@oma3/omatrust 0.1.0-alpha.1 → 0.1.0-alpha.11
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +21 -7
- package/dist/identity/index.cjs +544 -1
- package/dist/identity/index.cjs.map +1 -1
- package/dist/identity/index.d.cts +2 -1
- package/dist/identity/index.d.ts +2 -1
- package/dist/identity/index.js +528 -2
- package/dist/identity/index.js.map +1 -1
- package/dist/index-BOvk-7Ku.d.cts +235 -0
- package/dist/index-C2w5EvFH.d.ts +329 -0
- package/dist/index-QueRiudB.d.cts +329 -0
- package/dist/index-R78TpAhN.d.ts +235 -0
- package/dist/index.cjs +2020 -145
- package/dist/index.cjs.map +1 -1
- package/dist/index.d.cts +4 -2
- package/dist/index.d.ts +4 -2
- package/dist/index.js +2021 -146
- package/dist/index.js.map +1 -1
- package/dist/reputation/index.browser.cjs +3010 -0
- package/dist/reputation/index.browser.cjs.map +1 -0
- package/dist/reputation/index.browser.d.cts +14 -0
- package/dist/reputation/index.browser.d.ts +14 -0
- package/dist/reputation/index.browser.js +2946 -0
- package/dist/reputation/index.browser.js.map +1 -0
- package/dist/reputation/index.cjs +1884 -123
- package/dist/reputation/index.cjs.map +1 -1
- package/dist/reputation/index.d.cts +3 -1
- package/dist/reputation/index.d.ts +3 -1
- package/dist/reputation/index.js +1861 -123
- package/dist/reputation/index.js.map +1 -1
- package/dist/subject-ownership-B7cFlm8c.d.cts +664 -0
- package/dist/subject-ownership-B7cFlm8c.d.ts +664 -0
- package/dist/types-dpYxRq8N.d.cts +281 -0
- package/dist/types-dpYxRq8N.d.ts +281 -0
- package/dist/widgets/index.cjs +238 -0
- package/dist/widgets/index.cjs.map +1 -0
- package/dist/widgets/index.d.cts +158 -0
- package/dist/widgets/index.d.ts +158 -0
- package/dist/widgets/index.js +226 -0
- package/dist/widgets/index.js.map +1 -0
- package/package.json +35 -7
- package/dist/index-ChbJxwOA.d.cts +0 -415
- package/dist/index-ChbJxwOA.d.ts +0 -415
- package/dist/index-QZDExA4I.d.cts +0 -90
- package/dist/index-QZDExA4I.d.ts +0 -90
|
@@ -0,0 +1,281 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* JWK and did:jwk Helpers — Phase 2
|
|
3
|
+
*
|
|
4
|
+
* Provides conversion between public JWKs and did:jwk DIDs,
|
|
5
|
+
* deterministic JWK comparison, and public JWK validation.
|
|
6
|
+
*
|
|
7
|
+
* did:jwk is the preferred durable DID representation for JWS/JWK public key
|
|
8
|
+
* material. It is immutable (the DID IS the key) and should be used as the
|
|
9
|
+
* controllerDid for authorization checks.
|
|
10
|
+
*
|
|
11
|
+
* Uses the `jose` library for base64url encoding/decoding and JWK thumbprints.
|
|
12
|
+
*/
|
|
13
|
+
/** Minimal public JWK structure */
|
|
14
|
+
interface PublicJwk {
|
|
15
|
+
kty: string;
|
|
16
|
+
[key: string]: unknown;
|
|
17
|
+
}
|
|
18
|
+
/** Result of JWK validation */
|
|
19
|
+
interface JwkValidationResult {
|
|
20
|
+
valid: boolean;
|
|
21
|
+
error?: string;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Validate that a JWK object is a well-formed public key.
|
|
25
|
+
*
|
|
26
|
+
* Requirements:
|
|
27
|
+
* - Must be a non-null object
|
|
28
|
+
* - Must have a valid `kty` (EC, OKP, RSA)
|
|
29
|
+
* - Must have required public key fields for its key type
|
|
30
|
+
* - Must NOT contain private key material (d, p, q, dp, dq, qi, oth)
|
|
31
|
+
*/
|
|
32
|
+
declare function validatePublicJwk(jwk: unknown): JwkValidationResult;
|
|
33
|
+
/**
|
|
34
|
+
* Convert a public JWK to a did:jwk DID.
|
|
35
|
+
*
|
|
36
|
+
* Uses deterministic (sorted-key) JSON serialization and base64url encoding.
|
|
37
|
+
* Rejects JWKs containing private key material.
|
|
38
|
+
*
|
|
39
|
+
* @param jwk - A public JWK object
|
|
40
|
+
* @returns The did:jwk DID string
|
|
41
|
+
* @throws OmaTrustError if the JWK is invalid or contains private key material
|
|
42
|
+
*/
|
|
43
|
+
declare function jwkToDidJwk(jwk: unknown): string;
|
|
44
|
+
/**
|
|
45
|
+
* Convert a did:jwk DID back to a public JWK object.
|
|
46
|
+
*
|
|
47
|
+
* Validates the DID structure, decodes the base64url payload,
|
|
48
|
+
* parses JSON, and validates the resulting JWK.
|
|
49
|
+
*
|
|
50
|
+
* @param didJwk - A did:jwk DID string
|
|
51
|
+
* @returns The decoded public JWK object
|
|
52
|
+
* @throws OmaTrustError if the DID is malformed or contains private key material
|
|
53
|
+
*/
|
|
54
|
+
declare function didJwkToJwk(didJwk: string): PublicJwk;
|
|
55
|
+
/**
|
|
56
|
+
* Compare two public JWKs for equality.
|
|
57
|
+
*
|
|
58
|
+
* Compares only the public key material fields (kty, crv, x, y, n, e, etc.).
|
|
59
|
+
* Ignores property order, metadata fields (kid, use, alg, key_ops, ext),
|
|
60
|
+
* and rejects/strips private key fields before comparison.
|
|
61
|
+
*
|
|
62
|
+
* @param a - First public JWK
|
|
63
|
+
* @param b - Second public JWK
|
|
64
|
+
* @returns true if both JWKs represent the same public key
|
|
65
|
+
* @throws OmaTrustError if either JWK contains private key material
|
|
66
|
+
*/
|
|
67
|
+
declare function publicJwkEquals(a: unknown, b: unknown): boolean;
|
|
68
|
+
/**
|
|
69
|
+
* Compute an RFC 7638 JWK Thumbprint for a public JWK.
|
|
70
|
+
*
|
|
71
|
+
* Returns the base64url-encoded SHA-256 thumbprint. This is a compact,
|
|
72
|
+
* deterministic fingerprint of the public key material.
|
|
73
|
+
*
|
|
74
|
+
* Used in OMATrust DNS TXT records as: `jkt=S256:<thumbprint>`
|
|
75
|
+
*
|
|
76
|
+
* @param jwk - A public JWK object
|
|
77
|
+
* @param digestAlgorithm - Hash algorithm (default: "sha256")
|
|
78
|
+
* @returns base64url-encoded thumbprint string
|
|
79
|
+
* @throws OmaTrustError if the JWK is invalid or contains private key material
|
|
80
|
+
*/
|
|
81
|
+
declare function computeJwkThumbprint(jwk: unknown, digestAlgorithm?: "sha256" | "sha384" | "sha512"): Promise<string>;
|
|
82
|
+
/**
|
|
83
|
+
* Format a JWK thumbprint as an OMATrust DNS TXT `jkt` value.
|
|
84
|
+
*
|
|
85
|
+
* Format: `jkt=S256:<base64url-thumbprint>`
|
|
86
|
+
*
|
|
87
|
+
* @param jwk - A public JWK object
|
|
88
|
+
* @returns Formatted jkt string for DNS TXT records
|
|
89
|
+
*/
|
|
90
|
+
declare function formatJktValue(jwk: unknown): Promise<string>;
|
|
91
|
+
|
|
92
|
+
/**
|
|
93
|
+
* DID URL Key Resolution — Phase 3
|
|
94
|
+
*
|
|
95
|
+
* Resolves DID URL key references (e.g. did:web:api.example.com#key-1) to
|
|
96
|
+
* public key material and derives durable did:jwk controller DIDs.
|
|
97
|
+
*
|
|
98
|
+
* DID URLs are mutable key references. This module resolves them to the
|
|
99
|
+
* actual public key material they currently point to, then converts that
|
|
100
|
+
* material into an immutable did:jwk for use as a controller DID.
|
|
101
|
+
*/
|
|
102
|
+
|
|
103
|
+
/** Result of resolving a DID URL to public key material */
|
|
104
|
+
interface ResolvedPublicKey {
|
|
105
|
+
/** The original DID URL */
|
|
106
|
+
didUrl: string;
|
|
107
|
+
/** The base DID (without fragment) */
|
|
108
|
+
did: string;
|
|
109
|
+
/** The fragment identifier */
|
|
110
|
+
fragment: string | null;
|
|
111
|
+
/** The resolved public JWK */
|
|
112
|
+
publicKeyJwk: PublicJwk;
|
|
113
|
+
/** The verification method ID that matched */
|
|
114
|
+
verificationMethodId: string;
|
|
115
|
+
}
|
|
116
|
+
/** Result of resolving a DID URL to a durable controller DID */
|
|
117
|
+
interface ResolvedControllerDid extends ResolvedPublicKey {
|
|
118
|
+
/** The durable did:jwk derived from the resolved public key */
|
|
119
|
+
controllerDid: string;
|
|
120
|
+
}
|
|
121
|
+
/** Options for DID URL key resolution */
|
|
122
|
+
interface ResolveKeyOptions {
|
|
123
|
+
/**
|
|
124
|
+
* Custom DID document fetcher. If not provided, uses the shared
|
|
125
|
+
* fetchDidDocument which fetches from `/.well-known/did.json`.
|
|
126
|
+
*/
|
|
127
|
+
fetchDidDocument?: (domain: string) => Promise<Record<string, unknown>>;
|
|
128
|
+
}
|
|
129
|
+
/**
|
|
130
|
+
* Resolve a DID URL to public key material.
|
|
131
|
+
*
|
|
132
|
+
* Currently supports:
|
|
133
|
+
* - did:web with fragment (e.g. did:web:api.example.com#key-1)
|
|
134
|
+
*
|
|
135
|
+
* Resolution steps:
|
|
136
|
+
* 1. Parse the DID URL
|
|
137
|
+
* 2. Resolve the base DID (fetch DID document)
|
|
138
|
+
* 3. Find the matching verification method
|
|
139
|
+
* 4. Extract and validate publicKeyJwk
|
|
140
|
+
*
|
|
141
|
+
* This function only obtains key material. It does not make authorization
|
|
142
|
+
* decisions or check Controller Witness / Key Binding records.
|
|
143
|
+
*
|
|
144
|
+
* @param didUrl - A DID URL string (e.g. "did:web:api.example.com#key-1")
|
|
145
|
+
* @param options - Optional configuration (custom fetcher, etc.)
|
|
146
|
+
* @returns Resolved public key information
|
|
147
|
+
* @throws OmaTrustError if resolution fails
|
|
148
|
+
*/
|
|
149
|
+
declare function resolveDidUrlToPublicKey(didUrl: string, options?: ResolveKeyOptions): Promise<ResolvedPublicKey>;
|
|
150
|
+
/**
|
|
151
|
+
* Resolve a DID URL to a durable controller DID.
|
|
152
|
+
*
|
|
153
|
+
* This wraps resolveDidUrlToPublicKey and adds the did:jwk conversion step.
|
|
154
|
+
* The returned controllerDid is the durable DID that callers should pass
|
|
155
|
+
* to getControllerAuthorization.
|
|
156
|
+
*
|
|
157
|
+
* @param didUrl - A DID URL string (e.g. "did:web:api.example.com#key-1")
|
|
158
|
+
* @param options - Optional configuration (custom fetcher, etc.)
|
|
159
|
+
* @returns Resolved public key plus derived did:jwk controller DID
|
|
160
|
+
* @throws OmaTrustError if resolution fails
|
|
161
|
+
*/
|
|
162
|
+
declare function resolveDidUrlToControllerDid(didUrl: string, options?: ResolveKeyOptions): Promise<ResolvedControllerDid>;
|
|
163
|
+
|
|
164
|
+
/**
|
|
165
|
+
* Identity Types — Phase 4
|
|
166
|
+
*
|
|
167
|
+
* Types for JWS verification results and authorization metadata.
|
|
168
|
+
* These define the contract between signature verification and
|
|
169
|
+
* downstream authorization checks via getControllerAuthorization.
|
|
170
|
+
*/
|
|
171
|
+
|
|
172
|
+
/** Source of the public key used for JWS signature verification */
|
|
173
|
+
type PublicKeySource = "embedded-jwk" | "kid-resolution";
|
|
174
|
+
/**
|
|
175
|
+
* Structured result of JWS signature verification.
|
|
176
|
+
*
|
|
177
|
+
* This result is NOT an authorization result. It does not determine whether
|
|
178
|
+
* the signing key was authorized to act for the service identified by resourceUrl.
|
|
179
|
+
*
|
|
180
|
+
* It provides enough information for callers to perform downstream authorization
|
|
181
|
+
* checks via getControllerAuthorization:
|
|
182
|
+
* - publicKeyDid (did:jwk) is the durable controller DID
|
|
183
|
+
* - resourceUrl identifies the service subject
|
|
184
|
+
* - issuedAt enables authorization-window checks for receipts
|
|
185
|
+
*/
|
|
186
|
+
interface JwsVerificationResult {
|
|
187
|
+
/** Whether the JWS signature is cryptographically valid */
|
|
188
|
+
valid: boolean;
|
|
189
|
+
/** Decoded JWS protected header */
|
|
190
|
+
header: Record<string, unknown>;
|
|
191
|
+
/** Decoded JWS payload */
|
|
192
|
+
payload: Record<string, unknown>;
|
|
193
|
+
/** kid from the JWS header (a key reference, NOT a controller DID) */
|
|
194
|
+
kid: string | null;
|
|
195
|
+
/** The public JWK used for signature verification */
|
|
196
|
+
publicKeyJwk: PublicJwk;
|
|
197
|
+
/** How the public key was obtained */
|
|
198
|
+
publicKeySource: PublicKeySource;
|
|
199
|
+
/**
|
|
200
|
+
* The durable did:jwk derived from the public key.
|
|
201
|
+
* This is the controller DID for downstream authorization checks.
|
|
202
|
+
* Pass this as controllerDid to getControllerAuthorization.
|
|
203
|
+
*/
|
|
204
|
+
publicKeyDid: string;
|
|
205
|
+
/** Error details when valid is false */
|
|
206
|
+
error?: JwsVerificationError;
|
|
207
|
+
}
|
|
208
|
+
/** Error details for failed JWS verification */
|
|
209
|
+
interface JwsVerificationError {
|
|
210
|
+
code: string;
|
|
211
|
+
message: string;
|
|
212
|
+
}
|
|
213
|
+
/**
|
|
214
|
+
* Failed JWS verification result.
|
|
215
|
+
* Returned when parsing, decoding, or signature verification fails.
|
|
216
|
+
*/
|
|
217
|
+
interface JwsVerificationFailure {
|
|
218
|
+
valid: false;
|
|
219
|
+
error: JwsVerificationError;
|
|
220
|
+
header?: Record<string, unknown>;
|
|
221
|
+
payload?: Record<string, unknown>;
|
|
222
|
+
kid?: string | null;
|
|
223
|
+
publicKeyJwk?: PublicJwk;
|
|
224
|
+
publicKeySource?: PublicKeySource;
|
|
225
|
+
publicKeyDid?: string;
|
|
226
|
+
}
|
|
227
|
+
/**
|
|
228
|
+
* Authorization metadata extracted from a verified JWS artifact.
|
|
229
|
+
*
|
|
230
|
+
* This is the information a caller needs to perform an authorization check
|
|
231
|
+
* after JWS signature verification succeeds.
|
|
232
|
+
*
|
|
233
|
+
* Usage:
|
|
234
|
+
* 1. Verify JWS → get JwsVerificationResult
|
|
235
|
+
* 2. Extract AuthorizationMetadata from the result
|
|
236
|
+
* 3. Call getControllerAuthorization({ subjectDid, controllerDid, purpose })
|
|
237
|
+
* 4. Evaluate the returned authorization window against policy
|
|
238
|
+
*/
|
|
239
|
+
interface AuthorizationMetadata {
|
|
240
|
+
/**
|
|
241
|
+
* The durable controller DID (did:jwk) derived from the verified public key.
|
|
242
|
+
* Pass this as controllerDid to getControllerAuthorization.
|
|
243
|
+
*/
|
|
244
|
+
controllerDid: string;
|
|
245
|
+
/**
|
|
246
|
+
* The subject DID derived from resourceUrl.
|
|
247
|
+
* For x402 artifacts, this is typically did:web:<domain-from-resourceUrl>.
|
|
248
|
+
* Pass this as subjectDid to getControllerAuthorization.
|
|
249
|
+
*/
|
|
250
|
+
subjectDid: string | null;
|
|
251
|
+
/**
|
|
252
|
+
* The resourceUrl from the signed payload.
|
|
253
|
+
* Identifies the service/resource the artifact is associated with.
|
|
254
|
+
*/
|
|
255
|
+
resourceUrl: string | null;
|
|
256
|
+
/**
|
|
257
|
+
* The issuedAt timestamp from the signed payload (receipts).
|
|
258
|
+
* Used for authorization-window checks — was the controller authorized at this time?
|
|
259
|
+
*/
|
|
260
|
+
issuedAt: string | null;
|
|
261
|
+
/**
|
|
262
|
+
* The kid from the JWS header (mutable key reference).
|
|
263
|
+
* Useful for key-pinning lookups but NOT a controller DID.
|
|
264
|
+
*/
|
|
265
|
+
kid: string | null;
|
|
266
|
+
/** The public JWK used for signature verification */
|
|
267
|
+
publicKeyJwk: PublicJwk;
|
|
268
|
+
}
|
|
269
|
+
/**
|
|
270
|
+
* Extract authorization metadata from a successful JWS verification result.
|
|
271
|
+
*
|
|
272
|
+
* Derives the subject DID from resourceUrl when possible (assumes did:web
|
|
273
|
+
* for HTTPS URLs). Returns null for subjectDid if resourceUrl is missing
|
|
274
|
+
* or cannot be parsed.
|
|
275
|
+
*
|
|
276
|
+
* @param result - A successful JwsVerificationResult (valid === true)
|
|
277
|
+
* @returns Authorization metadata for downstream getControllerAuthorization calls
|
|
278
|
+
*/
|
|
279
|
+
declare function extractAuthorizationMetadata(result: JwsVerificationResult): AuthorizationMetadata;
|
|
280
|
+
|
|
281
|
+
export { type AuthorizationMetadata as A, type JwkValidationResult as J, type PublicJwk as P, type ResolveKeyOptions as R, type JwsVerificationError as a, type JwsVerificationFailure as b, type JwsVerificationResult as c, type PublicKeySource as d, type ResolvedControllerDid as e, type ResolvedPublicKey as f, computeJwkThumbprint as g, didJwkToJwk as h, extractAuthorizationMetadata as i, formatJktValue as j, jwkToDidJwk as k, resolveDidUrlToPublicKey as l, publicJwkEquals as p, resolveDidUrlToControllerDid as r, validatePublicJwk as v };
|
|
@@ -0,0 +1,281 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* JWK and did:jwk Helpers — Phase 2
|
|
3
|
+
*
|
|
4
|
+
* Provides conversion between public JWKs and did:jwk DIDs,
|
|
5
|
+
* deterministic JWK comparison, and public JWK validation.
|
|
6
|
+
*
|
|
7
|
+
* did:jwk is the preferred durable DID representation for JWS/JWK public key
|
|
8
|
+
* material. It is immutable (the DID IS the key) and should be used as the
|
|
9
|
+
* controllerDid for authorization checks.
|
|
10
|
+
*
|
|
11
|
+
* Uses the `jose` library for base64url encoding/decoding and JWK thumbprints.
|
|
12
|
+
*/
|
|
13
|
+
/** Minimal public JWK structure */
|
|
14
|
+
interface PublicJwk {
|
|
15
|
+
kty: string;
|
|
16
|
+
[key: string]: unknown;
|
|
17
|
+
}
|
|
18
|
+
/** Result of JWK validation */
|
|
19
|
+
interface JwkValidationResult {
|
|
20
|
+
valid: boolean;
|
|
21
|
+
error?: string;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Validate that a JWK object is a well-formed public key.
|
|
25
|
+
*
|
|
26
|
+
* Requirements:
|
|
27
|
+
* - Must be a non-null object
|
|
28
|
+
* - Must have a valid `kty` (EC, OKP, RSA)
|
|
29
|
+
* - Must have required public key fields for its key type
|
|
30
|
+
* - Must NOT contain private key material (d, p, q, dp, dq, qi, oth)
|
|
31
|
+
*/
|
|
32
|
+
declare function validatePublicJwk(jwk: unknown): JwkValidationResult;
|
|
33
|
+
/**
|
|
34
|
+
* Convert a public JWK to a did:jwk DID.
|
|
35
|
+
*
|
|
36
|
+
* Uses deterministic (sorted-key) JSON serialization and base64url encoding.
|
|
37
|
+
* Rejects JWKs containing private key material.
|
|
38
|
+
*
|
|
39
|
+
* @param jwk - A public JWK object
|
|
40
|
+
* @returns The did:jwk DID string
|
|
41
|
+
* @throws OmaTrustError if the JWK is invalid or contains private key material
|
|
42
|
+
*/
|
|
43
|
+
declare function jwkToDidJwk(jwk: unknown): string;
|
|
44
|
+
/**
|
|
45
|
+
* Convert a did:jwk DID back to a public JWK object.
|
|
46
|
+
*
|
|
47
|
+
* Validates the DID structure, decodes the base64url payload,
|
|
48
|
+
* parses JSON, and validates the resulting JWK.
|
|
49
|
+
*
|
|
50
|
+
* @param didJwk - A did:jwk DID string
|
|
51
|
+
* @returns The decoded public JWK object
|
|
52
|
+
* @throws OmaTrustError if the DID is malformed or contains private key material
|
|
53
|
+
*/
|
|
54
|
+
declare function didJwkToJwk(didJwk: string): PublicJwk;
|
|
55
|
+
/**
|
|
56
|
+
* Compare two public JWKs for equality.
|
|
57
|
+
*
|
|
58
|
+
* Compares only the public key material fields (kty, crv, x, y, n, e, etc.).
|
|
59
|
+
* Ignores property order, metadata fields (kid, use, alg, key_ops, ext),
|
|
60
|
+
* and rejects/strips private key fields before comparison.
|
|
61
|
+
*
|
|
62
|
+
* @param a - First public JWK
|
|
63
|
+
* @param b - Second public JWK
|
|
64
|
+
* @returns true if both JWKs represent the same public key
|
|
65
|
+
* @throws OmaTrustError if either JWK contains private key material
|
|
66
|
+
*/
|
|
67
|
+
declare function publicJwkEquals(a: unknown, b: unknown): boolean;
|
|
68
|
+
/**
|
|
69
|
+
* Compute an RFC 7638 JWK Thumbprint for a public JWK.
|
|
70
|
+
*
|
|
71
|
+
* Returns the base64url-encoded SHA-256 thumbprint. This is a compact,
|
|
72
|
+
* deterministic fingerprint of the public key material.
|
|
73
|
+
*
|
|
74
|
+
* Used in OMATrust DNS TXT records as: `jkt=S256:<thumbprint>`
|
|
75
|
+
*
|
|
76
|
+
* @param jwk - A public JWK object
|
|
77
|
+
* @param digestAlgorithm - Hash algorithm (default: "sha256")
|
|
78
|
+
* @returns base64url-encoded thumbprint string
|
|
79
|
+
* @throws OmaTrustError if the JWK is invalid or contains private key material
|
|
80
|
+
*/
|
|
81
|
+
declare function computeJwkThumbprint(jwk: unknown, digestAlgorithm?: "sha256" | "sha384" | "sha512"): Promise<string>;
|
|
82
|
+
/**
|
|
83
|
+
* Format a JWK thumbprint as an OMATrust DNS TXT `jkt` value.
|
|
84
|
+
*
|
|
85
|
+
* Format: `jkt=S256:<base64url-thumbprint>`
|
|
86
|
+
*
|
|
87
|
+
* @param jwk - A public JWK object
|
|
88
|
+
* @returns Formatted jkt string for DNS TXT records
|
|
89
|
+
*/
|
|
90
|
+
declare function formatJktValue(jwk: unknown): Promise<string>;
|
|
91
|
+
|
|
92
|
+
/**
|
|
93
|
+
* DID URL Key Resolution — Phase 3
|
|
94
|
+
*
|
|
95
|
+
* Resolves DID URL key references (e.g. did:web:api.example.com#key-1) to
|
|
96
|
+
* public key material and derives durable did:jwk controller DIDs.
|
|
97
|
+
*
|
|
98
|
+
* DID URLs are mutable key references. This module resolves them to the
|
|
99
|
+
* actual public key material they currently point to, then converts that
|
|
100
|
+
* material into an immutable did:jwk for use as a controller DID.
|
|
101
|
+
*/
|
|
102
|
+
|
|
103
|
+
/** Result of resolving a DID URL to public key material */
|
|
104
|
+
interface ResolvedPublicKey {
|
|
105
|
+
/** The original DID URL */
|
|
106
|
+
didUrl: string;
|
|
107
|
+
/** The base DID (without fragment) */
|
|
108
|
+
did: string;
|
|
109
|
+
/** The fragment identifier */
|
|
110
|
+
fragment: string | null;
|
|
111
|
+
/** The resolved public JWK */
|
|
112
|
+
publicKeyJwk: PublicJwk;
|
|
113
|
+
/** The verification method ID that matched */
|
|
114
|
+
verificationMethodId: string;
|
|
115
|
+
}
|
|
116
|
+
/** Result of resolving a DID URL to a durable controller DID */
|
|
117
|
+
interface ResolvedControllerDid extends ResolvedPublicKey {
|
|
118
|
+
/** The durable did:jwk derived from the resolved public key */
|
|
119
|
+
controllerDid: string;
|
|
120
|
+
}
|
|
121
|
+
/** Options for DID URL key resolution */
|
|
122
|
+
interface ResolveKeyOptions {
|
|
123
|
+
/**
|
|
124
|
+
* Custom DID document fetcher. If not provided, uses the shared
|
|
125
|
+
* fetchDidDocument which fetches from `/.well-known/did.json`.
|
|
126
|
+
*/
|
|
127
|
+
fetchDidDocument?: (domain: string) => Promise<Record<string, unknown>>;
|
|
128
|
+
}
|
|
129
|
+
/**
|
|
130
|
+
* Resolve a DID URL to public key material.
|
|
131
|
+
*
|
|
132
|
+
* Currently supports:
|
|
133
|
+
* - did:web with fragment (e.g. did:web:api.example.com#key-1)
|
|
134
|
+
*
|
|
135
|
+
* Resolution steps:
|
|
136
|
+
* 1. Parse the DID URL
|
|
137
|
+
* 2. Resolve the base DID (fetch DID document)
|
|
138
|
+
* 3. Find the matching verification method
|
|
139
|
+
* 4. Extract and validate publicKeyJwk
|
|
140
|
+
*
|
|
141
|
+
* This function only obtains key material. It does not make authorization
|
|
142
|
+
* decisions or check Controller Witness / Key Binding records.
|
|
143
|
+
*
|
|
144
|
+
* @param didUrl - A DID URL string (e.g. "did:web:api.example.com#key-1")
|
|
145
|
+
* @param options - Optional configuration (custom fetcher, etc.)
|
|
146
|
+
* @returns Resolved public key information
|
|
147
|
+
* @throws OmaTrustError if resolution fails
|
|
148
|
+
*/
|
|
149
|
+
declare function resolveDidUrlToPublicKey(didUrl: string, options?: ResolveKeyOptions): Promise<ResolvedPublicKey>;
|
|
150
|
+
/**
|
|
151
|
+
* Resolve a DID URL to a durable controller DID.
|
|
152
|
+
*
|
|
153
|
+
* This wraps resolveDidUrlToPublicKey and adds the did:jwk conversion step.
|
|
154
|
+
* The returned controllerDid is the durable DID that callers should pass
|
|
155
|
+
* to getControllerAuthorization.
|
|
156
|
+
*
|
|
157
|
+
* @param didUrl - A DID URL string (e.g. "did:web:api.example.com#key-1")
|
|
158
|
+
* @param options - Optional configuration (custom fetcher, etc.)
|
|
159
|
+
* @returns Resolved public key plus derived did:jwk controller DID
|
|
160
|
+
* @throws OmaTrustError if resolution fails
|
|
161
|
+
*/
|
|
162
|
+
declare function resolveDidUrlToControllerDid(didUrl: string, options?: ResolveKeyOptions): Promise<ResolvedControllerDid>;
|
|
163
|
+
|
|
164
|
+
/**
|
|
165
|
+
* Identity Types — Phase 4
|
|
166
|
+
*
|
|
167
|
+
* Types for JWS verification results and authorization metadata.
|
|
168
|
+
* These define the contract between signature verification and
|
|
169
|
+
* downstream authorization checks via getControllerAuthorization.
|
|
170
|
+
*/
|
|
171
|
+
|
|
172
|
+
/** Source of the public key used for JWS signature verification */
|
|
173
|
+
type PublicKeySource = "embedded-jwk" | "kid-resolution";
|
|
174
|
+
/**
|
|
175
|
+
* Structured result of JWS signature verification.
|
|
176
|
+
*
|
|
177
|
+
* This result is NOT an authorization result. It does not determine whether
|
|
178
|
+
* the signing key was authorized to act for the service identified by resourceUrl.
|
|
179
|
+
*
|
|
180
|
+
* It provides enough information for callers to perform downstream authorization
|
|
181
|
+
* checks via getControllerAuthorization:
|
|
182
|
+
* - publicKeyDid (did:jwk) is the durable controller DID
|
|
183
|
+
* - resourceUrl identifies the service subject
|
|
184
|
+
* - issuedAt enables authorization-window checks for receipts
|
|
185
|
+
*/
|
|
186
|
+
interface JwsVerificationResult {
|
|
187
|
+
/** Whether the JWS signature is cryptographically valid */
|
|
188
|
+
valid: boolean;
|
|
189
|
+
/** Decoded JWS protected header */
|
|
190
|
+
header: Record<string, unknown>;
|
|
191
|
+
/** Decoded JWS payload */
|
|
192
|
+
payload: Record<string, unknown>;
|
|
193
|
+
/** kid from the JWS header (a key reference, NOT a controller DID) */
|
|
194
|
+
kid: string | null;
|
|
195
|
+
/** The public JWK used for signature verification */
|
|
196
|
+
publicKeyJwk: PublicJwk;
|
|
197
|
+
/** How the public key was obtained */
|
|
198
|
+
publicKeySource: PublicKeySource;
|
|
199
|
+
/**
|
|
200
|
+
* The durable did:jwk derived from the public key.
|
|
201
|
+
* This is the controller DID for downstream authorization checks.
|
|
202
|
+
* Pass this as controllerDid to getControllerAuthorization.
|
|
203
|
+
*/
|
|
204
|
+
publicKeyDid: string;
|
|
205
|
+
/** Error details when valid is false */
|
|
206
|
+
error?: JwsVerificationError;
|
|
207
|
+
}
|
|
208
|
+
/** Error details for failed JWS verification */
|
|
209
|
+
interface JwsVerificationError {
|
|
210
|
+
code: string;
|
|
211
|
+
message: string;
|
|
212
|
+
}
|
|
213
|
+
/**
|
|
214
|
+
* Failed JWS verification result.
|
|
215
|
+
* Returned when parsing, decoding, or signature verification fails.
|
|
216
|
+
*/
|
|
217
|
+
interface JwsVerificationFailure {
|
|
218
|
+
valid: false;
|
|
219
|
+
error: JwsVerificationError;
|
|
220
|
+
header?: Record<string, unknown>;
|
|
221
|
+
payload?: Record<string, unknown>;
|
|
222
|
+
kid?: string | null;
|
|
223
|
+
publicKeyJwk?: PublicJwk;
|
|
224
|
+
publicKeySource?: PublicKeySource;
|
|
225
|
+
publicKeyDid?: string;
|
|
226
|
+
}
|
|
227
|
+
/**
|
|
228
|
+
* Authorization metadata extracted from a verified JWS artifact.
|
|
229
|
+
*
|
|
230
|
+
* This is the information a caller needs to perform an authorization check
|
|
231
|
+
* after JWS signature verification succeeds.
|
|
232
|
+
*
|
|
233
|
+
* Usage:
|
|
234
|
+
* 1. Verify JWS → get JwsVerificationResult
|
|
235
|
+
* 2. Extract AuthorizationMetadata from the result
|
|
236
|
+
* 3. Call getControllerAuthorization({ subjectDid, controllerDid, purpose })
|
|
237
|
+
* 4. Evaluate the returned authorization window against policy
|
|
238
|
+
*/
|
|
239
|
+
interface AuthorizationMetadata {
|
|
240
|
+
/**
|
|
241
|
+
* The durable controller DID (did:jwk) derived from the verified public key.
|
|
242
|
+
* Pass this as controllerDid to getControllerAuthorization.
|
|
243
|
+
*/
|
|
244
|
+
controllerDid: string;
|
|
245
|
+
/**
|
|
246
|
+
* The subject DID derived from resourceUrl.
|
|
247
|
+
* For x402 artifacts, this is typically did:web:<domain-from-resourceUrl>.
|
|
248
|
+
* Pass this as subjectDid to getControllerAuthorization.
|
|
249
|
+
*/
|
|
250
|
+
subjectDid: string | null;
|
|
251
|
+
/**
|
|
252
|
+
* The resourceUrl from the signed payload.
|
|
253
|
+
* Identifies the service/resource the artifact is associated with.
|
|
254
|
+
*/
|
|
255
|
+
resourceUrl: string | null;
|
|
256
|
+
/**
|
|
257
|
+
* The issuedAt timestamp from the signed payload (receipts).
|
|
258
|
+
* Used for authorization-window checks — was the controller authorized at this time?
|
|
259
|
+
*/
|
|
260
|
+
issuedAt: string | null;
|
|
261
|
+
/**
|
|
262
|
+
* The kid from the JWS header (mutable key reference).
|
|
263
|
+
* Useful for key-pinning lookups but NOT a controller DID.
|
|
264
|
+
*/
|
|
265
|
+
kid: string | null;
|
|
266
|
+
/** The public JWK used for signature verification */
|
|
267
|
+
publicKeyJwk: PublicJwk;
|
|
268
|
+
}
|
|
269
|
+
/**
|
|
270
|
+
* Extract authorization metadata from a successful JWS verification result.
|
|
271
|
+
*
|
|
272
|
+
* Derives the subject DID from resourceUrl when possible (assumes did:web
|
|
273
|
+
* for HTTPS URLs). Returns null for subjectDid if resourceUrl is missing
|
|
274
|
+
* or cannot be parsed.
|
|
275
|
+
*
|
|
276
|
+
* @param result - A successful JwsVerificationResult (valid === true)
|
|
277
|
+
* @returns Authorization metadata for downstream getControllerAuthorization calls
|
|
278
|
+
*/
|
|
279
|
+
declare function extractAuthorizationMetadata(result: JwsVerificationResult): AuthorizationMetadata;
|
|
280
|
+
|
|
281
|
+
export { type AuthorizationMetadata as A, type JwkValidationResult as J, type PublicJwk as P, type ResolveKeyOptions as R, type JwsVerificationError as a, type JwsVerificationFailure as b, type JwsVerificationResult as c, type PublicKeySource as d, type ResolvedControllerDid as e, type ResolvedPublicKey as f, computeJwkThumbprint as g, didJwkToJwk as h, extractAuthorizationMetadata as i, formatJktValue as j, jwkToDidJwk as k, resolveDidUrlToPublicKey as l, publicJwkEquals as p, resolveDidUrlToControllerDid as r, validatePublicJwk as v };
|