSidecar, SignalsMetadata } from '../../utils/types.js';
 
 /**
  * Implements {@link https://dcdpr.github.io/did-btcr2/#cidaggregate-beacon | 5.2 CIDAggregate Beacon}.

package/src/core/beacon/error.ts

@@ -0,0 +1,44 @@
+import { MethodError } from '@did-btcr2/common';
+
+export class BeaconError extends MethodError {
+  constructor(message: string, type: string = 'BeaconError', data?: Record<string, any>) {
+    super(message, type, data);
+  }
+}
+
+export class BeaconCoordinatorError extends MethodError {
+  constructor(message: string, type: string = 'BeaconCoordinatorError', data?: Record<string, any>) {
+    super(message, type, data);
+  }
+}
+
+export class BeaconParticipantError extends MethodError {
+  constructor(message: string, type: string = 'BeaconParticipantError', data?: Record<string, any>) {
+    super(message, type, data);
+  }
+}
+
+
+export class SingletonBeaconError extends MethodError {
+  constructor(message: string, type: string = 'SingletonBeaconError', data?: Record<string, any>) {
+    super(message, type, data);
+  }
+}
+
+export class AggregateBeaconError extends MethodError {
+  constructor(message: string, type: string = 'AggregateBeaconError', data?: Record<string, any>) {
+    super(message, type, data);
+  }
+}
+
+export class CIDAggregateBeaconError extends MethodError {
+  constructor(message: string, type: string = 'CIDAggregateBeaconError', data?: Record<string, any>) {
+    super(message, type, data);
+  }
+}
+
+export class SMTAggregateBeaconError extends MethodError {
+  constructor(message: string, type: string = 'SMTAggregateBeaconError', data?: Record<string, any>) {
+    super(message, type, data);
+  }
+}

package/src/core/beacon/factory.ts

@@ -1,7 +1,6 @@
 import { MethodError } from '@did-btcr2/common';
-import { Beacon } from '../../interfaces/beacon.js';
-import { BeaconService } from '../../interfaces/ibeacon.js';
-import { CIDAggregateSidecar, SidecarData, SMTAggregateSidecar } from '../../types/crud.js';
+import { Beacon, BeaconService } from '../../interfaces/beacon.js';
+import { CIDAggregateSidecar, SidecarData, SMTAggregateSidecar } from '../../utils/types.js';
 import { CIDAggregateBeacon } from './cid-aggregate.js';
 import { SingletonBeacon } from './singleton.js';
 import { SMTAggregateBeacon } from './smt-aggregate.js';

package/src/core/beacon/singleton.ts

@@ -1,12 +1,13 @@
 import { AddressUtxo, BitcoinNetworkConnection, RawTransactionRest, RawTransactionV2, TxOut, Vout } from '@did-btcr2/bitcoin';
 import { DidUpdatePayload, INVALID_SIDECAR_DATA, LATE_PUBLISHING_ERROR, SingletonBeaconError } from '@did-btcr2/common';
+import { CompressedSecp256k1PublicKey } from '@did-btcr2/keypair';
+import { Kms, Signer } from '@did-btcr2/kms';
 import { opcodes, Psbt, script } from 'bitcoinjs-lib';
 import { base58btc } from 'multiformats/bases/base58';
-import { Beacon } from '../../interfaces/beacon.js';
-import { BeaconService, BeaconSignal } from '../../interfaces/ibeacon.js';
-import { BeaconSidecarData, Metadata, SignalsMetadata, SingletonSidecar } from '../../types/crud.js';
+import { Beacon, BeaconService, BeaconSignal } from '../../interfaces/beacon.js';
+import { BeaconSidecarData, Metadata, SignalsMetadata, SingletonSidecar } from '../../utils/types.js';
 import { Appendix } from '../../utils/appendix.js';
-import { KeyManager, Signer } from '../key-manager/index.js';
+import { Identifier } from '../identifier.js';
 
 const bitcoin = new BitcoinNetworkConnection();
 
@@ -219,13 +220,14 @@ export class SingletonBeacon extends Beacon {
 
     // 6. Retrieve the cryptographic material, e.g private key or signing capability, associated with the bitcoinAddress
     //    or service. How this is done is left to the implementer.
-    // TODO: Determine how we want to handle this. Currently, this code uses the RPC to handle signing.
-    const multikey = await KeyManager.getKeyPair(this.service.id);
-    if (!multikey) {
+    const components = Identifier.decode(this.service.id);
+    const keyUri = new CompressedSecp256k1PublicKey(components.genesisBytes).hex;
+    const keyPair = Kms.getKey(keyUri as string);
+    if (!keyPair) {
       throw new Error('Key pair not found.');
     }
 
-    const signer = new Signer({ multikey, network: bitcoin.network.name });
+    const signer = new Signer({ keyPair, network: bitcoin.network.name });
 
     // 7. Sign the spendTx.
     const signedTx = spendTx.signInput(0, signer)

package/src/core/beacon/smt-aggregate.ts

@@ -1,9 +1,8 @@
-import { MethodError, DidUpdatePayload } from '@did-btcr2/common';
-import { DidServiceEndpoint } from '@web5/dids';
-import { Beacon } from '../../interfaces/beacon.js';
-import { BeaconService, BeaconSignal } from '../../interfaces/ibeacon.js';
 import { RawTransactionV2 } from '@did-btcr2/bitcoin';
-import { BeaconSidecarData, SignalsMetadata, SMTAggregateSidecar } from '../../types/crud.js';
+import { DidUpdatePayload, MethodError } from '@did-btcr2/common';
+import { DidServiceEndpoint } from '@web5/dids';
+import { Beacon, BeaconService, BeaconSignal } from '../../interfaces/beacon.js';
+import { BeaconSidecarData, SignalsMetadata, SMTAggregateSidecar } from '../../utils/types.js';
 
 /**
  * TODO: Finish implementation

package/src/{utils/beacons.ts → core/beacon/utils.ts}

@@ -1,10 +1,10 @@
-import { MethodError, DidMethodError, Maybe, KeyBytes } from '@did-btcr2/common';
+import { DidMethodError, KeyBytes, Maybe, MethodError } from '@did-btcr2/common';
 import { DidService } from '@web5/dids';
 import { networks, payments } from 'bitcoinjs-lib';
-import { BeaconFactory } from '../core/beacon/factory.js';
-import { BeaconService, BeaconServiceAddress } from '../interfaces/ibeacon.js';
-import { Appendix } from './appendix.js';
-import { DidDocument } from './did-document.js';
+import { BeaconService, BeaconServiceAddress } from '../../interfaces/beacon.js';
+import { Appendix } from '../../utils/appendix.js';
+import { DidDocument } from '../../utils/did-document.js';
+import { BeaconFactory } from './factory.js';
 export interface GenerateBeaconParams {
   identifier: string;
   publicKey: KeyBytes;

package/src/core/crud/read.ts

@@ -27,17 +27,18 @@ import { Cryptosuite, DataIntegrityProof, SchnorrMultikey } from '@did-btcr2/cry
 import { CompressedSecp256k1PublicKey } from '@did-btcr2/keypair';
 import { bytesToHex } from '@noble/hashes/utils';
 import { DidBtcr2 } from '../../did-btcr2.js';
+import { BeaconService, BeaconServiceAddress, BeaconSignal } from '../../interfaces/beacon.js';
 import { DidResolutionOptions } from '../../interfaces/crud.js';
-import { BeaconService, BeaconServiceAddress, BeaconSignal } from '../../interfaces/ibeacon.js';
+import { Appendix } from '../../utils/appendix.js';
+import { DidDocument } from '../../utils/did-document.js';
 import {
   CIDAggregateSidecar,
   SidecarData,
   SignalsMetadata
-} from '../../types/crud.js';
-import { Appendix, DidComponents } from '../../utils/appendix.js';
-import { BeaconUtils } from '../../utils/beacons.js';
-import { DidDocument } from '../../utils/did-document.js';
+} from '../../utils/types.js';
 import { BeaconFactory } from '../beacon/factory.js';
+import { BeaconUtils } from '../beacon/utils.js';
+import { DidComponents } from '../identifier.js';
 
 export type FindNextSignalsRestParams = {
   connection: BitcoinRestClient;
@@ -905,17 +906,7 @@ export class Resolve {
 
     // Construct a new Multikey.
     const multikey = SchnorrMultikey.fromPublicKeyMultibase({ id: `#${id}`, controller, publicKeyMultibase });
-    // Logger.warn('// TODO: applyDidUpdate - Refactor Multikey to accept pub/priv bytes => Pub/PrivKey => KeyPair.');
-
     const cryptosuite = new Cryptosuite({ cryptosuite: 'bip340-jcs-2025', multikey });
-    // Logger.warn('// TODO: applyDidUpdate - Refactor Cryptosuite to default to RDFC.');
-
-    // 5. Set expectedProofPurpose to capabilityInvocation.
-    const expectedPurpose = 'capabilityInvocation';
-
-    // 6. Set mediaType to ????
-    // const mediaType = 'application/json';
-    // Logger.warn('// TODO: applyDidUpdate - is this just application/json?');
 
     // 7. Set documentBytes to the bytes representation of update.
     const documentBytes = await JSON.canonicalization.canonicalize(update);
@@ -923,7 +914,7 @@ export class Resolve {
     // 8. Set verificationResult to the result of passing mediaType, documentBytes, cryptosuite, and
     //    expectedProofPurpose into the Verify Proof algorithm defined in the VC Data Integrity specification.
     const diProof = new DataIntegrityProof(cryptosuite);
-    const verificationResult = await diProof.verifyProof({ document: documentBytes, expectedPurpose });
+    const verificationResult = await diProof.verifyProof({ document: documentBytes, expectedPurpose: 'capabilityInvocation' });
 
     // 9. If verificationResult.verified equals False, MUST raise a invalidUpdateProof exception.
     if (!verificationResult.verified) {

package/src/core/crud/update.ts

@@ -1,25 +1,26 @@
 import {
   BTCR2_DID_UPDATE_PAYLOAD_CONTEXT,
-  MethodError,
   DidUpdateInvocation,
   DidUpdatePayload,
   INVALID_DID_DOCUMENT,
   INVALID_DID_UPDATE,
   INVALID_PUBLIC_KEY_TYPE,
   Logger,
+  MethodError,
   NOT_FOUND,
   PatchOperation,
   ProofOptions
 } from '@did-btcr2/common';
 import { SchnorrMultikey } from '@did-btcr2/cryptosuite';
-import { SchnorrKeyPair, Secp256k1SecretKey } from '@did-btcr2/keypair';
+import { CompressedSecp256k1PublicKey, SchnorrKeyPair, Secp256k1SecretKey } from '@did-btcr2/keypair';
+import { Kms } from '@did-btcr2/kms';
 import type { DidService } from '@web5/dids';
-import { BeaconService } from '../../interfaces/ibeacon.js';
-import { SignalsMetadata } from '../../types/crud.js';
+import { BeaconService } from '../../interfaces/beacon.js';
 import { Appendix } from '../../utils/appendix.js';
 import { DidDocument, DidVerificationMethod } from '../../utils/did-document.js';
+import { SignalsMetadata } from '../../utils/types.js';
 import { BeaconFactory } from '../beacon/factory.js';
-import { KeyManager } from '../key-manager/index.js';
+import { Identifier } from '../identifier.js';
 
 export interface ConstructUpdateParams {
     identifier: string;
@@ -160,28 +161,33 @@ export class Update {
 
     // 1. Set privateKeyBytes to the result of retrieving the private key bytes
     // associated with the verificationMethod value.
+    // 1.1 Let id be the fragment portion of verificationMethod.id.
     const id = fullId.slice(fullId.indexOf('#'));
-    const multikey = !secretKeyMultibase
-    // 1.1 Compute the keyUri and check if the key is in the keystore
-      ? await KeyManager.getKeyPair(fullId)
-    // 1.2 If not, use the secretKeyMultibase from the verificationMethod
-      : SchnorrMultikey
-        .create({
-          id,
-          controller,
-          keys : new SchnorrKeyPair({
-            secretKey : Secp256k1SecretKey.decode(secretKeyMultibase)
-          })
-        });
 
-    // 1.3 If the privateKey is not found, throw an error
-    if (!multikey) {
+    // 1.2 Retrieve the key pair from the KMS or from the secretKeyMultibase
+    const components = Identifier.decode(id);
+    const keyUri = new CompressedSecp256k1PublicKey(components.genesisBytes).hex;
+    const keys = secretKeyMultibase
+      ? new SchnorrKeyPair({ secretKey: Secp256k1SecretKey.decode(secretKeyMultibase) })
+      : await Kms.getKey(keyUri as string);
+    if (!keys) {
       throw new MethodError(
         'No privateKey found in kms or vm',
         NOT_FOUND, verificationMethod
       );
     }
 
+    // 1.3 Set multikey to the result of passing verificationMethod and privateKeyBytes into the Multikey Creation algorithm.
+    const multikey = SchnorrMultikey.create({ id, controller, keys });
+
+    // 1.4 If the privateKey is not found, throw an error
+    if (!multikey) {
+      throw new MethodError(
+        'Failed to create multikey from verification method',
+        'MULTKEY_CREATE_FAILED', verificationMethod
+      );
+    }
+
     // 2. Set rootCapability to the result of passing Identifier into the Derive Root Capability from did:btcr2
     //    Identifier algorithm.
     const rootCapability = Appendix.deriveRootCapability(identifier);
@@ -193,7 +199,6 @@ export class Update {
     // 7. Set proofOptions.proofPurpose to capabilityInvocation.
     // 8. Set proofOptions.capability to rootCapability.id.
     // 9. Set proofOptions.capabilityAction to Write.
-    // TODO: Wonder if we actually need this. Arent we always writing?
     const options: ProofOptions = {
       cryptosuite,
       type               : 'DataIntegrityProof',
@@ -207,8 +212,6 @@ export class Update {
     //     Integrity specification passing in proofOptions.
     const diproof = multikey.toCryptosuite(cryptosuite).toDataIntegrityProof();
 
-    // TODO: 11. need to set up the proof instantiation such that it can resolve / dereference the root capability. This is deterministic from the DID.
-
     // 12. Set didUpdateInvocation to the result of executing the Add Proof algorithm from VC Data Integrity passing
     //     didUpdatePayload as the input document, cryptosuite, and the set of proofOptions.
     // 13. Return didUpdateInvocation.

package/src/{utils → core}/identifier.ts

@@ -1,7 +1,23 @@
-import { BitcoinNetworkNames, MethodError, IdentifierTypes, Bytes, INVALID_DID, METHOD_NOT_SUPPORTED } from '@did-btcr2/common';
+import { BitcoinNetworkNames, Bytes, IdentifierTypes, INVALID_DID, METHOD_NOT_SUPPORTED, MethodError } from '@did-btcr2/common';
 import { CompressedSecp256k1PublicKey, SchnorrKeyPair } from '@did-btcr2/keypair';
 import { bech32m } from '@scure/base';
-import { DidComponents } from './appendix.js';
+
+/**
+ * Components of a did:btcr2 identifier.
+ * @interface DidComponents
+ * @property {string} hrp The human-readable part of the Bech32m encoding.
+ * @property {string} idType Identifier type (key or external).
+ * @property {number} version Identifier version.
+ * @property {string | number} network Bitcoin network name or number.
+ * @property {Bytes} genesisBytes Public key or an intermediate document bytes.
+ */
+export interface DidComponents {
+    hrp: string;
+    idType: string;
+    version: number;
+    network: string;
+    genesisBytes: Bytes;
+};
 
 /**
  * Implements {@link https://dcdpr.github.io/did-btcr2/#syntax | 3 Syntax}.
@@ -25,7 +41,7 @@ export class Identifier {
    *    - a key-value representing a secp256k1 public key; or
    *    - a hash-value representing the hash of an initiating external DID document.
    *
-   * @param {CreateIdentifierParams} params See {@link CreateIdentifierParams} for details.
+   * @param {DidComponents} params See {@link DidComponents} for details.
    * @param {IdentifierTypes} params.idType Identifier type (key or external).
    * @param {string} params.network Bitcoin network name.
    * @param {number} params.version Identifier version.
@@ -35,7 +51,7 @@ export class Identifier {
   public static encode({ idType, version, network, genesisBytes }: {
     idType: string;
     version: number;
-    network: string | number;
+    network: string;
     genesisBytes: Bytes;
   }): string {
     // 1. If idType is not a valid value per above, raise invalidDid error.
@@ -267,10 +283,24 @@ export class Identifier {
     const did = this.encode({
       idType       : IdentifierTypes.KEY,
       version      : 1,
-      network      : BitcoinNetworkNames.bitcoin,
+      network      : 'bitcoin',
       genesisBytes : keys.publicKey.compressed
     });
 
     return { keys, identifier: { controller: did, id: '#initialKey'} };
   }
+
+  /**
+   * Validates a did:btcr2 identifier.
+   * @param {string} identifier The did:btcr2 identifier to validate.
+   * @returns {boolean} True if the identifier is valid, false otherwise.
+   */
+  static isValid(identifier: string): boolean {
+    try {
+      this.decode(identifier);
+      return true;
+    } catch {
+      return false;
+    }
+  }
 }