@sphereon/ssi-sdk-ext.identifier-resolution 0.24.1-next.100

package/src/agent/IdentifierResolution.ts

@@ -0,0 +1,112 @@
+import { IAgentContext, IAgentPlugin, IDIDManager, IKeyManager } from '@veramo/core'
+import { ensureManagedIdentifierResult, ManagedIdentifierKeyOpts, ManagedIdentifierKeyResult, ManagedIdentifierOptsOrResult, schema } from '..'
+import { resolveExternalIdentifier } from '../functions'
+import {
+  ExternalIdentifierDidOpts,
+  ExternalIdentifierDidResult,
+  ExternalIdentifierOpts,
+  ExternalIdentifierResult,
+  ExternalIdentifierX5cOpts,
+  ExternalIdentifierX5cResult,
+  IIdentifierResolution,
+  ManagedIdentifierDidOpts,
+  ManagedIdentifierDidResult,
+  ManagedIdentifierJwkOpts,
+  ManagedIdentifierJwkResult,
+  ManagedIdentifierKidOpts,
+  ManagedIdentifierKidResult,
+  ManagedIdentifierResult,
+  ManagedIdentifierX5cOpts,
+  ManagedIdentifierX5cResult,
+} from '../types'
+
+/**
+ * @public
+ */
+export class IdentifierResolution implements IAgentPlugin {
+  private readonly _crypto: Crypto
+
+  readonly schema = schema.IMnemonicInfoGenerator
+  readonly methods: IIdentifierResolution = {
+    identifierManagedGet: this.identifierGetManaged.bind(this),
+    identifierManagedGetByDid: this.identifierGetManagedByDid.bind(this),
+    identifierManagedGetByKid: this.identifierGetManagedByKid.bind(this),
+    identifierManagedGetByJwk: this.identifierGetManagedByJwk.bind(this),
+    identifierManagedGetByX5c: this.identifierGetManagedByX5c.bind(this),
+    identifierManagedGetByKey: this.identifierGetManagedByKey.bind(this),
+
+    identifierExternalResolve: this.identifierResolveExternal.bind(this),
+    identifierExternalResolveByDid: this.identifierExternalResolveByDid.bind(this),
+    identifierExternalResolveByX5c: this.identifierExternalResolveByX5c.bind(this),
+
+    // todo: JWKSet, oidc-discovery, oid4vci-issuer etc. Anything we already can resolve and need keys of
+  }
+
+  /**
+   * TODO: Add a cache, as we are retrieving the same keys/info quite often
+   */
+  constructor(opts?: { crypto?: Crypto }) {
+    this._crypto = opts?.crypto ?? global.crypto
+  }
+
+  /**
+   * Main method for managed identifiers. We always go through this method (also the other methods below) as we want to
+   * integrate a plugin for anomaly detection. Having a single method helps
+   * @param args
+   * @param context
+   * @private
+   */
+  private async identifierGetManaged(
+    args: ManagedIdentifierOptsOrResult,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierResult> {
+    return await ensureManagedIdentifierResult({ ...args, crypto: this._crypto }, context)
+  }
+
+  private async identifierGetManagedByDid(
+    args: ManagedIdentifierDidOpts,
+    context: IAgentContext<IKeyManager & IDIDManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierDidResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'did' }, context)) as ManagedIdentifierDidResult
+  }
+
+  private async identifierGetManagedByKid(
+    args: ManagedIdentifierKidOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierKidResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'kid' }, context)) as ManagedIdentifierKidResult
+  }
+
+  private async identifierGetManagedByKey(
+    args: ManagedIdentifierKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierKeyResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'key' }, context)) as ManagedIdentifierKeyResult
+  }
+
+  private async identifierGetManagedByJwk(
+    args: ManagedIdentifierJwkOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierJwkResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'jwk' }, context)) as ManagedIdentifierJwkResult
+  }
+
+  private async identifierGetManagedByX5c(
+    args: ManagedIdentifierX5cOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierX5cResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'x5c' }, context)) as ManagedIdentifierX5cResult
+  }
+
+  private async identifierResolveExternal(args: ExternalIdentifierOpts, context: IAgentContext<IKeyManager>): Promise<ExternalIdentifierResult> {
+    return await resolveExternalIdentifier({ ...args, crypto: this._crypto }, context)
+  }
+
+  private async identifierExternalResolveByDid(args: ExternalIdentifierDidOpts, context: IAgentContext<any>): Promise<ExternalIdentifierDidResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'did' }, context)) as ExternalIdentifierDidResult
+  }
+
+  private async identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'x5c' }, context)) as ExternalIdentifierX5cResult
+  }
+}

package/src/functions/LegacySupport.ts

@@ -0,0 +1,50 @@
+import { IIdentifier } from '@veramo/core'
+import { ManagedIdentifierDidOpts, ManagedIdentifierOptsOrResult } from '../types'
+
+/**
+ * Converts legacy id opts key refs to the new ManagedIdentifierOpts
+ * @param opts
+ */
+export function legacyKeyRefsToIdentifierOpts(opts: {
+  idOpts?: ManagedIdentifierOptsOrResult
+  iss?: string
+  keyRef?: string
+  didOpts?: any
+}): ManagedIdentifierOptsOrResult {
+  if (!opts.idOpts) {
+    console.warn(
+      `Legacy idOpts being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+    )
+    // legacy way
+    let kmsKeyRef =
+      opts.keyRef ??
+      opts.didOpts?.idOpts?.kmsKeyRef ??
+      (typeof opts.didOpts?.idOpts.identifier === 'object' ? (opts.didOpts?.idOpts.identifier as IIdentifier).keys[0].kid : undefined)
+    if (!kmsKeyRef) {
+      throw Error('Key ref is needed for access token signer')
+    }
+    return {
+      kmsKeyRef: opts.keyRef ?? kmsKeyRef,
+      identifier: kmsKeyRef,
+      issuer: opts.iss,
+    } satisfies ManagedIdentifierDidOpts
+  } else {
+    const idOpts = opts.idOpts
+    if (opts.keyRef && !idOpts.kmsKeyRef) {
+      // legacy way
+      console.warn(
+        `Legacy keyRef being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+      )
+      idOpts.kmsKeyRef = opts.keyRef
+    }
+    if (opts.iss && !idOpts.issuer) {
+      // legacy way
+      console.warn(
+        `Legacy iss being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+      )
+      idOpts.issuer = opts.iss
+    }
+
+    return idOpts
+  }
+}

package/src/functions/externalIdentifierFunctions.ts

@@ -0,0 +1,183 @@
+import { didDocumentToJwks, getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
+import { calculateJwkThumbprint, JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import {
+  getSubjectDN,
+  pemOrDerToX509Certificate,
+  PEMToDer,
+  validateX509CertificateChain,
+  X509ValidationResult,
+} from '@sphereon/ssi-sdk-ext.x509-utils'
+import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
+import { IParsedDID, parseDid } from '@sphereon/ssi-types'
+import { IAgentContext, IDIDManager, IResolver } from '@veramo/core'
+import { isDefined } from '@veramo/utils'
+import { CryptoEngine, setEngine } from 'pkijs'
+import {
+  ExternalIdentifierDidOpts,
+  ExternalIdentifierDidResult,
+  ExternalIdentifierMethod,
+  ExternalIdentifierOpts,
+  ExternalIdentifierResult,
+  ExternalIdentifierX5cOpts,
+  ExternalIdentifierX5cResult,
+  ExternalJwkInfo,
+  isExternalIdentifierDidOpts,
+  isExternalIdentifierJwksUrlOpts,
+  isExternalIdentifierKidOpts,
+  isExternalIdentifierOidcDiscoveryOpts,
+  isExternalIdentifierX5cOpts,
+} from '../types'
+
+export async function resolveExternalIdentifier(
+  opts: ExternalIdentifierOpts & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<any>
+): Promise<ExternalIdentifierResult> {
+  let method: ExternalIdentifierMethod | undefined
+  if (isExternalIdentifierDidOpts(opts)) {
+    return resolveExternalDidIdentifier(opts, context)
+  } else if (isExternalIdentifierX5cOpts(opts)) {
+    return resolveExternalX5cIdentifier(opts, context)
+  } else if (isExternalIdentifierKidOpts(opts)) {
+    method = 'kid'
+  } else if (isExternalIdentifierJwksUrlOpts(opts)) {
+    method = 'jwks-url'
+  } else if (isExternalIdentifierOidcDiscoveryOpts(opts)) {
+    method = 'oidc-discovery'
+  }
+  throw Error(`External resolution method ${method} is not yet implemented`)
+}
+
+export async function resolveExternalX5cIdentifier(
+  opts: ExternalIdentifierX5cOpts & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IResolver & IDIDManager>
+): Promise<ExternalIdentifierX5cResult> {
+  if (!isExternalIdentifierX5cOpts(opts)) {
+    return Promise.reject('External x5c Identifier args need to be provided')
+  }
+  const verify = opts.verify ?? true
+  const x5c = opts.identifier.map((derOrPem) => (derOrPem.includes('CERTIFICATE') ? PEMToDer(derOrPem) : derOrPem))
+  if (x5c.length === 0) {
+    return Promise.reject('Empty certification chain is now allowed')
+  }
+  const certificates = x5c.map(pemOrDerToX509Certificate)
+
+  let verificationResult: X509ValidationResult | undefined
+  let issuerJWK: JWK | undefined
+  let jwks: ExternalJwkInfo[] = []
+
+  if (verify) {
+    // We use the agent plugin if it is available as that is more powerful, but revert to the function otherwise
+    if (contextHasPlugin(context, 'verifyCertificateChain')) {
+      verificationResult = (await context.agent.verifyCertificateChain({
+        chain: opts.identifier,
+        trustAnchors: opts.trustAnchors ?? [],
+        verificationTime: opts.verificationTime,
+      })) as X509ValidationResult // We need to cast, as we know this is the value and we do not want to rely on the x509 plugin perse
+    } else {
+      verificationResult = await validateX509CertificateChain({
+        chain: opts.identifier,
+        trustAnchors: opts.trustAnchors ?? [],
+        verificationTime: opts.verificationTime,
+      })
+    }
+    if (verificationResult.certificateChain) {
+      jwks = verificationResult.certificateChain.map((cert) => {
+        return {
+          jwk: cert.publicKeyJWK,
+          kid: cert.subject.dn.DN,
+          jwkThumbprint: calculateJwkThumbprint({ jwk: cert.publicKeyJWK }),
+        } satisfies ExternalJwkInfo
+      })
+    }
+  }
+  if (!jwks || jwks.length === 0) {
+    const cryptoEngine = new CryptoEngine({
+      name: 'identifier_resolver_external',
+      crypto: opts.crypto ?? global.crypto,
+    })
+    setEngine(cryptoEngine.name, cryptoEngine)
+    jwks = await Promise.all(
+      certificates.map(async (cert) => {
+        const pk = await cert.getPublicKey(undefined, cryptoEngine)
+        const jwk = (await cryptoEngine.exportKey('jwk', pk)) as JWK
+        return {
+          jwk,
+          kid: getSubjectDN(cert).DN,
+          jwkThumbprint: calculateJwkThumbprint({ jwk }),
+        } satisfies ExternalJwkInfo
+      })
+    )
+  }
+  if (jwks.length === 0) {
+    return Promise.reject('Empty certification chain is now allowed')
+  }
+  if (!issuerJWK) {
+    issuerJWK = jwks[0].jwk
+  }
+
+  return {
+    method: 'x5c',
+    verificationResult,
+    issuerJWK,
+    jwks,
+    certificates,
+    x5c,
+  }
+}
+
+export async function resolveExternalDidIdentifier(
+  opts: ExternalIdentifierDidOpts,
+  context: IAgentContext<IResolver & IDIDManager>
+): Promise<ExternalIdentifierDidResult> {
+  if (!isExternalIdentifierDidOpts(opts)) {
+    return Promise.reject('External DID Identifier args need to be provided')
+  } else if (!contextHasPlugin<IResolver & IDIDManager>(context, 'resolveDid')) {
+    return Promise.reject(Error(`Cannot get external DID identifier if DID resolver plugin is not enabled!`))
+  }
+  const { uniresolverResolution = false, localResolution = true, resolverResolution = true } = opts
+  const did = opts.identifier
+  let parsed: IParsedDID
+  try {
+    parsed = parseDid(did)
+  } catch (error: unknown) {
+    // Error from did resolution spec
+    return Promise.reject(error)
+  }
+  const didParsed = parsed
+  const didResolutionResult = await getAgentResolver(context, {
+    uniresolverResolution,
+    localResolution,
+    resolverResolution,
+  }).resolve(did)
+  const didDocument = didResolutionResult.didDocument ?? undefined
+  const didJwks = didDocument ? didDocumentToJwks(didDocument) : undefined
+  const jwks = didJwks
+    ? Array.from(
+        new Set(
+          Object.values(didJwks)
+            .filter((jwks) => isDefined(jwks) && jwks.length > 0)
+            .flatMap((jwks) => jwks)
+        )
+      ).map((jwk) => {
+        return { jwk, jwkThumbprint: calculateJwkThumbprint({ jwk }), kid: jwk.kid }
+      })
+    : []
+
+  if (didResolutionResult?.didDocument) {
+    // @ts-ignore // Mandatory on the original object, but we already provide it directly
+    delete didResolutionResult['didDocument']
+  }
+  return {
+    method: 'did',
+    did,
+    jwks,
+    didJwks,
+    didDocument,
+    didResolutionResult,
+    didParsed,
+  }
+}

package/src/functions/index.ts

@@ -0,0 +1,3 @@
+export * from './managedIdentifierFunctions'
+export * from './externalIdentifierFunctions'
+export * from './LegacySupport'

package/src/functions/managedIdentifierFunctions.ts

@@ -0,0 +1,278 @@
+import { getFirstKeyWithRelation } from '@sphereon/ssi-sdk-ext.did-utils'
+import { calculateJwkThumbprint, JWK, toJwk } from '@sphereon/ssi-sdk-ext.key-utils'
+import { pemOrDerToX509Certificate } from '@sphereon/ssi-sdk-ext.x509-utils'
+import { contextHasDidManager, contextHasKeyManager } from '@sphereon/ssi-sdk.agent-config'
+import { IAgentContext, IIdentifier, IKey, IKeyManager } from '@veramo/core'
+import { CryptoEngine, setEngine } from 'pkijs'
+import {
+  IIdentifierResolution,
+  isManagedIdentifierDidOpts,
+  isManagedIdentifierDidResult,
+  isManagedIdentifierJwkOpts,
+  isManagedIdentifierJwkResult,
+  isManagedIdentifierKeyOpts,
+  isManagedIdentifierKeyResult,
+  isManagedIdentifierKidOpts,
+  isManagedIdentifierX5cOpts,
+  ManagedIdentifierDidOpts,
+  ManagedIdentifierDidResult,
+  ManagedIdentifierJwkOpts,
+  ManagedIdentifierJwkResult,
+  ManagedIdentifierKeyOpts,
+  ManagedIdentifierKeyResult,
+  ManagedIdentifierKidOpts,
+  ManagedIdentifierKidResult,
+  ManagedIdentifierOptsOrResult,
+  ManagedIdentifierResult,
+  ManagedIdentifierX5cOpts,
+  ManagedIdentifierX5cResult,
+} from '../types'
+
+export async function getManagedKidIdentifier(
+  opts: ManagedIdentifierKidOpts,
+  context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierKidResult> {
+  const method = 'kid'
+  if (!contextHasKeyManager(context)) {
+    return Promise.reject(Error(`Cannot get Key/JWK identifier if KeyManager plugin is not enabled!`))
+  }
+  const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? opts.identifier })
+  const jwk = toJwk(key.publicKeyHex, key.type, { key })
+  const jwkThumbprint = (key.meta?.jwkThumbprint as string) ?? calculateJwkThumbprint({ jwk })
+  const kid = opts.kid ?? (key.meta?.verificationMethod?.id as string) ?? jwkThumbprint
+  const issuer = opts.issuer ?? kid // The different identifiers should set the value. Defaults to the kid
+  return {
+    method,
+    key,
+    identifier: opts.identifier,
+    jwk,
+    jwkThumbprint,
+    kid,
+    issuer,
+    kmsKeyRef: key.kid,
+    opts,
+  } satisfies ManagedIdentifierKidResult
+}
+
+function isManagedIdentifierResult(identifier: ManagedIdentifierOptsOrResult & { crypto?: Crypto }): identifier is ManagedIdentifierResult {
+  return 'key' in identifier && 'kmsKeyRef' in identifier && 'method' in identifier && 'opts' in identifier
+}
+
+/**
+ * Allows to get a managed identifier result in case identifier options are passed in, but returns the identifier directly in case results are passed in. This means resolution can have happened before, or happens in this method
+ * @param identifier
+ * @param context
+ */
+export async function ensureManagedIdentifierResult(
+  identifier: ManagedIdentifierOptsOrResult & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierResult> {
+  const { lazyDisabled = false } = identifier
+  return !lazyDisabled && isManagedIdentifierResult(identifier) ? identifier : await getManagedIdentifier(identifier, context)
+}
+
+/**
+ * This function is just a convenience function to get a common result. The user already apparently had a key, so could have called the kid version as well
+ * @param opts
+ * @param _context
+ */
+export async function getManagedKeyIdentifier(opts: ManagedIdentifierKeyOpts, _context?: IAgentContext<any>): Promise<ManagedIdentifierKeyResult> {
+  const method = 'key'
+  const key: IKey = opts.identifier
+  if (opts.kmsKeyRef && opts.kmsKeyRef !== key.kid) {
+    return Promise.reject(Error(`Cannot get a managed key object by providing a key and a kmsKeyRef that are different.}`))
+  }
+  const jwk = toJwk(key.publicKeyHex, key.type, { key })
+  const jwkThumbprint = (key.meta?.jwkThumbprint as string) ?? calculateJwkThumbprint({ jwk })
+  const kid = opts.kid ?? (key.meta?.verificationMethod?.id as string) ?? jwkThumbprint
+  const issuer = opts.issuer ?? kid // The different identifiers should set the value. Defaults to the kid
+  return {
+    method,
+    key,
+    identifier: key,
+    jwk,
+    jwkThumbprint,
+    kid,
+    issuer,
+    kmsKeyRef: key.kid,
+    opts,
+  } satisfies ManagedIdentifierKeyResult
+}
+
+export async function getManagedDidIdentifier(opts: ManagedIdentifierDidOpts, context: IAgentContext<any>): Promise<ManagedIdentifierDidResult> {
+  const method = 'did'
+  if (!contextHasDidManager(context)) {
+    return Promise.reject(Error(`Cannot get DID identifier if DID Manager plugin is not enabled!`))
+  }
+
+  let identifier: IIdentifier
+  if (typeof opts.identifier === 'string') {
+    identifier = await context.agent.didManagerGet({ did: opts.identifier.split('#')[0] })
+  } else {
+    identifier = opts.identifier
+  }
+
+  const did = identifier.did
+  const keys = identifier?.keys // fixme: We really want to return the vmRelationship keys here actually
+  const extendedKey = await getFirstKeyWithRelation(
+    {
+      ...opts,
+      identifier,
+      vmRelationship: opts.vmRelationship ?? 'verificationMethod',
+    },
+    context
+  )
+  const key = extendedKey
+  const controllerKeyId = identifier.controllerKeyId
+  const jwk = toJwk(key.publicKeyHex, key.type, { key })
+  const jwkThumbprint = key.meta?.jwkThumbprint ?? calculateJwkThumbprint({ jwk })
+  let kid = opts.kid ?? extendedKey.meta?.verificationMethod?.id
+  if (!kid.startsWith(did)) {
+    // Make sure we create a fully qualified kid
+    const hash = kid.startsWith('#') ? '' : '#'
+    kid = `${did}${hash}${kid}`
+  }
+  const issuer = opts.issuer ?? did
+  return {
+    method,
+    key,
+    did,
+    kmsKeyRef: key.kid,
+    jwk,
+    jwkThumbprint,
+    controllerKeyId,
+    kid,
+    keys,
+    issuer,
+    identifier,
+    opts,
+  }
+}
+
+export async function getManagedJwkIdentifier(
+  opts: ManagedIdentifierJwkOpts,
+  context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierJwkResult> {
+  const method = 'jwk'
+  const { kid, issuer } = opts
+  if (!contextHasKeyManager(context)) {
+    return Promise.reject(Error(`Cannot get Key/JWK identifier if KeyManager plugin is not enabled!`))
+  }
+  const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? calculateJwkThumbprint({ jwk: opts.identifier }) })
+  const jwk = opts.identifier ?? toJwk(key.publicKeyHex, key.type, { key })
+  const jwkThumbprint = (key.meta?.jwkThumbprint as string) ?? calculateJwkThumbprint({ jwk })
+  // we explicitly do not set the kid and issuer, meaning it can remain null. Normally you do not provide a kid and issuer with Jwks.
+  return {
+    method,
+    key,
+    kmsKeyRef: key.kid,
+    identifier: jwk,
+    jwk,
+    jwkThumbprint,
+    kid,
+    issuer,
+    opts,
+  } satisfies ManagedIdentifierJwkResult
+}
+
+export async function getManagedX5cIdentifier(
+  opts: ManagedIdentifierX5cOpts & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierX5cResult> {
+  const { kid, issuer } = opts
+  const method = 'x5c'
+  const x5c = opts.identifier
+  if (x5c.length === 0) {
+    return Promise.reject(`Cannot resolve x5c when an empty x5c is passed in`)
+  } else if (!contextHasKeyManager(context)) {
+    return Promise.reject(Error(`Cannot get X5c identifier if KeyManager plugin is not enabled!`))
+  }
+  const cryptoImpl = opts.crypto ?? crypto
+  const certificate = pemOrDerToX509Certificate(x5c[0])
+  const cryptoEngine = new CryptoEngine({ name: 'identifier_resolver_managed', crypto: cryptoImpl })
+  setEngine(cryptoEngine.name, cryptoEngine)
+  const pk = await certificate.getPublicKey(undefined, cryptoEngine)
+  const jwk = (await cryptoEngine.subtle.exportKey('jwk', pk)) as JWK
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? jwkThumbprint })
+  // we explicitly do not set the kid and issuer, meaning it can remain null. Normally you do not provide a kid and issuer with x5c.
+
+  return {
+    method,
+    x5c,
+    identifier: x5c,
+    certificate,
+    jwk,
+    jwkThumbprint,
+    key,
+    kmsKeyRef: key.kid,
+    kid,
+    issuer,
+    opts,
+  } satisfies ManagedIdentifierX5cResult
+}
+
+export async function getManagedIdentifier(
+  opts: ManagedIdentifierOptsOrResult & {
+    crypto?: Crypto
+  },
+  context: IAgentContext<IKeyManager>
+): Promise<ManagedIdentifierResult> {
+  let resolutionResult: ManagedIdentifierResult
+  if (isManagedIdentifierResult(opts)) {
+    opts
+  }
+  if (isManagedIdentifierKidOpts(opts)) {
+    resolutionResult = await getManagedKidIdentifier(opts, context)
+  } else if (isManagedIdentifierDidOpts(opts)) {
+    resolutionResult = await getManagedDidIdentifier(opts, context)
+  } else if (isManagedIdentifierJwkOpts(opts)) {
+    resolutionResult = await getManagedJwkIdentifier(opts, context)
+  } else if (isManagedIdentifierX5cOpts(opts)) {
+    resolutionResult = await getManagedX5cIdentifier(opts, context)
+  } else if (isManagedIdentifierKeyOpts(opts)) {
+    resolutionResult = await getManagedKeyIdentifier(opts, context)
+  } else {
+    return Promise.reject(Error(`Could not determine identifier method. Please provide explicitly`))
+  }
+  const { key } = resolutionResult
+  if (!key || (isManagedIdentifierDidOpts(opts) && isManagedIdentifierDidResult(resolutionResult) && !resolutionResult.identifier)) {
+    console.log(`Cannot find identifier`, opts.identifier)
+    return Promise.reject(`Cannot find identifier ${opts.identifier}`)
+  }
+  return resolutionResult
+}
+
+export async function managedIdentifierToKeyResult(
+  identifier: ManagedIdentifierOptsOrResult,
+  context: IAgentContext<IIdentifierResolution & IKeyManager>
+): Promise<ManagedIdentifierKeyResult> {
+  const resolved = await ensureManagedIdentifierResult(identifier, context)
+  if (isManagedIdentifierKeyResult(resolved)) {
+    return resolved
+  }
+  return {
+    ...resolved,
+    method: 'key',
+    identifier: resolved.key,
+  } satisfies ManagedIdentifierKeyResult
+}
+
+export async function managedIdentifierToJwk(
+  identifier: ManagedIdentifierOptsOrResult,
+  context: IAgentContext<IIdentifierResolution & IKeyManager>
+): Promise<ManagedIdentifierJwkResult> {
+  const resolved = await ensureManagedIdentifierResult(identifier, context)
+  if (isManagedIdentifierJwkResult(resolved)) {
+    return resolved
+  }
+  return {
+    ...resolved,
+    method: 'jwk',
+    identifier: resolved.jwk,
+  } satisfies ManagedIdentifierJwkResult
+}

package/src/index.ts

@@ -0,0 +1,11 @@
+/**
+ * @internal
+ */
+const schema = require('../plugin.schema.json')
+export { schema }
+/**
+ * @public
+ */
+export { IdentifierResolution } from './agent/IdentifierResolution'
+export * from './functions'
+export * from './types'