@sphereon/ssi-sdk-ext.identifier-resolution 0.24.1-next.103 → 0.24.1-next.105

package/src/agent/IdentifierResolution.ts

@@ -1,5 +1,15 @@
 import { IAgentContext, IAgentPlugin, IDIDManager, IKeyManager } from '@veramo/core'
-import { ensureManagedIdentifierResult, ManagedIdentifierKeyOpts, ManagedIdentifierKeyResult, ManagedIdentifierOptsOrResult, schema } from '..'
+import {
+  ensureManagedIdentifierResult,
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
+  ManagedIdentifierKeyOpts,
+  ManagedIdentifierKeyResult,
+  ManagedIdentifierOptsOrResult,
+  schema,
+} from '..'
 import { resolveExternalIdentifier } from '../functions'
 import {
   ExternalIdentifierDidOpts,
@@ -9,6 +19,8 @@ import {
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
   IIdentifierResolution,
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
   ManagedIdentifierJwkOpts,
@@ -34,10 +46,13 @@ export class IdentifierResolution implements IAgentPlugin {
     identifierManagedGetByJwk: this.identifierGetManagedByJwk.bind(this),
     identifierManagedGetByX5c: this.identifierGetManagedByX5c.bind(this),
     identifierManagedGetByKey: this.identifierGetManagedByKey.bind(this),
+    identifierManagedGetByCoseKey: this.identifierGetManagedByCoseKey.bind(this),
 
     identifierExternalResolve: this.identifierResolveExternal.bind(this),
     identifierExternalResolveByDid: this.identifierExternalResolveByDid.bind(this),
     identifierExternalResolveByX5c: this.identifierExternalResolveByX5c.bind(this),
+    identifierExternalResolveByJwk: this.identifierExternalResolveByJwk.bind(this),
+    identifierExternalResolveByCoseKey: this.identifierExternalResolveByCoseKey.bind(this),
 
     // todo: JWKSet, oidc-discovery, oid4vci-issuer etc. Anything we already can resolve and need keys of
   }
@@ -84,6 +99,13 @@ export class IdentifierResolution implements IAgentPlugin {
     return (await this.identifierGetManaged({ ...args, method: 'key' }, context)) as ManagedIdentifierKeyResult
   }
 
+  private async identifierGetManagedByCoseKey(
+    args: ManagedIdentifierCoseKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierCoseKeyResult> {
+    return (await this.identifierGetManaged({ ...args, method: 'cose_key' }, context)) as ManagedIdentifierCoseKeyResult
+  }
+
   private async identifierGetManagedByJwk(
     args: ManagedIdentifierJwkOpts,
     context: IAgentContext<IKeyManager & IIdentifierResolution>
@@ -109,4 +131,14 @@ export class IdentifierResolution implements IAgentPlugin {
   private async identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult> {
     return (await this.identifierResolveExternal({ ...args, method: 'x5c' }, context)) as ExternalIdentifierX5cResult
   }
+
+  private async identifierExternalResolveByCoseKey(
+    args: ExternalIdentifierCoseKeyOpts,
+    context: IAgentContext<any>
+  ): Promise<ExternalIdentifierCoseKeyResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'cose_key' }, context)) as ExternalIdentifierCoseKeyResult
+  }
+  private async identifierExternalResolveByJwk(args: ExternalIdentifierJwkOpts, context: IAgentContext<any>): Promise<ExternalIdentifierJwkResult> {
+    return (await this.identifierResolveExternal({ ...args, method: 'jwk' }, context)) as ExternalIdentifierJwkResult
+  }
 }

package/src/functions/LegacySupport.ts

@@ -1,50 +1,54 @@
-import { IIdentifier } from '@veramo/core'
-import { ManagedIdentifierDidOpts, ManagedIdentifierOptsOrResult } from '../types'
+import {IIdentifier} from '@veramo/core'
+import {ManagedIdentifierDidOpts, ManagedIdentifierOptsOrResult} from '../types'
 
 /**
  * Converts legacy id opts key refs to the new ManagedIdentifierOpts
  * @param opts
  */
 export function legacyKeyRefsToIdentifierOpts(opts: {
-  idOpts?: ManagedIdentifierOptsOrResult
-  iss?: string
-  keyRef?: string
-  didOpts?: any
+    idOpts?: ManagedIdentifierOptsOrResult
+    iss?: string
+    keyRef?: string
+    didOpts?: any
 }): ManagedIdentifierOptsOrResult {
-  if (!opts.idOpts) {
-    console.warn(
-      `Legacy idOpts being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
-    )
-    // legacy way
-    let kmsKeyRef =
-      opts.keyRef ??
-      opts.didOpts?.idOpts?.kmsKeyRef ??
-      (typeof opts.didOpts?.idOpts.identifier === 'object' ? (opts.didOpts?.idOpts.identifier as IIdentifier).keys[0].kid : undefined)
-    if (!kmsKeyRef) {
-      throw Error('Key ref is needed for access token signer')
-    }
-    return {
-      kmsKeyRef: opts.keyRef ?? kmsKeyRef,
-      identifier: kmsKeyRef,
-      issuer: opts.iss,
-    } satisfies ManagedIdentifierDidOpts
-  } else {
-    const idOpts = opts.idOpts
-    if (opts.keyRef && !idOpts.kmsKeyRef) {
-      // legacy way
-      console.warn(
-        `Legacy keyRef being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
-      )
-      idOpts.kmsKeyRef = opts.keyRef
-    }
-    if (opts.iss && !idOpts.issuer) {
-      // legacy way
-      console.warn(
-        `Legacy iss being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
-      )
-      idOpts.issuer = opts.iss
-    }
+    if (!opts.idOpts) {
+        console.warn(
+            `Legacy idOpts being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+        )
+        // legacy way
+        let kmsKeyRef =
+            opts.keyRef ??
+            opts.didOpts?.idOpts?.kmsKeyRef ??
+            opts.didOpts?.kid ??
+            opts.didOpts.idOpts?.kid ??
+            (typeof opts.didOpts?.idOpts.identifier === 'object' ? (opts.didOpts?.idOpts.identifier as IIdentifier).keys[0].kid : undefined)
+        if (!kmsKeyRef) {
+            throw Error('Key ref is needed for access token signer')
+        }
+        let identifier =  (opts.didOpts?.identifier ?? opts.didOpts?.idOpts?.identifier) as IIdentifier | undefined
 
-    return idOpts
-  }
+        return {
+            kmsKeyRef: opts.keyRef ?? kmsKeyRef,
+            identifier: identifier ?? kmsKeyRef,
+            issuer: opts.iss,
+        } satisfies ManagedIdentifierDidOpts
+    } else {
+        const idOpts = opts.idOpts
+        if (opts.keyRef && !idOpts.kmsKeyRef) {
+            // legacy way
+            console.warn(
+                `Legacy keyRef being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+            )
+            idOpts.kmsKeyRef = opts.keyRef
+        }
+        if (opts.iss && !idOpts.issuer) {
+            // legacy way
+            console.warn(
+                `Legacy iss being used. Support will be dropped in the future. Consider switching to the idOpts, to have support for DIDs, JWKS, x5c etc. See https://github.com/Sphereon-Opensource/SSI-SDK-crypto-extensions/tree/feature/multi_identifier_support/packages/identifier-resolution`
+            )
+            idOpts.issuer = opts.iss
+        }
+
+        return idOpts
+    }
 }

package/src/functions/externalIdentifierFunctions.ts

@@ -1,5 +1,5 @@
-import { didDocumentToJwks, getAgentResolver } from '@sphereon/ssi-sdk-ext.did-utils'
-import { calculateJwkThumbprint, JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import { didDocumentToJwks, getAgentResolver, jwkTtoPublicKeyHex } from '@sphereon/ssi-sdk-ext.did-utils'
+import { calculateJwkThumbprint, coseKeyToJwk } from '@sphereon/ssi-sdk-ext.key-utils'
 import {
   getSubjectDN,
   pemOrDerToX509Certificate,
@@ -8,20 +8,26 @@ import {
   X509ValidationResult,
 } from '@sphereon/ssi-sdk-ext.x509-utils'
 import { contextHasPlugin } from '@sphereon/ssi-sdk.agent-config'
-import { IParsedDID, parseDid } from '@sphereon/ssi-types'
+import { IParsedDID, JWK, parseDid } from '@sphereon/ssi-types'
 import { IAgentContext, IDIDManager, IResolver } from '@veramo/core'
 import { isDefined } from '@veramo/utils'
 import { CryptoEngine, setEngine } from 'pkijs'
 import {
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
   ExternalIdentifierDidOpts,
   ExternalIdentifierDidResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
   ExternalIdentifierMethod,
   ExternalIdentifierOpts,
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
   ExternalJwkInfo,
+  isExternalIdentifierCoseKeyOpts,
   isExternalIdentifierDidOpts,
+  isExternalIdentifierJwkOpts,
   isExternalIdentifierJwksUrlOpts,
   isExternalIdentifierKidOpts,
   isExternalIdentifierOidcDiscoveryOpts,
@@ -39,6 +45,10 @@ export async function resolveExternalIdentifier(
     return resolveExternalDidIdentifier(opts, context)
   } else if (isExternalIdentifierX5cOpts(opts)) {
     return resolveExternalX5cIdentifier(opts, context)
+  } else if (isExternalIdentifierJwkOpts(opts)) {
+    return resolveExternalJwkIdentifier(opts, context)
+  } else if (isExternalIdentifierCoseKeyOpts(opts)) {
+    return resolveExternalCoseKeyIdentifier(opts, context)
   } else if (isExternalIdentifierKidOpts(opts)) {
     method = 'kid'
   } else if (isExternalIdentifierJwksUrlOpts(opts)) {
@@ -82,6 +92,7 @@ export async function resolveExternalX5cIdentifier(
         chain: opts.identifier,
         trustAnchors: opts.trustAnchors ?? [],
         verificationTime: opts.verificationTime,
+        opts,
       })
     }
     if (verificationResult.certificateChain) {
@@ -90,6 +101,7 @@ export async function resolveExternalX5cIdentifier(
           jwk: cert.publicKeyJWK,
           kid: cert.subject.dn.DN,
           jwkThumbprint: calculateJwkThumbprint({ jwk: cert.publicKeyJWK }),
+          publicKeyHex: jwkTtoPublicKeyHex(cert.publicKeyJWK),
         } satisfies ExternalJwkInfo
       })
     }
@@ -108,6 +120,7 @@ export async function resolveExternalX5cIdentifier(
           jwk,
           kid: getSubjectDN(cert).DN,
           jwkThumbprint: calculateJwkThumbprint({ jwk }),
+          publicKeyHex: jwkTtoPublicKeyHex(jwk),
         } satisfies ExternalJwkInfo
       })
     )
@@ -129,6 +142,78 @@ export async function resolveExternalX5cIdentifier(
   }
 }
 
+/**
+ * Resolves a JWK. Normally this is just returning the JWK, but in case the JWK contains a x5c the chain is validated
+ * @param opts
+ * @param context
+ */
+export async function resolveExternalJwkIdentifier(
+  opts: ExternalIdentifierJwkOpts & {
+    x5c?: ExternalIdentifierX5cOpts
+  },
+  context: IAgentContext<any>
+): Promise<ExternalIdentifierJwkResult> {
+  if (!isExternalIdentifierJwkOpts(opts)) {
+    return Promise.reject('External JWK Identifier args need to be provided')
+  }
+  const jwk = opts.identifier
+  let x5c: ExternalIdentifierX5cResult | undefined = undefined
+  if (jwk.x5c) {
+    x5c = await resolveExternalX5cIdentifier({ ...opts.x5c, identifier: jwk.x5c }, context)
+  }
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  return {
+    method: 'jwk',
+    jwk,
+    jwks: [
+      {
+        jwk,
+        jwkThumbprint,
+        kid: jwk.kid,
+        publicKeyHex: jwkTtoPublicKeyHex(jwk),
+      },
+    ],
+    x5c,
+  } satisfies ExternalIdentifierJwkResult
+}
+
+/**
+ * Resolves a JWK. Normally this is just returning the JWK, but in case the JWK contains a x5c the chain is validated
+ * @param opts
+ * @param context
+ */
+export async function resolveExternalCoseKeyIdentifier(
+  opts: ExternalIdentifierCoseKeyOpts & {
+    x5c?: ExternalIdentifierX5cOpts
+  },
+  context: IAgentContext<any>
+): Promise<ExternalIdentifierCoseKeyResult> {
+  if (!isExternalIdentifierCoseKeyOpts(opts)) {
+    return Promise.reject('External Cose Key args need to be provided')
+  }
+  // TODO: We need to do cbor conversion here as well.
+  const coseKey = opts.identifier
+  let x5c: ExternalIdentifierX5cResult | undefined = undefined
+  if (coseKey.x5chain) {
+    x5c = await resolveExternalX5cIdentifier({ ...opts.x5c, identifier: coseKey.x5chain }, context)
+  }
+  const jwk = coseKeyToJwk(coseKey)
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  return {
+    method: 'cose_key',
+    coseKey,
+    jwks: [
+      {
+        jwk,
+        jwkThumbprint,
+        kid: coseKey.kid,
+        publicKeyHex: jwkTtoPublicKeyHex(jwk),
+      },
+    ],
+    x5c,
+  } satisfies ExternalIdentifierCoseKeyResult
+}
+
 export async function resolveExternalDidIdentifier(
   opts: ExternalIdentifierDidOpts,
   context: IAgentContext<IResolver & IDIDManager>
@@ -163,7 +248,12 @@ export async function resolveExternalDidIdentifier(
             .flatMap((jwks) => jwks)
         )
       ).map((jwk) => {
-        return { jwk, jwkThumbprint: calculateJwkThumbprint({ jwk }), kid: jwk.kid }
+        return {
+          jwk,
+          jwkThumbprint: calculateJwkThumbprint({ jwk }),
+          kid: jwk.kid,
+          publicKeyHex: jwkTtoPublicKeyHex(jwk),
+        }
       })
     : []
 

package/src/functions/managedIdentifierFunctions.ts

@@ -1,11 +1,13 @@
 import { getFirstKeyWithRelation } from '@sphereon/ssi-sdk-ext.did-utils'
-import { calculateJwkThumbprint, JWK, toJwk } from '@sphereon/ssi-sdk-ext.key-utils'
+import { calculateJwkThumbprint, coseKeyToJwk, toJwk } from '@sphereon/ssi-sdk-ext.key-utils'
 import { pemOrDerToX509Certificate } from '@sphereon/ssi-sdk-ext.x509-utils'
 import { contextHasDidManager, contextHasKeyManager } from '@sphereon/ssi-sdk.agent-config'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
 import { IAgentContext, IIdentifier, IKey, IKeyManager } from '@veramo/core'
 import { CryptoEngine, setEngine } from 'pkijs'
 import {
   IIdentifierResolution,
+  isManagedIdentifierCoseKeyOpts,
   isManagedIdentifierDidOpts,
   isManagedIdentifierDidResult,
   isManagedIdentifierJwkOpts,
@@ -14,6 +16,8 @@ import {
   isManagedIdentifierKeyResult,
   isManagedIdentifierKidOpts,
   isManagedIdentifierX5cOpts,
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
   ManagedIdentifierJwkOpts,
@@ -35,6 +39,8 @@ export async function getManagedKidIdentifier(
   const method = 'kid'
   if (!contextHasKeyManager(context)) {
     return Promise.reject(Error(`Cannot get Key/JWK identifier if KeyManager plugin is not enabled!`))
+  } else if (opts.identifier.startsWith('did:')) {
+    return Promise.reject(Error(`managed kid resolution called but a did url was passed in. Please call the did resolution method`))
   }
   const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? opts.identifier })
   const jwk = toJwk(key.publicKeyHex, key.type, { key })
@@ -54,7 +60,11 @@ export async function getManagedKidIdentifier(
   } satisfies ManagedIdentifierKidResult
 }
 
-export function isManagedIdentifierResult(identifier: ManagedIdentifierOptsOrResult & { crypto?: Crypto }): identifier is ManagedIdentifierResult {
+export function isManagedIdentifierResult(
+  identifier: ManagedIdentifierOptsOrResult & {
+    crypto?: Crypto
+  }
+): identifier is ManagedIdentifierResult {
   return 'key' in identifier && 'kmsKeyRef' in identifier && 'method' in identifier && 'opts' in identifier && 'jwkThumbprint' in identifier
 }
 
@@ -101,6 +111,38 @@ export async function getManagedKeyIdentifier(opts: ManagedIdentifierKeyOpts, _c
   } satisfies ManagedIdentifierKeyResult
 }
 
+/**
+ * This function is just a convenience function to get a common result. The user already apparently had a key, so could have called the kid version as well
+ * @param opts
+ * @param context
+ */
+export async function getManagedCoseKeyIdentifier(
+  opts: ManagedIdentifierCoseKeyOpts,
+  context: IAgentContext<any>
+): Promise<ManagedIdentifierCoseKeyResult> {
+  const method = 'cose_key'
+  const coseKey: ICoseKeyJson = opts.identifier
+  if (!contextHasKeyManager(context)) {
+    return Promise.reject(Error(`Cannot get Cose Key identifier if KeyManager plugin is not enabled!`))
+  }
+  const jwk = coseKeyToJwk(coseKey)
+  const jwkThumbprint = calculateJwkThumbprint({ jwk })
+  const key = await context.agent.keyManagerGet({ kid: opts.kmsKeyRef ?? jwkThumbprint })
+  const kid = opts.kid ?? coseKey.kid ?? jwkThumbprint
+  const issuer = opts.issuer
+  return {
+    method,
+    key,
+    identifier: opts.identifier,
+    jwk,
+    jwkThumbprint,
+    kid,
+    issuer,
+    kmsKeyRef: key.kid,
+    opts,
+  } satisfies ManagedIdentifierCoseKeyResult
+}
+
 export async function getManagedDidIdentifier(opts: ManagedIdentifierDidOpts, context: IAgentContext<any>): Promise<ManagedIdentifierDidResult> {
   const method = 'did'
   if (!contextHasDidManager(context)) {
@@ -236,6 +278,8 @@ export async function getManagedIdentifier(
     resolutionResult = await getManagedX5cIdentifier(opts, context)
   } else if (isManagedIdentifierKeyOpts(opts)) {
     resolutionResult = await getManagedKeyIdentifier(opts, context)
+  } else if (isManagedIdentifierCoseKeyOpts(opts)) {
+    resolutionResult = await getManagedCoseKeyIdentifier(opts, context)
   } else {
     return Promise.reject(Error(`Could not determine identifier method. Please provide explicitly`))
   }

package/src/types/IIdentifierResolution.ts

@@ -1,13 +1,19 @@
 import { IAgentContext, IDIDManager, IKeyManager, IPluginMethodMap } from '@veramo/core'
 import {
+  ExternalIdentifierCoseKeyOpts,
+  ExternalIdentifierCoseKeyResult,
   ExternalIdentifierDidOpts,
   ExternalIdentifierDidResult,
+  ExternalIdentifierJwkOpts,
+  ExternalIdentifierJwkResult,
   ExternalIdentifierOpts,
   ExternalIdentifierResult,
   ExternalIdentifierX5cOpts,
   ExternalIdentifierX5cResult,
 } from './externalIdentifierTypes'
 import {
+  ManagedIdentifierCoseKeyOpts,
+  ManagedIdentifierCoseKeyResult,
   ManagedIdentifierDidOpts,
   ManagedIdentifierDidResult,
   ManagedIdentifierJwkOpts,
@@ -30,9 +36,12 @@ export const identifierResolutionContextMethods: Array<string> = [
   'identifierManagedGetByJwk',
   'identifierManagedGetByX5c',
   'identifierManagedGetByKey',
+  'identifierGetManagedByCoseKey',
   'identifierExternalResolve',
   'identifierExternalResolveByDid',
   'identifierExternalResolveByX5c',
+  'identifierExternalResolveByJwk',
+  'identifierExternalResolveByCoseKey',
 ]
 
 /**
@@ -63,6 +72,11 @@ export interface IIdentifierResolution extends IPluginMethodMap {
 
   identifierManagedGetByKey(args: ManagedIdentifierKeyOpts, context: IAgentContext<IKeyManager>): Promise<ManagedIdentifierKeyResult>
 
+  identifierManagedGetByCoseKey(
+    args: ManagedIdentifierCoseKeyOpts,
+    context: IAgentContext<IKeyManager & IIdentifierResolution>
+  ): Promise<ManagedIdentifierCoseKeyResult>
+
   // TODO: We can create a custom managed identifier method allowing developers to register a callback function to get their implementation hooked up. Needs more investigation as it would also impact the KMS
 
   /**
@@ -75,5 +89,9 @@ export interface IIdentifierResolution extends IPluginMethodMap {
 
   identifierExternalResolveByDid(args: ExternalIdentifierDidOpts, context: IAgentContext<any>): Promise<ExternalIdentifierDidResult>
 
+  identifierExternalResolveByJwk(args: ExternalIdentifierJwkOpts, context: IAgentContext<any>): Promise<ExternalIdentifierJwkResult>
+
+  identifierExternalResolveByCoseKey(args: ExternalIdentifierCoseKeyOpts, context: IAgentContext<any>): Promise<ExternalIdentifierCoseKeyResult>
+
   identifierExternalResolveByX5c(args: ExternalIdentifierX5cOpts, context: IAgentContext<any>): Promise<ExternalIdentifierX5cResult>
 }

package/src/types/common.ts

@@ -1,4 +1,4 @@
-import { JWK } from '@sphereon/ssi-sdk-ext.key-utils'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
 import { IIdentifier, IKey } from '@veramo/core'
 import { ExternalIdentifierType } from './externalIdentifierTypes'
 import { ManagedIdentifierType } from './managedIdentifierTypes'
@@ -42,6 +42,10 @@ export function isKeyIdentifier(identifier: ManagedIdentifierType): identifier i
   )
 }
 
+export function isCoseKeyIdentifier(identifier: ManagedIdentifierType): identifier is ICoseKeyJson {
+  return typeof identifier === 'object' && `kty` in identifier && ('baseIV' in identifier || 'x5chain' in identifier) && !('x5c' in identifier)
+}
+
 export function isX5cIdentifier(identifier: ManagedIdentifierType | ExternalIdentifierType): identifier is string[] {
   return Array.isArray(identifier) && identifier.length > 0 // todo: Do we want to do additional validation? We know it must be DER and thus hex for instance
 }

package/src/types/externalIdentifierTypes.ts

@@ -1,9 +1,18 @@
 import { DidDocumentJwks } from '@sphereon/ssi-sdk-ext.did-utils'
-import { JWK } from '@sphereon/ssi-sdk-ext.key-utils'
-import { X509ValidationResult } from '@sphereon/ssi-sdk-ext.x509-utils'
+import { ICoseKeyJson, JWK } from '@sphereon/ssi-types'
+import { X509CertificateChainValidationOpts, X509ValidationResult } from '@sphereon/ssi-sdk-ext.x509-utils'
 import { IParsedDID } from '@sphereon/ssi-types'
 import { DIDDocument, DIDDocumentSection, DIDResolutionResult } from '@veramo/core'
-import { isDidIdentifier, isJwkIdentifier, isJwksUrlIdentifier, isKidIdentifier, isOidcDiscoveryIdentifier, isX5cIdentifier, JwkInfo } from './common'
+import {
+  isCoseKeyIdentifier,
+  isDidIdentifier,
+  isJwkIdentifier,
+  isJwksUrlIdentifier,
+  isKidIdentifier,
+  isOidcDiscoveryIdentifier,
+  isX5cIdentifier,
+  JwkInfo,
+} from './common'
 
 /**
  * Use whenever we need to resolve an external identifier. We can pass in kids, DIDs, and x5chains
@@ -32,7 +41,13 @@ export function isExternalIdentifierDidOpts(opts: ExternalIdentifierOptsBase): o
   return ('method' in opts && opts.method === 'did') || isDidIdentifier(identifier)
 }
 
-export type ExternalIdentifierOpts = (ExternalIdentifierJwkOpts | ExternalIdentifierX5cOpts | ExternalIdentifierDidOpts | ExternalIdentifierKidOpts) &
+export type ExternalIdentifierOpts = (
+  | ExternalIdentifierJwkOpts
+  | ExternalIdentifierX5cOpts
+  | ExternalIdentifierDidOpts
+  | ExternalIdentifierKidOpts
+  | ExternalIdentifierCoseKeyOpts
+) &
   ExternalIdentifierOptsBase
 
 export type ExternalIdentifierKidOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
@@ -48,6 +63,7 @@ export function isExternalIdentifierKidOpts(opts: ExternalIdentifierOptsBase): o
 export type ExternalIdentifierJwkOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
   method?: 'jwk'
   identifier: JWK
+  x5c?: ExternalIdentifierX5cOpts
 }
 
 export function isExternalIdentifierJwkOpts(opts: ExternalIdentifierOptsBase): opts is ExternalIdentifierJwkOpts {
@@ -55,6 +71,16 @@ export function isExternalIdentifierJwkOpts(opts: ExternalIdentifierOptsBase): o
   return ('method' in opts && opts.method === 'jwk') || isJwkIdentifier(identifier)
 }
 
+export type ExternalIdentifierCoseKeyOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
+  method?: 'cose_key'
+  identifier: ICoseKeyJson
+}
+
+export function isExternalIdentifierCoseKeyOpts(opts: ExternalIdentifierOptsBase): opts is ExternalIdentifierCoseKeyOpts {
+  const { identifier } = opts
+  return ('method' in opts && opts.method === 'cose_key') || isCoseKeyIdentifier(identifier)
+}
+
 export type ExternalIdentifierOidcDiscoveryOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
   method?: 'oidc-discovery'
   identifier: string
@@ -75,28 +101,42 @@ export function isExternalIdentifierJwksUrlOpts(opts: ExternalIdentifierOptsBase
   return ('method' in opts && opts.method === 'oidc-discovery') || isJwksUrlIdentifier(identifier)
 }
 
-export type ExternalIdentifierX5cOpts = Omit<ExternalIdentifierOptsBase, 'method'> & {
-  method?: 'x5c'
-  identifier: string[]
-  verify?: boolean // defaults to true
-  verificationTime?: Date
-  trustAnchors?: string[]
-}
+export type ExternalIdentifierX5cOpts = Omit<ExternalIdentifierOptsBase, 'method'> &
+  X509CertificateChainValidationOpts & {
+    method?: 'x5c'
+    identifier: string[]
+    verify?: boolean // defaults to true
+    verificationTime?: Date
+    trustAnchors?: string[]
+  }
 
 export function isExternalIdentifierX5cOpts(opts: ExternalIdentifierOptsBase): opts is ExternalIdentifierX5cOpts {
   const { identifier } = opts
   return ('method' in opts && opts.method === 'x5c') || isX5cIdentifier(identifier)
 }
 
-export type ExternalIdentifierMethod = 'did' | 'jwk' | 'x5c' | 'kid' | 'oidc-discovery' | 'jwks-url' | 'oid4vci-issuer'
+export type ExternalIdentifierMethod = 'did' | 'jwk' | 'x5c' | 'kid' | 'cose_key' | 'oidc-discovery' | 'jwks-url' | 'oid4vci-issuer'
 
-export type ExternalIdentifierResult = ExternalIdentifierDidResult | ExternalIdentifierX5cResult
+export type ExternalIdentifierResult = IExternalIdentifierResultBase &
+  (ExternalIdentifierDidResult | ExternalIdentifierX5cResult | ExternalIdentifierJwkResult | ExternalIdentifierCoseKeyResult)
 
 export interface IExternalIdentifierResultBase {
   method: ExternalIdentifierMethod
   jwks: Array<ExternalJwkInfo>
 }
 
+export interface ExternalIdentifierJwkResult extends IExternalIdentifierResultBase {
+  method: 'jwk'
+  jwk: JWK
+  x5c?: ExternalIdentifierX5cResult
+}
+
+export interface ExternalIdentifierCoseKeyResult extends IExternalIdentifierResultBase {
+  method: 'cose_key'
+  coseKey: ICoseKeyJson
+  x5c?: ExternalIdentifierX5cResult
+}
+
 export interface ExternalIdentifierX5cResult extends IExternalIdentifierResultBase {
   method: 'x5c'
   x5c: string[]
@@ -107,6 +147,7 @@ export interface ExternalIdentifierX5cResult extends IExternalIdentifierResultBa
 
 export interface ExternalJwkInfo extends JwkInfo {
   kid?: string
+  publicKeyHex: string
 }
 
 export interface ExternalIdentifierDidResult extends IExternalIdentifierResultBase {